Overview

overview

10

Static

static

3

5274829dfd...73.dll

windows7-x64

10

5274829dfd...73.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 04:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    5274829dfdbd08c8f993a4a31d3d6073.dll

  • Size

    852KB

  • MD5

    5274829dfdbd08c8f993a4a31d3d6073

  • SHA1

    a4f07ed425b1a4002efee120f3aacdc18f2e4e2b

  • SHA256

    14906c032956bed15a33083266a615ff7d5b24d84f0dbc36c3e245a3e46ac500

  • SHA512

    d65c192609e4d7c643b0305901c94188245b18e87d9417068c937a5b569bb913264590e37a0da00c96d8ce3640e2a5f040f9ed771c966551fe3febdd7d70fe2a

  • SSDEEP

    12288:hkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:hkbHkWfzZ5adwLNGeStHntqN7v

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5274829dfdbd08c8f993a4a31d3d6073.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2916
  • C:\Windows\system32\spreview.exe
    C:\Windows\system32\spreview.exe
    1⤵
      PID:1920
    • C:\Users\Admin\AppData\Local\jqNlwmnd\spreview.exe
      C:\Users\Admin\AppData\Local\jqNlwmnd\spreview.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:240
    • C:\Windows\system32\Netplwiz.exe
      C:\Windows\system32\Netplwiz.exe
      1⤵
        PID:2880
      • C:\Users\Admin\AppData\Local\fmf\Netplwiz.exe
        C:\Users\Admin\AppData\Local\fmf\Netplwiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2624
      • C:\Windows\system32\UI0Detect.exe
        C:\Windows\system32\UI0Detect.exe
        1⤵
          PID:764
        • C:\Users\Admin\AppData\Local\XF0jjxz3\UI0Detect.exe
          C:\Users\Admin\AppData\Local\XF0jjxz3\UI0Detect.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2500

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\XF0jjxz3\WINSTA.dll
                Filesize

                860KB

                MD5

                33b74ac6c89f99da4f8c4080618d7039

                SHA1

                54bf25a081b153d1aabe7b4965d34453653a5941

                SHA256

                bf48af4daf0d90a34172f0f78684d4899d1343f6cdfe475af65402fa46cf3c55

                SHA512

                ae8dfb515be28fab573780fe617735f78caf3b9e69d535221e22f5706469216cfe9543f8d88144ba115b405b5f6bf9096e1a5937e08ec10ae6e0a8b6231382a6

                Download Submit

              • C:\Users\Admin\AppData\Local\fmf\NETPLWIZ.dll
                Filesize

                856KB

                MD5

                40526cf39374af30b67ac410be671c32

                SHA1

                dbe04af72e35989241302e4fcb6f371765cea751

                SHA256

                45b15ea44d53f3274732eece427605b65e535d0f3bc76cea04fc79f61570cfd7

                SHA512

                32ba9da0a044efef88b86bf03ada526d27fee1fcae64d8e8cdf6aa57e0c19ef0fbdb2a53774ca7abae43ac42beaf1e782772ed45c3896f0c430e0d481f4c7f68

                Download Submit

              • C:\Users\Admin\AppData\Local\jqNlwmnd\sqmapi.dll
                Filesize

                856KB

                MD5

                a3c4b642b1717ce1269efceb1de32bc5

                SHA1

                2967f669c0b4bea6f6a9b2df874342704bcfd85e

                SHA256

                808c7e5ff6617a3de6b0514f3ceb29a423e069775a780fc866351b2f49c974f2

                SHA512

                33be8b447a8329932bdfd2aac8f8032b6c23026ab30b2fa80dd3f86f7ea212ef4b22ab7d3d682b947ea0e1cd69d62984b7251405486af8e26906a2b50a4d03bb

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
                Filesize

                1KB

                MD5

                bfc76b6e3c952b6c374fa63ada4e82bf

                SHA1

                d5d9ef3529797df35a3b172d7a87b8e6949e586b

                SHA256

                ce61a4cde43d90511820e848a33d6ed9aa0b8e9618f5a67d2352a9dccc9aeebb

                SHA512

                0615fbbf427dd83dab3fe8caff064039dd7c2cc5011c9720fe338c81284c1ed02a0131e60f0241213661683ff03f1d060916f61534bb001c2b1c38eccff47a42

                Download Submit

              • \Users\Admin\AppData\Local\XF0jjxz3\UI0Detect.exe
                Filesize

                40KB

                MD5

                3cbdec8d06b9968aba702eba076364a1

                SHA1

                6e0fcaccadbdb5e3293aa3523ec1006d92191c58

                SHA256

                b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

                SHA512

                a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

                Download Submit

              • \Users\Admin\AppData\Local\fmf\Netplwiz.exe
                Filesize

                26KB

                MD5

                e43ec3c800d4c0716613392e81fba1d9

                SHA1

                37de6a235e978ecf3bb0fc2c864016c5b0134348

                SHA256

                636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

                SHA512

                176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

                Download Submit

              • \Users\Admin\AppData\Local\jqNlwmnd\spreview.exe
                Filesize

                294KB

                MD5

                704cd4cac010e8e6d8de9b778ed17773

                SHA1

                81856abf70640f102b8b3defe2cf65669fe8e165

                SHA256

                4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

                SHA512

                b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

                Download Submit

              • memory/240-60-0x000007FEF6F20000-0x000007FEF6FF6000-memory.dmp

                Filesize

                856KB

                Download

              • memory/240-55-0x000007FEF6F20000-0x000007FEF6FF6000-memory.dmp

                Filesize

                856KB

                Download

              • memory/240-56-0x00000000000E0000-0x00000000000E7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1260-13-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-72-0x00000000775A6000-0x00000000775A7000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1260-14-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-15-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-16-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-17-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-18-0x0000000001D50000-0x0000000001D57000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1260-19-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-20-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-27-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-28-0x0000000077910000-0x0000000077912000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1260-29-0x0000000077940000-0x0000000077942000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1260-38-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-40-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-3-0x00000000775A6000-0x00000000775A7000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1260-4-0x0000000002B10000-0x0000000002B11000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1260-11-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-7-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-8-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-10-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-9-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-6-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/1260-12-0x0000000140000000-0x00000001400D5000-memory.dmp

                Filesize

                852KB

                Download

              • memory/2500-90-0x000007FEF6900000-0x000007FEF69D7000-memory.dmp

                Filesize

                860KB

                Download

              • memory/2500-94-0x000007FEF6900000-0x000007FEF69D7000-memory.dmp

                Filesize

                860KB

                Download

              • memory/2624-74-0x0000000000070000-0x0000000000077000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2624-73-0x000007FEF6900000-0x000007FEF69D6000-memory.dmp

                Filesize

                856KB

                Download

              • memory/2624-78-0x000007FEF6900000-0x000007FEF69D6000-memory.dmp

                Filesize

                856KB

                Download

              • memory/2916-1-0x000007FEF6E40000-0x000007FEF6F15000-memory.dmp

                Filesize

                852KB

                Download

              • memory/2916-41-0x000007FEF6E40000-0x000007FEF6F15000-memory.dmp

                Filesize

                852KB

                Download

              • memory/2916-0-0x0000000000110000-0x0000000000117000-memory.dmp

                Filesize

                28KB

                Download