Overview

overview

10

Static

static

3

14428c7813...ab.dll

windows7-x64

10

14428c7813...ab.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14428c7813afa82b51e9e7c3414150907f27d1a86772d8c85873078c06e87eab.dll

  • Size

    1.1MB

  • MD5

    3b20b57c1a38d810a1ad07271a1a2fea

  • SHA1

    e2ea64f5665cf9d79b69e8156964617a3c2d0ded

  • SHA256

    14428c7813afa82b51e9e7c3414150907f27d1a86772d8c85873078c06e87eab

  • SHA512

    ed9fde35767cf9f76d7d37fe1b3540032013fae2f79d3de6b288e446053630a0609372d9e517e03444472279910169286b8339bd63ba9f25ace6ddc88f23a6b2

  • SSDEEP

    12288:MkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:MkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\14428c7813afa82b51e9e7c3414150907f27d1a86772d8c85873078c06e87eab.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2332
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    1⤵
      PID:2620
    • C:\Users\Admin\AppData\Local\TY7e5bw\SystemPropertiesComputerName.exe
      C:\Users\Admin\AppData\Local\TY7e5bw\SystemPropertiesComputerName.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2732
    • C:\Windows\system32\rrinstaller.exe
      C:\Windows\system32\rrinstaller.exe
      1⤵
        PID:1456
      • C:\Users\Admin\AppData\Local\QsU4\rrinstaller.exe
        C:\Users\Admin\AppData\Local\QsU4\rrinstaller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2188
      • C:\Windows\system32\msconfig.exe
        C:\Windows\system32\msconfig.exe
        1⤵
          PID:2272
        • C:\Users\Admin\AppData\Local\1ydOO9ZD\msconfig.exe
          C:\Users\Admin\AppData\Local\1ydOO9ZD\msconfig.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:584

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1ydOO9ZD\VERSION.dll
          Filesize

          1.1MB

          MD5

          7e4fefa65eea97055527866dfb1f1b81

          SHA1

          1c266150513ff7e4fe301716cff23eaa14c97e4e

          SHA256

          f0e2500b0271489539994a879fe6a630cef03958f2f09994a5e11f4858a288ad

          SHA512

          6ddf7a84878cb657c8bba2aa44f83553cde86a592a617da190c59f036705febff586d5b1376d42a00cf2901a7be841744a242342fcd09ed584111f79e72477bc

          Download Submit

        • C:\Users\Admin\AppData\Local\QsU4\MFPlat.DLL
          Filesize

          1.1MB

          MD5

          d9ecab7d3e7af7dbacd1216ff50c822f

          SHA1

          206ea932cdda5689055fce8dc87dbe38f0944475

          SHA256

          9082a270e7dc10915db7f5c1107f56c3880524b5a32474941d421c33361920f3

          SHA512

          e4351690a14ef267797a216561444b7d0453d548781e89d81985c2b11048e56670105a02bcc915b85e42900bebb02a5040e1d15ceebeb93764b496c32415697e

          Download Submit

        • C:\Users\Admin\AppData\Local\QsU4\rrinstaller.exe
          Filesize

          54KB

          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit

        • C:\Users\Admin\AppData\Local\TY7e5bw\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          26fb6fa764bcd1985f7ea05e885ba443

          SHA1

          d2d6484c2ca8b34fcb01ef4c21af1c2c28ce7590

          SHA256

          4370bc1c81b3e2df2c89822bbfdb7804676cf8f3fae3f86e0d2cd053be032e28

          SHA512

          66c2df214388728621c46556ae1e1f2c8f93652f55b1905f6554653cfa7099c12e265370fef521fbaea7923eb8443e801e39dea0253eb1d762bb274f3de8b30a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          686fd5479a7804074091983c198f0589

          SHA1

          a4d3792f89c8225bc72bc6add33bbb96604e818a

          SHA256

          1708c7aabef9ed920b5df2f4e1f8fbd1f0b775a1610d33b1acc8a8e17d023bfa

          SHA512

          2e06f8e1b8c8ee04d8808a512a3fe2e48d01d9ab1c2dd4472a2a3354077d8ff729f22aed8adf3a22778d4a161c286d5d19e9667e71ea8d435091ec1eebc70620

          Download Submit

        • \Users\Admin\AppData\Local\1ydOO9ZD\msconfig.exe
          Filesize

          293KB

          MD5

          e19d102baf266f34592f7c742fbfa886

          SHA1

          c9c9c45b7e97bb7a180064d0a1962429f015686d

          SHA256

          f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

          SHA512

          1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

          Download Submit

        • \Users\Admin\AppData\Local\TY7e5bw\SystemPropertiesComputerName.exe
          Filesize

          80KB

          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit

        • memory/584-90-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-24-0x0000000077430000-0x0000000077432000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1368-12-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-10-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-9-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-8-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-7-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-23-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-25-0x0000000077460000-0x0000000077462000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1368-3-0x00000000771C6000-0x00000000771C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1368-4-0x0000000002770000-0x0000000002771000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1368-36-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-35-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-44-0x00000000771C6000-0x00000000771C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1368-11-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-13-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-6-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-14-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1368-22-0x0000000002750000-0x0000000002757000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2188-69-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2188-71-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2188-74-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2332-34-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2332-0-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2332-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2732-57-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2732-54-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2732-52-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download