Overview

overview

10

Static

static

91a7289739...65.dll

windows7_x64

10

91a7289739...65.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91a7289739c77592bb9df66d5c071d4db3776f1605f2c424b81d785ebccd4a65.dll

  • Size

    884KB

  • MD5

    ced02686016fde4bfb16ba8f821108bf

  • SHA1

    3a0d57f789e19bc2dd84697f283fb21a49d45800

  • SHA256

    91a7289739c77592bb9df66d5c071d4db3776f1605f2c424b81d785ebccd4a65

  • SHA512

    9b278ec14d2c3cfb2f5ee3a4a622c37302a6e3573d7364c32f1124a578e98aeb84a576848fffe5f580495841a7bae1ac6fdebba7da1fda26aab5bee08bf13d9a

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\91a7289739c77592bb9df66d5c071d4db3776f1605f2c424b81d785ebccd4a65.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1984
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    1⤵
      PID:1888
    • C:\Users\Admin\AppData\Local\Z9oqQqxU\recdisc.exe
      C:\Users\Admin\AppData\Local\Z9oqQqxU\recdisc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:1940
    • C:\Windows\system32\wisptis.exe
      C:\Windows\system32\wisptis.exe
      1⤵
        PID:1752
      • C:\Users\Admin\AppData\Local\KN1i\wisptis.exe
        C:\Users\Admin\AppData\Local\KN1i\wisptis.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1244
      • C:\Windows\system32\sigverif.exe
        C:\Windows\system32\sigverif.exe
        1⤵
          PID:1520
        • C:\Users\Admin\AppData\Local\9nNk\sigverif.exe
          C:\Users\Admin\AppData\Local\9nNk\sigverif.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:776

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9nNk\VERSION.dll
          Filesize

          885KB

          MD5

          e21b14e62ec5ac659ca406f943b39cfa

          SHA1

          135241626f0d4b679473f4cb0e3459459410df7c

          SHA256

          831ffbe39c2a34aa54e20abd6b1c866debffb1c5e37789d81ea9deb8a3586caf

          SHA512

          f3b3cdfe5ceb450a962bad35b032d9c85eb5d4f0278b6b20c5cd59eb4dc48917e89e490252da29f1ff712f4c02915068360c42d266ef2df649b527e71de0ea6d

          Download Submit
        • C:\Users\Admin\AppData\Local\9nNk\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit
        • C:\Users\Admin\AppData\Local\KN1i\HID.DLL
          Filesize

          886KB

          MD5

          94645e0dfc31f9bff222b2bde41245bd

          SHA1

          3f380705f330a397d9182d3da7215d864906a752

          SHA256

          d504e1220e2d310d203457512d04ab2a90fd948a25e11deadf64b14c63274d8a

          SHA512

          75012da3e39b0d6a4e82e0736995f8220972d492bb5e28d877ec8bbfe40a041710fc8c2beace1eb0a1869669096c2ae0afad69b200282ae0dc77f4a7a96d1b18

          Download Submit
        • C:\Users\Admin\AppData\Local\KN1i\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit
        • C:\Users\Admin\AppData\Local\KN1i\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit
        • C:\Users\Admin\AppData\Local\Z9oqQqxU\SPP.dll
          Filesize

          885KB

          MD5

          d8f68d7375dd8fd9d18332e622ddd7de

          SHA1

          fae08e7dee8ec4b223e0384ca9bed973403531a1

          SHA256

          e3431e09c98f0f896678b7fd26817b7188c632f3746c4ca29467ef5b1f1f2eb4

          SHA512

          129204975eed3c64b395275729e96628e44a6722eae7455016812e62f7ff23d3f43bc03d952f7db0103c3fde6e80234b8a8aca906d159ec09c1a6a346b753b32

          Download Submit
        • C:\Users\Admin\AppData\Local\Z9oqQqxU\recdisc.exe
          Filesize

          232KB

          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit
        • \Users\Admin\AppData\Local\9nNk\VERSION.dll
          Filesize

          885KB

          MD5

          e21b14e62ec5ac659ca406f943b39cfa

          SHA1

          135241626f0d4b679473f4cb0e3459459410df7c

          SHA256

          831ffbe39c2a34aa54e20abd6b1c866debffb1c5e37789d81ea9deb8a3586caf

          SHA512

          f3b3cdfe5ceb450a962bad35b032d9c85eb5d4f0278b6b20c5cd59eb4dc48917e89e490252da29f1ff712f4c02915068360c42d266ef2df649b527e71de0ea6d

          Download Submit
        • \Users\Admin\AppData\Local\9nNk\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit
        • \Users\Admin\AppData\Local\KN1i\HID.DLL
          Filesize

          886KB

          MD5

          94645e0dfc31f9bff222b2bde41245bd

          SHA1

          3f380705f330a397d9182d3da7215d864906a752

          SHA256

          d504e1220e2d310d203457512d04ab2a90fd948a25e11deadf64b14c63274d8a

          SHA512

          75012da3e39b0d6a4e82e0736995f8220972d492bb5e28d877ec8bbfe40a041710fc8c2beace1eb0a1869669096c2ae0afad69b200282ae0dc77f4a7a96d1b18

          Download Submit
        • \Users\Admin\AppData\Local\KN1i\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit
        • \Users\Admin\AppData\Local\Z9oqQqxU\SPP.dll
          Filesize

          885KB

          MD5

          d8f68d7375dd8fd9d18332e622ddd7de

          SHA1

          fae08e7dee8ec4b223e0384ca9bed973403531a1

          SHA256

          e3431e09c98f0f896678b7fd26817b7188c632f3746c4ca29467ef5b1f1f2eb4

          SHA512

          129204975eed3c64b395275729e96628e44a6722eae7455016812e62f7ff23d3f43bc03d952f7db0103c3fde6e80234b8a8aca906d159ec09c1a6a346b753b32

          Download Submit
        • \Users\Admin\AppData\Local\Z9oqQqxU\recdisc.exe
          Filesize

          232KB

          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\FcSv3S\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit
        • memory/776-81-0x0000000000000000-mapping.dmp
          Download
        • memory/1244-75-0x0000000000000000-mapping.dmp
          Download
        • memory/1272-64-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-61-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-57-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-60-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-56-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-67-0x0000000077B80000-0x0000000077B82000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1272-65-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-66-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-54-0x0000000002980000-0x0000000002981000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1272-58-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-63-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-55-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-62-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1272-59-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1940-69-0x0000000000000000-mapping.dmp
          Download
        • memory/1940-71-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp
          Filesize

          8KB

          Download