Overview

overview

10

Static

static

d61a3625e4...7b.dll

windows7_x64

10

d61a3625e4...7b.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-04-2022 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d61a3625e48b64d363dd0285df0b62ceff9447ab6ed4db4699408486ec96fb7b.dll

  • Size

    693KB

  • MD5

    128568f4bf11bb59f95e87f5057f1987

  • SHA1

    5099331e75b4a77cfe1cd00da93f7ceb21cebfcf

  • SHA256

    d61a3625e48b64d363dd0285df0b62ceff9447ab6ed4db4699408486ec96fb7b

  • SHA512

    1ace10e8851bcae7ba8347c14016fe6b198d2e30aa399f919e5cdb1aceba2e3fd70dad3cd5b19f08ad97d5d7986668b884808a890607916d7ff31acb02ad86d8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Payload 3 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d61a3625e48b64d363dd0285df0b62ceff9447ab6ed4db4699408486ec96fb7b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1856
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    1⤵
      PID:2840
    • C:\Users\Admin\AppData\Local\kkc9RL\wbengine.exe
      C:\Users\Admin\AppData\Local\kkc9RL\wbengine.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4256
    • C:\Windows\system32\SystemPropertiesRemote.exe
      C:\Windows\system32\SystemPropertiesRemote.exe
      1⤵
        PID:4708
      • C:\Users\Admin\AppData\Local\zmD7l\SystemPropertiesRemote.exe
        C:\Users\Admin\AppData\Local\zmD7l\SystemPropertiesRemote.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5064
      • C:\Windows\system32\tcmsetup.exe
        C:\Windows\system32\tcmsetup.exe
        1⤵
          PID:2680
        • C:\Users\Admin\AppData\Local\sByIT84i\tcmsetup.exe
          C:\Users\Admin\AppData\Local\sByIT84i\tcmsetup.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2660

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\kkc9RL\SPP.dll
          Filesize

          694KB

          MD5

          849adc3100f81deb315c225c9c7ff350

          SHA1

          4cc76c2a8e545fcde93f07850696ac34e29a71f9

          SHA256

          e701046fa9c29121d890b09333906f95d2eecdacbc632dc5e298bb46aaeb2120

          SHA512

          df8830a7d0169226457d2b086641e2fbb3da1d4687a42154948f596fc08729df37683f5445816fb14832a4d6e5bd62e4f835d3c71a5785db7634ba36d03c0bff

          Download Submit
        • C:\Users\Admin\AppData\Local\kkc9RL\SPP.dll
          Filesize

          694KB

          MD5

          849adc3100f81deb315c225c9c7ff350

          SHA1

          4cc76c2a8e545fcde93f07850696ac34e29a71f9

          SHA256

          e701046fa9c29121d890b09333906f95d2eecdacbc632dc5e298bb46aaeb2120

          SHA512

          df8830a7d0169226457d2b086641e2fbb3da1d4687a42154948f596fc08729df37683f5445816fb14832a4d6e5bd62e4f835d3c71a5785db7634ba36d03c0bff

          Download Submit
        • C:\Users\Admin\AppData\Local\kkc9RL\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit
        • C:\Users\Admin\AppData\Local\sByIT84i\TAPI32.dll
          Filesize

          701KB

          MD5

          731f4c1ff1347d28dba3eaf4d3b21c54

          SHA1

          16d2f577188b7369d8fbc381e1fc4e5fb5df5bc2

          SHA256

          0d8af03326793ed0066873f0a2050b1770bee2ce88d74abaead24f22d70cd286

          SHA512

          03c7e56d994da81fce7c5a67c836f801c2840c49044148e410a95e08a5bb2aa559caf502862f1d461b11198668f2aba20d09a33a90121bc8ea3e1d4e7663d376

          Download Submit
        • C:\Users\Admin\AppData\Local\sByIT84i\TAPI32.dll
          Filesize

          701KB

          MD5

          731f4c1ff1347d28dba3eaf4d3b21c54

          SHA1

          16d2f577188b7369d8fbc381e1fc4e5fb5df5bc2

          SHA256

          0d8af03326793ed0066873f0a2050b1770bee2ce88d74abaead24f22d70cd286

          SHA512

          03c7e56d994da81fce7c5a67c836f801c2840c49044148e410a95e08a5bb2aa559caf502862f1d461b11198668f2aba20d09a33a90121bc8ea3e1d4e7663d376

          Download Submit
        • C:\Users\Admin\AppData\Local\sByIT84i\tcmsetup.exe
          Filesize

          16KB

          MD5

          58f3b915b9ae7d63431772c2616b0945

          SHA1

          6346e837da3b0f551becb7cac6d160e3063696e9

          SHA256

          e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

          SHA512

          7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

          Download Submit
        • C:\Users\Admin\AppData\Local\zmD7l\SYSDM.CPL
          Filesize

          694KB

          MD5

          bdfe567639b824093d6c98811a5d3d59

          SHA1

          f2077ef89ae7618f021392eca1c79ebce31080ce

          SHA256

          f0001168ed539e3b238cffab8e4e49522994990866aa7598b8a17a095510e03a

          SHA512

          8f5db57c6f9dbcbb752d8f70be5faaca61f35d4ae38ac87c56c20efba6fe8bc916d81c6a9611d329834536ff4e2a8074012d39dabd49114d5a2cf0c78f8547de

          Download Submit
        • C:\Users\Admin\AppData\Local\zmD7l\SYSDM.CPL
          Filesize

          694KB

          MD5

          bdfe567639b824093d6c98811a5d3d59

          SHA1

          f2077ef89ae7618f021392eca1c79ebce31080ce

          SHA256

          f0001168ed539e3b238cffab8e4e49522994990866aa7598b8a17a095510e03a

          SHA512

          8f5db57c6f9dbcbb752d8f70be5faaca61f35d4ae38ac87c56c20efba6fe8bc916d81c6a9611d329834536ff4e2a8074012d39dabd49114d5a2cf0c78f8547de

          Download Submit
        • C:\Users\Admin\AppData\Local\zmD7l\SystemPropertiesRemote.exe
          Filesize

          82KB

          MD5

          cdce1ee7f316f249a3c20cc7a0197da9

          SHA1

          dadb23af07827758005ec0235ac1573ffcea0da6

          SHA256

          7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

          SHA512

          f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

          Download Submit
        • memory/1856-133-0x0000020272930000-0x0000020272937000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1856-130-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/2660-178-0x000002D492E40000-0x000002D492E47000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2660-175-0x0000000140000000-0x00000001400B4000-memory.dmp
          Filesize

          720KB

          Download
        • memory/2660-171-0x0000000000000000-mapping.dmp
          Download
        • memory/3144-154-0x00007FF8C1510000-0x00007FF8C1520000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3144-136-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/3144-135-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/3144-139-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/3144-138-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/3144-142-0x0000000000830000-0x0000000000837000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3144-143-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/3144-141-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/3144-140-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/3144-137-0x0000000140000000-0x00000001400B2000-memory.dmp
          Filesize

          712KB

          Download
        • memory/3144-153-0x00007FF8C15CC000-0x00007FF8C15CD000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3144-134-0x0000000000860000-0x0000000000861000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3144-152-0x00007FF8C15FC000-0x00007FF8C15FD000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4256-155-0x0000000000000000-mapping.dmp
          Download
        • memory/4256-162-0x00000255C43E0000-0x00000255C43E7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4256-159-0x0000000140000000-0x00000001400B3000-memory.dmp
          Filesize

          716KB

          Download
        • memory/5064-170-0x000001EE10300000-0x000001EE10307000-memory.dmp
          Filesize

          28KB

          Download
        • memory/5064-163-0x0000000000000000-mapping.dmp
          Download