Overview

overview

10

Static

static

3

1a8536a5bb...20.dll

windows7-x64

10

1a8536a5bb...20.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1a8536a5bb678f5273e7995d810ef105a82d062219e09a7b6f4b632e2532b020.dll

  • Size

    940KB

  • MD5

    a0cb297fd3181bda59066db2281fb496

  • SHA1

    7ba6d4a54cd899bf575da748def486be7dffc70d

  • SHA256

    1a8536a5bb678f5273e7995d810ef105a82d062219e09a7b6f4b632e2532b020

  • SHA512

    3ace28434cf67dcda52b3f6f7bacf03f97e92d76e4d0b69f9e3759c50f0b236f0e673b396a2b255706864bf25409212eafde50ac6374155f2c15c856bcd87390

  • SSDEEP

    12288:YPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:YtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a8536a5bb678f5273e7995d810ef105a82d062219e09a7b6f4b632e2532b020.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4128
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:3280
    • C:\Users\Admin\AppData\Local\GXa\slui.exe
      C:\Users\Admin\AppData\Local\GXa\slui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3156
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:1980
      • C:\Users\Admin\AppData\Local\KlD\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\KlD\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4404
      • C:\Windows\system32\ApplicationFrameHost.exe
        C:\Windows\system32\ApplicationFrameHost.exe
        1⤵
          PID:4556
        • C:\Users\Admin\AppData\Local\KCUwsKI\ApplicationFrameHost.exe
          C:\Users\Admin\AppData\Local\KCUwsKI\ApplicationFrameHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1096

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GXa\SLC.dll
          Filesize

          944KB

          MD5

          509aa5b6143c8e1b6d644d36768ddfcc

          SHA1

          914ab2a56be62b0e8a358b84859ba82939b6b350

          SHA256

          424cdcad2aafc57f9004d7efcf796cd349a6b59eee8cfdda47613593709132ca

          SHA512

          f15f453107658b44ca81c2418a59c6b8f1a17e8c34cdcde86835854d65897d3f507be2303492ce4c43021576b7eaf9a387dc832b982078f7b77268fd1b62d786

          Download Submit

        • C:\Users\Admin\AppData\Local\GXa\slui.exe
          Filesize

          534KB

          MD5

          eb725ea35a13dc18eac46aa81e7f2841

          SHA1

          c0b3304c970324952e18c4a51073e3bdec73440b

          SHA256

          25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

          SHA512

          39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

          Download Submit

        • C:\Users\Admin\AppData\Local\KCUwsKI\ApplicationFrameHost.exe
          Filesize

          76KB

          MD5

          d58a8a987a8dafad9dc32a548cc061e7

          SHA1

          f79fc9e0ab066cad530b949c2153c532a5223156

          SHA256

          cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

          SHA512

          93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

          Download Submit

        • C:\Users\Admin\AppData\Local\KCUwsKI\dxgi.dll
          Filesize

          944KB

          MD5

          5534da785d82d6d5ecbf0d5918471b97

          SHA1

          f8e2909ce4466097e1eda04ba38a6d2c11f061b8

          SHA256

          727f71b022ff50a4139e44840660411e4030b065fbe192e478d77a711d19de7a

          SHA512

          ef73bf549ed2f0220c47c2bdfddd3005986f36642ed42822cc17a73daa9f7ffd507d21a31375a95156912dba30ae1036f98e59fe3e3e4f6fac616397ceed0425

          Download Submit

        • C:\Users\Admin\AppData\Local\KlD\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\KlD\FVEWIZ.dll
          Filesize

          944KB

          MD5

          b4d6101af98777c371a95a3c0aad3d9e

          SHA1

          fd91ac495fa02067be3bbe7d7e1ab4b183c8302f

          SHA256

          514a6d3362517b240bd28349fa70ead62df33448e2e30350017ec1a2ff18d2d9

          SHA512

          579a71a4c78c0856127792f7827127a2dfd47ce9733fde5eb8d812365054d0ddbe50e3a4319ca31f43bcd38ace47dbe363c6d9946ae9f94f5d81dff2044774ee

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk
          Filesize

          1KB

          MD5

          18870fafff20e2c2b40f5057db4d0d6c

          SHA1

          1d05b67077088c1765c71dc90d6e6f484c5325c9

          SHA256

          ee5b0eacf4fecb04cc9fb43cad49f6092a1ab316e3cd4e7fd70ad0c16c402431

          SHA512

          13ee3d5ba082a6c3da08547abf06b4bd9e1fe9873bc925e2b2d5d4914a6dc7d0984f6f74700703faf8ebf363c2e38b8e45f2847c317f3754e2e4cf8f3feb4234

          Download Submit

        • memory/1096-81-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3156-50-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3156-45-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3156-47-0x000001F977190000-0x000001F977197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3568-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-26-0x00007FFFB7070000-0x00007FFFB7080000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3568-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-15-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-5-0x00007FFFB522A000-0x00007FFFB522B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3568-25-0x00007FFFB7080000-0x00007FFFB7090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3568-35-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-3-0x0000000002B30000-0x0000000002B31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3568-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-23-0x0000000000C00000-0x0000000000C07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3568-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3568-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4128-0-0x0000025CCB630000-0x0000025CCB637000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4128-38-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4128-1-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4404-66-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/4404-63-0x00000231DF9D0000-0x00000231DF9D7000-memory.dmp

          Filesize

          28KB

          Download