Overview

overview

10

Static

static

7a13e5d9c4...7b.dll

windows7_x64

10

7a13e5d9c4...7b.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    17-04-2022 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a13e5d9c436191ec91643ba7c5a67be2e509abf4261e1ad00e3795d532bfe7b.dll

  • Size

    689KB

  • MD5

    7dfb4ba2bd6af9d1d873f7570227c944

  • SHA1

    a4ba8288d9ce7f64dc7af457222783131ccbb120

  • SHA256

    7a13e5d9c436191ec91643ba7c5a67be2e509abf4261e1ad00e3795d532bfe7b

  • SHA512

    bbef51d5be2ac929e525e9a096480c1e76b5e59475730dbaa84de2d3efeb24e29fd66910149ae2a5e408a513e303a1886de7052d642d59d89e4ccf3d175d0244

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Payload 3 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a13e5d9c436191ec91643ba7c5a67be2e509abf4261e1ad00e3795d532bfe7b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:732
  • C:\Windows\system32\lpksetup.exe
    C:\Windows\system32\lpksetup.exe
    1⤵
      PID:1868
    • C:\Users\Admin\AppData\Local\kiSBTuo\lpksetup.exe
      C:\Users\Admin\AppData\Local\kiSBTuo\lpksetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:1804
    • C:\Windows\system32\rekeywiz.exe
      C:\Windows\system32\rekeywiz.exe
      1⤵
        PID:896
      • C:\Users\Admin\AppData\Local\S5h\rekeywiz.exe
        C:\Users\Admin\AppData\Local\S5h\rekeywiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        PID:976
      • C:\Windows\system32\mmc.exe
        C:\Windows\system32\mmc.exe
        1⤵
          PID:1224
        • C:\Users\Admin\AppData\Local\UQdH\mmc.exe
          C:\Users\Admin\AppData\Local\UQdH\mmc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1736
        • C:\Windows\system32\RDVGHelper.exe
          C:\Windows\system32\RDVGHelper.exe
          1⤵
            PID:1444
          • C:\Users\Admin\AppData\Local\sf1xg\RDVGHelper.exe
            C:\Users\Admin\AppData\Local\sf1xg\RDVGHelper.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1980

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\S5h\rekeywiz.exe
            Filesize

            67KB

            MD5

            767c75767b00ccfd41a547bb7b2adfff

            SHA1

            91890853a5476def402910e6507417d400c0d3cb

            SHA256

            bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

            SHA512

            f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

            Download Submit
          • C:\Users\Admin\AppData\Local\S5h\slc.dll
            Filesize

            691KB

            MD5

            e2a52ab57a1154e624d9ad198c8a88b1

            SHA1

            bafaff1fb88b85fd9d6d88cfc1f2d5330d14830a

            SHA256

            774f4f055ff85c2eb4be516eed898d35ffa2aac83204cfe2507479225cf37a09

            SHA512

            78f80a21122424f31ecb1e3ad98351a7cfaebd55a95e76b318d1152f5a5d2a49eda77b54868feb23193a8152d2cf01b3df907e11e9d2270dcbf6bd6a5e425781

            Download Submit
          • C:\Users\Admin\AppData\Local\UQdH\MFC42u.dll
            Filesize

            717KB

            MD5

            1384ac6af536e58e50ab56a43b5c86bc

            SHA1

            0e5a044db80c0e2cb7cda1d9fc39d890eda9c070

            SHA256

            df399077ad4a674ddbf5a42919dfb2e38715db21a5a2603972b8804cbde88801

            SHA512

            d6abcbdb11a5c3b3d826efca7b05684df0200eacd911a8c713af1a2b03187f60e91fc79dca7088213c77dfbdd6377ebbcede15a3e57a652133fd84949766674c

            Download Submit
          • C:\Users\Admin\AppData\Local\UQdH\mmc.exe
            Filesize

            2.0MB

            MD5

            9fea051a9585f2a303d55745b4bf63aa

            SHA1

            f5dc12d658402900a2b01af2f018d113619b96b8

            SHA256

            b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

            SHA512

            beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

            Download Submit
          • C:\Users\Admin\AppData\Local\kiSBTuo\lpksetup.exe
            Filesize

            638KB

            MD5

            50d28f3f8b7c17056520c80a29efe17c

            SHA1

            1b1e62be0a0bdc9aec2e91842c35381297d8f01e

            SHA256

            71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

            SHA512

            92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

            Download Submit
          • C:\Users\Admin\AppData\Local\kiSBTuo\slc.dll
            Filesize

            691KB

            MD5

            c84ae3030bb5f89fa8430e55c31632a7

            SHA1

            4a53904e85a01791b1d9f5195f671b7e36f21e15

            SHA256

            6c2a56cd49d6a7c113eecec7c8b1b3b82bd79bf926ffe3a46436f0e417ffc349

            SHA512

            257ab0f3b83f7387fe0e4a671236a97e83134c3a0700ad623140f096029935e4db611d8144d688a40145b2f4b5247c7359a8923e08f0688d18016702d62006eb

            Download Submit
          • C:\Users\Admin\AppData\Local\sf1xg\RDVGHelper.exe
            Filesize

            93KB

            MD5

            53fda4af81e7c4895357a50e848b7cfe

            SHA1

            01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

            SHA256

            62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

            SHA512

            dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

            Download Submit
          • C:\Users\Admin\AppData\Local\sf1xg\WTSAPI32.dll
            Filesize

            692KB

            MD5

            5712a8cdc1da715b72d692568dd0501e

            SHA1

            15cba7c8b17715c8c53f5c5cdddc9dee06394400

            SHA256

            581b7c4e726d6ec45ad5f38c2bb2828ccf30d3be45fd68d8749d2f655a7b4fc2

            SHA512

            932f65ec51a4a0c76bde5b8bf57c9c837b8518c1a2417f215d73cc2e292544477503adc00c2fb275b64725cb01fb04b6b35b19c2c9cc34b9d5ac4175b53aee5d

            Download Submit
          • \Users\Admin\AppData\Local\S5h\rekeywiz.exe
            Filesize

            67KB

            MD5

            767c75767b00ccfd41a547bb7b2adfff

            SHA1

            91890853a5476def402910e6507417d400c0d3cb

            SHA256

            bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

            SHA512

            f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

            Download Submit
          • \Users\Admin\AppData\Local\S5h\slc.dll
            Filesize

            691KB

            MD5

            e2a52ab57a1154e624d9ad198c8a88b1

            SHA1

            bafaff1fb88b85fd9d6d88cfc1f2d5330d14830a

            SHA256

            774f4f055ff85c2eb4be516eed898d35ffa2aac83204cfe2507479225cf37a09

            SHA512

            78f80a21122424f31ecb1e3ad98351a7cfaebd55a95e76b318d1152f5a5d2a49eda77b54868feb23193a8152d2cf01b3df907e11e9d2270dcbf6bd6a5e425781

            Download Submit
          • \Users\Admin\AppData\Local\UQdH\MFC42u.dll
            Filesize

            717KB

            MD5

            1384ac6af536e58e50ab56a43b5c86bc

            SHA1

            0e5a044db80c0e2cb7cda1d9fc39d890eda9c070

            SHA256

            df399077ad4a674ddbf5a42919dfb2e38715db21a5a2603972b8804cbde88801

            SHA512

            d6abcbdb11a5c3b3d826efca7b05684df0200eacd911a8c713af1a2b03187f60e91fc79dca7088213c77dfbdd6377ebbcede15a3e57a652133fd84949766674c

            Download Submit
          • \Users\Admin\AppData\Local\UQdH\mmc.exe
            Filesize

            2.0MB

            MD5

            9fea051a9585f2a303d55745b4bf63aa

            SHA1

            f5dc12d658402900a2b01af2f018d113619b96b8

            SHA256

            b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

            SHA512

            beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

            Download Submit
          • \Users\Admin\AppData\Local\kiSBTuo\lpksetup.exe
            Filesize

            638KB

            MD5

            50d28f3f8b7c17056520c80a29efe17c

            SHA1

            1b1e62be0a0bdc9aec2e91842c35381297d8f01e

            SHA256

            71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

            SHA512

            92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

            Download Submit
          • \Users\Admin\AppData\Local\kiSBTuo\slc.dll
            Filesize

            691KB

            MD5

            c84ae3030bb5f89fa8430e55c31632a7

            SHA1

            4a53904e85a01791b1d9f5195f671b7e36f21e15

            SHA256

            6c2a56cd49d6a7c113eecec7c8b1b3b82bd79bf926ffe3a46436f0e417ffc349

            SHA512

            257ab0f3b83f7387fe0e4a671236a97e83134c3a0700ad623140f096029935e4db611d8144d688a40145b2f4b5247c7359a8923e08f0688d18016702d62006eb

            Download Submit
          • \Users\Admin\AppData\Local\sf1xg\RDVGHelper.exe
            Filesize

            93KB

            MD5

            53fda4af81e7c4895357a50e848b7cfe

            SHA1

            01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

            SHA256

            62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

            SHA512

            dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

            Download Submit
          • \Users\Admin\AppData\Local\sf1xg\WTSAPI32.dll
            Filesize

            692KB

            MD5

            5712a8cdc1da715b72d692568dd0501e

            SHA1

            15cba7c8b17715c8c53f5c5cdddc9dee06394400

            SHA256

            581b7c4e726d6ec45ad5f38c2bb2828ccf30d3be45fd68d8749d2f655a7b4fc2

            SHA512

            932f65ec51a4a0c76bde5b8bf57c9c837b8518c1a2417f215d73cc2e292544477503adc00c2fb275b64725cb01fb04b6b35b19c2c9cc34b9d5ac4175b53aee5d

            Download Submit
          • \Users\Admin\AppData\Roaming\Adobe\Acrobat\mNPIJrmWvWE\RDVGHelper.exe
            Filesize

            93KB

            MD5

            53fda4af81e7c4895357a50e848b7cfe

            SHA1

            01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

            SHA256

            62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

            SHA512

            dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

            Download Submit
          • memory/732-54-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/732-57-0x00000000000A0000-0x00000000000A7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/976-96-0x0000000001CA0000-0x0000000001CA7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/976-88-0x0000000000000000-mapping.dmp
            Download
          • memory/1260-66-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/1260-60-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/1260-58-0x0000000002260000-0x0000000002261000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1260-65-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/1260-64-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/1260-75-0x0000000002240000-0x0000000002247000-memory.dmp
            Filesize

            28KB

            Download
          • memory/1260-76-0x0000000077570000-0x0000000077572000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1260-63-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/1260-59-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/1260-62-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/1260-61-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/1736-102-0x0000000140000000-0x00000001400B8000-memory.dmp
            Filesize

            736KB

            Download
          • memory/1736-105-0x0000000000170000-0x0000000000177000-memory.dmp
            Filesize

            28KB

            Download
          • memory/1736-98-0x0000000000000000-mapping.dmp
            Download
          • memory/1804-86-0x0000000000090000-0x0000000000097000-memory.dmp
            Filesize

            28KB

            Download
          • memory/1804-78-0x0000000000000000-mapping.dmp
            Download
          • memory/1804-80-0x000007FEFBC11000-0x000007FEFBC13000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1804-83-0x0000000140000000-0x00000001400B2000-memory.dmp
            Filesize

            712KB

            Download
          • memory/1980-107-0x0000000000000000-mapping.dmp
            Download
          • memory/1980-114-0x00000000000F0000-0x00000000000F7000-memory.dmp
            Filesize

            28KB

            Download