Overview

overview

10

Static

static

3

29eee3b450...e5.dll

windows7-x64

10

29eee3b450...e5.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11/03/2024, 19:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    29eee3b4500a5c9457694d4fc1a3446fb4258a700b17a7644cc2f889a69b39e5.dll

  • Size

    784KB

  • MD5

    dbaf5690708350d89f49bca1d793e356

  • SHA1

    86318665e723971f0b079e442c40deb76dc5569b

  • SHA256

    29eee3b4500a5c9457694d4fc1a3446fb4258a700b17a7644cc2f889a69b39e5

  • SHA512

    a7feb14efdf0aa13b497cbe4675564e5e6ca9a9e955cb2ee229356e5da037a8faa0e93d7da4b07fc6dadb8239b2427c429d05a480475fdfa87782d46f5a2df13

  • SSDEEP

    12288:QBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:8/nts0Q9K/0ooRQIxAk2wi0N/

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\29eee3b4500a5c9457694d4fc1a3446fb4258a700b17a7644cc2f889a69b39e5.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2868
  • C:\Windows\system32\RDVGHelper.exe
    C:\Windows\system32\RDVGHelper.exe
    1⤵
      PID:2476
    • C:\Users\Admin\AppData\Local\OIBIF5R\RDVGHelper.exe
      C:\Users\Admin\AppData\Local\OIBIF5R\RDVGHelper.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2592
    • C:\Windows\system32\SystemPropertiesAdvanced.exe
      C:\Windows\system32\SystemPropertiesAdvanced.exe
      1⤵
        PID:2128
      • C:\Users\Admin\AppData\Local\DvL\SystemPropertiesAdvanced.exe
        C:\Users\Admin\AppData\Local\DvL\SystemPropertiesAdvanced.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2892
      • C:\Windows\system32\wusa.exe
        C:\Windows\system32\wusa.exe
        1⤵
          PID:2744
        • C:\Users\Admin\AppData\Local\AYy2Cdx\wusa.exe
          C:\Users\Admin\AppData\Local\AYy2Cdx\wusa.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:804

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\AYy2Cdx\WTSAPI32.dll
                Filesize

                788KB

                MD5

                75e1c2d95e426bece7bce279814de342

                SHA1

                0ae8b2c85c5edb5ed11df4656c010a32f9bed3a1

                SHA256

                e3828f4fafe9ca5d1a291890a3939940cfe286577f1b987435381c7c51782b59

                SHA512

                84fd98289a68d0f975f5d22590a9f64cb05f845d1f8e081900d1028d5b1a97ea613906a22bd09e906851f9047b3e0b73be1a16ff36bcec942ce465b70be155f6

                Download Submit

              • C:\Users\Admin\AppData\Local\DvL\SYSDM.CPL
                Filesize

                788KB

                MD5

                08f982e5a872b7eca51d37b209ee4996

                SHA1

                85a50298fa7482e035ecc48301e117ed6728cb09

                SHA256

                6af84cfb6907699acd8e8962061efe2d8131c2267e1faefb5e2de994bad0ab85

                SHA512

                28b897f2d2adc9e8b557e1f512f673a0631d4496acd3a8181cf3547d95157273cce43c63a37d831573b9a350354bd503b61f1a67a4f9a78260cbd65c5becdaee

                Download Submit

              • C:\Users\Admin\AppData\Local\OIBIF5R\RDVGHelper.exe
                Filesize

                93KB

                MD5

                53fda4af81e7c4895357a50e848b7cfe

                SHA1

                01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

                SHA256

                62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

                SHA512

                dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

                Download Submit

              • C:\Users\Admin\AppData\Local\OIBIF5R\WTSAPI32.dll
                Filesize

                788KB

                MD5

                1f165c02c1429f8918fcd68407ec132a

                SHA1

                4c40d0e850f355c27f0354d525984977ed8cc24f

                SHA256

                d5d69f3bcb1722d965d28681c860937399537d79546780258c5376320a16687f

                SHA512

                b3c3bfe6c08948c9d5630448cf2caab0437c8ec5a0bb40eb2b981adba6b035f956d9ad4c995baec89c5953b2a95fe06e9ade982f088706287bd75e749fbc7084

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tkjddllshxzvy.lnk
                Filesize

                1KB

                MD5

                c61c97d17b9ecb33931dc8cd0c90fcdf

                SHA1

                e16ee00f775f4fc418db7ebcf58081963d3698eb

                SHA256

                763473608d4738cf9b20cf80330580b980b6e5785699707a523b878bd3642187

                SHA512

                4c59ec70110cffe5a9da74bee52908ec1cac512100f82991aca87cda8e090eebd8459154a6a6db4e7bc067de3743395a45b9b46b0958dd29bb8135b0dee0fc74

                Download Submit

              • \Users\Admin\AppData\Local\AYy2Cdx\wusa.exe
                Filesize

                300KB

                MD5

                c15b3d813f4382ade98f1892350f21c7

                SHA1

                a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

                SHA256

                8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

                SHA512

                6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

                Download Submit

              • \Users\Admin\AppData\Local\DvL\SystemPropertiesAdvanced.exe
                Filesize

                80KB

                MD5

                25dc1e599591871c074a68708206e734

                SHA1

                27a9dffa92d979d39c07d889fada536c062dac77

                SHA256

                a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

                SHA512

                f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

                Download Submit

              • memory/804-99-0x0000000000200000-0x0000000000207000-memory.dmp

                Filesize

                28KB

                Download

              • memory/804-102-0x000007FEF6960000-0x000007FEF6A25000-memory.dmp

                Filesize

                788KB

                Download

              • memory/804-97-0x000007FEF6960000-0x000007FEF6A25000-memory.dmp

                Filesize

                788KB

                Download

              • memory/1176-10-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-46-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-21-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-20-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-19-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-17-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-16-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-15-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-14-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-36-0x0000000077A00000-0x0000000077A02000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1176-35-0x00000000779D0000-0x00000000779D2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1176-34-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-13-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-12-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-3-0x0000000077666000-0x0000000077667000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1176-9-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-8-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-7-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-6-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-23-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-45-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-4-0x0000000002A70000-0x0000000002A71000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1176-24-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-25-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-11-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-18-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-22-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-33-0x0000000002A50000-0x0000000002A57000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1176-26-0x0000000140000000-0x00000001400C4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/1176-89-0x0000000077666000-0x0000000077667000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2592-67-0x000007FEF7AA0000-0x000007FEF7B65000-memory.dmp

                Filesize

                788KB

                Download

              • memory/2592-64-0x0000000000100000-0x0000000000107000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2592-62-0x000007FEF7AA0000-0x000007FEF7B65000-memory.dmp

                Filesize

                788KB

                Download

              • memory/2868-54-0x000007FEF6FF0000-0x000007FEF70B4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/2868-1-0x0000000000290000-0x0000000000297000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2868-0-0x000007FEF6FF0000-0x000007FEF70B4000-memory.dmp

                Filesize

                784KB

                Download

              • memory/2892-84-0x000007FEF7AA0000-0x000007FEF7B65000-memory.dmp

                Filesize

                788KB

                Download

              • memory/2892-80-0x0000000000180000-0x0000000000187000-memory.dmp

                Filesize

                28KB

                Download