Overview

overview

10

Static

static

18183b756c...9b.dll

windows7_x64

10

18183b756c...9b.dll

windows10-2004_x64

8

Analysis

  • max time kernel
    153s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18183b756caf26a960e906479ee989da217e49b69ecf564624368194137f1f9b.dll

  • Size

    1.1MB

  • MD5

    886b43a327447cece77a27f03eea3c94

  • SHA1

    0c459a4196f6fd0d7bf68ad339f75ce081a374f3

  • SHA256

    18183b756caf26a960e906479ee989da217e49b69ecf564624368194137f1f9b

  • SHA512

    a59d269f9a1d66e63e1b4ffcbf89767a73032011820bf0bf3a911505efd8b04bf4c47d2640a9858a95ab05fdb6922939e0b9806e23d281fdd241593d978cf30d

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\18183b756caf26a960e906479ee989da217e49b69ecf564624368194137f1f9b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1928
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    1⤵
      PID:1848
    • C:\Users\Admin\AppData\Local\DeWh\perfmon.exe
      C:\Users\Admin\AppData\Local\DeWh\perfmon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1048
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:1312
      • C:\Users\Admin\AppData\Local\QIfUZL\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\QIfUZL\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1316
      • C:\Windows\system32\slui.exe
        C:\Windows\system32\slui.exe
        1⤵
          PID:660
        • C:\Users\Admin\AppData\Local\RvjlbFx\slui.exe
          C:\Users\Admin\AppData\Local\RvjlbFx\slui.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1568

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DeWh\Secur32.dll
          Filesize

          1.1MB

          MD5

          2a19bfb5d17286f36864ec3c398d48e5

          SHA1

          703402eb54f9950cfa05735084131bb6a05a2a32

          SHA256

          a07f2a3da8765a26de4a002a7360196c06c4f6528b3258feb2952ff33d7409f6

          SHA512

          11a864cb5617c8f744d63b951e47f124d5340ba04b0ebac0f7a9685395c5aeb9de62297ef65530a8035bb86352dc9737342fa7ebc0142f19f42b4ed3ad722c0b

          Download Submit
        • C:\Users\Admin\AppData\Local\DeWh\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit
        • C:\Users\Admin\AppData\Local\QIfUZL\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit
        • C:\Users\Admin\AppData\Local\QIfUZL\FVEWIZ.dll
          Filesize

          1.1MB

          MD5

          827b4d4af26613393c565d8bdc1651d8

          SHA1

          afbd3f9f19d2e0b1bdd91c022f44e695377f69ee

          SHA256

          b56da7585d285c050f9590215e5566c792a146373d964a1a9ac58a190a1316ba

          SHA512

          65373d108a0aacc16b63269ee982f34a0532b177f68e6f486292ac1b0ea1a41858f93e1b29c4edaa370e06d885f2ae02c18a5a2c054cd1ef10bc4768248c3096

          Download Submit
        • C:\Users\Admin\AppData\Local\RvjlbFx\slc.dll
          Filesize

          1.1MB

          MD5

          b06f37d6b37566256ac2c86a6b24fc4e

          SHA1

          195c6b8874f61baaefe9263c7c27fe1fbcf07745

          SHA256

          a6ca646870034f4fba516b97662e6c0ed02802cbd51893471a372b90a088c729

          SHA512

          03c148667d7eb28340ae23b1eaf08505fc9453b26b6df93b7a4292dc51fb91cd31874a5c2d8fd71890822c0678811ef0df82761c993bd99cc49eedf4d1283c72

          Download Submit
        • C:\Users\Admin\AppData\Local\RvjlbFx\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit
        • \Users\Admin\AppData\Local\DeWh\Secur32.dll
          Filesize

          1.1MB

          MD5

          2a19bfb5d17286f36864ec3c398d48e5

          SHA1

          703402eb54f9950cfa05735084131bb6a05a2a32

          SHA256

          a07f2a3da8765a26de4a002a7360196c06c4f6528b3258feb2952ff33d7409f6

          SHA512

          11a864cb5617c8f744d63b951e47f124d5340ba04b0ebac0f7a9685395c5aeb9de62297ef65530a8035bb86352dc9737342fa7ebc0142f19f42b4ed3ad722c0b

          Download Submit
        • \Users\Admin\AppData\Local\DeWh\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit
        • \Users\Admin\AppData\Local\QIfUZL\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit
        • \Users\Admin\AppData\Local\QIfUZL\FVEWIZ.dll
          Filesize

          1.1MB

          MD5

          827b4d4af26613393c565d8bdc1651d8

          SHA1

          afbd3f9f19d2e0b1bdd91c022f44e695377f69ee

          SHA256

          b56da7585d285c050f9590215e5566c792a146373d964a1a9ac58a190a1316ba

          SHA512

          65373d108a0aacc16b63269ee982f34a0532b177f68e6f486292ac1b0ea1a41858f93e1b29c4edaa370e06d885f2ae02c18a5a2c054cd1ef10bc4768248c3096

          Download Submit
        • \Users\Admin\AppData\Local\RvjlbFx\slc.dll
          Filesize

          1.1MB

          MD5

          b06f37d6b37566256ac2c86a6b24fc4e

          SHA1

          195c6b8874f61baaefe9263c7c27fe1fbcf07745

          SHA256

          a6ca646870034f4fba516b97662e6c0ed02802cbd51893471a372b90a088c729

          SHA512

          03c148667d7eb28340ae23b1eaf08505fc9453b26b6df93b7a4292dc51fb91cd31874a5c2d8fd71890822c0678811ef0df82761c993bd99cc49eedf4d1283c72

          Download Submit
        • \Users\Admin\AppData\Local\RvjlbFx\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2277218442-1199762539-2004043321-1000\Dmn\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit
        • memory/1048-73-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1048-69-0x0000000000000000-mapping.dmp
          Download
        • memory/1224-62-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-60-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-66-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-65-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-64-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-63-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-55-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-67-0x0000000077400000-0x0000000077402000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1224-54-0x00000000021E0000-0x00000000021E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1224-61-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-59-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-56-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-58-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1224-57-0x0000000140000000-0x0000000140126000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/1316-75-0x0000000000000000-mapping.dmp
          Download
        • memory/1568-80-0x0000000000000000-mapping.dmp
          Download