Overview

overview

10

Static

static

3

2f16358833...73.dll

windows7-x64

10

2f16358833...73.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 02:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073.dll

  • Size

    936KB

  • MD5

    bfcdafe69d90bd7023f8ad9a3010387e

  • SHA1

    7fa6a02a6a2ded8ec7146ea384f61c9fa0dd783d

  • SHA256

    2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073

  • SHA512

    1a5f3d120c40656d9b8d44f21afbe4841426ff12c0b72e9ef9f493e2c519ae430bd631e3da7cfe90afe8c50e6096215d4dc898044f66922123f210024f46082e

  • SSDEEP

    12288:DPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:DtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f16358833b2414eeec6ca8512176982cb9ee1797ea131039e21bc187989e073.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3464
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:3220
    • C:\Users\Admin\AppData\Local\0Jjsmdp\slui.exe
      C:\Users\Admin\AppData\Local\0Jjsmdp\slui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3116
    • C:\Windows\system32\wextract.exe
      C:\Windows\system32\wextract.exe
      1⤵
        PID:2316
      • C:\Users\Admin\AppData\Local\FHiPrXxC\wextract.exe
        C:\Users\Admin\AppData\Local\FHiPrXxC\wextract.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3108
      • C:\Windows\system32\phoneactivate.exe
        C:\Windows\system32\phoneactivate.exe
        1⤵
          PID:2192
        • C:\Users\Admin\AppData\Local\nfMLM\phoneactivate.exe
          C:\Users\Admin\AppData\Local\nfMLM\phoneactivate.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4636

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0Jjsmdp\SLC.dll
          Filesize

          940KB

          MD5

          f429f758c9abacba5ab2886f75d5f707

          SHA1

          b46f067ea664c392e6b6c0b38d309435a26cee5f

          SHA256

          5acab9d2b991c9fbea87798a5a3c1dcfd53c42d3916acd48d5430e64300be42e

          SHA512

          8cb2c399f16d7721c449ac709425fdf32dc0c7a9554992613a6f165998e6b93b7f9f17f5508aa5fcfdd0dd1d897130a73649159a6bb95a7bc3826f865ed2922f

          Download Submit

        • C:\Users\Admin\AppData\Local\0Jjsmdp\slui.exe
          Filesize

          534KB

          MD5

          eb725ea35a13dc18eac46aa81e7f2841

          SHA1

          c0b3304c970324952e18c4a51073e3bdec73440b

          SHA256

          25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

          SHA512

          39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

          Download Submit

        • C:\Users\Admin\AppData\Local\FHiPrXxC\VERSION.dll
          Filesize

          940KB

          MD5

          e782ec7ad94372190591feff6a990bda

          SHA1

          4a4201c0789ac649e3a241f2824fe6524389fa2a

          SHA256

          fc02035da7c826126fa95d11f7a5d772c4b842794f711b6aa2cd86a8282ad89a

          SHA512

          5db9c0363b59e913bb075acce90f4cf49074f33fc32a679a0af358338b0ed1202a13ed49afde06703e3426dafb22cd23a3879eaef8be0e4e4b1d5d568546ba4d

          Download Submit

        • C:\Users\Admin\AppData\Local\FHiPrXxC\wextract.exe
          Filesize

          143KB

          MD5

          56e501e3e49cfde55eb1caabe6913e45

          SHA1

          ab2399cbf17dbee7b302bea49e40d4cee7caea76

          SHA256

          fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

          SHA512

          2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

          Download Submit

        • C:\Users\Admin\AppData\Local\nfMLM\SLC.dll
          Filesize

          940KB

          MD5

          bd8491f6f413ca3c629f69f8d5fe6f9a

          SHA1

          1b86e44ee25f6be1abc116602f563d579f5ac887

          SHA256

          571b690a474686d07ef6750b7e3583b867a6617177cc611ce2e80cc0b6cd26dc

          SHA512

          dfeb29817beb1a3577516c9b590f64e13084acbe2bff87052ca2a8e5fd0bd67fded7d056d831ff48078f3eb31b1460f7e9871b090aaa86055cf341a5c2b8d633

          Download Submit

        • C:\Users\Admin\AppData\Local\nfMLM\phoneactivate.exe
          Filesize

          107KB

          MD5

          32c31f06e0b68f349f68afdd08e45f3d

          SHA1

          e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

          SHA256

          cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

          SHA512

          fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          dbe282f009ebd26d01d47cfa00b967ee

          SHA1

          686b17b963b25d045216cd56b918915a03cf87a4

          SHA256

          04cca09f56256c9d2d0a3499f3bcc6d94a1ae4db49f8315925734c34e7fd1808

          SHA512

          ab08eb634774c3a35ba5752961cf8950842af2c6504c996d1f0435f4425065a8c7993b6d78ce75a951d58324dd2058a2c8adbc98f57bc565c701a1face0fa313

          Download Submit

        • memory/3108-65-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3108-62-0x000001A5825F0000-0x000001A5825F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3116-49-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3116-45-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3116-44-0x000001CE9F410000-0x000001CE9F417000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-12-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-9-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-34-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-25-0x00007FFC9E1D0000-0x00007FFC9E1E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-24-0x00007FFC9E1E0000-0x00007FFC9E1F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-6-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-5-0x00007FFC9D4DA000-0x00007FFC9D4DB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-7-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-8-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-23-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-10-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-3-0x0000000002720000-0x0000000002721000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-14-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-22-0x0000000000800000-0x0000000000807000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-13-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3436-11-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3464-0-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3464-37-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3464-2-0x0000017394310000-0x0000017394317000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4636-80-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download