Overview

overview

10

Static

static

3

2f16358833...73.dll

windows7-x64

10

2f16358833...73.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073.dll

  • Size

    936KB

  • MD5

    bfcdafe69d90bd7023f8ad9a3010387e

  • SHA1

    7fa6a02a6a2ded8ec7146ea384f61c9fa0dd783d

  • SHA256

    2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073

  • SHA512

    1a5f3d120c40656d9b8d44f21afbe4841426ff12c0b72e9ef9f493e2c519ae430bd631e3da7cfe90afe8c50e6096215d4dc898044f66922123f210024f46082e

  • SSDEEP

    12288:DPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:DtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1660
  • C:\Windows\system32\rstrui.exe
    C:\Windows\system32\rstrui.exe
    1⤵
      PID:3820
    • C:\Users\Admin\AppData\Local\dgiyTA7h9\rstrui.exe
      C:\Users\Admin\AppData\Local\dgiyTA7h9\rstrui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2500
    • C:\Windows\system32\SysResetErr.exe
      C:\Windows\system32\SysResetErr.exe
      1⤵
        PID:1560
      • C:\Users\Admin\AppData\Local\XAJOQZw\SysResetErr.exe
        C:\Users\Admin\AppData\Local\XAJOQZw\SysResetErr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4484
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        1⤵
          PID:2384
        • C:\Users\Admin\AppData\Local\HA0Ci5\SndVol.exe
          C:\Users\Admin\AppData\Local\HA0Ci5\SndVol.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3824

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\HA0Ci5\SndVol.exe
          Filesize

          269KB

          MD5

          c5d939ac3f9d885c8355884199e36433

          SHA1

          b8f277549c23953e8683746e225e7af1c193ad70

          SHA256

          68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

          SHA512

          8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

          Download Submit

        • C:\Users\Admin\AppData\Local\HA0Ci5\UxTheme.dll
          Filesize

          940KB

          MD5

          eb566ac5cf3d9d196314f26a8eea6565

          SHA1

          dc1fbc26d02405a2701a3c3c1ef78eddfc90b0c6

          SHA256

          4f92a734fc8bf77c07e50540f2510ba88fe0bd1c8083d40783a609a656d47019

          SHA512

          5844508d7e4a8ca9f216789764fdc43cced4484c1c2c9af7ca059c95e745e7443b9c218868b45214cd5cadba6f560ff294b6f767bd75a84d3ea393cd8c905709

          Download Submit

        • C:\Users\Admin\AppData\Local\XAJOQZw\DUI70.dll
          Filesize

          1.2MB

          MD5

          27479c6bee579ee4e718bcd758b08f62

          SHA1

          68957ae5482a5029f85299cdbc041b37d08303af

          SHA256

          0a901b1311f2aab5619af350a11656f1a4b8d22bba84527a67a96a9c11bbcc04

          SHA512

          8a012bfa279c1d28368a92e4d8288f4e7e33df99148abf1624b6a19e957392d9147c2ed7f8bffae9da05b05d7ff4b1f984ae63a9ded45b682c68e588ffa0bf26

          Download Submit

        • C:\Users\Admin\AppData\Local\XAJOQZw\SysResetErr.exe
          Filesize

          41KB

          MD5

          090c6f458d61b7ddbdcfa54e761b8b57

          SHA1

          c5a93e9d6eca4c3842156cc0262933b334113864

          SHA256

          a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

          SHA512

          c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

          Download Submit

        • C:\Users\Admin\AppData\Local\dgiyTA7h9\SPP.dll
          Filesize

          940KB

          MD5

          2768ffb2d7f6d7e61877ae10a8d0a9d1

          SHA1

          00da6cde47f65c642a8631617912c6470a6fe9d6

          SHA256

          175e5e0173832d68cb20284367914af04427058e8b3c490ee470e4f6a82c3d19

          SHA512

          bd2d09a36dc18de8bc6d1245d0891974c7786d9490ee27a3e9f747f26a5a3aaadcad3bdc183615dbb25e3e6a383c0c55e95b2f44b67accc4102a1d9b708fa529

          Download Submit

        • C:\Users\Admin\AppData\Local\dgiyTA7h9\rstrui.exe
          Filesize

          268KB

          MD5

          4cad10846e93e85790865d5c0ab6ffd9

          SHA1

          8a223f4bab28afa4c7ed630f29325563c5dcda1a

          SHA256

          9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

          SHA512

          c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          e8e1722405d0962755035d89740b8d5b

          SHA1

          91b3d3cacb687afded533896b1ce4d89d7948fdb

          SHA256

          9271acdda8fd2d6cd641ca89639f0af48577154c1a5c30370c9ead6500b90b9c

          SHA512

          362a070d6b25b023fda27b7e3aeb6fad7a5a9bd903775ca95116337d0c604f06f37951dfab6d6c204ff2f2b6e9a324332fcbedf1b0776e09669d6f2f3c04e425

          Download Submit

        • memory/1660-1-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1660-37-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1660-0-0x00000229A1880000-0x00000229A1887000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2500-49-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2500-45-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2500-44-0x000001CBB6330000-0x000001CBB6337000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-12-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-11-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-7-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-6-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-34-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-10-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-23-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-24-0x00007FFA21FC0000-0x00007FFA21FD0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-25-0x00007FFA21FB0000-0x00007FFA21FC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-8-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-14-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-22-0x0000000000AA0000-0x0000000000AA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-13-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3432-4-0x0000000002510000-0x0000000002511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-3-0x00007FFA2109A000-0x00007FFA2109B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-9-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3824-80-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4484-65-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4484-61-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4484-60-0x000001F5694C0000-0x000001F5694C7000-memory.dmp

          Filesize

          28KB

          Download