Overview

overview

10

Static

static

3

d3fa6fcc3a...ae.dll

windows7-x64

10

d3fa6fcc3a...ae.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-03-2024 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3fa6fcc3a459eecd5f814bd57b697ae.dll

  • Size

    1004KB

  • MD5

    d3fa6fcc3a459eecd5f814bd57b697ae

  • SHA1

    62d3d9e4786e08e375dd4b3129ffffa8a1094c3f

  • SHA256

    39c60c6c9f0757516684c5667be66d03e241ac56e792e570398e91781a85865e

  • SHA512

    f1e30751409d71eddb8a60eb6b7b51efa0d70671482a35a93a8b8d023cf76dd05eb259fc751d634e0a589b09c5a2ae5bcb8d995d5b35195bda35218c6e9ed5f3

  • SSDEEP

    12288:d6BBWGJW6eC85Df97+yXUj7SncCxj8iHGo59S1WQSCtEdFO7YKJf6:d6BQBjlc728jo7S1bl6FbK

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3fa6fcc3a459eecd5f814bd57b697ae.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2092
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    1⤵
      PID:2424
    • C:\Users\Admin\AppData\Local\qkoz\consent.exe
      C:\Users\Admin\AppData\Local\qkoz\consent.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2464
    • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      1⤵
        PID:596
      • C:\Users\Admin\AppData\Local\BRnU\SystemPropertiesDataExecutionPrevention.exe
        C:\Users\Admin\AppData\Local\BRnU\SystemPropertiesDataExecutionPrevention.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1060
      • C:\Windows\system32\rdpshell.exe
        C:\Windows\system32\rdpshell.exe
        1⤵
          PID:1032
        • C:\Users\Admin\AppData\Local\vWS9x0kp\rdpshell.exe
          C:\Users\Admin\AppData\Local\vWS9x0kp\rdpshell.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1976
        • C:\Windows\system32\msra.exe
          C:\Windows\system32\msra.exe
          1⤵
            PID:2888
          • C:\Users\Admin\AppData\Local\iza70\msra.exe
            C:\Users\Admin\AppData\Local\iza70\msra.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2476

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\BRnU\SYSDM.CPL
            Filesize

            1008KB

            MD5

            aa40042ad70cb1d092664e83ba4b53d5

            SHA1

            a06bfcf74ed238d8aacce166027da1204b061708

            SHA256

            38c95690e748a63fdbfbd5825df6a864463b67672ec4ad4a5a387027034dda7f

            SHA512

            7ad03adbc9454e3df67041477e629dd0f69e43de6b662c1a478db2d4046132aae9cd494f61058e44ae81b5ff663d777f8275d2b4bcc73af2e368d87ee98b39dc

            Download Submit

          • C:\Users\Admin\AppData\Local\BRnU\SystemPropertiesDataExecutionPrevention.exe
            Filesize

            80KB

            MD5

            e43ff7785fac643093b3b16a9300e133

            SHA1

            a30688e84c0b0a22669148fe87680b34fcca2fba

            SHA256

            c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

            SHA512

            61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

            Download Submit

          • C:\Users\Admin\AppData\Local\iza70\Secur32.dll
            Filesize

            1008KB

            MD5

            387884a63d6bda137d8b2059d92afe19

            SHA1

            8b0c69ddd27b4dd3ac9e1c758cd91d4a3a78d156

            SHA256

            f5506c91277486cc5cb33b050adf3f25e12528b27b6d81a75fd2a8393c9eb32d

            SHA512

            f483c5aaf38460c477a8e1ff01f37c0d58497dc6252dcabbdf831a4ec12ef255fda419895b9d29674e737f0a445b016cf5e1fa9c253f33b66e939713d1de4211

            Download Submit

          • C:\Users\Admin\AppData\Local\qkoz\WMsgAPI.dll
            Filesize

            1008KB

            MD5

            d4c8e5c30f4416bfa61d2f4e49d257c6

            SHA1

            5c00e2fe2f1d7df04a2674525755e91706bfeb87

            SHA256

            94357a797e69641d6e29cb9529f11138c47860ebfe5e73a6b7d7d9a1fa104a18

            SHA512

            17c997ab76a47b4069ea2d062fa4f0a31a5f29fa3ece68e3468ec4a9967310f4a20b751ed567da910b840c56077c1b5d9c0f59a3cd0d12b8a73e09a4863c2713

            Download Submit

          • C:\Users\Admin\AppData\Local\vWS9x0kp\WINSTA.dll
            Filesize

            960KB

            MD5

            a26dd397d54d06d2e9996f580f828ec3

            SHA1

            b73d5ed7ecb5266f1cc33b23f21294453f11da74

            SHA256

            c3d84a050965f7e8e946c2ec1ae3e793c3aaa93713af400e71e81ae6a0ea8123

            SHA512

            1496d4043597de92e71fb6e09527019fa803bd97b79aa23f9fdfc1a7f0bb49768cdcbbcc94e56208c71558d87f41d701377868f22277b8a79939631de70d2c7c

            Download Submit

          • C:\Users\Admin\AppData\Local\vWS9x0kp\rdpshell.exe
            Filesize

            292KB

            MD5

            a62dfcea3a58ba8fcf32f831f018fe3f

            SHA1

            75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

            SHA256

            f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

            SHA512

            9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hvvcxfz.lnk
            Filesize

            1KB

            MD5

            27c7c2a9770e711f00914cf8ab0204b4

            SHA1

            c8fddd90c62e39169e7ad1c98480c8f6c04c6131

            SHA256

            bc2393694cdba7f462762c09900548f4d436db92010d0a68d447a3adaccd326b

            SHA512

            d35adb0674adf699dc79a8c5188f3603ffa146904a162c45d984101f1527fa0d1057c79793db3640d41bb9c080427a1460215cf841cd99b0210fb1e2cc16633a

            Download Submit

          • \Users\Admin\AppData\Local\BRnU\SystemPropertiesDataExecutionPrevention.exe
            Filesize

            75KB

            MD5

            717a9779fcc73c10ac77546e64d20011

            SHA1

            c36e9826f46f3cd32032520724e448b5db940160

            SHA256

            6d3cd1ea5bfaa3e5040035525c9755e7b9de36bb746b109cb45e9b831921f8cb

            SHA512

            851eb655a251eed8f0e34932b21f9de46cc54053f699195b0c135eb90c6243c319ba2458327491f504f28c12937c7507e7fda576d9dd1cd8199799c7f2b7504f

            Download Submit

          • \Users\Admin\AppData\Local\iza70\msra.exe
            Filesize

            636KB

            MD5

            e79df53bad587e24b3cf965a5746c7b6

            SHA1

            87a97ec159a3fc1db211f3c2c62e4d60810e7a70

            SHA256

            4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

            SHA512

            9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

            Download Submit

          • \Users\Admin\AppData\Local\qkoz\consent.exe
            Filesize

            109KB

            MD5

            0b5511674394666e9d221f8681b2c2e6

            SHA1

            6e4e720dfc424a12383f0b8194e4477e3bc346dc

            SHA256

            ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

            SHA512

            00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

            Download Submit

          • \Users\Admin\AppData\Local\vWS9x0kp\WINSTA.dll
            Filesize

            896KB

            MD5

            34d008ac794a53f2b85267eaeddb31e6

            SHA1

            0d7b1d2e56855fdf361a6b7c27381600e87bc40c

            SHA256

            3f61f6d60c60a3c6dbd72cf218313d144365c9d5bac53db74b24a001aaf9484c

            SHA512

            e8bae5d2c3bfa4ae6d6ff326e308287ec4e902a021659d0c4900878331c89d0dadcf3f4ccafa2c528011d4fa14e0c9820f5126a237afcca8c11a6ac083ba8849

            Download Submit

          • memory/1060-81-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/1204-15-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-13-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-18-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-17-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-19-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-21-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-20-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-22-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-24-0x0000000002A00000-0x0000000002A07000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1204-23-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-31-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-32-0x00000000773F1000-0x00000000773F2000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1204-35-0x0000000077580000-0x0000000077582000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1204-4-0x00000000771E6000-0x00000000771E7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1204-40-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-38-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-5-0x0000000002A20000-0x0000000002A21000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1204-16-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-7-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-8-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-9-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-68-0x00000000771E6000-0x00000000771E7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1204-14-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-12-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-11-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1204-10-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/1976-93-0x0000000140000000-0x00000001400FD000-memory.dmp

            Filesize

            1012KB

            Download

          • memory/1976-95-0x0000000000260000-0x0000000000267000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2092-1-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/2092-41-0x0000000140000000-0x00000001400FB000-memory.dmp

            Filesize

            1004KB

            Download

          • memory/2092-0-0x0000000000280000-0x0000000000287000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2464-61-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/2464-57-0x00000000000E0000-0x00000000000E7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2464-55-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download

          • memory/2476-309-0x00000000000F0000-0x00000000000F7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2476-312-0x0000000140000000-0x00000001400FC000-memory.dmp

            Filesize

            1008KB

            Download