Overview

overview

10

Static

static

c1b3d54243...46.dll

windows7_x64

10

c1b3d54243...46.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-04-2022 09:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1b3d542437bf99e35a80e4e3c76f96bbd606ff4ad3d776dac0b669349a21f46.dll

  • Size

    879KB

  • MD5

    345fe9bed1a1c1abe86be54d6e986731

  • SHA1

    c45e7d3942fbd00268937c9d638c580565a1a2ec

  • SHA256

    c1b3d542437bf99e35a80e4e3c76f96bbd606ff4ad3d776dac0b669349a21f46

  • SHA512

    3c130b65cbeebc6dc9e724df377a75d3a0780cce19d32f085b6b8b4aac01d881f63bb5cdc2b696943bc7f18b6802289ee4fd12203126f732b15dfb260aca55e7

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1b3d542437bf99e35a80e4e3c76f96bbd606ff4ad3d776dac0b669349a21f46.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3376
  • C:\Windows\system32\MusNotificationUx.exe
    C:\Windows\system32\MusNotificationUx.exe
    1⤵
      PID:2308
    • C:\Users\Admin\AppData\Local\PAaZ2wuPP\MusNotificationUx.exe
      C:\Users\Admin\AppData\Local\PAaZ2wuPP\MusNotificationUx.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1248
    • C:\Windows\system32\FXSCOVER.exe
      C:\Windows\system32\FXSCOVER.exe
      1⤵
        PID:1720
      • C:\Users\Admin\AppData\Local\TL1aRqxA\FXSCOVER.exe
        C:\Users\Admin\AppData\Local\TL1aRqxA\FXSCOVER.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:688
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:1860
        • C:\Users\Admin\AppData\Local\fxuVI\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\fxuVI\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3772

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\PAaZ2wuPP\MusNotificationUx.exe
          Filesize

          615KB

          MD5

          869a214114a81712199f3de5d69d9aad

          SHA1

          be973e4188eff0d53fdf0e9360106e8ad946d89f

          SHA256

          405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

          SHA512

          befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

          Download Submit
        • C:\Users\Admin\AppData\Local\PAaZ2wuPP\XmlLite.dll
          Filesize

          879KB

          MD5

          630cc2a851293a0c510a181b8288dbcf

          SHA1

          ce6f024313e3f542b56a0b1fce974c50908ee268

          SHA256

          03f95aae3b6e4c26d79d73653ea3cfdb5fc57b4954efc6a9a9b29e0ba9cc0b19

          SHA512

          5d0013acb49372f2a15c581169519fdaf33849597600e9f9d8065b4d8f4d0f76e07b1540ab4751b9736bb2298e6af64df47636271aa90d117dae1bd1edd78d3e

          Download Submit
        • C:\Users\Admin\AppData\Local\PAaZ2wuPP\XmlLite.dll
          Filesize

          879KB

          MD5

          630cc2a851293a0c510a181b8288dbcf

          SHA1

          ce6f024313e3f542b56a0b1fce974c50908ee268

          SHA256

          03f95aae3b6e4c26d79d73653ea3cfdb5fc57b4954efc6a9a9b29e0ba9cc0b19

          SHA512

          5d0013acb49372f2a15c581169519fdaf33849597600e9f9d8065b4d8f4d0f76e07b1540ab4751b9736bb2298e6af64df47636271aa90d117dae1bd1edd78d3e

          Download Submit
        • C:\Users\Admin\AppData\Local\TL1aRqxA\FXSCOVER.exe
          Filesize

          242KB

          MD5

          5769f78d00f22f76a4193dc720d0b2bd

          SHA1

          d62b6cab057e88737cba43fe9b0c6d11a28b53e8

          SHA256

          40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

          SHA512

          b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

          Download Submit
        • C:\Users\Admin\AppData\Local\TL1aRqxA\MFC42u.dll
          Filesize

          906KB

          MD5

          0ea86ac065ac91b8f75afd98cd5f7089

          SHA1

          b9fb9d5f7f0d7f4b70ef824c6adcf93572b7aa70

          SHA256

          46884056b1a6d6028c531a01ab06f68e7b49fa62b9fd67f8ec9779a182ab7444

          SHA512

          ecc0ca52a14794d9916e2ab76cea05011312d4fac083b4220178ad612e6b6b91156f2537bcb5ab3e972f625dada884bc5de5de8aa09785be3c0dc9fd5a2102d5

          Download Submit
        • C:\Users\Admin\AppData\Local\TL1aRqxA\MFC42u.dll
          Filesize

          906KB

          MD5

          0ea86ac065ac91b8f75afd98cd5f7089

          SHA1

          b9fb9d5f7f0d7f4b70ef824c6adcf93572b7aa70

          SHA256

          46884056b1a6d6028c531a01ab06f68e7b49fa62b9fd67f8ec9779a182ab7444

          SHA512

          ecc0ca52a14794d9916e2ab76cea05011312d4fac083b4220178ad612e6b6b91156f2537bcb5ab3e972f625dada884bc5de5de8aa09785be3c0dc9fd5a2102d5

          Download Submit
        • C:\Users\Admin\AppData\Local\fxuVI\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit
        • C:\Users\Admin\AppData\Local\fxuVI\MFC42u.dll
          Filesize

          906KB

          MD5

          91992f6545d232201ccc633ce141fc4c

          SHA1

          16debe659aa560b0f13a892aadba60f3e1c176c0

          SHA256

          c75bf779063c7e2b2c29a8089b0d2aa07a59cf728326738c708a728d83d5429e

          SHA512

          8a4fbd2bdf70cd4b9acae4a000c6df0346722a392549320033505d91556eaf2478edbfeebcdc931141facc6e4be96c2e35af83f790b496e815d91a3cf8136ebf

          Download Submit
        • C:\Users\Admin\AppData\Local\fxuVI\MFC42u.dll
          Filesize

          906KB

          MD5

          91992f6545d232201ccc633ce141fc4c

          SHA1

          16debe659aa560b0f13a892aadba60f3e1c176c0

          SHA256

          c75bf779063c7e2b2c29a8089b0d2aa07a59cf728326738c708a728d83d5429e

          SHA512

          8a4fbd2bdf70cd4b9acae4a000c6df0346722a392549320033505d91556eaf2478edbfeebcdc931141facc6e4be96c2e35af83f790b496e815d91a3cf8136ebf

          Download Submit
        • memory/688-148-0x0000000000000000-mapping.dmp
          Download
        • memory/1248-144-0x0000000000000000-mapping.dmp
          Download
        • memory/2640-139-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-138-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-143-0x00007FFA16AB0000-0x00007FFA16AC0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/2640-134-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-135-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-136-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-137-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-133-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-130-0x00000000012E0000-0x00000000012E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2640-142-0x00007FFA16B6C000-0x00007FFA16B6D000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2640-141-0x00007FFA16B9C000-0x00007FFA16B9D000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2640-140-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-132-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/2640-131-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3772-152-0x0000000000000000-mapping.dmp
          Download