Overview

overview

10

Static

static

3

b7145f389f...4c.dll

windows7-x64

10

b7145f389f...4c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7145f389fc79052d20e54ce49b5b51194dccd385e08850eb11dc068d6ba6e4c.dll

  • Size

    940KB

  • MD5

    6767a3a501338fa1e0d20387797baa25

  • SHA1

    3b3b1b8514899ce981e091b1f10c5981e2276e39

  • SHA256

    b7145f389fc79052d20e54ce49b5b51194dccd385e08850eb11dc068d6ba6e4c

  • SHA512

    8571d5e0b210cac49012909d6e326b5bfd47718f115d63c23f540ff79a9d32f7bb1ada10d5b65248d99a7789eadbd4db823fe40dfffbbdc4af6c67affe431118

  • SSDEEP

    12288:YPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:YtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7145f389fc79052d20e54ce49b5b51194dccd385e08850eb11dc068d6ba6e4c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4596
  • C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe
    1⤵
      PID:2260
    • C:\Users\Admin\AppData\Local\0snzvPXv\DevicePairingWizard.exe
      C:\Users\Admin\AppData\Local\0snzvPXv\DevicePairingWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4964
    • C:\Windows\system32\RdpSa.exe
      C:\Windows\system32\RdpSa.exe
      1⤵
        PID:2100
      • C:\Users\Admin\AppData\Local\ArMDxmwv\RdpSa.exe
        C:\Users\Admin\AppData\Local\ArMDxmwv\RdpSa.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4040
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        1⤵
          PID:1240
        • C:\Users\Admin\AppData\Local\Dvz5tV\wermgr.exe
          C:\Users\Admin\AppData\Local\Dvz5tV\wermgr.exe
          1⤵
          • Executes dropped EXE
          PID:376
        • C:\Windows\system32\shrpubw.exe
          C:\Windows\system32\shrpubw.exe
          1⤵
            PID:1012
          • C:\Users\Admin\AppData\Local\gANo6S\shrpubw.exe
            C:\Users\Admin\AppData\Local\gANo6S\shrpubw.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4872

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\0snzvPXv\DevicePairingWizard.exe
            Filesize

            93KB

            MD5

            d0e40a5a0c7dad2d6e5040d7fbc37533

            SHA1

            b0eabbd37a97a1abcd90bd56394f5c45585699eb

            SHA256

            2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

            SHA512

            1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

            Download Submit

          • C:\Users\Admin\AppData\Local\0snzvPXv\MFC42u.dll
            Filesize

            968KB

            MD5

            39f2629404ceea8c7336d6e2e326e171

            SHA1

            90c97c2a9f15ee6e68b24f8bd89fb09777763edf

            SHA256

            82fde1e07009eb4090f28ec8ec36eeca5c4c888298906765dd8001d6c6207481

            SHA512

            e7c91fb28cefd03ef10371290dbdaa058eddc5a83abb92bcacec48117e96d73b5ff49d22636875c606ad6e087a3953307baa22d0f295a332af25fcb9b44e909d

            Download Submit

          • C:\Users\Admin\AppData\Local\ArMDxmwv\RdpSa.exe
            Filesize

            56KB

            MD5

            5992f5b5d0b296b83877da15b54dd1b4

            SHA1

            0d87be8d4b7aeada4b55d1d05c0539df892f8f82

            SHA256

            32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

            SHA512

            4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

            Download Submit

          • C:\Users\Admin\AppData\Local\ArMDxmwv\WINSTA.dll
            Filesize

            948KB

            MD5

            ad7929068d34d50a583a23fc5ea66676

            SHA1

            ad5032fb26e84af1de66b14f4c200c7bd0429a1f

            SHA256

            84f237ec9e58472a87bdd293376f348fb85727b0da176602c3ec6e08ea936ad1

            SHA512

            fce0862da78eb9e0d93eb08c2dccbcb6ee5816e58e4cca7d40c3d1965eccc79b993f68b78c6d16ac9af29b1df63b0232b76c9730205ea6d711584c2d436a5f4f

            Download Submit

          • C:\Users\Admin\AppData\Local\Dvz5tV\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\gANo6S\shrpubw.exe
            Filesize

            59KB

            MD5

            9910d5c62428ec5f92b04abf9428eec9

            SHA1

            05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

            SHA256

            6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

            SHA512

            01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

            Download Submit

          • C:\Users\Admin\AppData\Local\gANo6S\srvcli.dll
            Filesize

            944KB

            MD5

            019c2bfeb5e6f9ac8c10a723bd2a2e75

            SHA1

            4b3b863c5d18b95ccc6c1fd5d3befbbbb96e87c2

            SHA256

            6fefc4acb5158494a68d2566b6c6cfa70ecc9856dbb7ce2bdb9b1a4630f8c9ef

            SHA512

            8f9f1e2e57ddf60ce9da6cb6afdcd01c9e06c673bf967b476d7e2507347413962910fe59cb0550eb274c7eb8e409095b66f2f8b2be1cb6a593db39eabacf62c0

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk
            Filesize

            1KB

            MD5

            eacd1977499f2fc0def6d88cf84764e5

            SHA1

            d248b859b82bfb01f0223ab88819884386d5ab33

            SHA256

            198fc83e0164cb4bb735e89e76fcef6e9e528e64d7e0e759e30a0a9606c70be7

            SHA512

            1c5b89ebc66b789e31a3bc016fbff515d613d222abb40f398f897ee10b66c3ef60ff45da81bfbb1884ce55a6cd014d8d8b420377b121e8848e999f51b2cf0d0f

            Download Submit

          • memory/3412-35-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-15-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-26-0x00007FFC8C910000-0x00007FFC8C920000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3412-25-0x00007FFC8C920000-0x00007FFC8C930000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3412-24-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-11-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-9-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-8-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-7-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-6-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-4-0x00007FFC8C5BA000-0x00007FFC8C5BB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3412-3-0x0000000002C10000-0x0000000002C11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3412-13-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-12-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-10-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-14-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/3412-23-0x0000000000CB0000-0x0000000000CB7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4040-61-0x0000020485950000-0x0000020485957000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4040-62-0x0000000140000000-0x00000001400ED000-memory.dmp

            Filesize

            948KB

            Download

          • memory/4040-66-0x0000000140000000-0x00000001400ED000-memory.dmp

            Filesize

            948KB

            Download

          • memory/4596-38-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/4596-0-0x00000210A54B0000-0x00000210A54B7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4596-2-0x0000000140000000-0x00000001400EB000-memory.dmp

            Filesize

            940KB

            Download

          • memory/4872-85-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/4872-89-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/4964-50-0x0000000140000000-0x00000001400F2000-memory.dmp

            Filesize

            968KB

            Download

          • memory/4964-46-0x0000000140000000-0x00000001400F2000-memory.dmp

            Filesize

            968KB

            Download

          • memory/4964-45-0x0000026F599B0000-0x0000026F599B7000-memory.dmp

            Filesize

            28KB

            Download