Overview

overview

10

Static

static

9dbfefd3aa...b9.dll

windows7_x64

10

9dbfefd3aa...b9.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 09:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9dbfefd3aa7cbd264a254148e585440e404efe13db1bbc21cb462e17e85ce4b9.dll

  • Size

    1.1MB

  • MD5

    6bd4364803953637e50005a3b7ffef39

  • SHA1

    612d94d8505a4df8c1daf0b2577d63902fc48bc4

  • SHA256

    9dbfefd3aa7cbd264a254148e585440e404efe13db1bbc21cb462e17e85ce4b9

  • SHA512

    cc4965aa058138d81d0a034fa3b802ff830eff8475addb788116f792e1597a40fd1580a217384e1afec865f19ce1de669c5f175cd49c1a2cd095a94874334649

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dbfefd3aa7cbd264a254148e585440e404efe13db1bbc21cb462e17e85ce4b9.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1764
  • C:\Windows\system32\msdtc.exe
    C:\Windows\system32\msdtc.exe
    1⤵
      PID:1844
    • C:\Users\Admin\AppData\Local\G0r2Flb\msdtc.exe
      C:\Users\Admin\AppData\Local\G0r2Flb\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:956
    • C:\Windows\system32\SystemPropertiesHardware.exe
      C:\Windows\system32\SystemPropertiesHardware.exe
      1⤵
        PID:1704
      • C:\Users\Admin\AppData\Local\y0Awm\SystemPropertiesHardware.exe
        C:\Users\Admin\AppData\Local\y0Awm\SystemPropertiesHardware.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:796
      • C:\Windows\system32\notepad.exe
        C:\Windows\system32\notepad.exe
        1⤵
          PID:532
        • C:\Users\Admin\AppData\Local\ZLqi\notepad.exe
          C:\Users\Admin\AppData\Local\ZLqi\notepad.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1656

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\G0r2Flb\VERSION.dll
          Filesize

          1.1MB

          MD5

          63184a8099d2cd126ff9fc875725608f

          SHA1

          78d4bb98e12f5f254d3ecfce2af37121b73a1c7d

          SHA256

          07895a6345c948e253b8c97d6bedd124e16670519f0d599fbda4605fd5491f5d

          SHA512

          390ca02a0cdf6d9d82d5442c3a6b85a42f1f81da979b0c38dda9e064504b4dddb9495dc4fd7196b506be6a76e2915600d0f8302f64721481a2cb28d80bcd65af

          Download Submit
        • C:\Users\Admin\AppData\Local\G0r2Flb\msdtc.exe
          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit
        • C:\Users\Admin\AppData\Local\ZLqi\VERSION.dll
          Filesize

          1.1MB

          MD5

          81951cd436531a5a0609d31c26868a83

          SHA1

          a65bc42d9050ea4ed6a7714d5c80e53129008cb2

          SHA256

          dce899bf17d3151c9b0fdf6b90bb14062bc64ca0fd6012a07adc56cff2361359

          SHA512

          153f8a46b021037faa55135c5d36c1159a34e3ef20f9e9123b0513596fa92a292151fb2370a2322a084547c6f5857670bfb1dc3d8a3e71611e726f543d61f3da

          Download Submit
        • C:\Users\Admin\AppData\Local\ZLqi\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • C:\Users\Admin\AppData\Local\y0Awm\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          071d2f88e3c04a04d35a2d1053271a85

          SHA1

          dc8dccc8ab1e1c9718f0f9dda522b1d8c2446524

          SHA256

          b7550a84b2051ff1727fb2404612a9a6acb7771bed6318bd259c93c708dcbf04

          SHA512

          768b97f758e288acb48b59cb9b7a6de55e0afc4dad031ea83be951383b817c8e9ffb90a77d1a52a32784610419e430e6e2ff0ad0279beafb8a2e091098800d88

          Download Submit
        • C:\Users\Admin\AppData\Local\y0Awm\SystemPropertiesHardware.exe
          Filesize

          80KB

          MD5

          c63d722641c417764247f683f9fb43be

          SHA1

          948ec61ebf241c4d80efca3efdfc33fe746e3b98

          SHA256

          4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

          SHA512

          7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

          Download Submit
        • \Users\Admin\AppData\Local\G0r2Flb\VERSION.dll
          Filesize

          1.1MB

          MD5

          63184a8099d2cd126ff9fc875725608f

          SHA1

          78d4bb98e12f5f254d3ecfce2af37121b73a1c7d

          SHA256

          07895a6345c948e253b8c97d6bedd124e16670519f0d599fbda4605fd5491f5d

          SHA512

          390ca02a0cdf6d9d82d5442c3a6b85a42f1f81da979b0c38dda9e064504b4dddb9495dc4fd7196b506be6a76e2915600d0f8302f64721481a2cb28d80bcd65af

          Download Submit
        • \Users\Admin\AppData\Local\G0r2Flb\msdtc.exe
          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit
        • \Users\Admin\AppData\Local\ZLqi\VERSION.dll
          Filesize

          1.1MB

          MD5

          81951cd436531a5a0609d31c26868a83

          SHA1

          a65bc42d9050ea4ed6a7714d5c80e53129008cb2

          SHA256

          dce899bf17d3151c9b0fdf6b90bb14062bc64ca0fd6012a07adc56cff2361359

          SHA512

          153f8a46b021037faa55135c5d36c1159a34e3ef20f9e9123b0513596fa92a292151fb2370a2322a084547c6f5857670bfb1dc3d8a3e71611e726f543d61f3da

          Download Submit
        • \Users\Admin\AppData\Local\ZLqi\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • \Users\Admin\AppData\Local\y0Awm\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          071d2f88e3c04a04d35a2d1053271a85

          SHA1

          dc8dccc8ab1e1c9718f0f9dda522b1d8c2446524

          SHA256

          b7550a84b2051ff1727fb2404612a9a6acb7771bed6318bd259c93c708dcbf04

          SHA512

          768b97f758e288acb48b59cb9b7a6de55e0afc4dad031ea83be951383b817c8e9ffb90a77d1a52a32784610419e430e6e2ff0ad0279beafb8a2e091098800d88

          Download Submit
        • \Users\Admin\AppData\Local\y0Awm\SystemPropertiesHardware.exe
          Filesize

          80KB

          MD5

          c63d722641c417764247f683f9fb43be

          SHA1

          948ec61ebf241c4d80efca3efdfc33fe746e3b98

          SHA256

          4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

          SHA512

          7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1083475884-596052423-1669053738-1000\YCTp5u\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • memory/796-74-0x0000000000000000-mapping.dmp
          Download
        • memory/956-69-0x0000000000000000-mapping.dmp
          Download
        • memory/1264-67-0x0000000077030000-0x0000000077032000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1264-63-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-64-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-65-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-54-0x00000000026A0000-0x00000000026A1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1264-61-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-66-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-62-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-55-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-58-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-60-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-57-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-59-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1264-56-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1656-81-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1656-79-0x0000000000000000-mapping.dmp
          Download