Overview

overview

10

Static

static

6aafd2dd44...14.dll

windows7_x64

10

6aafd2dd44...14.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    19-04-2022 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6aafd2dd448fa8e982695f250298f2e9c0927d4d90f80c57e6d57d69abed9a14.dll

  • Size

    965KB

  • MD5

    8c626b0730876bc39bfad224fb742d3f

  • SHA1

    b998aa15b53814de5407c2048440786dbcecd572

  • SHA256

    6aafd2dd448fa8e982695f250298f2e9c0927d4d90f80c57e6d57d69abed9a14

  • SHA512

    4ec780d3061245e18cb36268df014325142c9894ce59e33fcd9a87605afcfb872aa0aa53f09a76a2152004d7a0a20ab3e3438b952756c1bf4004b3b442082092

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aafd2dd448fa8e982695f250298f2e9c0927d4d90f80c57e6d57d69abed9a14.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3308
  • C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe
    1⤵
      PID:3664
    • C:\Users\Admin\AppData\Local\OeSJioUR\DevicePairingWizard.exe
      C:\Users\Admin\AppData\Local\OeSJioUR\DevicePairingWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4060
    • C:\Windows\system32\SystemSettingsRemoveDevice.exe
      C:\Windows\system32\SystemSettingsRemoveDevice.exe
      1⤵
        PID:2624
      • C:\Users\Admin\AppData\Local\wip3OUL\SystemSettingsRemoveDevice.exe
        C:\Users\Admin\AppData\Local\wip3OUL\SystemSettingsRemoveDevice.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4448
      • C:\Windows\system32\sessionmsg.exe
        C:\Windows\system32\sessionmsg.exe
        1⤵
          PID:1552
        • C:\Users\Admin\AppData\Local\mu0EXJWD\sessionmsg.exe
          C:\Users\Admin\AppData\Local\mu0EXJWD\sessionmsg.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4388

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\OeSJioUR\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit
        • C:\Users\Admin\AppData\Local\OeSJioUR\MFC42u.dll
          Filesize

          992KB

          MD5

          ac5013d45f3676057404c6b2ee1fa2f2

          SHA1

          4763f46bd762c7355b01b8a01715dd2d3abc8917

          SHA256

          4f0ff54eed993a5db85157185e044cb70eae8ab491bc27e65ed618922d2f27b2

          SHA512

          0db060badf534c2b97b2c8026214eb4baac17ca56ade601c1d25336d3d1da2bef59c681563810a0f94cebdb88a661d5bd7d24c84a7c25f4dc9cb99198848def1

          Download Submit
        • C:\Users\Admin\AppData\Local\OeSJioUR\MFC42u.dll
          Filesize

          992KB

          MD5

          ac5013d45f3676057404c6b2ee1fa2f2

          SHA1

          4763f46bd762c7355b01b8a01715dd2d3abc8917

          SHA256

          4f0ff54eed993a5db85157185e044cb70eae8ab491bc27e65ed618922d2f27b2

          SHA512

          0db060badf534c2b97b2c8026214eb4baac17ca56ade601c1d25336d3d1da2bef59c681563810a0f94cebdb88a661d5bd7d24c84a7c25f4dc9cb99198848def1

          Download Submit
        • C:\Users\Admin\AppData\Local\mu0EXJWD\DUser.dll
          Filesize

          969KB

          MD5

          d9544f2067fb5aa86c7df553af2d2d8f

          SHA1

          2ac5150422c51bd897eba74b2d64efb37645b75b

          SHA256

          aac8e50a567b9f97a8450e55c04e4688a682ffa3e0e6f1c3c8c142104c2a5555

          SHA512

          cc54dfb92b49086600b5d2a557dbe42c618b2f3536ccba1debfe23202489eee57dceb096bd1e2ea9d61700be551b9055b1e43590c5099a7c29629b3a55356c5f

          Download Submit
        • C:\Users\Admin\AppData\Local\mu0EXJWD\DUser.dll
          Filesize

          969KB

          MD5

          d9544f2067fb5aa86c7df553af2d2d8f

          SHA1

          2ac5150422c51bd897eba74b2d64efb37645b75b

          SHA256

          aac8e50a567b9f97a8450e55c04e4688a682ffa3e0e6f1c3c8c142104c2a5555

          SHA512

          cc54dfb92b49086600b5d2a557dbe42c618b2f3536ccba1debfe23202489eee57dceb096bd1e2ea9d61700be551b9055b1e43590c5099a7c29629b3a55356c5f

          Download Submit
        • C:\Users\Admin\AppData\Local\mu0EXJWD\sessionmsg.exe
          Filesize

          85KB

          MD5

          480f710806b68dfe478ca1ec7d7e79cc

          SHA1

          b4fc97fed2dbff9c4874cb65ede7b50699db37cd

          SHA256

          2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

          SHA512

          29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

          Download Submit
        • C:\Users\Admin\AppData\Local\wip3OUL\DUI70.dll
          Filesize

          1.2MB

          MD5

          ba213aea01ba76410c695341b077e456

          SHA1

          bafda39f014a3eac8571032ca9b98b487cd01b7a

          SHA256

          001e8cb1ba603c0371bca0b6fc4b1a6d8fd54b7fb3bc6b174153fd53c488194c

          SHA512

          d99c08f96cc348099487bcbae9d40937dbdf3fb21cfcc657e9386d270c6ed88c84f45609acd3c0ecad6c0fe3f0c8ad4651b2e82ce137e9136b6ef1480cce5b41

          Download Submit
        • C:\Users\Admin\AppData\Local\wip3OUL\DUI70.dll
          Filesize

          1.2MB

          MD5

          ba213aea01ba76410c695341b077e456

          SHA1

          bafda39f014a3eac8571032ca9b98b487cd01b7a

          SHA256

          001e8cb1ba603c0371bca0b6fc4b1a6d8fd54b7fb3bc6b174153fd53c488194c

          SHA512

          d99c08f96cc348099487bcbae9d40937dbdf3fb21cfcc657e9386d270c6ed88c84f45609acd3c0ecad6c0fe3f0c8ad4651b2e82ce137e9136b6ef1480cce5b41

          Download Submit
        • C:\Users\Admin\AppData\Local\wip3OUL\SystemSettingsRemoveDevice.exe
          Filesize

          39KB

          MD5

          7853f1c933690bb7c53c67151cbddeb0

          SHA1

          d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

          SHA256

          9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

          SHA512

          831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

          Download Submit
        • memory/3152-141-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-142-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-144-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-145-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-154-0x00007FFED8ABC000-0x00007FFED8ABD000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3152-155-0x00007FFED8A8C000-0x00007FFED8A8D000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3152-156-0x0000000000B80000-0x0000000000B87000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3152-157-0x00007FFED89D0000-0x00007FFED89E0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3152-138-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-137-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-139-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-135-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3152-140-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-143-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3152-136-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3308-130-0x0000000140000000-0x00000001400F9000-memory.dmp
          Filesize

          996KB

          Download
        • memory/3308-134-0x000001A3B4500000-0x000001A3B4507000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4060-165-0x00000299A88A0000-0x00000299A88A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4060-162-0x0000000140000000-0x0000000140100000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/4060-158-0x0000000000000000-mapping.dmp
          Download
        • memory/4388-176-0x0000000000000000-mapping.dmp
          Download
        • memory/4388-180-0x0000000140000000-0x00000001400FB000-memory.dmp
          Filesize

          1004KB

          Download
        • memory/4388-184-0x000001C71D500000-0x000001C71D507000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4448-171-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/4448-175-0x000001DEDFCD0000-0x000001DEDFCD7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4448-167-0x0000000000000000-mapping.dmp
          Download