Overview

overview

10

Static

static

3

7630a12359...cc.dll

windows7-x64

10

7630a12359...cc.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7630a12359a46806fd7136d9900fba44a2221ce67ad7a31007c3857238b6d3cc.dll

  • Size

    1.1MB

  • MD5

    a8a0cf7dacc631b659a49928caab4bff

  • SHA1

    23806c93a27b6a4e7ba07faa15c90cf94e611309

  • SHA256

    7630a12359a46806fd7136d9900fba44a2221ce67ad7a31007c3857238b6d3cc

  • SHA512

    935c4f34c18d7672c02843849091321f30cbd98f7b75395f7389f10510b9ab94e251f9c61e5653fd954145ea0da82b307574decb36c67d7de5220aa683f52d1f

  • SSDEEP

    12288:GkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:GkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7630a12359a46806fd7136d9900fba44a2221ce67ad7a31007c3857238b6d3cc.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2100
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    1⤵
      PID:2256
    • C:\Users\Admin\AppData\Local\yPxjQ05x7\OptionalFeatures.exe
      C:\Users\Admin\AppData\Local\yPxjQ05x7\OptionalFeatures.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2940
    • C:\Windows\system32\fvenotify.exe
      C:\Windows\system32\fvenotify.exe
      1⤵
        PID:3056
      • C:\Users\Admin\AppData\Local\vhybELCv\fvenotify.exe
        C:\Users\Admin\AppData\Local\vhybELCv\fvenotify.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2324
      • C:\Windows\system32\VaultSysUi.exe
        C:\Windows\system32\VaultSysUi.exe
        1⤵
          PID:2344
        • C:\Users\Admin\AppData\Local\fbnP\VaultSysUi.exe
          C:\Users\Admin\AppData\Local\fbnP\VaultSysUi.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1188

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\fbnP\credui.dll
          Filesize

          1.1MB

          MD5

          d845d122459afa3e48ebafec8d2651ec

          SHA1

          2e989bb0ce08dd7d7552292e12baad81b56312e1

          SHA256

          b625b69878962ee3ebaa2863af55ceca422911561fbf2ce9eaaa8a81c3b0d38f

          SHA512

          9b7de9c9d614a4be5089d78530dc43ab993984a403b3268b1289107d52424e9c8f8a0b42e40c0964dd6795d7d9b83744940bd6783dbab27f8967f17d851eca82

          Download Submit

        • C:\Users\Admin\AppData\Local\vhybELCv\slc.dll
          Filesize

          1.1MB

          MD5

          120858ef4d5d9378b98e4819e39a7434

          SHA1

          f9b7f2a99c4341f256e2bb4857cc53f45f03e140

          SHA256

          26257e9c986d547c938c31f26c91b9f2df24a560737d0785de10ffc7c99bf668

          SHA512

          bbde5ff5042343ff36cd139a472d4a8f5b50bf74188690cdcbc8a171ae92bdbe57c927ddd67b618f20eabbdbffb8d7efeaf59cf697824783711c8ffe2667ce29

          Download Submit

        • C:\Users\Admin\AppData\Local\yPxjQ05x7\appwiz.cpl
          Filesize

          1.1MB

          MD5

          98acf0175d2bac6fc0285781785e666a

          SHA1

          e3a74deb03210a2a248101b8c823b3673d17382b

          SHA256

          cec47d94e30bd32c1b2ebbc5f9fefccd71e3bcf3bc70532ac0feb074fc9ba4af

          SHA512

          50d50e665ea8bca61774bf37e0d72c1ffbfbf743d63e5de72a2eb53c2467daf37dd8ce54afad733dbdd7ea6a2c2f42181fd1a9cfc42f2860b1cbe9b7d00d7312

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          b73dfaf67f4b46a1713e82f93a369b44

          SHA1

          e74d6850c497121814cefc7e562b97d4ff341a5f

          SHA256

          0faedf3df1615184ba0e1d8bb68726fcefecbf4458e62dafd64f9944351cf160

          SHA512

          fd55f70cbca10805adc77147e162675f31ad158bd2ddd3d3501545a29538d9b3bfc49f90c005dfa6377ca91f7ed51feee9a40367e9879538b9fb06e106d76fe4

          Download Submit

        • \Users\Admin\AppData\Local\fbnP\VaultSysUi.exe
          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

          Download Submit

        • \Users\Admin\AppData\Local\vhybELCv\fvenotify.exe
          Filesize

          117KB

          MD5

          e61d644998e07c02f0999388808ac109

          SHA1

          183130ad81ff4c7997582a484e759bf7769592d6

          SHA256

          15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

          SHA512

          310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

          Download Submit

        • \Users\Admin\AppData\Local\yPxjQ05x7\OptionalFeatures.exe
          Filesize

          95KB

          MD5

          eae7af6084667c8f05412ddf096167fc

          SHA1

          0dbe8aba001447030e48e8ad5466fd23481e6140

          SHA256

          01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

          SHA512

          172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

          Download Submit

        • memory/1188-94-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-15-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-45-0x0000000077886000-0x0000000077887000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-7-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-12-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-23-0x0000000002140000-0x0000000002147000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-26-0x0000000077B20000-0x0000000077B22000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-25-0x0000000077AF0000-0x0000000077AF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-24-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-3-0x0000000077886000-0x0000000077887000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-13-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-36-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-37-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-4-0x0000000002510000-0x0000000002511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-8-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-9-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-14-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-6-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-11-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1192-10-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2100-44-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2100-2-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2100-0-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2324-70-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2324-75-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2940-58-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2940-54-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2940-53-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download