Overview

overview

10

Static

static

a0a7108d7f...a6.dll

windows7_x64

10

a0a7108d7f...a6.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-04-2022 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0a7108d7f34ff577b4a8db39b03563800dc3700d33e2f9829c057b93bde7aa6.dll

  • Size

    1.2MB

  • MD5

    928e03c371cf2e36675fe8aaf3651b8f

  • SHA1

    60a06ac1dee727b35f783c8da28426100d4ba527

  • SHA256

    a0a7108d7f34ff577b4a8db39b03563800dc3700d33e2f9829c057b93bde7aa6

  • SHA512

    24511d0641f02a0a762c47831d4bd64ca2e65a4573afeba8facb463d88275dc2d858e10b2e633260a0d623ce81d3d16ad79bca6b4cbc17409e2fc1a26d625d99

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Payload 2 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0a7108d7f34ff577b4a8db39b03563800dc3700d33e2f9829c057b93bde7aa6.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1008
  • C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe
    1⤵
      PID:692
    • C:\Users\Admin\AppData\Local\of1mac\psr.exe
      C:\Users\Admin\AppData\Local\of1mac\psr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:784
    • C:\Windows\system32\UI0Detect.exe
      C:\Windows\system32\UI0Detect.exe
      1⤵
        PID:652
      • C:\Users\Admin\AppData\Local\EKToL\UI0Detect.exe
        C:\Users\Admin\AppData\Local\EKToL\UI0Detect.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        PID:1572
      • C:\Windows\system32\rstrui.exe
        C:\Windows\system32\rstrui.exe
        1⤵
          PID:1944
        • C:\Users\Admin\AppData\Local\2o35GULo\rstrui.exe
          C:\Users\Admin\AppData\Local\2o35GULo\rstrui.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          PID:1304

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2o35GULo\SPP.dll
          Filesize

          1.2MB

          MD5

          34786d4d5d78ab210c24e725b8d76748

          SHA1

          474b307ebc9009ed0e4fa99e0b3e12d15cd0b9bd

          SHA256

          189257df8bf61078c6177beeb4a8da2d0322de8908e19a252e129f01ada601e0

          SHA512

          9bae9ec637a6d6c90bbaccdfd62e7ca9c849b97a743f8cd13f0967b45d7a580c6a3d5703b83a24dd4f41c8468d9370dbda7a12f7a60e24cbc7f35401aa701284

          Download Submit
        • C:\Users\Admin\AppData\Local\2o35GULo\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit
        • C:\Users\Admin\AppData\Local\EKToL\UI0Detect.exe
          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit
        • C:\Users\Admin\AppData\Local\EKToL\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          b092a27dbf362016156d27823dc2e851

          SHA1

          25401caa3fbb6b04f7cb1a7a2556d5cb92fcd2f7

          SHA256

          a6399e121c625d43be996ecb62e3e894bbb4ffdcfc5378a49a7cee4983adc587

          SHA512

          07c35556b858e121dab449c88fc385eb55b5b14db45c46da8fbe3ac2128c4861238b5453a67d36c853e097f31caed672441d5b39b64937266c022cfd3ada21a4

          Download Submit
        • C:\Users\Admin\AppData\Local\of1mac\VERSION.dll
          Filesize

          1.2MB

          MD5

          2929a3fddfc992e883cc32261ceeb951

          SHA1

          0982d12ee4ffe16c625360dcad668dbd3e3c0e48

          SHA256

          37af726b8d43d695d2150d32e75650dd055fa18f9697ef056197a97ef16e4243

          SHA512

          94d2f96a93661c6d82ab41646054f873e7af36f7af5e1f77b9b53f9eee9954855a129e9cdbc22a7a2d9fe6af5a426fadfa517ea4a5dbcdb0b25c62a8909729ed

          Download Submit
        • C:\Users\Admin\AppData\Local\of1mac\psr.exe
          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

          Download Submit
        • \Users\Admin\AppData\Local\2o35GULo\SPP.dll
          Filesize

          1.2MB

          MD5

          34786d4d5d78ab210c24e725b8d76748

          SHA1

          474b307ebc9009ed0e4fa99e0b3e12d15cd0b9bd

          SHA256

          189257df8bf61078c6177beeb4a8da2d0322de8908e19a252e129f01ada601e0

          SHA512

          9bae9ec637a6d6c90bbaccdfd62e7ca9c849b97a743f8cd13f0967b45d7a580c6a3d5703b83a24dd4f41c8468d9370dbda7a12f7a60e24cbc7f35401aa701284

          Download Submit
        • \Users\Admin\AppData\Local\2o35GULo\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit
        • \Users\Admin\AppData\Local\EKToL\UI0Detect.exe
          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit
        • \Users\Admin\AppData\Local\EKToL\WTSAPI32.dll
          Filesize

          1.2MB

          MD5

          b092a27dbf362016156d27823dc2e851

          SHA1

          25401caa3fbb6b04f7cb1a7a2556d5cb92fcd2f7

          SHA256

          a6399e121c625d43be996ecb62e3e894bbb4ffdcfc5378a49a7cee4983adc587

          SHA512

          07c35556b858e121dab449c88fc385eb55b5b14db45c46da8fbe3ac2128c4861238b5453a67d36c853e097f31caed672441d5b39b64937266c022cfd3ada21a4

          Download Submit
        • \Users\Admin\AppData\Local\of1mac\VERSION.dll
          Filesize

          1.2MB

          MD5

          2929a3fddfc992e883cc32261ceeb951

          SHA1

          0982d12ee4ffe16c625360dcad668dbd3e3c0e48

          SHA256

          37af726b8d43d695d2150d32e75650dd055fa18f9697ef056197a97ef16e4243

          SHA512

          94d2f96a93661c6d82ab41646054f873e7af36f7af5e1f77b9b53f9eee9954855a129e9cdbc22a7a2d9fe6af5a426fadfa517ea4a5dbcdb0b25c62a8909729ed

          Download Submit
        • \Users\Admin\AppData\Local\of1mac\psr.exe
          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

          Download Submit
        • \Users\Admin\AppData\Roaming\Adobe\ZHJWJKjr\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit
        • memory/784-82-0x0000000000000000-mapping.dmp
          Download
        • memory/784-84-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp
          Filesize

          8KB

          Download
        • memory/784-90-0x0000000000500000-0x0000000000507000-memory.dmp
          Filesize

          28KB

          Download
        • memory/784-87-0x0000000140000000-0x0000000140141000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1008-57-0x0000000000320000-0x0000000000327000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1008-54-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-70-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-79-0x00000000029D0000-0x00000000029D7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1280-68-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-69-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-61-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-80-0x00000000773B0000-0x00000000773B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1280-67-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-60-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-66-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-65-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-64-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-58-0x00000000029F0000-0x00000000029F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1280-63-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-59-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1280-62-0x0000000140000000-0x0000000140140000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1304-101-0x0000000000000000-mapping.dmp
          Download
        • memory/1304-109-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1572-99-0x0000000000180000-0x0000000000187000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1572-92-0x0000000000000000-mapping.dmp
          Download