Overview

overview

10

Static

static

9896a4f7a5...b8.dll

windows7_x64

8

9896a4f7a5...b8.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-04-2022 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9896a4f7a5d74708af6fdfc7bde7995dd9242b6c18a6239943c963ed60eeb7b8.dll

  • Size

    998KB

  • MD5

    c6b8a03ce5ec402adf6a7e40d960b306

  • SHA1

    bdbb9fbe24914344c69086ceeaed355c7715bdfd

  • SHA256

    9896a4f7a5d74708af6fdfc7bde7995dd9242b6c18a6239943c963ed60eeb7b8

  • SHA512

    3bb10b255f3ecc49fcd5cf743857af83b638c923c02c6814649cf3f64c310baa577430c278aac370765fe87bcf497a35141c7fc408c9906c3cba837def16e39f

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9896a4f7a5d74708af6fdfc7bde7995dd9242b6c18a6239943c963ed60eeb7b8.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:5056
  • C:\Windows\system32\upfc.exe
    C:\Windows\system32\upfc.exe
    1⤵
      PID:4428
    • C:\Users\Admin\AppData\Local\CuCF\upfc.exe
      C:\Users\Admin\AppData\Local\CuCF\upfc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1596
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      1⤵
        PID:4312
      • C:\Users\Admin\AppData\Local\Pj18\wermgr.exe
        C:\Users\Admin\AppData\Local\Pj18\wermgr.exe
        1⤵
        • Executes dropped EXE
        PID:4884
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        1⤵
          PID:636
        • C:\Users\Admin\AppData\Local\sgbCOcVwy\DWWIN.EXE
          C:\Users\Admin\AppData\Local\sgbCOcVwy\DWWIN.EXE
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1112
        • C:\Windows\system32\ie4uinit.exe
          C:\Windows\system32\ie4uinit.exe
          1⤵
            PID:3736
          • C:\Users\Admin\AppData\Local\ctaV2JXc\ie4uinit.exe
            C:\Users\Admin\AppData\Local\ctaV2JXc\ie4uinit.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1100
          • C:\Windows\system32\dialer.exe
            C:\Windows\system32\dialer.exe
            1⤵
              PID:3060
            • C:\Users\Admin\AppData\Local\vKJIc\dialer.exe
              C:\Users\Admin\AppData\Local\vKJIc\dialer.exe
              1⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks whether UAC is enabled
              PID:2540

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Registry Run Keys / Startup Folder

            1
            T1060

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\CuCF\XmlLite.dll
              Filesize

              999KB

              MD5

              a1ef0185e5d052b0b5a56debb5d6ac7b

              SHA1

              5802685a92533cdf2de06171ad67b0e620d97059

              SHA256

              d8343f6ec96986298f9425de886c8ce815b09037da18ff990e31ca543782ef28

              SHA512

              58b33a4896b84d72ee6e76cca0cb2f050d2621dada688ea2ba42770ea7bc3d8c354967e6b6a95b3187289cea91d629064f22eb08d743186ae64bc0fecb12f421

              Download Submit
            • C:\Users\Admin\AppData\Local\CuCF\XmlLite.dll
              Filesize

              999KB

              MD5

              a1ef0185e5d052b0b5a56debb5d6ac7b

              SHA1

              5802685a92533cdf2de06171ad67b0e620d97059

              SHA256

              d8343f6ec96986298f9425de886c8ce815b09037da18ff990e31ca543782ef28

              SHA512

              58b33a4896b84d72ee6e76cca0cb2f050d2621dada688ea2ba42770ea7bc3d8c354967e6b6a95b3187289cea91d629064f22eb08d743186ae64bc0fecb12f421

              Download Submit
            • C:\Users\Admin\AppData\Local\CuCF\upfc.exe
              Filesize

              118KB

              MD5

              299ea296575ccb9d2c1a779062535d5c

              SHA1

              2497169c13b0ba46a6be8a1fe493b250094079b7

              SHA256

              ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

              SHA512

              02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

              Download Submit
            • C:\Users\Admin\AppData\Local\Pj18\wermgr.exe
              Filesize

              223KB

              MD5

              f7991343cf02ed92cb59f394e8b89f1f

              SHA1

              573ad9af63a6a0ab9b209ece518fd582b54cfef5

              SHA256

              1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

              SHA512

              fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

              Download Submit
            • C:\Users\Admin\AppData\Local\ctaV2JXc\VERSION.dll
              Filesize

              1000KB

              MD5

              18dd9edf4356e25d2651e01f793cc4d5

              SHA1

              69476823a59c57e8e5e5f0ab88ebd4537a1c42a0

              SHA256

              868e74b04b0d0f6ae0516e00ddc58e441906e0282f29bdc87f1411dcf9012c2f

              SHA512

              7edd1ab87ab79fc0c0d2a917c4fc473397a40d85dc4ef99e08b19b90f7e6a7359fa1f11ff189827ce91dd35ec82fb9d25feadaabb0638230f325b67057382365

              Download Submit
            • C:\Users\Admin\AppData\Local\ctaV2JXc\VERSION.dll
              Filesize

              1000KB

              MD5

              18dd9edf4356e25d2651e01f793cc4d5

              SHA1

              69476823a59c57e8e5e5f0ab88ebd4537a1c42a0

              SHA256

              868e74b04b0d0f6ae0516e00ddc58e441906e0282f29bdc87f1411dcf9012c2f

              SHA512

              7edd1ab87ab79fc0c0d2a917c4fc473397a40d85dc4ef99e08b19b90f7e6a7359fa1f11ff189827ce91dd35ec82fb9d25feadaabb0638230f325b67057382365

              Download Submit
            • C:\Users\Admin\AppData\Local\ctaV2JXc\VERSION.dll
              Filesize

              1000KB

              MD5

              18dd9edf4356e25d2651e01f793cc4d5

              SHA1

              69476823a59c57e8e5e5f0ab88ebd4537a1c42a0

              SHA256

              868e74b04b0d0f6ae0516e00ddc58e441906e0282f29bdc87f1411dcf9012c2f

              SHA512

              7edd1ab87ab79fc0c0d2a917c4fc473397a40d85dc4ef99e08b19b90f7e6a7359fa1f11ff189827ce91dd35ec82fb9d25feadaabb0638230f325b67057382365

              Download Submit
            • C:\Users\Admin\AppData\Local\ctaV2JXc\VERSION.dll
              Filesize

              1000KB

              MD5

              18dd9edf4356e25d2651e01f793cc4d5

              SHA1

              69476823a59c57e8e5e5f0ab88ebd4537a1c42a0

              SHA256

              868e74b04b0d0f6ae0516e00ddc58e441906e0282f29bdc87f1411dcf9012c2f

              SHA512

              7edd1ab87ab79fc0c0d2a917c4fc473397a40d85dc4ef99e08b19b90f7e6a7359fa1f11ff189827ce91dd35ec82fb9d25feadaabb0638230f325b67057382365

              Download Submit
            • C:\Users\Admin\AppData\Local\ctaV2JXc\ie4uinit.exe
              Filesize

              262KB

              MD5

              a2f0104edd80ca2c24c24356d5eacc4f

              SHA1

              8269b9fd9231f04ed47419bd565c69dc677fab56

              SHA256

              5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

              SHA512

              e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

              Download Submit
            • C:\Users\Admin\AppData\Local\sgbCOcVwy\DWWIN.EXE
              Filesize

              229KB

              MD5

              444cc4d3422a0fdd45c1b78070026c60

              SHA1

              97162ff341fff1ec54b827ec02f8b86fd2d41a97

              SHA256

              4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0

              SHA512

              21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

              Download Submit
            • C:\Users\Admin\AppData\Local\sgbCOcVwy\VERSION.dll
              Filesize

              1000KB

              MD5

              06fe002f2572b59965997e79584abcfe

              SHA1

              81ea99ec51ba103c6d6e2f753aaf10c4ecab1882

              SHA256

              91e3568df69af2bd6a2707350d82f6f210a6c65da0231d179324d7d1811821dd

              SHA512

              0d120bb9e9061692ed503faa6adc9552f9b235884ec772da7aa3bb3b6b3cc1070f473cf784ed2b0e55b4c04f5fa39b4e734a62f73bff17117156acd654a97feb

              Download Submit
            • C:\Users\Admin\AppData\Local\sgbCOcVwy\VERSION.dll
              Filesize

              1000KB

              MD5

              06fe002f2572b59965997e79584abcfe

              SHA1

              81ea99ec51ba103c6d6e2f753aaf10c4ecab1882

              SHA256

              91e3568df69af2bd6a2707350d82f6f210a6c65da0231d179324d7d1811821dd

              SHA512

              0d120bb9e9061692ed503faa6adc9552f9b235884ec772da7aa3bb3b6b3cc1070f473cf784ed2b0e55b4c04f5fa39b4e734a62f73bff17117156acd654a97feb

              Download Submit
            • C:\Users\Admin\AppData\Local\vKJIc\TAPI32.dll
              Filesize

              1007KB

              MD5

              cf5e3ee027cdc037e2a5f96efe394c02

              SHA1

              f3cc127339da83f8f01d50e7a84a5066b45d195f

              SHA256

              fdce0b84e2af34afaeb13d70e115431ef7463602ea0adffb5488a4391e74c1d1

              SHA512

              c6e43b51be0dc33abeea89961e743d77d58fc6e65276abf4810fcda79abc1ad679d5bc29a84d3fe5b0f5d5f54219aece16000191f1e50777cd482b0c52760cec

              Download Submit
            • C:\Users\Admin\AppData\Local\vKJIc\TAPI32.dll
              Filesize

              1007KB

              MD5

              cf5e3ee027cdc037e2a5f96efe394c02

              SHA1

              f3cc127339da83f8f01d50e7a84a5066b45d195f

              SHA256

              fdce0b84e2af34afaeb13d70e115431ef7463602ea0adffb5488a4391e74c1d1

              SHA512

              c6e43b51be0dc33abeea89961e743d77d58fc6e65276abf4810fcda79abc1ad679d5bc29a84d3fe5b0f5d5f54219aece16000191f1e50777cd482b0c52760cec

              Download Submit
            • C:\Users\Admin\AppData\Local\vKJIc\dialer.exe
              Filesize

              39KB

              MD5

              b2626bdcf079c6516fc016ac5646df93

              SHA1

              838268205bd97d62a31094d53643c356ea7848a6

              SHA256

              e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

              SHA512

              615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

              Download Submit
            • memory/1100-179-0x0000000000000000-mapping.dmp
              Download
            • memory/1112-178-0x000001FCBF470000-0x000001FCBF477000-memory.dmp
              Filesize

              28KB

              Download
            • memory/1112-170-0x0000000000000000-mapping.dmp
              Download
            • memory/1596-163-0x0000000140000000-0x0000000140102000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/1596-159-0x0000000000000000-mapping.dmp
              Download
            • memory/1596-167-0x000001D4448C0000-0x000001D4448C7000-memory.dmp
              Filesize

              28KB

              Download
            • memory/2148-144-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-142-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-156-0x00007FFAD951C000-0x00007FFAD951D000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2148-146-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-135-0x00000000009E0000-0x00000000009E1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2148-136-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-145-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-155-0x00000000009B0000-0x00000000009B7000-memory.dmp
              Filesize

              28KB

              Download
            • memory/2148-158-0x00007FFAD9430000-0x00007FFAD9440000-memory.dmp
              Filesize

              64KB

              Download
            • memory/2148-137-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-143-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-157-0x00007FFAD94EC000-0x00007FFAD94ED000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2148-141-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-140-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-139-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2148-138-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2540-185-0x0000000000000000-mapping.dmp
              Download
            • memory/2540-189-0x0000000140000000-0x0000000140103000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/2540-193-0x0000028417540000-0x0000028417547000-memory.dmp
              Filesize

              28KB

              Download
            • memory/4884-168-0x0000000000000000-mapping.dmp
              Download
            • memory/5056-130-0x0000000140000000-0x0000000140101000-memory.dmp
              Filesize

              1.0MB

              Download
            • memory/5056-134-0x000001C0124D0000-0x000001C0124D7000-memory.dmp
              Filesize

              28KB

              Download