Overview

overview

10

Static

static

a7ae8e4bc0...f3.dll

windows7_x64

8

a7ae8e4bc0...f3.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-04-2022 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7ae8e4bc04a200c85ebd599977d5bace425481f69ed9e28983b7e4f5aa79bf3.dll

  • Size

    883KB

  • MD5

    2b1ed27affd5b2c6413780abe2f60a6b

  • SHA1

    b2cbcf2d41695c9a173a7feba16bb4166c0c560f

  • SHA256

    a7ae8e4bc04a200c85ebd599977d5bace425481f69ed9e28983b7e4f5aa79bf3

  • SHA512

    f80d7dbb53a307648ff95ff12bdaa06a37f7b1d5d472585768dee296129ffdd28a3da7ff2d747f4b7a9f5858f71a5c98f069de110ddbd1fc71a3ca9df1c7ff03

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ae8e4bc04a200c85ebd599977d5bace425481f69ed9e28983b7e4f5aa79bf3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4724
  • C:\Windows\system32\InfDefaultInstall.exe
    C:\Windows\system32\InfDefaultInstall.exe
    1⤵
      PID:1436
    • C:\Users\Admin\AppData\Local\WNL64f\InfDefaultInstall.exe
      C:\Users\Admin\AppData\Local\WNL64f\InfDefaultInstall.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2520
    • C:\Windows\system32\lpksetup.exe
      C:\Windows\system32\lpksetup.exe
      1⤵
        PID:4668
      • C:\Users\Admin\AppData\Local\5q6\lpksetup.exe
        C:\Users\Admin\AppData\Local\5q6\lpksetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2396
      • C:\Windows\system32\SppExtComObj.Exe
        C:\Windows\system32\SppExtComObj.Exe
        1⤵
          PID:2928
        • C:\Users\Admin\AppData\Local\noIhm\SppExtComObj.Exe
          C:\Users\Admin\AppData\Local\noIhm\SppExtComObj.Exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2832

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5q6\dpx.dll
          Filesize

          884KB

          MD5

          a121ec94706af7d53f1e94e6e3b2cd6a

          SHA1

          b9cb93efaec3bd28124a493dff9f8e9fe2093157

          SHA256

          b64c5fea50375079e2e4a0744505fe8ae3e2074be072c6a36759b76994058225

          SHA512

          19297d19440d161ad9e241f72baf3273fb49e9afce015ae70766cc50a3ad69241ebf5f5634d015fc0aaa16b6d68acac8fde346a2cf700150f7429a137237bfce

          Download Submit
        • C:\Users\Admin\AppData\Local\5q6\dpx.dll
          Filesize

          884KB

          MD5

          a121ec94706af7d53f1e94e6e3b2cd6a

          SHA1

          b9cb93efaec3bd28124a493dff9f8e9fe2093157

          SHA256

          b64c5fea50375079e2e4a0744505fe8ae3e2074be072c6a36759b76994058225

          SHA512

          19297d19440d161ad9e241f72baf3273fb49e9afce015ae70766cc50a3ad69241ebf5f5634d015fc0aaa16b6d68acac8fde346a2cf700150f7429a137237bfce

          Download Submit
        • C:\Users\Admin\AppData\Local\5q6\lpksetup.exe
          Filesize

          728KB

          MD5

          c75516a32e0aea02a184074d55d1a997

          SHA1

          f9396946c078f8b0f28e3a6e21a97eeece31d13f

          SHA256

          cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

          SHA512

          92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

          Download Submit
        • C:\Users\Admin\AppData\Local\WNL64f\InfDefaultInstall.exe
          Filesize

          13KB

          MD5

          ee18876c1e5de583de7547075975120e

          SHA1

          f7fcb3d77da74deee25de9296a7c7335916504e3

          SHA256

          e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

          SHA512

          08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

          Download Submit
        • C:\Users\Admin\AppData\Local\WNL64f\newdev.dll
          Filesize

          884KB

          MD5

          fb479ef28045ae57660d2fd9f2ef567a

          SHA1

          009cb3d13f72c700cf0b12574ac5e5b294e4350e

          SHA256

          ea0b8367d034a3c71ae6b50154250b566a7e7e471fac9dc62930c41c2167cd30

          SHA512

          a5c214cd39bb37c2dd856d20afca2ee7db200cc5318eb94305b615f35ebe299317f9a86fe18d904a81c56da626ccd6ecc0956826fc7bfd060b4bfeaf08cf59be

          Download Submit
        • C:\Users\Admin\AppData\Local\WNL64f\newdev.dll
          Filesize

          884KB

          MD5

          fb479ef28045ae57660d2fd9f2ef567a

          SHA1

          009cb3d13f72c700cf0b12574ac5e5b294e4350e

          SHA256

          ea0b8367d034a3c71ae6b50154250b566a7e7e471fac9dc62930c41c2167cd30

          SHA512

          a5c214cd39bb37c2dd856d20afca2ee7db200cc5318eb94305b615f35ebe299317f9a86fe18d904a81c56da626ccd6ecc0956826fc7bfd060b4bfeaf08cf59be

          Download Submit
        • C:\Users\Admin\AppData\Local\noIhm\ACTIVEDS.dll
          Filesize

          884KB

          MD5

          fe5aa746af027959d13cde8271b3a697

          SHA1

          dc05423ed4f816e64e4ef00dd6423e3aed3d282b

          SHA256

          9ce94818f29db944adc2af108d3033c23d3011785698aeb0862073ceba7b6089

          SHA512

          4d2a07e9b1e616eb2d9bc16db50619c9d278779f9e06c7e7ebebb3956946db46fc1d3d517f398c6f228fe6ac76ef687aa53163502a36aa5fc1df495f6043f01f

          Download Submit
        • C:\Users\Admin\AppData\Local\noIhm\ACTIVEDS.dll
          Filesize

          884KB

          MD5

          fe5aa746af027959d13cde8271b3a697

          SHA1

          dc05423ed4f816e64e4ef00dd6423e3aed3d282b

          SHA256

          9ce94818f29db944adc2af108d3033c23d3011785698aeb0862073ceba7b6089

          SHA512

          4d2a07e9b1e616eb2d9bc16db50619c9d278779f9e06c7e7ebebb3956946db46fc1d3d517f398c6f228fe6ac76ef687aa53163502a36aa5fc1df495f6043f01f

          Download Submit
        • C:\Users\Admin\AppData\Local\noIhm\SppExtComObj.Exe
          Filesize

          559KB

          MD5

          728a78909aa69ca0e976e94482350700

          SHA1

          6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

          SHA256

          2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

          SHA512

          22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

          Download Submit
        • memory/2396-148-0x0000000000000000-mapping.dmp
          Download
        • memory/2520-144-0x0000000000000000-mapping.dmp
          Download
        • memory/2832-152-0x0000000000000000-mapping.dmp
          Download
        • memory/3116-140-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-142-0x00007FFFB7E8C000-0x00007FFFB7E8D000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3116-131-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-137-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-138-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-139-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-141-0x00007FFFB7EBC000-0x00007FFFB7EBD000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3116-143-0x00007FFFB7DD0000-0x00007FFFB7DE0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3116-130-0x0000000000920000-0x0000000000921000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3116-136-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-135-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-134-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-133-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/3116-132-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download