Analysis
-
max time kernel
152s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
17-04-2022 16:35
General
-
Target
754bbc764d9795ce569b43da13cff7ac3a2989e00d40b6bfa28d26b744181a63.dll
-
Size
695KB
-
MD5
2152a92c873be5b4f0e9eeb39994bf73
-
SHA1
f4f2ce11b51a4612bbb815ada9caff2707ab3efa
-
SHA256
754bbc764d9795ce569b43da13cff7ac3a2989e00d40b6bfa28d26b744181a63
-
SHA512
93ca66ed5b29c38050c2ea957fa1767618181f4759b8ec97023579f7be6eed4dc7d09c02c49bf75888a242ba5d74f1e1da0248d8a512973ab076eb76383d19a6
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Payload 3 IoCs
Detects Dridex x64 core DLL in memory.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\754bbc764d9795ce569b43da13cff7ac3a2989e00d40b6bfa28d26b744181a63.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wbengine.exeC:\Windows\system32\wbengine.exe1⤵
-
C:\Users\Admin\AppData\Local\8wX\wbengine.exeC:\Users\Admin\AppData\Local\8wX\wbengine.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\Utilman.exeC:\Windows\system32\Utilman.exe1⤵
-
C:\Users\Admin\AppData\Local\5FGP\Utilman.exeC:\Users\Admin\AppData\Local\5FGP\Utilman.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SysResetErr.exeC:\Windows\system32\SysResetErr.exe1⤵
-
C:\Users\Admin\AppData\Local\sD2Vy86\SysResetErr.exeC:\Users\Admin\AppData\Local\sD2Vy86\SysResetErr.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\5FGP\OLEACC.dllFilesize
696KB
MD559cfe73abb6bbad87682825f9ca000a6
SHA1034974559cfeb1ae5e98d4658bddb4c9c97f1db0
SHA256b019e8840ea53e2b27f319e6a59fbd442aaee54da7d13b21f55cd06132685fbd
SHA512ff1c8e259f5f0a74499afdc7b2758f6fba78fd4d3cb7457c2be66d96c8745e3359220c2471dc14e4febbe94bd2b3ba59f42b29263f31b5d780f58f70b5e8441c
-
C:\Users\Admin\AppData\Local\5FGP\OLEACC.dllFilesize
696KB
MD559cfe73abb6bbad87682825f9ca000a6
SHA1034974559cfeb1ae5e98d4658bddb4c9c97f1db0
SHA256b019e8840ea53e2b27f319e6a59fbd442aaee54da7d13b21f55cd06132685fbd
SHA512ff1c8e259f5f0a74499afdc7b2758f6fba78fd4d3cb7457c2be66d96c8745e3359220c2471dc14e4febbe94bd2b3ba59f42b29263f31b5d780f58f70b5e8441c
-
C:\Users\Admin\AppData\Local\5FGP\Utilman.exeFilesize
123KB
MD5a117edc0e74ab4770acf7f7e86e573f7
SHA15ceffb1a5e05e52aafcbc2d44e1e8445440706f3
SHA256b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37
SHA51272883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97
-
C:\Users\Admin\AppData\Local\8wX\XmlLite.dllFilesize
696KB
MD5fd20972778e395fe49b209aa7d3ea765
SHA1f8b5e7989f7f59c77ef2c7818f5c39ae61343086
SHA2564d5c8551657433bf4ced877c300c73d4f4e51839e0a57b0af0081dd54d338f49
SHA5120fab26bef7069ac57244dfafe44e4ac5565d51be5be9b3ec6751e566e9c45cedb8bb0752f118b1e217706ec36b3f890c591b7793602d16309d18ddb7d72e117f
-
C:\Users\Admin\AppData\Local\8wX\XmlLite.dllFilesize
696KB
MD5fd20972778e395fe49b209aa7d3ea765
SHA1f8b5e7989f7f59c77ef2c7818f5c39ae61343086
SHA2564d5c8551657433bf4ced877c300c73d4f4e51839e0a57b0af0081dd54d338f49
SHA5120fab26bef7069ac57244dfafe44e4ac5565d51be5be9b3ec6751e566e9c45cedb8bb0752f118b1e217706ec36b3f890c591b7793602d16309d18ddb7d72e117f
-
C:\Users\Admin\AppData\Local\8wX\wbengine.exeFilesize
1.5MB
MD517270a354a66590953c4aac1cf54e507
SHA1715babcc8e46b02ac498f4f06df7937904d9798d
SHA2569954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4
SHA5126be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89
-
C:\Users\Admin\AppData\Local\sD2Vy86\DUI70.dllFilesize
972KB
MD5898d7c5eeb6832b76213c1eb57c91b3f
SHA1da3089c77dd47bfbce6a58288db9b364e16f6ca8
SHA2560b416ade5ee8ddc7c111bb3d22a6d015b8950a070dc0a02a9f650e84bd532e5c
SHA512231b25892bb221b0aef4cbab40b5647042a39b1b9878a1c2bca4d490f809ba72ac632f6c2265544120ea381f6ae11fccfc1e580b6326052141de04f0d81ef9ff
-
C:\Users\Admin\AppData\Local\sD2Vy86\DUI70.dllFilesize
972KB
MD5898d7c5eeb6832b76213c1eb57c91b3f
SHA1da3089c77dd47bfbce6a58288db9b364e16f6ca8
SHA2560b416ade5ee8ddc7c111bb3d22a6d015b8950a070dc0a02a9f650e84bd532e5c
SHA512231b25892bb221b0aef4cbab40b5647042a39b1b9878a1c2bca4d490f809ba72ac632f6c2265544120ea381f6ae11fccfc1e580b6326052141de04f0d81ef9ff
-
C:\Users\Admin\AppData\Local\sD2Vy86\SysResetErr.exeFilesize
41KB
MD5090c6f458d61b7ddbdcfa54e761b8b57
SHA1c5a93e9d6eca4c3842156cc0262933b334113864
SHA256a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
SHA512c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542
-
memory/3076-137-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/3076-141-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/3076-148-0x0000000000570000-0x0000000000577000-memory.dmpFilesize
28KB
-
memory/3076-153-0x00007FFBAF58C000-0x00007FFBAF58D000-memory.dmpFilesize
4KB
-
memory/3076-152-0x00007FFBAF5BC000-0x00007FFBAF5BD000-memory.dmpFilesize
4KB
-
memory/3076-154-0x00007FFBAF4D0000-0x00007FFBAF4E0000-memory.dmpFilesize
64KB
-
memory/3076-140-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/3076-134-0x0000000000590000-0x0000000000591000-memory.dmpFilesize
4KB
-
memory/3076-138-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/3076-139-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/3076-135-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/3076-142-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/3076-136-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/3688-133-0x000001C0A6C30000-0x000001C0A6C37000-memory.dmpFilesize
28KB
-
memory/3688-130-0x0000000140000000-0x00000001400B2000-memory.dmpFilesize
712KB
-
memory/4036-162-0x000001DF468D0000-0x000001DF468D7000-memory.dmpFilesize
28KB
-
memory/4036-159-0x0000000140000000-0x00000001400B3000-memory.dmpFilesize
716KB
-
memory/4036-155-0x0000000000000000-mapping.dmp
-
memory/4704-171-0x0000000000000000-mapping.dmp
-
memory/4704-175-0x0000000140000000-0x00000001400F8000-memory.dmpFilesize
992KB
-
memory/4704-178-0x0000021CCB450000-0x0000021CCB457000-memory.dmpFilesize
28KB
-
memory/4752-170-0x0000026E53C60000-0x0000026E53C67000-memory.dmpFilesize
28KB
-
memory/4752-163-0x0000000000000000-mapping.dmp