Overview

overview

10

Static

static

3

b9ecfcc555...fN.dll

windows7-x64

10

b9ecfcc555...fN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9ecfcc555b3841fc24b5cb6c4a867e272ccfd9ab3e847dcea0a33f7da5de2cfN.dll

  • Size

    1.1MB

  • MD5

    a963e5563d9df9750d85194fad36f820

  • SHA1

    c9915fb3d1a2e116afdd1f72f4c33c24943c5978

  • SHA256

    b9ecfcc555b3841fc24b5cb6c4a867e272ccfd9ab3e847dcea0a33f7da5de2cf

  • SHA512

    b70b0d7dd65c59acf9609991bc3853926d06c557102a1a803007de42ce2efbc9291f587f1eac7ca91ab23b1f84be44f4403760397071406608bd349a17ee8eeb

  • SSDEEP

    12288:IGVNJAvuPFUl/faxmVlBLXKCgFfEK7JRLeHlX//ve77:Z3JAvRl/fKQKCgFfx4P/va7

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9ecfcc555b3841fc24b5cb6c4a867e272ccfd9ab3e847dcea0a33f7da5de2cfN.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2668
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    1⤵
      PID:2572
    • C:\Users\Admin\AppData\Local\slkxY\wbengine.exe
      C:\Users\Admin\AppData\Local\slkxY\wbengine.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1628
    • C:\Windows\system32\msdt.exe
      C:\Windows\system32\msdt.exe
      1⤵
        PID:2252
      • C:\Users\Admin\AppData\Local\cKR4rvUwK\msdt.exe
        C:\Users\Admin\AppData\Local\cKR4rvUwK\msdt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2200
      • C:\Windows\system32\rdpshell.exe
        C:\Windows\system32\rdpshell.exe
        1⤵
          PID:2288
        • C:\Users\Admin\AppData\Local\ENt\rdpshell.exe
          C:\Users\Admin\AppData\Local\ENt\rdpshell.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1900

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ENt\WINSTA.dll
          Filesize

          1.2MB

          MD5

          2246a6f01e0af8e6a52fb98505fb6c77

          SHA1

          aa474b2c1337b45d9716fa55aa5de99d15b16049

          SHA256

          7c2e22c943e7d62a439c6987be7bf05fc1e6f20af9729ce794f79799da982fe2

          SHA512

          5f0418c8b42945d205f757f4dee9cd39a8003fa2dc74b4455aa7d7bbd50652c6ebbf07f4a9392e37eb98a2b799a344ce98b6588575a7b3d4899c864e0807e90e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk
          Filesize

          1KB

          MD5

          4fc3dfbf200a8bc12993b869f15b7593

          SHA1

          f3ac4f16d2766981064f10dd900168e880487d6c

          SHA256

          3417c14b3162e3c3a490edc790f0f21f8bd6d66ed4567e237b9ec09105a99d80

          SHA512

          c9d203ea8c23efc9a5d22921b76d73a8e3499c879aff5e902e43388453d6f32179ee4c53a1e17a4b49222e340570166fdd00aad9e5b3bf7e47503a1458e2039c

          Download Submit

        • \Users\Admin\AppData\Local\ENt\rdpshell.exe
          Filesize

          292KB

          MD5

          a62dfcea3a58ba8fcf32f831f018fe3f

          SHA1

          75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

          SHA256

          f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

          SHA512

          9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

          Download Submit

        • \Users\Admin\AppData\Local\cKR4rvUwK\Secur32.dll
          Filesize

          1.1MB

          MD5

          3178b351336b9ae434455be19e87ecd8

          SHA1

          dab6f9d13dff086f54beea46450fbb40f4ddf321

          SHA256

          12cda58fb21fccd00053659873ec9c12343d47b3e206621c8f63f54023995779

          SHA512

          492592c21033f4ec185efc05e926e68a906ac864cc4a7230d1dfd64a60d5f11f3fd71b1e91c05b8c4c69e9334a9bbd27dfd0a9fcdd4ca0a41861b1bcf6138206

          Download Submit

        • \Users\Admin\AppData\Local\cKR4rvUwK\msdt.exe
          Filesize

          1.0MB

          MD5

          aecb7b09566b1f83f61d5a4b44ae9c7e

          SHA1

          3a4a2338c6b5ac833dc87497e04fe89c5481e289

          SHA256

          fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

          SHA512

          6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

          Download Submit

        • \Users\Admin\AppData\Local\slkxY\XmlLite.dll
          Filesize

          1.1MB

          MD5

          3a654d5c3f7ba17f740a121b3443d150

          SHA1

          52ec4e2ed7100f5493a1d0638d4034ca72a968f9

          SHA256

          40b67f634280f07bb995a9dacb483bf1dc35af7ef7407bdf317cc6774e42e076

          SHA512

          97f756c328669f337133367655eb4bb7f402a52c437082a19871a72d3dc655864e4af9656a4f00d43262473ca4c43c5f345a28438785d14240895b8fcc1cedc8

          Download Submit

        • \Users\Admin\AppData\Local\slkxY\wbengine.exe
          Filesize

          1.4MB

          MD5

          78f4e7f5c56cb9716238eb57da4b6a75

          SHA1

          98b0b9db6ec5961dbb274eff433a8bc21f7e557b

          SHA256

          46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

          SHA512

          1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

          Download Submit

        • memory/1208-15-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-37-0x00000000775C1000-0x00000000775C2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-12-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-36-0x0000000002F70000-0x0000000002F77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-35-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-28-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-27-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-26-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-24-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-23-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-22-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-21-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-20-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-19-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-18-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-17-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-16-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-118-0x00000000773B6000-0x00000000773B7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-14-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-13-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-25-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-4-0x00000000773B6000-0x00000000773B7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-38-0x0000000077720000-0x0000000077722000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-47-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-52-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-51-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-10-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-7-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-5-0x0000000002F90000-0x0000000002F91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-9-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1208-8-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1628-68-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1628-71-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1628-65-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1900-106-0x0000000140000000-0x0000000140127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1900-101-0x0000000140000000-0x0000000140127000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1900-100-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2200-88-0x0000000140000000-0x0000000140126000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2668-11-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2668-1-0x0000000140000000-0x0000000140125000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2668-0-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download