Overview

overview

10

Static

static

7a13e5d9c4...7b.dll

windows7_x64

10

7a13e5d9c4...7b.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-04-2022 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a13e5d9c436191ec91643ba7c5a67be2e509abf4261e1ad00e3795d532bfe7b.dll

  • Size

    689KB

  • MD5

    7dfb4ba2bd6af9d1d873f7570227c944

  • SHA1

    a4ba8288d9ce7f64dc7af457222783131ccbb120

  • SHA256

    7a13e5d9c436191ec91643ba7c5a67be2e509abf4261e1ad00e3795d532bfe7b

  • SHA512

    bbef51d5be2ac929e525e9a096480c1e76b5e59475730dbaa84de2d3efeb24e29fd66910149ae2a5e408a513e303a1886de7052d642d59d89e4ccf3d175d0244

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Payload 2 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a13e5d9c436191ec91643ba7c5a67be2e509abf4261e1ad00e3795d532bfe7b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3292
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    1⤵
      PID:1704
    • C:\Users\Admin\AppData\Local\cu21NxyCF\consent.exe
      C:\Users\Admin\AppData\Local\cu21NxyCF\consent.exe
      1⤵
      • Executes dropped EXE
      PID:1856
    • C:\Windows\system32\iexpress.exe
      C:\Windows\system32\iexpress.exe
      1⤵
        PID:3396
      • C:\Users\Admin\AppData\Local\Jkmt\iexpress.exe
        C:\Users\Admin\AppData\Local\Jkmt\iexpress.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5048
      • C:\Users\Admin\AppData\Local\UX5xvOVKA\BitLockerWizardElev.exe
        C:\Users\Admin\AppData\Local\UX5xvOVKA\BitLockerWizardElev.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1392
      • C:\Windows\system32\BitLockerWizardElev.exe
        C:\Windows\system32\BitLockerWizardElev.exe
        1⤵
          PID:3788
        • C:\Windows\system32\raserver.exe
          C:\Windows\system32\raserver.exe
          1⤵
            PID:3708
          • C:\Users\Admin\AppData\Local\e4ET4Fkoo\raserver.exe
            C:\Users\Admin\AppData\Local\e4ET4Fkoo\raserver.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:3712

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Jkmt\VERSION.dll
            Filesize

            691KB

            MD5

            02300982ce9f34f490afe91d79719616

            SHA1

            1546e927a3bec9f6d4eee01502fa1e31ea55d465

            SHA256

            c0b7706a5879dc46b4ebc1d73b0f299e13d0404cd56033c5b0005ad4125660cd

            SHA512

            4d84344613e22599ee0a7e0787fdcbc709fef5139bbcbf124e0c104e50c24aa6a2bfc97419db1d28fe51b4a1b71bbf1b3945cd52ad2a897debde1e6cdcf7705a

            Download Submit
          • C:\Users\Admin\AppData\Local\Jkmt\VERSION.dll
            Filesize

            691KB

            MD5

            02300982ce9f34f490afe91d79719616

            SHA1

            1546e927a3bec9f6d4eee01502fa1e31ea55d465

            SHA256

            c0b7706a5879dc46b4ebc1d73b0f299e13d0404cd56033c5b0005ad4125660cd

            SHA512

            4d84344613e22599ee0a7e0787fdcbc709fef5139bbcbf124e0c104e50c24aa6a2bfc97419db1d28fe51b4a1b71bbf1b3945cd52ad2a897debde1e6cdcf7705a

            Download Submit
          • C:\Users\Admin\AppData\Local\Jkmt\iexpress.exe
            Filesize

            166KB

            MD5

            17b93a43e25d821d01af40ba6babcc8c

            SHA1

            97c978d78056d995f751dfef1388d7cce4cc404a

            SHA256

            d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

            SHA512

            6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

            Download Submit
          • C:\Users\Admin\AppData\Local\UX5xvOVKA\BitLockerWizardElev.exe
            Filesize

            100KB

            MD5

            8ac5a3a20cf18ae2308c64fd707eeb81

            SHA1

            31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

            SHA256

            803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

            SHA512

            85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

            Download Submit
          • C:\Users\Admin\AppData\Local\UX5xvOVKA\FVEWIZ.dll
            Filesize

            692KB

            MD5

            2b0541ee3512227c66806058b666c5cb

            SHA1

            e4556f5028b25c379a1e3e2b047b18bebccf1d9f

            SHA256

            edceda2638bd422f8a42f6c2b7c43616a5ffb4538d93ca521e6f6cf91295e0e7

            SHA512

            c024f93e9303dddcf00b6430d193ebe9a4d9c81b5824e287c0e248e48542af6c5894cc787ebebad48850770b48e839a30050fcc24acdc112b549793885beee39

            Download Submit
          • C:\Users\Admin\AppData\Local\UX5xvOVKA\FVEWIZ.dll
            Filesize

            692KB

            MD5

            2b0541ee3512227c66806058b666c5cb

            SHA1

            e4556f5028b25c379a1e3e2b047b18bebccf1d9f

            SHA256

            edceda2638bd422f8a42f6c2b7c43616a5ffb4538d93ca521e6f6cf91295e0e7

            SHA512

            c024f93e9303dddcf00b6430d193ebe9a4d9c81b5824e287c0e248e48542af6c5894cc787ebebad48850770b48e839a30050fcc24acdc112b549793885beee39

            Download Submit
          • C:\Users\Admin\AppData\Local\cu21NxyCF\consent.exe
            Filesize

            162KB

            MD5

            6646631ce4ad7128762352da81f3b030

            SHA1

            1095bd4b63360fc2968d75622aa745e5523428ab

            SHA256

            56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

            SHA512

            1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

            Download Submit
          • C:\Users\Admin\AppData\Local\e4ET4Fkoo\WTSAPI32.dll
            Filesize

            692KB

            MD5

            da9dcfbf82cfccc960a99192055725fb

            SHA1

            8c7b189dc188431e7e75dfc0c3a2c603ba0e7386

            SHA256

            343a191d3b082dbc04a1d97ffbe13d32bc55743298ac1927e07b88b0cc90e4b7

            SHA512

            68da0ec9fdf1962a29ebe844e4bbe3c75fa8bb2e0e305f01bd958a4c5cd1524246434b2eb94360129bb383f5d23537cc95d4c8d7ecd18e8f7e782e651f07b4ae

            Download Submit
          • C:\Users\Admin\AppData\Local\e4ET4Fkoo\WTSAPI32.dll
            Filesize

            692KB

            MD5

            da9dcfbf82cfccc960a99192055725fb

            SHA1

            8c7b189dc188431e7e75dfc0c3a2c603ba0e7386

            SHA256

            343a191d3b082dbc04a1d97ffbe13d32bc55743298ac1927e07b88b0cc90e4b7

            SHA512

            68da0ec9fdf1962a29ebe844e4bbe3c75fa8bb2e0e305f01bd958a4c5cd1524246434b2eb94360129bb383f5d23537cc95d4c8d7ecd18e8f7e782e651f07b4ae

            Download Submit
          • C:\Users\Admin\AppData\Local\e4ET4Fkoo\raserver.exe
            Filesize

            132KB

            MD5

            d1841c6ee4ea45794ced131d4b68b60e

            SHA1

            4be6d2116060d7c723ac2d0b5504efe23198ea01

            SHA256

            38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

            SHA512

            d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

            Download Submit
          • memory/1392-165-0x0000000000000000-mapping.dmp
            Download
          • memory/1856-155-0x0000000000000000-mapping.dmp
            Download
          • memory/3252-135-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3252-139-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3252-154-0x00007FFE26F90000-0x00007FFE26FA0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/3252-152-0x00007FFE2704C000-0x00007FFE2704D000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3252-142-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3252-153-0x0000000000A50000-0x0000000000A57000-memory.dmp
            Filesize

            28KB

            Download
          • memory/3252-138-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3252-140-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3252-137-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3252-151-0x00007FFE2707C000-0x00007FFE2707D000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3252-141-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3252-136-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3252-134-0x0000000000A60000-0x0000000000A61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3292-133-0x000001DF15E10000-0x000001DF15E17000-memory.dmp
            Filesize

            28KB

            Download
          • memory/3292-130-0x0000000140000000-0x00000001400B1000-memory.dmp
            Filesize

            708KB

            Download
          • memory/3712-179-0x0000026062990000-0x0000026062997000-memory.dmp
            Filesize

            28KB

            Download
          • memory/3712-172-0x0000000000000000-mapping.dmp
            Download
          • memory/5048-157-0x0000000000000000-mapping.dmp
            Download
          • memory/5048-164-0x00000271C2070000-0x00000271C2077000-memory.dmp
            Filesize

            28KB

            Download
          • memory/5048-161-0x0000000140000000-0x00000001400B2000-memory.dmp
            Filesize

            712KB

            Download