Overview

overview

10

Static

static

3

525e592cad...40.dll

windows7-x64

10

525e592cad...40.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    21s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    525e592cad025c414c14cee1bcbaeb3a3be1cd42390fc21ce7ef34e028824a40.dll

  • Size

    1.3MB

  • MD5

    f84b2da4a842d7b705d104df3ff1dfac

  • SHA1

    bab36606ed69758eb3dc898583529bb0f6d3b46f

  • SHA256

    525e592cad025c414c14cee1bcbaeb3a3be1cd42390fc21ce7ef34e028824a40

  • SHA512

    c91d9c63d5e95a1f2413a7236fc1c70a6d406c9b498740eb0d0fd25d1a568a17bef6bffd1ef724e2a553ebfc6f330fbbeda92ae837191e2d6967154ba957a7e7

  • SSDEEP

    12288:xXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:NB/Qn0rbD8UZUDtgIiemI51Mwtewkm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\525e592cad025c414c14cee1bcbaeb3a3be1cd42390fc21ce7ef34e028824a40.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2548
  • C:\Windows\system32\StikyNot.exe
    C:\Windows\system32\StikyNot.exe
    1⤵
      PID:2660
    • C:\Users\Admin\AppData\Local\Dw7n\StikyNot.exe
      C:\Users\Admin\AppData\Local\Dw7n\StikyNot.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2600
    • C:\Windows\system32\rrinstaller.exe
      C:\Windows\system32\rrinstaller.exe
      1⤵
        PID:2576
      • C:\Users\Admin\AppData\Local\eaxz\rrinstaller.exe
        C:\Users\Admin\AppData\Local\eaxz\rrinstaller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2272
      • C:\Windows\system32\rekeywiz.exe
        C:\Windows\system32\rekeywiz.exe
        1⤵
          PID:1504
        • C:\Users\Admin\AppData\Local\1bBvThvo\rekeywiz.exe
          C:\Users\Admin\AppData\Local\1bBvThvo\rekeywiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3040

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1bBvThvo\slc.dll
          Filesize

          1.3MB

          MD5

          4bf3ac9de7e8c851e362855952c6e96c

          SHA1

          55eacb07220a7069bb2c3caf7f2f828f56398e52

          SHA256

          4e3544489ba6a7387a13569d7b6af8627514a1c71faf2c0ea9db2845370ae444

          SHA512

          799092247081d00c98f6f6f1f7f9668f45ebecfbaa1e11cc6815414cfde88a33f115247f435907701a300188d5e2aa5ac580f93f91a02352d88b83628b139146

          Download Submit

        • C:\Users\Admin\AppData\Local\Dw7n\DUI70.dll
          Filesize

          1.5MB

          MD5

          80c88f6c5234431074b3f64610cf9244

          SHA1

          5190c7600c4c1976322c8a0c1fb488b929251143

          SHA256

          a279794790b994916fb9085612ce04a4af76a0b246f96929cf3d17c3f342acf6

          SHA512

          35a4e7719938d7befe78def3cb39a8a0f6a390431812f972ea7b09cf88b2c01bf114cba6e1b2cdf4b9356bd5b964fe45c4dc702268d04e156048b4265e7b5219

          Download Submit

        • C:\Users\Admin\AppData\Local\eaxz\MFPlat.DLL
          Filesize

          1.3MB

          MD5

          3032770230992890cc0ce4a8379f8d41

          SHA1

          7f93ab22c437a669a2d4c478bc28fcb24dbc0606

          SHA256

          ac3bf52af699f8db655fe373306ca0ef0d65d9f08c7e4fb72fca2827c809b0ad

          SHA512

          e923120b88e1ae052195409fc95803178b6e978c83e609e5c3cfe8d392abd7838e63dcc67b83ea8259a8f82383960e3c402e976629b305b85bd73c1c7ef1feea

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          046ec0fb2955d3891fc31cd8b87565b6

          SHA1

          04d9f4c64b3c14fb8aa745bd6fa70806adb94d56

          SHA256

          b52c2ec85cfb71c4790f628fc7eded250fa960562b442efa5ef39abc54a7ad90

          SHA512

          8b0ac2dda49276c7ae34b026da25f2bd292e62f59d4375b54a7ace677a32f6319434acf2985ac12ffee26a1d4245dcf3443a21f7c49b33e8aa2bd523c9f51752

          Download Submit

        • \Users\Admin\AppData\Local\1bBvThvo\rekeywiz.exe
          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit

        • \Users\Admin\AppData\Local\Dw7n\StikyNot.exe
          Filesize

          417KB

          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

          Download Submit

        • \Users\Admin\AppData\Local\eaxz\rrinstaller.exe
          Filesize

          54KB

          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit

        • memory/1212-10-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-40-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-18-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-28-0x0000000002500000-0x0000000002507000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1212-29-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-21-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-20-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-16-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-15-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-14-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-13-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-12-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-11-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-3-0x0000000076BD6000-0x0000000076BD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-9-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-30-0x0000000076F40000-0x0000000076F42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-31-0x0000000076F70000-0x0000000076F72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-17-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-42-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-4-0x00000000024F0000-0x00000000024F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-50-0x0000000076BD6000-0x0000000076BD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-19-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-8-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-7-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1212-6-0x0000000140000000-0x000000014014B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2272-75-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2272-76-0x000007FEF7290000-0x000007FEF73DD000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2272-80-0x000007FEF7290000-0x000007FEF73DD000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2548-49-0x000007FEF7270000-0x000007FEF73BB000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2548-1-0x000007FEF7270000-0x000007FEF73BB000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2548-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2600-63-0x000007FEF7390000-0x000007FEF750F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2600-59-0x000007FEF7390000-0x000007FEF750F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2600-58-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3040-92-0x000007FEF6500000-0x000007FEF664C000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3040-96-0x000007FEF6500000-0x000007FEF664C000-memory.dmp

          Filesize

          1.3MB

          Download