Overview

overview

10

Static

static

3

f3e5445bf8...6f.dll

windows7-x64

10

f3e5445bf8...6f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    10/03/2024, 12:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f3e5445bf8a1e7d8b66987427dc35f56c1f9e4b8510d5a57ca9639916a83bf6f.dll

  • Size

    744KB

  • MD5

    6879c63919a9ad0dc300ee03dae01390

  • SHA1

    6216e83b03304b73ce6ab635bb1fd37b47eb112f

  • SHA256

    f3e5445bf8a1e7d8b66987427dc35f56c1f9e4b8510d5a57ca9639916a83bf6f

  • SHA512

    d8095a00c8f87f1a6345580dfff6bc34e02d61cbc481ee4f0f90649dbaa5d5e4f4c729cc2ec9f26dba6c0ded505c5e9046b325431de69ca8b38b8faf08257c88

  • SSDEEP

    12288:iBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:O/nts0Q9K/0ooRQIxAk2wi0N/

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3e5445bf8a1e7d8b66987427dc35f56c1f9e4b8510d5a57ca9639916a83bf6f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2992
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    1⤵
      PID:2464
    • C:\Users\Admin\AppData\Local\BBUd6e\msra.exe
      C:\Users\Admin\AppData\Local\BBUd6e\msra.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2488
    • C:\Windows\system32\irftp.exe
      C:\Windows\system32\irftp.exe
      1⤵
        PID:2748
      • C:\Users\Admin\AppData\Local\myCzQBVK\irftp.exe
        C:\Users\Admin\AppData\Local\myCzQBVK\irftp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2640
      • C:\Windows\system32\rrinstaller.exe
        C:\Windows\system32\rrinstaller.exe
        1⤵
          PID:1844
        • C:\Users\Admin\AppData\Local\i2Aww\rrinstaller.exe
          C:\Users\Admin\AppData\Local\i2Aww\rrinstaller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2220

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\BBUd6e\Secur32.dll
                Filesize

                748KB

                MD5

                1142e169401b181a6e5f81a9082af140

                SHA1

                549c140a17257c26ca8e82109751bace40230c44

                SHA256

                98a357f4a776652bf2ab4e9d82f0996fabdd46d634bc67ebd57f070d93ce60bc

                SHA512

                a32b592b2325ead177cc6bf2f8454d0353ed45ec965c1014dc6d2d04e53562644b02b74d4e29f0a3d7da34b6bc14bb528b3c9f1ebf41d53b99ede34315fcef04

                Download Submit

              • C:\Users\Admin\AppData\Local\i2Aww\MFPlat.DLL
                Filesize

                752KB

                MD5

                2b6cb738db847064717c3d9742c0e2ab

                SHA1

                30f1e42e652b82aaf3b4141a88b50b314fd786f1

                SHA256

                230751d0cec18725c52df20a5a2b801ff7e9c63e31f6cd28b4ef749f1505dc97

                SHA512

                d48852acd622763a280e7b7f5efb64dbbcd1e4db12ef4d64e83c607658a7c1adfa3033cb0c64dc9a29a526b0505e28601685b9e5e77b4174a32f864554857926

                Download Submit

              • C:\Users\Admin\AppData\Local\i2Aww\rrinstaller.exe
                Filesize

                54KB

                MD5

                0d3a73b0b30252680b383532f1758649

                SHA1

                9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

                SHA256

                fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

                SHA512

                a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

                Download Submit

              • C:\Users\Admin\AppData\Local\myCzQBVK\WTSAPI32.dll
                Filesize

                748KB

                MD5

                89256f88e951a9af097e835390c11a08

                SHA1

                701638da5e3745218f533d23e8790e91812f4a3c

                SHA256

                04d3652eb4ca7dbe9c348a98a6f5cfcb8251ee3a010766f203d08d12db118c01

                SHA512

                91c7e1044e2da8fc242d546b6a14802333d8b6339c405146e4028941b22438d5dd4c263e1afaba5ea2af2fda0c12b160fbfb294b3f78d7af6476eeb1112d0b6e

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk
                Filesize

                1KB

                MD5

                8a240b9c6d702e4f171ba1b4ae5c4747

                SHA1

                3872e419b99b7824ca047f89b53ef9cbde170df4

                SHA256

                65bdc1c358dc4d06e20895365031fd30db66ab2224225251f000c55b788d21e2

                SHA512

                5e4c62e1b9737c7ef22b777c63f31ebdf2187027eced4504735860534c7b7289129f895244822bdbd58c0f9260ca05986abf7bd5b85266bb11fc046de4d9302e

                Download Submit

              • \Users\Admin\AppData\Local\BBUd6e\msra.exe
                Filesize

                636KB

                MD5

                e79df53bad587e24b3cf965a5746c7b6

                SHA1

                87a97ec159a3fc1db211f3c2c62e4d60810e7a70

                SHA256

                4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

                SHA512

                9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

                Download Submit

              • \Users\Admin\AppData\Local\myCzQBVK\irftp.exe
                Filesize

                192KB

                MD5

                0cae1fb725c56d260bfd6feba7ae9a75

                SHA1

                102ac676a1de3ec3d56401f8efd518c31c8b0b80

                SHA256

                312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

                SHA512

                db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

                Download Submit

              • memory/1088-11-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-7-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-21-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-20-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-19-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-33-0x0000000077AB0000-0x0000000077AB2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1088-32-0x0000000077A80000-0x0000000077A82000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1088-31-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-43-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-42-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-16-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-15-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-14-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-13-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-12-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-3-0x0000000077716000-0x0000000077717000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1088-10-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-9-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-8-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-23-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-6-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-4-0x00000000024B0000-0x00000000024B1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1088-24-0x0000000002490000-0x0000000002497000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1088-22-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-86-0x0000000077716000-0x0000000077717000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1088-17-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/1088-18-0x0000000140000000-0x00000001400BA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/2220-94-0x000007FEF6700000-0x000007FEF67BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/2220-96-0x0000000000100000-0x0000000000107000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2220-99-0x000007FEF6700000-0x000007FEF67BC000-memory.dmp

                Filesize

                752KB

                Download

              • memory/2488-64-0x000007FEF77B0000-0x000007FEF786B000-memory.dmp

                Filesize

                748KB

                Download

              • memory/2488-61-0x0000000000120000-0x0000000000127000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2488-59-0x000007FEF77B0000-0x000007FEF786B000-memory.dmp

                Filesize

                748KB

                Download

              • memory/2640-76-0x00000000002A0000-0x00000000002A7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2640-77-0x000007FEF65B0000-0x000007FEF666B000-memory.dmp

                Filesize

                748KB

                Download

              • memory/2640-81-0x000007FEF65B0000-0x000007FEF666B000-memory.dmp

                Filesize

                748KB

                Download

              • memory/2992-51-0x000007FEF76F0000-0x000007FEF77AA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/2992-0-0x0000000001CF0000-0x0000000001CF7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2992-1-0x000007FEF76F0000-0x000007FEF77AA000-memory.dmp

                Filesize

                744KB

                Download