Overview

overview

10

Static

static

ac789285c9...ee.dll

windows7_x64

10

ac789285c9...ee.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    185s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac789285c91a1777f5c5cfb1e0c6d93f1a06856849ef005f471cb6641b05a8ee.dll

  • Size

    1.2MB

  • MD5

    bd42ea33dfc75bbbc8e5b537fc14ac6d

  • SHA1

    bf81af779374bfd5bc6caf97524e549541025a56

  • SHA256

    ac789285c91a1777f5c5cfb1e0c6d93f1a06856849ef005f471cb6641b05a8ee

  • SHA512

    78f92d35c6d8f1a7c79293d52d4f6ba13d2ad8d4cc018ede2e4d4c78392b94e384c86b6626c062bcf1a2f44f95eb28d60342565ed497a5166ef43a181dc41b43

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac789285c91a1777f5c5cfb1e0c6d93f1a06856849ef005f471cb6641b05a8ee.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1680
  • C:\Windows\system32\SoundRecorder.exe
    C:\Windows\system32\SoundRecorder.exe
    1⤵
      PID:1784
    • C:\Users\Admin\AppData\Local\lkmx\SoundRecorder.exe
      C:\Users\Admin\AppData\Local\lkmx\SoundRecorder.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:772
    • C:\Users\Admin\AppData\Local\MmWT1\MpSigStub.exe
      C:\Users\Admin\AppData\Local\MmWT1\MpSigStub.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:648
    • C:\Windows\system32\MpSigStub.exe
      C:\Windows\system32\MpSigStub.exe
      1⤵
        PID:1916
      • C:\Windows\system32\mstsc.exe
        C:\Windows\system32\mstsc.exe
        1⤵
          PID:1056
        • C:\Users\Admin\AppData\Local\d2t\mstsc.exe
          C:\Users\Admin\AppData\Local\d2t\mstsc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1908

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\MmWT1\MpSigStub.exe
          Filesize

          264KB

          MD5

          2e6bd16aa62e5e95c7b256b10d637f8f

          SHA1

          350be084477b1fe581af83ca79eb58d4defe260f

          SHA256

          d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

          SHA512

          1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

          Download Submit
        • C:\Users\Admin\AppData\Local\MmWT1\VERSION.dll
          Filesize

          1.2MB

          MD5

          3b6c12247ab2b5447b4c262d02b99081

          SHA1

          940b559bf3a7341ae04f0a61ff7e30b149aadcab

          SHA256

          3418cc45b4dcb228ee8c3afc1faf340ada30af5381871067ab7d2e6063958ef0

          SHA512

          241ed8bd46a001d37f31d452ccdeebe2a425ece3d0f4d9885d345159385a9f7739d9e6bae91f588cb527bbcfdbb81e059ae3ee2fc69b57ecae6db8fee8f5e6d0

          Download Submit
        • C:\Users\Admin\AppData\Local\d2t\Secur32.dll
          Filesize

          1.2MB

          MD5

          63856eaab6c9be1c88cb50558fd0540f

          SHA1

          dc4950af195ed3653703aed0a3b0cc6fcd8934c1

          SHA256

          a8d7d555cb9d871239a03c1f3348bc848b945c535a268e5b57b17204e2b4b48d

          SHA512

          d160ac7a156d78829da1c14e7cf667587f4990d9971302d87c86127ce06c23b244ec2ef4aaaa8ba79c05a10da6d533fbc069e791a27bd5f0bd2fd47ec32577b1

          Download Submit
        • C:\Users\Admin\AppData\Local\d2t\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit
        • C:\Users\Admin\AppData\Local\lkmx\SoundRecorder.exe
          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

          Download Submit
        • C:\Users\Admin\AppData\Local\lkmx\UxTheme.dll
          Filesize

          1.2MB

          MD5

          a43975fe18aadc89182e2adde352992d

          SHA1

          d6b5db6e2aa05b19eceb8a56bf40db6e21f8a6d2

          SHA256

          7db3c012e14e49c2cc008dc0461a1e304c8dbcc90b48d6de073ff5be2fa1743c

          SHA512

          f7bc5ab97a04a392f861c52d22c9ce327997c195c374fe8b1f14a04bd231bf7fcfca76a614c0b4ceb2ed96a3633d7394910ff079d47a251eddcda46f7718d9c1

          Download Submit
        • \Users\Admin\AppData\Local\MmWT1\MpSigStub.exe
          Filesize

          264KB

          MD5

          2e6bd16aa62e5e95c7b256b10d637f8f

          SHA1

          350be084477b1fe581af83ca79eb58d4defe260f

          SHA256

          d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

          SHA512

          1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

          Download Submit
        • \Users\Admin\AppData\Local\MmWT1\VERSION.dll
          Filesize

          1.2MB

          MD5

          3b6c12247ab2b5447b4c262d02b99081

          SHA1

          940b559bf3a7341ae04f0a61ff7e30b149aadcab

          SHA256

          3418cc45b4dcb228ee8c3afc1faf340ada30af5381871067ab7d2e6063958ef0

          SHA512

          241ed8bd46a001d37f31d452ccdeebe2a425ece3d0f4d9885d345159385a9f7739d9e6bae91f588cb527bbcfdbb81e059ae3ee2fc69b57ecae6db8fee8f5e6d0

          Download Submit
        • \Users\Admin\AppData\Local\d2t\Secur32.dll
          Filesize

          1.2MB

          MD5

          63856eaab6c9be1c88cb50558fd0540f

          SHA1

          dc4950af195ed3653703aed0a3b0cc6fcd8934c1

          SHA256

          a8d7d555cb9d871239a03c1f3348bc848b945c535a268e5b57b17204e2b4b48d

          SHA512

          d160ac7a156d78829da1c14e7cf667587f4990d9971302d87c86127ce06c23b244ec2ef4aaaa8ba79c05a10da6d533fbc069e791a27bd5f0bd2fd47ec32577b1

          Download Submit
        • \Users\Admin\AppData\Local\d2t\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit
        • \Users\Admin\AppData\Local\lkmx\SoundRecorder.exe
          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

          Download Submit
        • \Users\Admin\AppData\Local\lkmx\UxTheme.dll
          Filesize

          1.2MB

          MD5

          a43975fe18aadc89182e2adde352992d

          SHA1

          d6b5db6e2aa05b19eceb8a56bf40db6e21f8a6d2

          SHA256

          7db3c012e14e49c2cc008dc0461a1e304c8dbcc90b48d6de073ff5be2fa1743c

          SHA512

          f7bc5ab97a04a392f861c52d22c9ce327997c195c374fe8b1f14a04bd231bf7fcfca76a614c0b4ceb2ed96a3633d7394910ff079d47a251eddcda46f7718d9c1

          Download Submit
        • \Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\Zc\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit
        • memory/648-101-0x0000000000170000-0x0000000000177000-memory.dmp
          Filesize

          28KB

          Download
        • memory/648-93-0x0000000000000000-mapping.dmp
          Download
        • memory/772-84-0x000007FEFC021000-0x000007FEFC023000-memory.dmp
          Filesize

          8KB

          Download
        • memory/772-91-0x0000000000370000-0x0000000000377000-memory.dmp
          Filesize

          28KB

          Download
        • memory/772-82-0x0000000000000000-mapping.dmp
          Download
        • memory/772-87-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-63-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-64-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-62-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-70-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-60-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-80-0x0000000077980000-0x0000000077982000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1264-69-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-79-0x00000000029A0000-0x00000000029A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1264-67-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-61-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-68-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-65-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-66-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1264-59-0x0000000002A40000-0x0000000002A41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1680-58-0x00000000000A0000-0x00000000000A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1680-54-0x0000000140000000-0x000000014013F000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1908-103-0x0000000000000000-mapping.dmp
          Download
        • memory/1908-112-0x0000000000120000-0x0000000000127000-memory.dmp
          Filesize

          28KB

          Download