Overview

overview

10

Static

static

6712500bb0...6f.dll

windows7_x64

10

6712500bb0...6f.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll

  • Size

    1.0MB

  • MD5

    369638ac700f3c41ebaba447d4048ff8

  • SHA1

    6c50a1abf9dc992e74a73279d40fb1a09368cdfe

  • SHA256

    6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f

  • SHA512

    5f7a1913e83cd443a3339af0a52c04a4de17c67be480646d9bb02c984196a0a1ec3d7419ee88ca12d219af927aad1859c47372e08ba6a7a35ad956d5dc4ce7f5

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4000
  • C:\Windows\system32\mfpmp.exe
    C:\Windows\system32\mfpmp.exe
    1⤵
      PID:3852
    • C:\Users\Admin\AppData\Local\qPm4rFB\mfpmp.exe
      C:\Users\Admin\AppData\Local\qPm4rFB\mfpmp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:3848
    • C:\Windows\system32\rstrui.exe
      C:\Windows\system32\rstrui.exe
      1⤵
        PID:2360
      • C:\Users\Admin\AppData\Local\5LXMT\rstrui.exe
        C:\Users\Admin\AppData\Local\5LXMT\rstrui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2296
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe 4c4715869dad9bb08378e2bc665701f0 m1LUVBdGck63P0D30X+vRQ.0.1.0.0.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:2968
      • C:\Windows\system32\SystemPropertiesHardware.exe
        C:\Windows\system32\SystemPropertiesHardware.exe
        1⤵
          PID:564
        • C:\Users\Admin\AppData\Local\UPZ6w5DHu\SystemPropertiesHardware.exe
          C:\Users\Admin\AppData\Local\UPZ6w5DHu\SystemPropertiesHardware.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2584
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k wusvcs -p
          1⤵
            PID:4044

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          2
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\5LXMT\SPP.dll
            MD5

            ed6de4fea764ae85c887dc91db3a2294

            SHA1

            0c15bcae0d37c5be99ddc4a8bc8341dbcd16804e

            SHA256

            6ddf989b9c0affecfc5068e43eb174f073f69ab803c0317252b24ecbc90297a1

            SHA512

            c440612ac4f0ab00e36cf8ad102650028187943fcb93daba8d5d807b724cc960487c0b6b927e495d331adaf38eeeb9f4a62ae1c79f865578debfe7b12a621371

            Download Submit
          • C:\Users\Admin\AppData\Local\5LXMT\SPP.dll
            MD5

            ed6de4fea764ae85c887dc91db3a2294

            SHA1

            0c15bcae0d37c5be99ddc4a8bc8341dbcd16804e

            SHA256

            6ddf989b9c0affecfc5068e43eb174f073f69ab803c0317252b24ecbc90297a1

            SHA512

            c440612ac4f0ab00e36cf8ad102650028187943fcb93daba8d5d807b724cc960487c0b6b927e495d331adaf38eeeb9f4a62ae1c79f865578debfe7b12a621371

            Download Submit
          • C:\Users\Admin\AppData\Local\5LXMT\rstrui.exe
            MD5

            4cad10846e93e85790865d5c0ab6ffd9

            SHA1

            8a223f4bab28afa4c7ed630f29325563c5dcda1a

            SHA256

            9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

            SHA512

            c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

            Download Submit
          • C:\Users\Admin\AppData\Local\UPZ6w5DHu\SYSDM.CPL
            MD5

            1726724eea580b20db0c6c518b530c9e

            SHA1

            2130570129ecb642ad719324a2ebe9e4d910b2a1

            SHA256

            cca6c4eed117133b71030b4a87a36b8f331951c08f149006ca52d0b7d1b428b2

            SHA512

            70e5745bbc1839862b224868d38f47af6f8c75d6b54a4c0586d73bda07e1c814bf7353b3f4a7dea905f762a2ad22804b33ff68bd899a6f995ba5cb5285bbaf3e

            Download Submit
          • C:\Users\Admin\AppData\Local\UPZ6w5DHu\SYSDM.CPL
            MD5

            1726724eea580b20db0c6c518b530c9e

            SHA1

            2130570129ecb642ad719324a2ebe9e4d910b2a1

            SHA256

            cca6c4eed117133b71030b4a87a36b8f331951c08f149006ca52d0b7d1b428b2

            SHA512

            70e5745bbc1839862b224868d38f47af6f8c75d6b54a4c0586d73bda07e1c814bf7353b3f4a7dea905f762a2ad22804b33ff68bd899a6f995ba5cb5285bbaf3e

            Download Submit
          • C:\Users\Admin\AppData\Local\UPZ6w5DHu\SystemPropertiesHardware.exe
            MD5

            bf5bc0d70a936890d38d2510ee07a2cd

            SHA1

            69d5971fd264d8128f5633db9003afef5fad8f10

            SHA256

            c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

            SHA512

            0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

            Download Submit
          • C:\Users\Admin\AppData\Local\qPm4rFB\MFPlat.DLL
            MD5

            7b261b217f62eeb2d3c030882df8e53f

            SHA1

            edc53e0151ca36c64294ef531f48d3177272820e

            SHA256

            0a109d5fe7e3a96a781ae9036e414bf09d3f86dc4e3121c8ed2ba11d74b62a4a

            SHA512

            0a76b938544d14304bd1c937bbd89a3bf87c8958aa06c31d4bf3685c2d6830ad199dd7405d18fc5d624d914921ca726e748f203703ce6897d1c47cadb66d56da

            Download Submit
          • C:\Users\Admin\AppData\Local\qPm4rFB\MFPlat.DLL
            MD5

            7b261b217f62eeb2d3c030882df8e53f

            SHA1

            edc53e0151ca36c64294ef531f48d3177272820e

            SHA256

            0a109d5fe7e3a96a781ae9036e414bf09d3f86dc4e3121c8ed2ba11d74b62a4a

            SHA512

            0a76b938544d14304bd1c937bbd89a3bf87c8958aa06c31d4bf3685c2d6830ad199dd7405d18fc5d624d914921ca726e748f203703ce6897d1c47cadb66d56da

            Download Submit
          • C:\Users\Admin\AppData\Local\qPm4rFB\mfpmp.exe
            MD5

            8f8fd1988973bac0c5244431473b96a5

            SHA1

            ce81ea37260d7cafe27612606cf044921ad1304c

            SHA256

            27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

            SHA512

            a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

            Download Submit
          • memory/2296-164-0x00007FFCC7C40000-0x00007FFCC7D45000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2432-139-0x0000000140000000-0x0000000140105000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2432-149-0x00007FFCE5960000-0x00007FFCE5970000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2432-148-0x00007FFCE599CF20-0x00007FFCE5A7DF20-memory.dmp
            Filesize

            900KB

            Download
          • memory/2432-143-0x0000000140000000-0x0000000140105000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2432-142-0x0000000140000000-0x0000000140105000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2432-141-0x0000000140000000-0x0000000140105000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2432-140-0x0000000140000000-0x0000000140105000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2432-138-0x0000000140000000-0x0000000140105000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2432-137-0x0000000000F80000-0x0000000000F81000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3848-155-0x00007FFCC74F0000-0x00007FFCC75F7000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/4000-130-0x00007FFCC74F0000-0x00007FFCC75F5000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/4000-135-0x0000023665D00000-0x0000023665D07000-memory.dmp
            Filesize

            28KB

            Download