Overview

overview

10

Static

static

3

2f16358833...73.dll

windows7-x64

10

2f16358833...73.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073.dll

  • Size

    936KB

  • MD5

    bfcdafe69d90bd7023f8ad9a3010387e

  • SHA1

    7fa6a02a6a2ded8ec7146ea384f61c9fa0dd783d

  • SHA256

    2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073

  • SHA512

    1a5f3d120c40656d9b8d44f21afbe4841426ff12c0b72e9ef9f493e2c519ae430bd631e3da7cfe90afe8c50e6096215d4dc898044f66922123f210024f46082e

  • SSDEEP

    12288:DPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:DtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2716
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe
    1⤵
      PID:2576
    • C:\Users\Admin\AppData\Local\z21JXr6\mmc.exe
      C:\Users\Admin\AppData\Local\z21JXr6\mmc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2656
    • C:\Windows\system32\rdpshell.exe
      C:\Windows\system32\rdpshell.exe
      1⤵
        PID:3008
      • C:\Users\Admin\AppData\Local\L9nxjw\rdpshell.exe
        C:\Users\Admin\AppData\Local\L9nxjw\rdpshell.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2980
      • C:\Windows\system32\TpmInit.exe
        C:\Windows\system32\TpmInit.exe
        1⤵
          PID:1224
        • C:\Users\Admin\AppData\Local\2BUEPwZKn\TpmInit.exe
          C:\Users\Admin\AppData\Local\2BUEPwZKn\TpmInit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:296

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2BUEPwZKn\TpmInit.exe
          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit

        • C:\Users\Admin\AppData\Local\L9nxjw\WINSTA.dll
          Filesize

          944KB

          MD5

          244fdff706147d09a04687a2d68296ad

          SHA1

          5fd13068e20a0f1e31be652185779f28b7f880a0

          SHA256

          de502de2784f5dc40c1511536169c560ce2a7f06a11a9aaacab73556c76ea873

          SHA512

          066357fdf9dfe650b06795cd80758ecbc9a3cde234686bf067c8aa3a482fab178e21184f061ae73c388c9e7abec17a4c9d46e6108763b0be03b039d3c3b77590

          Download Submit

        • C:\Users\Admin\AppData\Local\z21JXr6\mmc.exe
          Filesize

          2.0MB

          MD5

          9fea051a9585f2a303d55745b4bf63aa

          SHA1

          f5dc12d658402900a2b01af2f018d113619b96b8

          SHA256

          b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

          SHA512

          beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          7ad50792377b58c5627728dacaf2f67c

          SHA1

          5379504fe39f3643b45debdd0b976246e86c1e17

          SHA256

          39ad22310e64073ed021ef2a8284657107b92987c743b2949238784d4a22c44b

          SHA512

          fbd86795c01a374e6f85d73949347ba05e456dd91785840a05c017f756203bdd5aebf23c6c4038a2e2b4bb712bb0ca4cc1272de8901df117a03a49566253113c

          Download Submit

        • \Users\Admin\AppData\Local\2BUEPwZKn\Secur32.dll
          Filesize

          940KB

          MD5

          748f1c9f6bbc834a3051a2291ba5fe1b

          SHA1

          a57d11d0e0bec990292c871df3cd3183f11cc201

          SHA256

          030c0d7853cdbe957eebcd590fbdbf0cfdb24afc4e126737a239feaaac87a168

          SHA512

          0d6f7867f92c191af0e039238ed574229053312feec90dec437026c4032ac9765c00c7977082485aed26e6749a0675243236c6138ffc7450a776a76208d7691d

          Download Submit

        • \Users\Admin\AppData\Local\L9nxjw\rdpshell.exe
          Filesize

          292KB

          MD5

          a62dfcea3a58ba8fcf32f831f018fe3f

          SHA1

          75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

          SHA256

          f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

          SHA512

          9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

          Download Submit

        • \Users\Admin\AppData\Local\z21JXr6\DUser.dll
          Filesize

          940KB

          MD5

          ba10a65a07b09184bdf2d5a83864b7bb

          SHA1

          abd5a4bacd6d314cc7388fd932f5f85c4631db0d

          SHA256

          b9988d90ea1fc87a6557e57b32c56badd71e769977c1fa9cdfcbd8dca18d903b

          SHA512

          921dde25689742e37b63f7d4b736349b1570eb33512f2b620192f3bd3413030249a1c2fecaf06688efc833e89f910841e6e2e64230fa563bb7c0a0d161396dde

          Download Submit

        • memory/296-93-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1188-24-0x0000000077870000-0x0000000077872000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-23-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-12-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-11-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-10-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-8-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-13-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-25-0x00000000778A0000-0x00000000778A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-3-0x0000000077606000-0x0000000077607000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-34-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-35-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-4-0x0000000002560000-0x0000000002561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-44-0x0000000077606000-0x0000000077607000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-14-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-22-0x0000000002540000-0x0000000002547000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-6-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-7-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1188-9-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2656-56-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2656-53-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2656-52-0x0000000001C90000-0x0000000001C97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-43-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2716-0-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-1-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2980-75-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2980-73-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2980-78-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download