Overview

overview

10

Static

static

3

0bc57ba35f...b1.dll

windows7-x64

10

0bc57ba35f...b1.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1.dll

  • Size

    1.1MB

  • MD5

    bd5c5e5fd3ccc87376233a873effa08e

  • SHA1

    76e9011550b052c0f12294f12fa77fa53e7b309e

  • SHA256

    0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1

  • SHA512

    92c6e4b56d30701b09ebdc414a8547cb41a09fa16c390d58663b2b5e861e3dcb608adcdd6cda3fc01c10fb38ca1b4d4f72d062862e9617a14eaff670c28a3cf3

  • SSDEEP

    12288:wkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:wkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:844
  • C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe
    1⤵
      PID:2656
    • C:\Users\Admin\AppData\Local\fvTiW\DevicePairingWizard.exe
      C:\Users\Admin\AppData\Local\fvTiW\DevicePairingWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3056
    • C:\Windows\system32\EhStorAuthn.exe
      C:\Windows\system32\EhStorAuthn.exe
      1⤵
        PID:1672
      • C:\Users\Admin\AppData\Local\2K2\EhStorAuthn.exe
        C:\Users\Admin\AppData\Local\2K2\EhStorAuthn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2908
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        1⤵
          PID:2844
        • C:\Users\Admin\AppData\Local\RnrhZz\wermgr.exe
          C:\Users\Admin\AppData\Local\RnrhZz\wermgr.exe
          1⤵
          • Executes dropped EXE
          PID:2912
        • C:\Windows\system32\dwm.exe
          C:\Windows\system32\dwm.exe
          1⤵
            PID:1992
          • C:\Users\Admin\AppData\Local\Ieiktx\dwm.exe
            C:\Users\Admin\AppData\Local\Ieiktx\dwm.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2044

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\2K2\UxTheme.dll
            Filesize

            1.1MB

            MD5

            216e69e8abb86d4daab3f3db0c576307

            SHA1

            abf4d4022cb4d12249522c0b583ed4cbdb4c2925

            SHA256

            e76724e3072e4c70ef8f8941859ef5f3c69294519f018fc3cf6bba18749e0950

            SHA512

            616826871a4fe5af27569e85fbeb587058e76a703c592081c126e8c5ad3c769678fb4d5563efea1251d91e8f507a7f3cb0008bded068cdbb5b57f2d461fe23eb

            Download Submit

          • C:\Users\Admin\AppData\Local\Ieiktx\UxTheme.dll
            Filesize

            1.1MB

            MD5

            4a503eb8e615d393052facfbea4d4574

            SHA1

            16f6e0dd54c233430ba34e74f4befdba1288ae2e

            SHA256

            0371641a05c97694ec368933b0804e02ae357934fb5f939daf73a9054003f44c

            SHA512

            6e4278ae731e21cd8d44a4e8f9cf9f812c9d607774352b86a73d97b6b5f570e73134ff0f381d3c66643a90ad7a5877790e30ba9b3f2a9aabdc3dc5ca7e799054

            Download Submit

          • C:\Users\Admin\AppData\Local\fvTiW\MFC42u.dll
            Filesize

            1.2MB

            MD5

            343dc0af5c7079c4060832ad1ef6dace

            SHA1

            fa16b4bfc92c812de1a0ca858536fa56fb0dffe1

            SHA256

            1b6acedb44bb5ea8c64ef2369d389aaacbf28d8e49779c2625a2a0bd98a623f0

            SHA512

            2e6f679e242d0aee0ff723a142e5fbd21f6c9beff2df89dae167f4ad8f4f3edb168ef815b814c20c5272b5dbb41d1dbcbc9264fc6fb1c29a15438ea17b8410a6

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
            Filesize

            1KB

            MD5

            d10e73f6e096e41f7757e9c9e4860ddc

            SHA1

            05c667d71c1dbbaeb4d87480b58d616d18ca987c

            SHA256

            4766cf3263cb01e54591b6ad27af72d317d672123e62bbb6fd3817572d4944a4

            SHA512

            340532bd5e283cefb7f41d31d25f8aa8f22388325d72a886fcd9a52d7b4e34596f6963d57ae455d62c8d593d737e3deebc4264ccabe5628bc104c4dbee5a13e1

            Download Submit

          • \Users\Admin\AppData\Local\2K2\EhStorAuthn.exe
            Filesize

            137KB

            MD5

            3abe95d92c80dc79707d8e168d79a994

            SHA1

            64b10c17f602d3f21c84954541e7092bc55bb5ab

            SHA256

            2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

            SHA512

            70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

            Download Submit

          • \Users\Admin\AppData\Local\Ieiktx\dwm.exe
            Filesize

            117KB

            MD5

            f162d5f5e845b9dc352dd1bad8cef1bc

            SHA1

            35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

            SHA256

            8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

            SHA512

            7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

            Download Submit

          • \Users\Admin\AppData\Local\RnrhZz\wermgr.exe
            Filesize

            49KB

            MD5

            41df7355a5a907e2c1d7804ec028965d

            SHA1

            453263d230c6317eb4a2eb3aceeec1bbcf5e153d

            SHA256

            207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

            SHA512

            59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

            Download Submit

          • \Users\Admin\AppData\Local\fvTiW\DevicePairingWizard.exe
            Filesize

            73KB

            MD5

            9728725678f32e84575e0cd2d2c58e9b

            SHA1

            dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

            SHA256

            d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

            SHA512

            a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

            Download Submit

          • memory/844-44-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/844-1-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/844-0-0x0000000000110000-0x0000000000117000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1256-10-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-16-0x00000000029A0000-0x00000000029A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1256-13-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-12-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-24-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-26-0x0000000077040000-0x0000000077042000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1256-25-0x0000000077010000-0x0000000077012000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1256-36-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-35-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-8-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-45-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1256-15-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-9-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-3-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1256-14-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-4-0x00000000029C0000-0x00000000029C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1256-6-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-7-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1256-11-0x0000000140000000-0x0000000140123000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2044-99-0x0000000140000000-0x0000000140124000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2908-72-0x0000000000080000-0x0000000000087000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2908-75-0x0000000140000000-0x0000000140124000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2908-70-0x0000000140000000-0x0000000140124000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3056-58-0x0000000140000000-0x000000014012A000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3056-54-0x0000000140000000-0x000000014012A000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3056-53-0x0000000000170000-0x0000000000177000-memory.dmp

            Filesize

            28KB

            Download