Overview

overview

10

Static

static

3

dfff1351a7...88.dll

windows7-x64

10

dfff1351a7...88.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfff1351a71e2a46724a191232467ee5aae1ab441b331253293ff682272c2a88.dll

  • Size

    724KB

  • MD5

    2ef91939a663dcb029490b73596d0c8c

  • SHA1

    cefb7533cbab4ad4d1bf351bb78ef0e3ca95729d

  • SHA256

    dfff1351a71e2a46724a191232467ee5aae1ab441b331253293ff682272c2a88

  • SHA512

    c6fb10150a279d5098ca52a15edfa05bf39301312345d01aeefff2812a2515f97eb9f2e461857eaa420f3c135457b34a2b931ecf9b0119f1301716fb383aec5a

  • SSDEEP

    12288:RqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:RqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfff1351a71e2a46724a191232467ee5aae1ab441b331253293ff682272c2a88.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2516
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    1⤵
      PID:2632
    • C:\Users\Admin\AppData\Local\e1rHZVFMZ\fvenotify.exe
      C:\Users\Admin\AppData\Local\e1rHZVFMZ\fvenotify.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2624
    • C:\Windows\system32\slui.exe
      C:\Windows\system32\slui.exe
      1⤵
        PID:2332
      • C:\Users\Admin\AppData\Local\Oz8p\slui.exe
        C:\Users\Admin\AppData\Local\Oz8p\slui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3044
      • C:\Windows\system32\sethc.exe
        C:\Windows\system32\sethc.exe
        1⤵
          PID:1740
        • C:\Users\Admin\AppData\Local\A9DlR\sethc.exe
          C:\Users\Admin\AppData\Local\A9DlR\sethc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2696

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\A9DlR\UxTheme.dll
          Filesize

          728KB

          MD5

          2e58c891df1089d4c2e8c1bb312d9d1f

          SHA1

          9de54b934c9ff2dafa5c65ed6c371c78e72ee8a0

          SHA256

          fdadbad132c6136ce3ddc88e156c84bcf21a140782cbf5ed5f642b007b8859f9

          SHA512

          91153ef4e9600029d8a3d0e043726dde1cccf84dfef930c60adf9504b551d29d4720474ae856b499edbfddbb11a47b2bd890f10a4d288d9e381638a2a24bd59b

          Download Submit

        • C:\Users\Admin\AppData\Local\Oz8p\WINBRAND.dll
          Filesize

          728KB

          MD5

          3665779f1371a77ae12106b5a033c3ea

          SHA1

          b3e47b8f453131c9294fe271d81e9cb12f1472b1

          SHA256

          471823b672732f2741fd75f39283b0adfaebd39c09f74f95b84821686f8e375e

          SHA512

          6cd364c80fd551bff7c4d55b77cd53445394728b6fcf159c32115502c14b516665dd90db208474b680c2b00a873d1adbd60003b58e4482654ae85f12a1a70afe

          Download Submit

        • C:\Users\Admin\AppData\Local\e1rHZVFMZ\slc.dll
          Filesize

          728KB

          MD5

          37c0a816d8076eac01199f6d474038d7

          SHA1

          188d374426980db28189977778b91d27f475916f

          SHA256

          41a15fbd36ea1f98cb2d8ff2920b94f80a28cc700b7f5ac0ff12e2d7c191a5a7

          SHA512

          3cf7ec52442468759dffa514a0f518e489dae82e6ab59a02fe64f67ee4d8018945379bde8ab3495ec006bf36a5880da4327d64c92a1385b9e2def03e1efe3248

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          87af9ba5b157d66501042cbca98dcf39

          SHA1

          9b4ac049686211791196d2918f22b451d4a1dfa3

          SHA256

          bfe51eb41c8b0aa0b895df984654bc67a77720fbff42b2f15bd0e778f801a3a0

          SHA512

          5178a75faa17e7383216469c8a2e6345198b967fb51a6cfa9971cac6851f904985996366d354859872337954c22f7217199a28f9dff7fec1f1d9dd1b58d17ac5

          Download Submit

        • \Users\Admin\AppData\Local\A9DlR\sethc.exe
          Filesize

          272KB

          MD5

          3bcb70da9b5a2011e01e35ed29a3f3f3

          SHA1

          9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

          SHA256

          dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

          SHA512

          69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

          Download Submit

        • \Users\Admin\AppData\Local\Oz8p\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit

        • \Users\Admin\AppData\Local\e1rHZVFMZ\fvenotify.exe
          Filesize

          117KB

          MD5

          e61d644998e07c02f0999388808ac109

          SHA1

          183130ad81ff4c7997582a484e759bf7769592d6

          SHA256

          15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

          SHA512

          310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

          Download Submit

        • memory/1216-26-0x0000000076F40000-0x0000000076F42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-3-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-6-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-15-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-23-0x00000000025E0000-0x00000000025E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1216-14-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-13-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-12-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-24-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-10-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-25-0x0000000076F10000-0x0000000076F12000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-35-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-36-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-7-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-45-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-8-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-9-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1216-4-0x0000000002E10000-0x0000000002E11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-11-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2516-44-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2516-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2516-0-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2624-58-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2624-54-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2624-53-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2696-90-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/3044-74-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download