Overview

overview

10

Static

static

3

793df85f28...7f.dll

windows7-x64

10

793df85f28...7f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    71s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2023, 15:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    793df85f287f06c4764a229b404e0a7f.dll

  • Size

    660KB

  • MD5

    793df85f287f06c4764a229b404e0a7f

  • SHA1

    454ad7fe4ede68aeffa2144dc95d22618a17a17e

  • SHA256

    823691284d6b7786dee73b7315b3cd146eac4160d5f7fca663cab821b66698fa

  • SHA512

    e20fce0797127f695247109fa01d39db3304fee14aa34441cc5f88c3ea38c18bf8d013b2207c57dd56b542dc9eaee0100a3c3c58c326be54677e760dd7f50c9f

  • SSDEEP

    6144:Z34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:ZIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\793df85f287f06c4764a229b404e0a7f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3992
  • C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe
    C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:1176
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:872
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe
      1⤵
        PID:3484
      • C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe
        C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3648
      • C:\Users\Admin\AppData\Local\f9B\osk.exe
        C:\Users\Admin\AppData\Local\f9B\osk.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4432
      • C:\Windows\system32\osk.exe
        C:\Windows\system32\osk.exe
        1⤵
          PID:2224

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\TTcSUIg\XmlLite.dll
          Filesize

          664KB

          MD5

          ce92fb27287b8d8da3b53825faebe282

          SHA1

          b0b3a97dcfecb6a25ad52cfca9a9f8708eaa3a76

          SHA256

          94a90a4eb25abcbbac0c023c3736473b5a29df02f1a702ca86d037b5ca244312

          SHA512

          27f0d045d02c93cc1ebc5e5ab22716fa48d02d00f02445b3e215c980e01ef1d688cbbd732924113fdb691ec076fefa0ee8f5124b4164544168397b6129a8f215

          Download Submit

        • C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe
          Filesize

          813KB

          MD5

          331a40eabaa5870e316b401bd81c4861

          SHA1

          ddff65771ca30142172c0d91d5bfff4eb1b12b73

          SHA256

          105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

          SHA512

          29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

          Download Submit

        • C:\Users\Admin\AppData\Local\TTcSUIg\printfilterpipelinesvc.exe
          Filesize

          92KB

          MD5

          e8c60c1cea5fe66669a567f2928da865

          SHA1

          130273dd1a9c632a10d9cee2864175361293f020

          SHA256

          3676a513ee82bafc02efd24f96178b6e9385947021fe46f0526f61acbd20b15d

          SHA512

          2f3ebcf552e41b0740bcfa9643461d0f866ac92132ccc6cbf900fdee8da189466ef17f7c2da039baed8713ec569c16d17e03465bca0b2a5e5e5378537d7210d3

          Download Submit

        • C:\Users\Admin\AppData\Local\f9B\WINMM.dll
          Filesize

          92KB

          MD5

          0a6c9d0583ea2a2bbe2d8df974e13d3d

          SHA1

          dd0d9b7ed6b8e833e3c0317402f82d0fe21fffee

          SHA256

          a0a852c7d1fcd00cc2710d09f1f5afaf51efa5a69f1795faacb9c805b367abc3

          SHA512

          da22a9c5fa741242855fbd582b2dd091908f82fcd2ef885b2cad3c00f0d0dabcd3c468e2ad2479d13c89de53bf13280e988e396fbc9482af115e53c339d3b975

          Download Submit

        • C:\Users\Admin\AppData\Local\f9B\osk.exe
          Filesize

          149KB

          MD5

          c6a35c5c01187c39859b84e884de47ef

          SHA1

          6fef730762b70ea398eb7ff5358690fb94f73bd8

          SHA256

          a0c4f535e7cda3451e3639fb2c3b4b586dcb686f67f03475619d22fd38c7f7bc

          SHA512

          dbf7d088d8aa52e5a459d37f1ccccdd00e31b7bd1b15806681e79cad3c11e7b66fbe339dec9c0ab6fb1c111bc58213413ebc8b8f093f90f2e1e971e0fded8127

          Download Submit

        • C:\Users\Admin\AppData\Local\nHTTOPH\WTSAPI32.dll
          Filesize

          381KB

          MD5

          3979dd404e02cd194f81b74f78d85245

          SHA1

          7c0d381c5104fbff83a33ca00f2c785c073de9a3

          SHA256

          dd495154b1cb39a729ae8907aca4eb63e67455c31ac72a80db6adfe823799743

          SHA512

          582f9bfef8a172bbd312db29d5decee9bfaa032e9d1889e267e99fde2769f6e4a1aed67d861ffac8e7dbf7a2dfb9c3ad4b1eb888a8f2ad584fe121820ba936d6

          Download Submit

        • C:\Users\Admin\AppData\Local\nHTTOPH\WTSAPI32.dll
          Filesize

          92KB

          MD5

          288d72978838193b8aa0ddeb45d163d6

          SHA1

          ff1b81e3e358aaed9b73e586a1bbb2b3d8ec8651

          SHA256

          ca50d1eb34df25fb899fe747c4ace4423c4da79bee82cdd5b813a6bb504a8f11

          SHA512

          de492cc2853fd977c2756ae8f4c30f2cd6060f50657070ac4cf99de9ae5711c0e12d6a392fd623fd5ff80c4d5daf69528bc74c9fc45dedd666dbc8648780ec22

          Download Submit

        • C:\Users\Admin\AppData\Local\nHTTOPH\slui.exe
          Filesize

          342KB

          MD5

          89e3292a3338df70574e1a8415659204

          SHA1

          7233c59a227a40fe9ef6f74ea9b03d5545420dfd

          SHA256

          7ae0532fc112967677baaf64272ddaa467c9004c5d0d9980b82b43143bb16afc

          SHA512

          86b3224d7a0035d812266754c5977d698f5f1a538d0961afaa6edc20569d2de0a2b0d84889dc347bdefd65bdd8fb602673311c7889a12df10dfed24677d4097a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\j1ywryR\XmlLite.dll
          Filesize

          92KB

          MD5

          4ce79158c633aedd6b20602785fd9efc

          SHA1

          fe7c1477b9654d12a1d1f4575604a5471f5812e6

          SHA256

          9c2ea2e54f50a4c3cc08d6d6ddb864e61290b0d8cfd7753d79ce5907dbbcf5a4

          SHA512

          28b2e6e042cb83a1e472dece258689f840eee9ae23648ca6954f819953824cb4c7220bb1a9cfaaec862f8e8cb1ecd14687a063d4f96356c5e8565a6c7cd9e184

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk
          Filesize

          938B

          MD5

          df07bad1a5f4389192fc09ee163b160e

          SHA1

          b619c2ff5ceafeb9402c3dc369d43b63c866fd41

          SHA256

          0ab1123bcfa5a76d20a3eca57d1cd7911d0fa66800e87931f93247809468103f

          SHA512

          2c48b6c47de94ac4a023d10a8ee1e826dfdb38e121596303150a67bea66e1a8d282de4382b2f11a07efa6a66c3a5548908c0f6d2eab19bbd08ebab875391c361

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Sun\4xsoJ4o\WTSAPI32.dll
          Filesize

          664KB

          MD5

          bca074a7366a91b631507914afcac0c1

          SHA1

          d15420166ea0070adb76b254deac7e50188b12a3

          SHA256

          0e11ca1228cbc474d5f0fd149fd3615d7caeadc4421cd478bb281716958e5a72

          SHA512

          ff9c141437aa1cd6a7176b2943ae1a134be32d5711eb03aee64cad8650b013c0c54895b4de3cb1229fa8bf2b940caac2fabca9e90d99c86075dc57adaecc5094

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Sun\VML6Xp\WINMM.dll
          Filesize

          668KB

          MD5

          6e81fa44ba1b79c29a1f1e2e6af6faaf

          SHA1

          993d4e84074a54b99a356eb3224eceb7e0b7e0f6

          SHA256

          5f96961bd625f1511372ddb3b20380f3d9085fe9765d088b10c730ace5ee01e6

          SHA512

          ebd94dce5c34630905ed744e7b75af2c1d934241e86717069f5b66e900906082b500f5cb494e60d5126785c569db2475e7a7732846f3b0dd1dde024643783c25

          Download Submit

        • memory/1176-48-0x00007FFBDD720000-0x00007FFBDD7C6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1176-45-0x0000028BAA850000-0x0000028BAA857000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1176-43-0x00007FFBDD720000-0x00007FFBDD7C6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3560-15-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-12-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-4-0x00007FFBEB9FA000-0x00007FFBEB9FB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3560-14-0x0000000007AF0000-0x0000000007AF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3560-22-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-33-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-23-0x00007FFBEC400000-0x00007FFBEC410000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3560-24-0x00007FFBEC3F0000-0x00007FFBEC400000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3560-9-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-13-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-8-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-6-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-7-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-11-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-10-0x0000000140000000-0x00000001400A5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3560-3-0x0000000007B10000-0x0000000007B11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3648-61-0x000001FC35230000-0x000001FC35237000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3648-64-0x00007FFBDD720000-0x00007FFBDD7C6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3992-0-0x000002397A610000-0x000002397A617000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3992-36-0x00007FFBDE320000-0x00007FFBDE3C5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/3992-1-0x00007FFBDE320000-0x00007FFBDE3C5000-memory.dmp

          Filesize

          660KB

          Download

        • memory/4432-77-0x000001FC5E3E0000-0x000001FC5E3E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4432-80-0x00007FFBDD610000-0x00007FFBDD6B7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4432-75-0x00007FFBDD610000-0x00007FFBDD6B7000-memory.dmp

          Filesize

          668KB

          Download