Overview

overview

10

Static

static

3

Trojan.Win...KN.dll

windows7-x64

10

Trojan.Win...KN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 17:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan.Win64.Dridex.AKN.dll

  • Size

    988KB

  • MD5

    faa52775467027ecef5464835e81dca0

  • SHA1

    7828dca05863145a3010264642e76ed54db422c1

  • SHA256

    31876c7c1c30dead73141dc79176c60ed2c28448ff7b233196841eef03df891a

  • SHA512

    8a45ee106468a7d634cf38b33168df6716f1f9dee47b70dbabb6e2abb225dee19c6fec9c7788f7a460297db947df2c5dd123e6577446c01ec317270aea2a2d95

  • SSDEEP

    12288:rw4UXJosZXoyOBTHE0wGxk8LyYB8OpFpG0JrbEvSdYmZbvnMEfI:LUolBrtw4k8LL8OpFpG0JXHZrf

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan.Win64.Dridex.AKN.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2100
  • C:\Windows\system32\VaultSysUi.exe
    C:\Windows\system32\VaultSysUi.exe
    1⤵
      PID:2640
    • C:\Users\Admin\AppData\Local\VV8DU\VaultSysUi.exe
      C:\Users\Admin\AppData\Local\VV8DU\VaultSysUi.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2632
    • C:\Windows\system32\rdpinit.exe
      C:\Windows\system32\rdpinit.exe
      1⤵
        PID:2324
      • C:\Users\Admin\AppData\Local\qZk\rdpinit.exe
        C:\Users\Admin\AppData\Local\qZk\rdpinit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1732
      • C:\Windows\system32\sigverif.exe
        C:\Windows\system32\sigverif.exe
        1⤵
          PID:1188
        • C:\Users\Admin\AppData\Local\XeMx\sigverif.exe
          C:\Users\Admin\AppData\Local\XeMx\sigverif.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1528

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\VV8DU\VaultSysUi.exe
          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

          Download Submit

        • C:\Users\Admin\AppData\Local\VV8DU\credui.dll
          Filesize

          992KB

          MD5

          2483c1e9d12b838bd953c3907a9815bf

          SHA1

          a06a0e29528c14070e98da3e2c27c004acffddec

          SHA256

          523b7369faaee7201eda6c3f59bec97a1829e2b78aa43b29027db5868f6a85e7

          SHA512

          6b7c158d1bbb57a36ddf0f25457f7b2bf2caab840361e62cf5c97a645ea72ad2a7feadefd8102172bb53e129e446f7de7e24dc54ffac65725b9c97d070a2b6b5

          Download Submit

        • C:\Users\Admin\AppData\Local\XeMx\VERSION.dll
          Filesize

          992KB

          MD5

          54e8879236772bdc10439ff3296128c4

          SHA1

          baff78c54b713b66e5779559de72b2799cb7ff62

          SHA256

          d5bb28524c1cee55e7391206ad43cd767b79551cec68dfadbfd62480d671f15e

          SHA512

          05952cd20b558b43aa740231da59cc2bc86af6b7998a75accad4e8903540f053adec91d019aebff859ab4bdac8b3f98282b0916e4203cf1a69fdd4a5344741b6

          Download Submit

        • C:\Users\Admin\AppData\Local\XeMx\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit

        • C:\Users\Admin\AppData\Local\qZk\WTSAPI32.dll
          Filesize

          992KB

          MD5

          e4e7bfa48cba34d7b08d0539b9e9a3dd

          SHA1

          b872970bc63f4f7ce5bb6e631e725078f69c8254

          SHA256

          0354a7a77b7c487fdd5eb08940b267a43548fc405d07128efa780696b51bd905

          SHA512

          8a6c3391fa922cd4c306ca87f28fd887a18cb381abed45a019735bb4295f58c8a458d8c2afd32bb6bc5561c71353b59a9896179abd7d5b3c030e18e3d8209a7c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          f717011a80b1e32dea73b06b9604c240

          SHA1

          15c31b2be042d208b11ae037f146a2a4fcca843a

          SHA256

          e9ee08c430e45663b89f2c9b95cce9e805189380ff9b0afc54152ed2c486d8bf

          SHA512

          d8a2d30518ef1bbc58345ae48e2c985f61e8e823aec2fa8fcd0a72d0db0f51da4be1e2bfee9b630fb647fe67a80014100572153a4eceef19ab549f6733fc2cb4

          Download Submit

        • \Users\Admin\AppData\Local\qZk\rdpinit.exe
          Filesize

          174KB

          MD5

          664e12e0ea009cc98c2b578ff4983c62

          SHA1

          27b302c0108851ac6cc37e56590dd9074b09c3c9

          SHA256

          00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

          SHA512

          f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

          Download Submit

        • memory/1192-13-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-46-0x0000000077886000-0x0000000077887000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-11-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-16-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-10-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-14-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-27-0x0000000077B20000-0x0000000077B22000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-26-0x0000000077AF0000-0x0000000077AF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-25-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-24-0x0000000002140000-0x0000000002147000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-15-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-3-0x0000000077886000-0x0000000077887000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-37-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-36-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-4-0x0000000002510000-0x0000000002511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-12-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-9-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-6-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-8-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1192-7-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1528-95-0x0000000140000000-0x00000001400F8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/1732-74-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1732-79-0x0000000140000000-0x00000001400F8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/2100-45-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2100-2-0x0000000000320000-0x0000000000327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2100-1-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2632-62-0x0000000140000000-0x00000001400F8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/2632-58-0x0000000140000000-0x00000001400F8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/2632-57-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download