Overview

overview

10

Static

static

73caa28a71...c9.dll

windows7_x64

10

73caa28a71...c9.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    170s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-04-2022 07:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73caa28a71480350c140f8cb71bf182687bf83c0d481692b2b3bf03aa5fbcfc9.dll

  • Size

    889KB

  • MD5

    1460c61535d4ed50db9b869de9730df8

  • SHA1

    fe13819850c1539cbd2cbefe62f5ad72f9b03fb5

  • SHA256

    73caa28a71480350c140f8cb71bf182687bf83c0d481692b2b3bf03aa5fbcfc9

  • SHA512

    ce3cbaad3e075cdfcbf0889d82f6a2d8fe8947fa00e09cc58b4bd77a85dbbace5564ea3ad33026dc1b482bf3b17f1194a8988b2c33513dc957550a3e713d5d10

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\73caa28a71480350c140f8cb71bf182687bf83c0d481692b2b3bf03aa5fbcfc9.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1112
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    1⤵
      PID:4124
    • C:\Users\Admin\AppData\Local\QGs64V\sethc.exe
      C:\Users\Admin\AppData\Local\QGs64V\sethc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2580
    • C:\Windows\system32\omadmclient.exe
      C:\Windows\system32\omadmclient.exe
      1⤵
        PID:3276
      • C:\Users\Admin\AppData\Local\rnTz3PnN\omadmclient.exe
        C:\Users\Admin\AppData\Local\rnTz3PnN\omadmclient.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3408
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:4652
        • C:\Users\Admin\AppData\Local\m4OXyT\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\m4OXyT\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4220

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\QGs64V\WTSAPI32.dll
          Filesize

          892KB

          MD5

          7745c15667cc04858cf9e06e1c9b9c5f

          SHA1

          202decf7a9c28ea70f684deb21e002f89ee10dbe

          SHA256

          359b17ced362de678237ed749051ea2dc0776209ca42db2da61fda8c0346533d

          SHA512

          2fbf12375c6d125bc6ed490d3f92437261f6d05f5a5969970c0279147973d40043bfb9649de59934ee6a080c5b5e8eaf20cc3e987d589d14ccfa5d3067cb6321

          Download Submit
        • C:\Users\Admin\AppData\Local\QGs64V\WTSAPI32.dll
          Filesize

          892KB

          MD5

          7745c15667cc04858cf9e06e1c9b9c5f

          SHA1

          202decf7a9c28ea70f684deb21e002f89ee10dbe

          SHA256

          359b17ced362de678237ed749051ea2dc0776209ca42db2da61fda8c0346533d

          SHA512

          2fbf12375c6d125bc6ed490d3f92437261f6d05f5a5969970c0279147973d40043bfb9649de59934ee6a080c5b5e8eaf20cc3e987d589d14ccfa5d3067cb6321

          Download Submit
        • C:\Users\Admin\AppData\Local\QGs64V\sethc.exe
          Filesize

          104KB

          MD5

          8ba3a9702a3f1799431cad6a290223a6

          SHA1

          9c7dc9b6830297c8f759d1f46c8b36664e26c031

          SHA256

          615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

          SHA512

          680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

          Download Submit
        • C:\Users\Admin\AppData\Local\m4OXyT\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit
        • C:\Users\Admin\AppData\Local\m4OXyT\FVEWIZ.dll
          Filesize

          892KB

          MD5

          f8cbad01505f9d52a6b262dc4613f9b8

          SHA1

          dac4eeff0d80d1e7c2f69646bc257c05f9903846

          SHA256

          96cfb7e228139780ae8d5bc0b5fd0889be170cdadb151180bbb2e80320ba6b81

          SHA512

          ade81d201c56f15d82f4675d54ce949ff517aa720f2be437bb7bbeb2e4770fb2ebac1c61948b7c2f60ca40a5d52928e48999c18697c091d7ab804d6f37d58a8e

          Download Submit
        • C:\Users\Admin\AppData\Local\m4OXyT\FVEWIZ.dll
          Filesize

          892KB

          MD5

          f8cbad01505f9d52a6b262dc4613f9b8

          SHA1

          dac4eeff0d80d1e7c2f69646bc257c05f9903846

          SHA256

          96cfb7e228139780ae8d5bc0b5fd0889be170cdadb151180bbb2e80320ba6b81

          SHA512

          ade81d201c56f15d82f4675d54ce949ff517aa720f2be437bb7bbeb2e4770fb2ebac1c61948b7c2f60ca40a5d52928e48999c18697c091d7ab804d6f37d58a8e

          Download Submit
        • C:\Users\Admin\AppData\Local\rnTz3PnN\XmlLite.dll
          Filesize

          890KB

          MD5

          a2e159793246fff7ce84285b29442cc7

          SHA1

          951f66cee701284e721c6f5c7b7524a8f2b58706

          SHA256

          4e499c9e882131cbe5b7320f1f1fd5d42bb3b3bbed5fbd697ac37f8267f4e7f4

          SHA512

          6de3c59c7b4dc7432b286d2d694688fcbe51f25adccf5590d46206c7330a054911d39b16d569114a5fc40aa38b123b8d53ab46d289a9b0c01cdd6d2afed05a81

          Download Submit
        • C:\Users\Admin\AppData\Local\rnTz3PnN\XmlLite.dll
          Filesize

          890KB

          MD5

          a2e159793246fff7ce84285b29442cc7

          SHA1

          951f66cee701284e721c6f5c7b7524a8f2b58706

          SHA256

          4e499c9e882131cbe5b7320f1f1fd5d42bb3b3bbed5fbd697ac37f8267f4e7f4

          SHA512

          6de3c59c7b4dc7432b286d2d694688fcbe51f25adccf5590d46206c7330a054911d39b16d569114a5fc40aa38b123b8d53ab46d289a9b0c01cdd6d2afed05a81

          Download Submit
        • C:\Users\Admin\AppData\Local\rnTz3PnN\omadmclient.exe
          Filesize

          425KB

          MD5

          8992b5b28a996eb83761dafb24959ab4

          SHA1

          697ecb33b8ff5b0e73ef29ce471153b368b1b729

          SHA256

          e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

          SHA512

          4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

          Download Submit
        • memory/1060-138-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-139-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-142-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-131-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-144-0x00007FFFB994C000-0x00007FFFB994D000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1060-143-0x00007FFFB997C000-0x00007FFFB997D000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1060-145-0x00007FFFB9890000-0x00007FFFB98A0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/1060-132-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-140-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-141-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-130-0x0000000000900000-0x0000000000901000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1060-133-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-137-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-136-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-135-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/1060-134-0x0000000140000000-0x00000001400E2000-memory.dmp
          Filesize

          904KB

          Download
        • memory/2580-146-0x0000000000000000-mapping.dmp
          Download
        • memory/3408-150-0x0000000000000000-mapping.dmp
          Download
        • memory/4220-154-0x0000000000000000-mapping.dmp
          Download