Overview

overview

10

Static

static

114957fd7f...3f.dll

windows7_x64

10

114957fd7f...3f.dll

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    26-11-2021 09:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    114957fd7fb9c6830b6da37b828ad27a8c8a61f01abb6f52424ca1c5da9f523f.dll

  • Size

    1.3MB

  • MD5

    4bcdeb39da135fecdcaad9f1a96c3186

  • SHA1

    8432f49550f40d8da39ccbc9fdfaf6fc631def1f

  • SHA256

    114957fd7fb9c6830b6da37b828ad27a8c8a61f01abb6f52424ca1c5da9f523f

  • SHA512

    c2b8da83cf40228071c27de1592b81bf9ed622e9506ca9942e2f6409ef2d6ccb7cf655cf3eedc4089b8f91eaf470d2ebce1ac06bc5837b468f4f1d46d7124c2a

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\114957fd7fb9c6830b6da37b828ad27a8c8a61f01abb6f52424ca1c5da9f523f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1752
  • C:\Windows\system32\Utilman.exe
    C:\Windows\system32\Utilman.exe
    1⤵
      PID:1984
    • C:\Users\Admin\AppData\Local\UBE3Sf\Utilman.exe
      C:\Users\Admin\AppData\Local\UBE3Sf\Utilman.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1052
    • C:\Windows\system32\EhStorAuthn.exe
      C:\Windows\system32\EhStorAuthn.exe
      1⤵
        PID:1728
      • C:\Users\Admin\AppData\Local\zSUKN\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\zSUKN\EhStorAuthn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:960
      • C:\Windows\system32\rrinstaller.exe
        C:\Windows\system32\rrinstaller.exe
        1⤵
          PID:992
        • C:\Users\Admin\AppData\Local\DLKf\rrinstaller.exe
          C:\Users\Admin\AppData\Local\DLKf\rrinstaller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:936

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DLKf\MFPlat.DLL
          MD5

          f264a54403aff056ac4e266d237536d7

          SHA1

          6113ac7b461163bd0ad5dae581aba729d2884f2b

          SHA256

          4ea6f3ace771d75113aa8e2c13c42189f7c3a9aa6b6f5e383ba46850a149daf0

          SHA512

          8331c4e4504c638f6632b4a43a23b458a7572df19db49c1c019720825be72e8dce80d20abfe0e83ae8e29b610f63749d37fab9f41e3851fbf3cebc8b95e7c8d9

          Download Submit
        • C:\Users\Admin\AppData\Local\DLKf\rrinstaller.exe
          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit
        • C:\Users\Admin\AppData\Local\UBE3Sf\DUI70.dll
          MD5

          493a900f368e66a00abe424b5a784587

          SHA1

          48ce6e8f4a0b74d5ac233113e39df5d8727fd3f6

          SHA256

          36bea355204f8a8e3816dc15e7336e31fcf54683f1ded04db3a5e187b0695f38

          SHA512

          ddcd7ca970d3e6642fd176f0bfc5343bd8e7f6382faf55478f742d30bd7917143e03878e1eb635d6dc239ab5926d48eaaa88faebf802ba3c6c08efbcb4356aa6

          Download Submit
        • C:\Users\Admin\AppData\Local\UBE3Sf\Utilman.exe
          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

          Download Submit
        • C:\Users\Admin\AppData\Local\zSUKN\EhStorAuthn.exe
          MD5

          3abe95d92c80dc79707d8e168d79a994

          SHA1

          64b10c17f602d3f21c84954541e7092bc55bb5ab

          SHA256

          2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

          SHA512

          70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

          Download Submit
        • C:\Users\Admin\AppData\Local\zSUKN\WTSAPI32.dll
          MD5

          ca1b57790caf67c9ef71066b1c2db7cf

          SHA1

          c3c77dd659e50539030b8744d9a2731340202908

          SHA256

          109e3f70a355e3743da2973d0d02388d4a51559bca729b593e06985605274fbc

          SHA512

          5472796de05261373d47125efe8615d9220bb8318704ba348ff58a79feb57b459d43eb0522488df77d0d48402ba0c605b152c02173bf2654ed0540b0a8ca69c3

          Download Submit
        • \Users\Admin\AppData\Local\DLKf\MFPlat.DLL
          MD5

          f264a54403aff056ac4e266d237536d7

          SHA1

          6113ac7b461163bd0ad5dae581aba729d2884f2b

          SHA256

          4ea6f3ace771d75113aa8e2c13c42189f7c3a9aa6b6f5e383ba46850a149daf0

          SHA512

          8331c4e4504c638f6632b4a43a23b458a7572df19db49c1c019720825be72e8dce80d20abfe0e83ae8e29b610f63749d37fab9f41e3851fbf3cebc8b95e7c8d9

          Download Submit
        • \Users\Admin\AppData\Local\DLKf\rrinstaller.exe
          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit
        • \Users\Admin\AppData\Local\UBE3Sf\DUI70.dll
          MD5

          493a900f368e66a00abe424b5a784587

          SHA1

          48ce6e8f4a0b74d5ac233113e39df5d8727fd3f6

          SHA256

          36bea355204f8a8e3816dc15e7336e31fcf54683f1ded04db3a5e187b0695f38

          SHA512

          ddcd7ca970d3e6642fd176f0bfc5343bd8e7f6382faf55478f742d30bd7917143e03878e1eb635d6dc239ab5926d48eaaa88faebf802ba3c6c08efbcb4356aa6

          Download Submit
        • \Users\Admin\AppData\Local\UBE3Sf\Utilman.exe
          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

          Download Submit
        • \Users\Admin\AppData\Local\zSUKN\EhStorAuthn.exe
          MD5

          3abe95d92c80dc79707d8e168d79a994

          SHA1

          64b10c17f602d3f21c84954541e7092bc55bb5ab

          SHA256

          2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

          SHA512

          70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

          Download Submit
        • \Users\Admin\AppData\Local\zSUKN\WTSAPI32.dll
          MD5

          ca1b57790caf67c9ef71066b1c2db7cf

          SHA1

          c3c77dd659e50539030b8744d9a2731340202908

          SHA256

          109e3f70a355e3743da2973d0d02388d4a51559bca729b593e06985605274fbc

          SHA512

          5472796de05261373d47125efe8615d9220bb8318704ba348ff58a79feb57b459d43eb0522488df77d0d48402ba0c605b152c02173bf2654ed0540b0a8ca69c3

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sg0Av\rrinstaller.exe
          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit
        • memory/936-107-0x0000000140000000-0x000000014015A000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/936-103-0x0000000000000000-mapping.dmp
          Download
        • memory/960-94-0x0000000000000000-mapping.dmp
          Download
        • memory/960-99-0x0000000140000000-0x0000000140159000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1052-90-0x0000000140000000-0x000000014018C000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1052-87-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1052-85-0x0000000000000000-mapping.dmp
          Download
        • memory/1260-73-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-72-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-66-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-67-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-68-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-69-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-75-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-76-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-77-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-70-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-71-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-83-0x0000000077990000-0x0000000077992000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1260-59-0x0000000002A70000-0x0000000002A71000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1260-74-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-65-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-64-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-62-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-63-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-61-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1260-60-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1752-55-0x0000000140000000-0x0000000140158000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1752-58-0x0000000000190000-0x0000000000197000-memory.dmp
          Filesize

          28KB

          Download