Overview

overview

10

Static

static

86bcfce2dd...00.dll

windows7_x64

10

86bcfce2dd...00.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll

  • Size

    768KB

  • MD5

    bd5cfa593ed87901f8184eaa44c0a8b8

  • SHA1

    963a57fb83ca6361624fb057058ea4fb538015dc

  • SHA256

    86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100

  • SHA512

    f6235abb0503db5a7cc7a0f6d2a4682db1491127a4f5700d3f68e15535b838651e1df8a8292643e46febb678e16abe9f36f6990db57db3f58c60ceae186ae489

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3428
  • C:\Windows\system32\Taskmgr.exe
    C:\Windows\system32\Taskmgr.exe
    1⤵
      PID:3288
    • C:\Users\Admin\AppData\Local\Hz3K\Taskmgr.exe
      C:\Users\Admin\AppData\Local\Hz3K\Taskmgr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:3880
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 6c6d6071fb34ff300d8d82c473415888 siIubRRiTk+y8IxrmhWjIw.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:3308
    • C:\Windows\system32\ApplicationFrameHost.exe
      C:\Windows\system32\ApplicationFrameHost.exe
      1⤵
        PID:2812
      • C:\Users\Admin\AppData\Local\dIlQu02\ApplicationFrameHost.exe
        C:\Users\Admin\AppData\Local\dIlQu02\ApplicationFrameHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2824
      • C:\Windows\system32\phoneactivate.exe
        C:\Windows\system32\phoneactivate.exe
        1⤵
          PID:3128
        • C:\Users\Admin\AppData\Local\0ku\phoneactivate.exe
          C:\Users\Admin\AppData\Local\0ku\phoneactivate.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2836
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k wusvcs -p
          1⤵
            PID:4088

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          2
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\0ku\DUI70.dll
            MD5

            2c87be48e288917b334599d0f5611978

            SHA1

            bb8497e3ef34dd17212c4a04d5e56e367b217217

            SHA256

            6724dc312aafa1901ec2fe4566c7e3126cfe6fa1587dcf75549b169cf3948124

            SHA512

            17a85d145f0b0670dfa3f32b199913140953d52b0d8533e26328d5eb66150b1df057f35acd760be5988d4bca996af6d8e8311508442f17d119b4897367591b77

            Download Submit
          • C:\Users\Admin\AppData\Local\0ku\DUI70.dll
            MD5

            2c87be48e288917b334599d0f5611978

            SHA1

            bb8497e3ef34dd17212c4a04d5e56e367b217217

            SHA256

            6724dc312aafa1901ec2fe4566c7e3126cfe6fa1587dcf75549b169cf3948124

            SHA512

            17a85d145f0b0670dfa3f32b199913140953d52b0d8533e26328d5eb66150b1df057f35acd760be5988d4bca996af6d8e8311508442f17d119b4897367591b77

            Download Submit
          • C:\Users\Admin\AppData\Local\0ku\phoneactivate.exe
            MD5

            32c31f06e0b68f349f68afdd08e45f3d

            SHA1

            e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

            SHA256

            cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

            SHA512

            fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

            Download Submit
          • C:\Users\Admin\AppData\Local\Hz3K\DUI70.dll
            MD5

            c9eb3c7716d14c612f757135a6ddaaf2

            SHA1

            cf01c71e26344aea8623598481d75ae09dc27d25

            SHA256

            d7e8bb77cdf19210440d83310ec3e38e66fb5bad4f07dfc3c4613813b632bace

            SHA512

            12e0045a8e02d5679d70337857988b81b7e1daed3b4c5dad3f77a73752bd3e21f405cee1b59201f1f5c11ca03be0a1f227f2115a18b92069a5768336a53d0d2a

            Download Submit
          • C:\Users\Admin\AppData\Local\Hz3K\DUI70.dll
            MD5

            c9eb3c7716d14c612f757135a6ddaaf2

            SHA1

            cf01c71e26344aea8623598481d75ae09dc27d25

            SHA256

            d7e8bb77cdf19210440d83310ec3e38e66fb5bad4f07dfc3c4613813b632bace

            SHA512

            12e0045a8e02d5679d70337857988b81b7e1daed3b4c5dad3f77a73752bd3e21f405cee1b59201f1f5c11ca03be0a1f227f2115a18b92069a5768336a53d0d2a

            Download Submit
          • C:\Users\Admin\AppData\Local\Hz3K\Taskmgr.exe
            MD5

            58d5bc7895f7f32ee308e34f06f25dd5

            SHA1

            7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4

            SHA256

            4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478

            SHA512

            872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

            Download Submit
          • C:\Users\Admin\AppData\Local\dIlQu02\ApplicationFrameHost.exe
            MD5

            d58a8a987a8dafad9dc32a548cc061e7

            SHA1

            f79fc9e0ab066cad530b949c2153c532a5223156

            SHA256

            cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

            SHA512

            93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

            Download Submit
          • C:\Users\Admin\AppData\Local\dIlQu02\dxgi.dll
            MD5

            40c508e6f625a898a9478ecf93f22ad5

            SHA1

            4f3ed66d24797a1f8f0a392d5564da9381794dfc

            SHA256

            24fbe10e590003886e281b5b4ee10f61bf9475d37499c1a3f01c9cd88e3579c7

            SHA512

            3d4d27af60c16b8a8da6d64323ddf85ca68db59a608f5b0b09baa339687ed29c6ed80133f455178d36bd7d30eae2301aefd26eceb5cfe508daa6361ad5e82931

            Download Submit
          • C:\Users\Admin\AppData\Local\dIlQu02\dxgi.dll
            MD5

            40c508e6f625a898a9478ecf93f22ad5

            SHA1

            4f3ed66d24797a1f8f0a392d5564da9381794dfc

            SHA256

            24fbe10e590003886e281b5b4ee10f61bf9475d37499c1a3f01c9cd88e3579c7

            SHA512

            3d4d27af60c16b8a8da6d64323ddf85ca68db59a608f5b0b09baa339687ed29c6ed80133f455178d36bd7d30eae2301aefd26eceb5cfe508daa6361ad5e82931

            Download Submit
          • memory/2384-140-0x0000000140000000-0x00000001400C0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/2384-137-0x00000000027E0000-0x00000000027E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2384-148-0x00007FFC9B3DCF20-0x00007FFC9B4BDF20-memory.dmp
            Filesize

            900KB

            Download
          • memory/2384-143-0x0000000140000000-0x00000001400C0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/2384-142-0x0000000140000000-0x00000001400C0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/2384-141-0x0000000140000000-0x00000001400C0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/2384-149-0x00007FFC9B3A0000-0x00007FFC9B3B0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2384-139-0x0000000140000000-0x00000001400C0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/2384-138-0x0000000140000000-0x00000001400C0000-memory.dmp
            Filesize

            768KB

            Download
          • memory/2824-163-0x00007FFC7D150000-0x00007FFC7D210000-memory.dmp
            Filesize

            768KB

            Download
          • memory/2836-175-0x00007FFC7BC10000-0x00007FFC7BD16000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/3428-130-0x00007FFC7C940000-0x00007FFC7CA00000-memory.dmp
            Filesize

            768KB

            Download
          • memory/3428-136-0x00000253D51D0000-0x00000253D51D7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/3880-153-0x00007FFC7BB90000-0x00007FFC7BC96000-memory.dmp
            Filesize

            1.0MB

            Download