Overview

overview

10

Static

static

3

5c75ed6162...71.dll

windows7-x64

10

5c75ed6162...71.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5c75ed616297014a3a602a2dd07ed166a38118dd5288db2998b6ed9d4af46971.dll

  • Size

    696KB

  • MD5

    9ddd4fc0449313c0f8928c861e82d59a

  • SHA1

    6ac9b2389831ccb8ee2225ab00b4e7a57c60f144

  • SHA256

    5c75ed616297014a3a602a2dd07ed166a38118dd5288db2998b6ed9d4af46971

  • SHA512

    84be854fad826486d5d39f445b603059d48ecc22be0692607c7747fa45c6ccfa9775854b069ddc72df52241aaec23c8254c63f408f26ada2d3c3fb030bcbc558

  • SSDEEP

    12288:+qJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baedi1:+qGBHTxvt+g2gYedi1

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c75ed616297014a3a602a2dd07ed166a38118dd5288db2998b6ed9d4af46971.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3904
  • C:\Windows\system32\LicensingUI.exe
    C:\Windows\system32\LicensingUI.exe
    1⤵
      PID:1756
    • C:\Users\Admin\AppData\Local\BSZAfTv4u\LicensingUI.exe
      C:\Users\Admin\AppData\Local\BSZAfTv4u\LicensingUI.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5096
    • C:\Windows\system32\BitLockerWizardElev.exe
      C:\Windows\system32\BitLockerWizardElev.exe
      1⤵
        PID:1144
      • C:\Users\Admin\AppData\Local\zRc8\BitLockerWizardElev.exe
        C:\Users\Admin\AppData\Local\zRc8\BitLockerWizardElev.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4312
      • C:\Windows\system32\rdpinput.exe
        C:\Windows\system32\rdpinput.exe
        1⤵
          PID:1604
        • C:\Users\Admin\AppData\Local\vzpJC\rdpinput.exe
          C:\Users\Admin\AppData\Local\vzpJC\rdpinput.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:964

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\BSZAfTv4u\DUI70.dll
          Filesize

          976KB

          MD5

          cbf2c790b3ea5cd078ea2b147ff76101

          SHA1

          53cca03e4b28213cc2c0fba399e1343e827bae10

          SHA256

          5d7420cf1560f1849570415156a9c2515b9b92d7ccfb6caf27e9f0cb3df763d4

          SHA512

          49cf6e72a33c271869be689a8424e37e41793f15a060e04e1a6a560f00a0aeba6c8803a8be21939853b7642e68e0bf67fa6db8edc638cff7d3d994c92b5ca2ca

          Download Submit

        • C:\Users\Admin\AppData\Local\BSZAfTv4u\LicensingUI.exe
          Filesize

          142KB

          MD5

          8b4abc637473c79a003d30bb9c7a05e5

          SHA1

          d1cab953c16d4fdec2b53262f56ac14a914558ca

          SHA256

          0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

          SHA512

          5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

          Download Submit

        • C:\Users\Admin\AppData\Local\vzpJC\WTSAPI32.dll
          Filesize

          700KB

          MD5

          0ad28fe23894c533a2e310307dc47243

          SHA1

          a45d16bf337ef3d109ac40db9dcd33ec62412f66

          SHA256

          b6d7467236f42bdcaddee68b9da6fef40dfb814365ef8d5fa02c8403f53aec35

          SHA512

          1a9d0aad5734de75204bcfd2fc1caf4bec1e8c36d0c569733ff37452f3fbfddfcc615392499d75f85723ea8f801e76fb4218d6807bda081b9601bec213820c3b

          Download Submit

        • C:\Users\Admin\AppData\Local\vzpJC\rdpinput.exe
          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

          Download Submit

        • C:\Users\Admin\AppData\Local\zRc8\BitLockerWizardElev.exe
          Filesize

          100KB

          MD5

          8ac5a3a20cf18ae2308c64fd707eeb81

          SHA1

          31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

          SHA256

          803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

          SHA512

          85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

          Download Submit

        • C:\Users\Admin\AppData\Local\zRc8\FVEWIZ.dll
          Filesize

          700KB

          MD5

          4f1868498d74f22b19bf335fdd6086f4

          SHA1

          bb83ca03c9483d3af841e2bde814a2404c3e1590

          SHA256

          fe93ac77883683c5902a29695c0626d7e91316df02cc25cce1efbb277b37902b

          SHA512

          90ae5a7c107699a3a521011a7ca2e550852ef31d35d565c2125141465d2ab95ffa2af827f434a34ae48509a3b82c58d9a520f36f2a3481e5fa391a97005bd29f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk
          Filesize

          1KB

          MD5

          4142db5b8979c8ae21f04c3845dad58f

          SHA1

          62bc45bb9c0a67e1bddd041df80cc77bcc8cb685

          SHA256

          5d8598d6e605983de599d30cd81eb87d9b4a9f10fc497a33624c033386c3ccc5

          SHA512

          7eefc0a300acc0cc96f1461b350e58bd873814961c51a8ff97cb01fa43998c7083c7e2738cc79c89a32f09ff8fc6d9e6c183ab839f8ff218b22d8332e7c125d2

          Download Submit

        • memory/964-80-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-12-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-34-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-25-0x00007FFDAB770000-0x00007FFDAB780000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-24-0x00007FFDAB780000-0x00007FFDAB790000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-11-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-9-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-8-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-7-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-6-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-23-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-10-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-13-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-14-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3444-22-0x0000000000350000-0x0000000000357000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-3-0x00000000003A0000-0x00000000003A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-5-0x00007FFDAB64A000-0x00007FFDAB64B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3904-1-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3904-0-0x0000020609920000-0x0000020609927000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3904-37-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/4312-61-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4312-65-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4312-60-0x00000223CA380000-0x00000223CA387000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5096-49-0x0000000140000000-0x00000001400F4000-memory.dmp

          Filesize

          976KB

          Download

        • memory/5096-44-0x0000000140000000-0x00000001400F4000-memory.dmp

          Filesize

          976KB

          Download

        • memory/5096-46-0x000002428B840000-0x000002428B847000-memory.dmp

          Filesize

          28KB

          Download