Overview

overview

10

Static

static

3

2915f0ee3b...c5.dll

windows7-x64

10

2915f0ee3b...c5.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    31/12/2023, 04:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2915f0ee3b4358c235bd91e7e90325c5.dll

  • Size

    1.1MB

  • MD5

    2915f0ee3b4358c235bd91e7e90325c5

  • SHA1

    f51129c7e9c2cc23c16c6c63ef221d44831adcc2

  • SHA256

    99c03fb6a99ac38d78f5c1e853acae759e8cbefdf160e7257c8f3fcbb74ccf4e

  • SHA512

    b171b550248a891e5e264527198abdc25b0f6d6e34bd07f617cf4d96e00d5da489b871efc645f6ada815e8e0f96f14c834c7564cd01f14b245041a115185c813

  • SSDEEP

    12288:vkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64CC:vkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2915f0ee3b4358c235bd91e7e90325c5.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2376
  • C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe
    1⤵
      PID:2700
    • C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe
      C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2736
    • C:\Users\Admin\AppData\Local\cQO3Xxe\SystemPropertiesHardware.exe
      C:\Users\Admin\AppData\Local\cQO3Xxe\SystemPropertiesHardware.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1084
    • C:\Windows\system32\SystemPropertiesHardware.exe
      C:\Windows\system32\SystemPropertiesHardware.exe
      1⤵
        PID:2532
      • C:\Users\Admin\AppData\Local\qNd\iexpress.exe
        C:\Users\Admin\AppData\Local\qNd\iexpress.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:792
      • C:\Windows\system32\iexpress.exe
        C:\Windows\system32\iexpress.exe
        1⤵
          PID:2844

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\sLKsq\MFC42u.dll
          Filesize

          123KB

          MD5

          bf9aae01b072df34060548afd5aa0c31

          SHA1

          565e507455ea5c805dfd7e2d0c2b745d4b9e75df

          SHA256

          d75b7e3dfa81db854b11d26a105bbfc92da29fe8070dcc420c1d0acba5cbbe02

          SHA512

          5f863c33f525160267e2f3eeb0f5072ff4b55d94881fe420711d20035546498134397574bc73a01be4869781c4b786b34b6bd5a13805aea12a1913088c74232d

          Download Submit

        • C:\Users\Admin\AppData\Local\sLKsq\eudcedit.exe
          Filesize

          65KB

          MD5

          c6d856dd0577d4752a724614437a0e49

          SHA1

          61580e8df03e2582f70722c1a45e0cbe28b47c48

          SHA256

          5ce52e878505e4f53ee1525cbe17f1c4e4a177a01844f13fba5463b5fe2478f2

          SHA512

          56f7a5f12f8e580471ff970808c6285f1a514149b30e1ad50e872d99bcf21fd67952752945c1c255233aa6c8d38f731a196d8ac70284e4da7fe4a7cf801df2c7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk
          Filesize

          1KB

          MD5

          d9fb5e7b648535d2e99cf722e6e77748

          SHA1

          3212a94fd66f0e3893e47bc1858213ecfa4fb8ad

          SHA256

          1dee7db558463566ef79f9b2e92fbc4f14f006837541c1fdd83bc14089d27a36

          SHA512

          2664a45064234398a269995c9075ab180158788e266579f9bd62dc7210698bf4f32bb0c8fd143d6725904b4f1e46499376b084727871bbd40b33649b4f6a05fe

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\adPKG4Oi\SYSDM.CPL
          Filesize

          1024KB

          MD5

          174039bc2a2fc970320a0ac71b3118ab

          SHA1

          cf47a2b4caccfd882465ffbd2b337b56551b7c73

          SHA256

          23c90d02685a7bbb1a3bd25d9e659d1e7aa363f811a170dc9c6f73b2fa6c742f

          SHA512

          4cf26d3488cdc0ac1a28f8fc79fa1b39f4f34660e637ea7e4bb52606a82e58d0197f8bb59353b41d9a16fa0a3a88dae491e1eb20c332ef7c02110825255c4b9b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\I7aE6YfyTc\MFC42u.dll
          Filesize

          442KB

          MD5

          ed6a3d3aa37d236b35d7a1808155ac08

          SHA1

          d7d7968ee0e29bdde351402b053972228894b0ca

          SHA256

          9d5d4dab3d3eff61b3e3eff51c028213ddf29434982eae2115277acafccf9829

          SHA512

          ec69dad3e064c1cb866359ff5eb8e74bc003e50307ac595101e698c0ca7879129e7437104ede4cac28736c88f708235801037f05ad7beb7db56b77784e07f8f6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\R0jSX2\VERSION.dll
          Filesize

          1024KB

          MD5

          17fdc10fd740ca5e7f830dd1ca5ab3c7

          SHA1

          38e8011d60a734ebbadf5c8e5536613841bc93a4

          SHA256

          e801467781ba7c4fa6ef3fa87ea7060721f965a511f51b8ef1eb74fbdaa64c83

          SHA512

          60e1cbf7777120b4691140c39ff1d23e3c0f4c2d3376f61e5fb4a93251f71a31583f251aa947f2cbbb164e41e699c1a1336f4541af2e1c40bda586cea44c063d

          Download Submit

        • \Users\Admin\AppData\Local\sLKsq\MFC42u.dll
          Filesize

          92KB

          MD5

          054a76f4c99be583e201604594fa18fc

          SHA1

          7fe47692f9ec5d168abce1466ff609fc17bcff36

          SHA256

          14ed63d092856faeb0c7d83b56e6b2f3a86599e2600b76bd42f1c976d78f29f6

          SHA512

          25f1414ea790a832751b8e854772c802630e17c9692e96576f34e08390cadf81ec21dd81b941a87048f2ca0f62eb616d1eb67b5e3c7abe6a9eb29ce8aea40a67

          Download Submit

        • \Users\Admin\AppData\Local\sLKsq\eudcedit.exe
          Filesize

          128KB

          MD5

          cff7f28cc5ba69ca3bd61b638859c062

          SHA1

          372ed738ed7fe53280ed80decd688a01a772c911

          SHA256

          a1a6d39268bec44ecb5d4f2cf29c82e2e19fbb4e30243bd9c65410670a8058e3

          SHA512

          e361e7b39bd113b49705a9ab93ecf0bba391077ec27cc3444fc15788340bac054369a61f9b1f2572d4da690488f06822aabffcf4cff8fca6e50b9258c0b1a2d9

          Download Submit

        • memory/792-85-0x0000000000510000-0x0000000000517000-memory.dmp

          Filesize

          28KB

          Download

        • memory/792-87-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1084-70-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1084-67-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-33-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-24-0x00000000772D0000-0x00000000772D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1360-8-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-7-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-6-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-3-0x0000000077036000-0x0000000077037000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-10-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-13-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-22-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-4-0x0000000002B20000-0x0000000002B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-11-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-12-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-34-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1360-15-0x0000000002B00000-0x0000000002B07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1360-23-0x00000000772A0000-0x00000000772A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1360-73-0x0000000077036000-0x0000000077037000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-9-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2376-1-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2376-42-0x0000000140000000-0x000000014011B000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2376-0-0x0000000000420000-0x0000000000427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2736-50-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2736-55-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2736-52-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download