Overview

overview

10

Static

static

5af146f34a...eb.dll

windows7_x64

10

5af146f34a...eb.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    4294211s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    01-03-2022 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5af146f34a016cb00d039b9c27f9377562b2114d1bd3bfb3bae84e37b621faeb.dll

  • Size

    1.4MB

  • MD5

    bbd1c7e574466ed65425219a7aa7ff68

  • SHA1

    e9778bcf32187c7b54d0879b4f57a9aa38e19fa6

  • SHA256

    5af146f34a016cb00d039b9c27f9377562b2114d1bd3bfb3bae84e37b621faeb

  • SHA512

    c57faf27f783786a284d65b7fb124d700d8c03c4a0447025976ea737555199bcb4b9a400c06c3d6829fee2658882fb8c5b1e538776ce34cabd2358f6d0f3f547

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5af146f34a016cb00d039b9c27f9377562b2114d1bd3bfb3bae84e37b621faeb.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1064
  • C:\Windows\system32\vmicsvc.exe
    C:\Windows\system32\vmicsvc.exe
    1⤵
      PID:1792
    • C:\Users\Admin\AppData\Local\GyYGV6ZwB\vmicsvc.exe
      C:\Users\Admin\AppData\Local\GyYGV6ZwB\vmicsvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:904
    • C:\Windows\system32\rrinstaller.exe
      C:\Windows\system32\rrinstaller.exe
      1⤵
        PID:592
      • C:\Users\Admin\AppData\Local\raJUz7Ej\rrinstaller.exe
        C:\Users\Admin\AppData\Local\raJUz7Ej\rrinstaller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:968
      • C:\Windows\system32\notepad.exe
        C:\Windows\system32\notepad.exe
        1⤵
          PID:1972
        • C:\Users\Admin\AppData\Local\zikt\notepad.exe
          C:\Users\Admin\AppData\Local\zikt\notepad.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1524

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GyYGV6ZwB\ACTIVEDS.dll
          MD5

          da4be8b4b2eef1a891735e503f4abf04

          SHA1

          a3cbd3c605eae357bfbd62030dd45b215f0a2165

          SHA256

          b35098b24c21d96fbf40469c9663b0e491c9a5567aeb59eda4e7a96c85a06bdd

          SHA512

          da7a634caeea9022db80553d55fbea128a875e272ca315fafc4a1ad603714da980a925b1a432123ad7ac15af5ab5d735521883aaeae0ec39956db0002041c998

          Download Submit
        • C:\Users\Admin\AppData\Local\GyYGV6ZwB\vmicsvc.exe
          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit
        • C:\Users\Admin\AppData\Local\raJUz7Ej\MFPlat.DLL
          MD5

          181b1d32e2af4a26f5f1d21a391d538f

          SHA1

          a8c81b7c11eab552e3c9d5c2258582372e50e98b

          SHA256

          3983e047103839b71fbc088005cc5866ed74485a5bcba883651134f164e900cf

          SHA512

          6efe92c66452ef4ca89bb9a9fccd76a567fbe04b95f0e6f3ed1aeaf540075c569346899101297e6f265c971d41ef23f417228c74b24934ebc5eea2c6a36ad6cb

          Download Submit
        • C:\Users\Admin\AppData\Local\raJUz7Ej\rrinstaller.exe
          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit
        • C:\Users\Admin\AppData\Local\zikt\VERSION.dll
          MD5

          1298c9227447cd1fca99be6bad1de85b

          SHA1

          17d45f57214c3c7b8c8a745cc07d628f84fae648

          SHA256

          184f239a48ff6fed61430693c14be762165a9325e1ae444b07d5ab30e928e958

          SHA512

          ce699ad3a15cccdf23b6b67c91e82e6d876cea04b11eaef1ac6c1e336b36ce5519c8d1829e1c8b5b62ad34f5b926278f85fbb09d36ad07b8571ebcd1350f60be

          Download Submit
        • C:\Users\Admin\AppData\Local\zikt\notepad.exe
          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • \Users\Admin\AppData\Local\GyYGV6ZwB\ACTIVEDS.dll
          MD5

          da4be8b4b2eef1a891735e503f4abf04

          SHA1

          a3cbd3c605eae357bfbd62030dd45b215f0a2165

          SHA256

          b35098b24c21d96fbf40469c9663b0e491c9a5567aeb59eda4e7a96c85a06bdd

          SHA512

          da7a634caeea9022db80553d55fbea128a875e272ca315fafc4a1ad603714da980a925b1a432123ad7ac15af5ab5d735521883aaeae0ec39956db0002041c998

          Download Submit
        • \Users\Admin\AppData\Local\GyYGV6ZwB\vmicsvc.exe
          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit
        • \Users\Admin\AppData\Local\raJUz7Ej\MFPlat.DLL
          MD5

          181b1d32e2af4a26f5f1d21a391d538f

          SHA1

          a8c81b7c11eab552e3c9d5c2258582372e50e98b

          SHA256

          3983e047103839b71fbc088005cc5866ed74485a5bcba883651134f164e900cf

          SHA512

          6efe92c66452ef4ca89bb9a9fccd76a567fbe04b95f0e6f3ed1aeaf540075c569346899101297e6f265c971d41ef23f417228c74b24934ebc5eea2c6a36ad6cb

          Download Submit
        • \Users\Admin\AppData\Local\raJUz7Ej\rrinstaller.exe
          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit
        • \Users\Admin\AppData\Local\zikt\VERSION.dll
          MD5

          1298c9227447cd1fca99be6bad1de85b

          SHA1

          17d45f57214c3c7b8c8a745cc07d628f84fae648

          SHA256

          184f239a48ff6fed61430693c14be762165a9325e1ae444b07d5ab30e928e958

          SHA512

          ce699ad3a15cccdf23b6b67c91e82e6d876cea04b11eaef1ac6c1e336b36ce5519c8d1829e1c8b5b62ad34f5b926278f85fbb09d36ad07b8571ebcd1350f60be

          Download Submit
        • \Users\Admin\AppData\Local\zikt\notepad.exe
          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\h1sWKFuMIi3\notepad.exe
          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • memory/904-88-0x0000000000270000-0x0000000000277000-memory.dmp
          Filesize

          28KB

          Download
        • memory/904-84-0x0000000140000000-0x0000000140179000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/968-93-0x0000000140000000-0x000000014017A000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/968-97-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1064-54-0x000007FEFB7A1000-0x000007FEFB7A3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1064-59-0x00000000001A0000-0x00000000001A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1064-55-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-66-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-69-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-78-0x0000000076F71000-0x0000000076F72000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1396-79-0x0000000077100000-0x0000000077102000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1396-61-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-67-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-68-0x0000000076E66000-0x0000000076E67000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1396-77-0x0000000002630000-0x0000000002637000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1396-70-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-63-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-65-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-64-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-62-0x0000000140000000-0x0000000140178000-memory.dmp
          Filesize

          1.5MB

          Download
        • memory/1396-60-0x0000000002650000-0x0000000002651000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1524-107-0x00000000000F0000-0x00000000000F7000-memory.dmp
          Filesize

          28KB

          Download