Overview

overview

10

Static

static

02a28f4bc4...26.dll

windows7_x64

10

02a28f4bc4...26.dll

windows10_x64

10

02a28f4bc4...26.dll

windows7_x64

10

02a28f4bc4...26.dll

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    26s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-12-2021 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll

  • Size

    1.0MB

  • MD5

    6f35fe576a7c7bc71651a0ee2e76cb85

  • SHA1

    b240f9008cfca0bc90865363a8fd5a56ed051435

  • SHA256

    02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26

  • SHA512

    22707965963ea8b91c365f2439980113e5949db69cafbf8eb9358ee440908b686c16f1bddea7a8fd649acb10a18489b3f2582c02db329d9ab61f699b55cac764

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2220
  • C:\Windows\system32\embeddedapplauncher.exe
    C:\Windows\system32\embeddedapplauncher.exe
    1⤵
      PID:2320
    • C:\Users\Admin\AppData\Local\KZGR\embeddedapplauncher.exe
      C:\Users\Admin\AppData\Local\KZGR\embeddedapplauncher.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2972
    • C:\Windows\system32\rdpinput.exe
      C:\Windows\system32\rdpinput.exe
      1⤵
        PID:2856
      • C:\Users\Admin\AppData\Local\FnAP\rdpinput.exe
        C:\Users\Admin\AppData\Local\FnAP\rdpinput.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2852
      • C:\Windows\system32\DmNotificationBroker.exe
        C:\Windows\system32\DmNotificationBroker.exe
        1⤵
          PID:1072
        • C:\Users\Admin\AppData\Local\4RxOe\DmNotificationBroker.exe
          C:\Users\Admin\AppData\Local\4RxOe\DmNotificationBroker.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:612

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4RxOe\DUI70.dll
          MD5

          49f07c4a74d9c4b7d583deef3ec97492

          SHA1

          fec91ba959ba7546d307573abf5a7c739f3fc7ac

          SHA256

          d29eff953eef14c75e2d5f98604481370b8b0b8c343c991f89e9f5d9a87f535c

          SHA512

          fb7a0c659316d782b64c4e973d5cf6eac951bb1f7faabcd10f760f52c0c3e8104fd05eeabd023f9341660f6e5f125903b475c474f8dc0ce9128075122cbc5aa0

          Download Submit
        • C:\Users\Admin\AppData\Local\4RxOe\DmNotificationBroker.exe
          MD5

          80650482bacf349d2d4aadc99e916da7

          SHA1

          7c3d6eb2fc82cfa2122f115b80d49a9887d089de

          SHA256

          1cb2fe49a4d07375b6216bc51c372a3c78a96443765672ded3624d279c37c715

          SHA512

          d3bf9501b25ffe7145dda9cf3aa521854949ed11ebb5dd48aba7aab16d3b0d75dfe8976d3c3b932cc4eb2f77cf185a0b2d81965e055fdb3c5606400d77824a56

          Download Submit
        • C:\Users\Admin\AppData\Local\FnAP\WTSAPI32.dll
          MD5

          c6da71bc09c9844dda3116d0a08f0808

          SHA1

          2e5b50e8f8e5d405382a55d3f1391f5623a670ef

          SHA256

          c65b72021af9bf7c0e5264bc1d944f85cd3ac2c97321fe87c10e585509656a34

          SHA512

          87fedaf56371c52d859225b99a924c96106903d5281cc3da2e8ea6fa32e3320ab4823bb418830b68fda69b4f95e29e9001f272acf852c7916f96dcf15d4321ac

          Download Submit
        • C:\Users\Admin\AppData\Local\FnAP\rdpinput.exe
          MD5

          431364c49991ebfea19b468020368e08

          SHA1

          c36c8a01ccd17b8ec754fe92d1e03558bb3f05ac

          SHA256

          6c59ea8b7807d9cc9de5c67cf679a1fb1bed4629da1f0a071e03af775de8e4fc

          SHA512

          6b2baeb9abc1277fef874ead7d0c4b2b5c5953b8f9db5ae056a14a0af6edb6482b303e7f4ba5237a22e62919f09cd8334692dd58053754ed18837ace14565d8f

          Download Submit
        • C:\Users\Admin\AppData\Local\KZGR\WTSAPI32.dll
          MD5

          0edc32c63665cedbcd0aef04d49b8bbb

          SHA1

          afa6a817df83147ebb273e7c246c391f8c56f088

          SHA256

          d6144e2d05bdde07e79abc2c8a5ff74f67273ba120124ee6aae7e5f1e502a9f9

          SHA512

          044c0cf4dc07aec2137f3f902366ed17dd3450a31c142b51bd79d2b1e160f1275757f67cb496f5ebd6dbc2e5f23a842fee2c8ccedbadd3cf371aa071b6ffdbfe

          Download Submit
        • C:\Users\Admin\AppData\Local\KZGR\embeddedapplauncher.exe
          MD5

          372475cd2d5658a529c83cbe159dd4ce

          SHA1

          be8496491da2bbb3f06bfdf4ffe80285a7f891d9

          SHA256

          708d78211be2333cab7658a99b02ae81014475973dea05d92115a8bc91965024

          SHA512

          88f138678d8f8aae8bc0ac429744f8aad4a76187c0dd4367c03d9ed21ae132edae0109849570d49b47918ccac6fe671a896f64ef723e4e275a723b2c6e050028

          Download Submit
        • \Users\Admin\AppData\Local\4RxOe\DUI70.dll
          MD5

          49f07c4a74d9c4b7d583deef3ec97492

          SHA1

          fec91ba959ba7546d307573abf5a7c739f3fc7ac

          SHA256

          d29eff953eef14c75e2d5f98604481370b8b0b8c343c991f89e9f5d9a87f535c

          SHA512

          fb7a0c659316d782b64c4e973d5cf6eac951bb1f7faabcd10f760f52c0c3e8104fd05eeabd023f9341660f6e5f125903b475c474f8dc0ce9128075122cbc5aa0

          Download Submit
        • \Users\Admin\AppData\Local\FnAP\WTSAPI32.dll
          MD5

          c6da71bc09c9844dda3116d0a08f0808

          SHA1

          2e5b50e8f8e5d405382a55d3f1391f5623a670ef

          SHA256

          c65b72021af9bf7c0e5264bc1d944f85cd3ac2c97321fe87c10e585509656a34

          SHA512

          87fedaf56371c52d859225b99a924c96106903d5281cc3da2e8ea6fa32e3320ab4823bb418830b68fda69b4f95e29e9001f272acf852c7916f96dcf15d4321ac

          Download Submit
        • \Users\Admin\AppData\Local\KZGR\WTSAPI32.dll
          MD5

          0edc32c63665cedbcd0aef04d49b8bbb

          SHA1

          afa6a817df83147ebb273e7c246c391f8c56f088

          SHA256

          d6144e2d05bdde07e79abc2c8a5ff74f67273ba120124ee6aae7e5f1e502a9f9

          SHA512

          044c0cf4dc07aec2137f3f902366ed17dd3450a31c142b51bd79d2b1e160f1275757f67cb496f5ebd6dbc2e5f23a842fee2c8ccedbadd3cf371aa071b6ffdbfe

          Download Submit
        • memory/612-179-0x000001F5BC480000-0x000001F5BC482000-memory.dmp
          Filesize

          8KB

          Download
        • memory/612-181-0x000001F5BC480000-0x000001F5BC482000-memory.dmp
          Filesize

          8KB

          Download
        • memory/612-172-0x0000000000000000-mapping.dmp
          Download
        • memory/612-176-0x0000000140000000-0x000000014014F000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/612-180-0x000001F5BC480000-0x000001F5BC482000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2220-119-0x000002C6024B0000-0x000002C6024B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2220-115-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2220-118-0x000002C6024B0000-0x000002C6024B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2220-120-0x000002C6024A0000-0x000002C6024A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2852-170-0x00000168C7AC0000-0x00000168C7AC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2852-162-0x0000000000000000-mapping.dmp
          Download
        • memory/2852-169-0x00000168C7AC0000-0x00000168C7AC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2852-171-0x00000168C7AC0000-0x00000168C7AC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2972-161-0x0000016DC60A0000-0x0000016DC60A2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2972-160-0x0000016DC60A0000-0x0000016DC60A2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2972-159-0x0000016DC60A0000-0x0000016DC60A2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2972-156-0x0000000140000000-0x000000014010A000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2972-151-0x0000000000000000-mapping.dmp
          Download
        • memory/3064-130-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-150-0x00000000009E0000-0x00000000009E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3064-149-0x00007FFB361D5000-0x00007FFB361D6000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3064-148-0x00000000009E0000-0x00000000009E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3064-147-0x00000000009E0000-0x00000000009E2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3064-141-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-155-0x00007FFB36310000-0x00007FFB36312000-memory.dmp
          Filesize

          8KB

          Download
        • memory/3064-140-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-139-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-138-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-136-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-137-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-135-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-134-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-133-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-132-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-131-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-129-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-128-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-127-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-126-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-125-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-124-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-123-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-122-0x0000000140000000-0x0000000140109000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3064-121-0x0000000000840000-0x0000000000841000-memory.dmp
          Filesize

          4KB

          Download