Overview

overview

10

Static

static

3

72e1aadf72...0N.dll

windows7-x64

10

72e1aadf72...0N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    05/08/2024, 09:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    72e1aadf72bbcfb50588b5878a6ad6c0N.dll

  • Size

    1.2MB

  • MD5

    72e1aadf72bbcfb50588b5878a6ad6c0

  • SHA1

    4094dc12ead34082dcf9a3d0bbe2464cfc72c8b9

  • SHA256

    9d79d18b0cfd87341dd03d51ba23ed13914c3d15e3fdae4fd9aedb6b0bebc08b

  • SHA512

    74933b8fbd6a01925a193a3641aae3cb135fc7352d9c1d5e842f836b9b4880971c4639dfa14c1b56ff3fed5bc3b1d364e67792c6922f526ce604c468d229f193

  • SSDEEP

    24576:CTEqOo6qzOst9D9GDeIwvXKgMuJS0WQKz:5lqzYDeIwtT80

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\72e1aadf72bbcfb50588b5878a6ad6c0N.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1728
  • C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe
    1⤵
      PID:2692
    • C:\Users\Admin\AppData\Local\lW6\Dxpserver.exe
      C:\Users\Admin\AppData\Local\lW6\Dxpserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2628
    • C:\Windows\system32\perfmon.exe
      C:\Windows\system32\perfmon.exe
      1⤵
        PID:2920
      • C:\Users\Admin\AppData\Local\0Yfi\perfmon.exe
        C:\Users\Admin\AppData\Local\0Yfi\perfmon.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2772
      • C:\Windows\system32\DeviceDisplayObjectProvider.exe
        C:\Windows\system32\DeviceDisplayObjectProvider.exe
        1⤵
          PID:2108
        • C:\Users\Admin\AppData\Local\G4XMLZMLY\DeviceDisplayObjectProvider.exe
          C:\Users\Admin\AppData\Local\G4XMLZMLY\DeviceDisplayObjectProvider.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2948

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\0Yfi\Secur32.dll
                Filesize

                1.2MB

                MD5

                2bafeb926e383c3162104d46d36e2813

                SHA1

                77871b855d2d66b03e36d2222720312383fea226

                SHA256

                f0eeb42562f89e2458410022a40cb69fd97aef5354a8cf3e63c73072261682b7

                SHA512

                3d9d88ec489633c4313163dbf1bd2282f94ec391c5fa68a486b6ea8122dcd308cc0c10342f8aac12362f8502a4c691deae64d6ce00a5e925da28da4112f864f7

                Download Submit

              • C:\Users\Admin\AppData\Local\0Yfi\perfmon.exe
                Filesize

                168KB

                MD5

                3eb98cff1c242167df5fdbc6441ce3c5

                SHA1

                730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

                SHA256

                6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

                SHA512

                f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

                Download Submit

              • C:\Users\Admin\AppData\Local\G4XMLZMLY\DeviceDisplayObjectProvider.exe
                Filesize

                109KB

                MD5

                7e2eb3a4ae11190ef4c8a9b9a9123234

                SHA1

                72e98687a8d28614e2131c300403c2822856e865

                SHA256

                8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

                SHA512

                18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

                Download Submit

              • C:\Users\Admin\AppData\Local\G4XMLZMLY\XmlLite.dll
                Filesize

                1.2MB

                MD5

                6f191f76d475998ffda8357b1ef7ac3d

                SHA1

                481d3180c5f4099b1a51267e82e827f14bf0eb17

                SHA256

                6e766b170024417a576d0193c62404cc1acb2a3e71436c78e2698692659ce463

                SHA512

                010d20fc792161f2b0ae4c529ecf9803c77364a0de8428a8cf8977e29204c367cb1b80ccabcc9aa7a40c790aef50b4ad575f446febfb2c6aa37058d1ebca7b06

                Download Submit

              • C:\Users\Admin\AppData\Local\lW6\dwmapi.dll
                Filesize

                1.2MB

                MD5

                fb1c38a327736ddea076ee89d706440e

                SHA1

                e2cf235ff99a11ebc01b40a23fb59f9e622bfad2

                SHA256

                78467d1ec5b9e6d9ff52fd0583fee723e83e022eb2ae8d03bf5096b96ecc3a3b

                SHA512

                d07c04ca94ca0f5fd434c2f76fde2e7702f02790c403c4ff17f6cb0b902de97237231b1b503dac33eb1de34dc2c0cd131a36afce576d5e4d64d09815c412ea85

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
                Filesize

                1KB

                MD5

                90934e0928668720b9e2d6e50cee3cd3

                SHA1

                63a185c757a9cba0fd9d20f706606a72e720afc5

                SHA256

                b1f857c8f0387c8a7e0e4138f2675d4f39fb7f997791ca41f150ea60172371eb

                SHA512

                5937e1845604bc4d8c91f01a16d2f40df2a4620a4c075608196146f83c5eab059d642d95c599556e3a29def7387b432059f983eb227e969981ed912e729bb4fb

                Download Submit

              • \Users\Admin\AppData\Local\lW6\Dxpserver.exe
                Filesize

                259KB

                MD5

                4d38389fb92e43c77a524fd96dbafd21

                SHA1

                08014e52f6894cad4f1d1e6fc1a703732e9acd19

                SHA256

                070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

                SHA512

                02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

                Download Submit

              • memory/1204-15-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-31-0x0000000077610000-0x0000000077612000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1204-20-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-10-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-9-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-7-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-29-0x0000000002940000-0x0000000002947000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1204-30-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-21-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-19-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-18-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-17-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-16-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-3-0x00000000772A6000-0x00000000772A7000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1204-14-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-13-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-32-0x0000000077640000-0x0000000077642000-memory.dmp

                Filesize

                8KB

                Download

              • memory/1204-11-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-42-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-43-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-4-0x0000000002960000-0x0000000002961000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1204-22-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-12-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-75-0x00000000772A6000-0x00000000772A7000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1204-6-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1204-8-0x0000000140000000-0x0000000140132000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1728-50-0x000007FEF6530000-0x000007FEF6662000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1728-0-0x000007FEF6530000-0x000007FEF6662000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/1728-2-0x0000000000190000-0x0000000000197000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2628-60-0x0000000000100000-0x0000000000107000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2628-63-0x000007FEF6530000-0x000007FEF6663000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2628-58-0x000007FEF6530000-0x000007FEF6663000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2772-76-0x0000000000110000-0x0000000000117000-memory.dmp

                Filesize

                28KB

                Download

              • memory/2772-77-0x000007FEF6060000-0x000007FEF6193000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2772-81-0x000007FEF6060000-0x000007FEF6193000-memory.dmp

                Filesize

                1.2MB

                Download

              • memory/2948-97-0x000007FEF6060000-0x000007FEF6193000-memory.dmp

                Filesize

                1.2MB

                Download