Overview

overview

10

Static

static

3

87f7e4782f...47.dll

windows7-x64

10

87f7e4782f...47.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447.dll

  • Size

    692KB

  • MD5

    65411740b33c7475d67552a92d3c4054

  • SHA1

    d1191e086f3faa2f2168a28eac66d7360c94d5e9

  • SHA256

    87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447

  • SHA512

    3bdb279bba9946af41d4bccc9b2bed4c8f37fc03d0cc53d0845311645ba39d6a30ca0e8d6bbe7bc8a1d94c8cacaeb8f515686b226e59b8ec06f6d6242c85fb03

  • SSDEEP

    12288:cqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:cqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2312
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:2580
    • C:\Users\Admin\AppData\Local\IuDcHb86y\slui.exe
      C:\Users\Admin\AppData\Local\IuDcHb86y\slui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2836
    • C:\Windows\system32\dwm.exe
      C:\Windows\system32\dwm.exe
      1⤵
        PID:2616
      • C:\Users\Admin\AppData\Local\V04\dwm.exe
        C:\Users\Admin\AppData\Local\V04\dwm.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2712
      • C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
        C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
        1⤵
          PID:1860
        • C:\Users\Admin\AppData\Local\XwhK2vi\WindowsAnytimeUpgradeResults.exe
          C:\Users\Admin\AppData\Local\XwhK2vi\WindowsAnytimeUpgradeResults.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1488

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IuDcHb86y\WINBRAND.dll
          Filesize

          696KB

          MD5

          812df921029c6cf8186f78091f33600d

          SHA1

          bd03fe6c14855dcd87014572b0d02e53fc007ab5

          SHA256

          365f7730368c571df259d086c7c2a545492c6261d1fac3c7242caf0672d25913

          SHA512

          ffd8e8579a0560c274c8d0c8bf711b567b3a9586d749904214eb9045ffba1b742b7ef25e22857b22547ac7cbd4d5480929d9d35ac6a8a061a24f9423e926a951

          Download Submit

        • C:\Users\Admin\AppData\Local\V04\UxTheme.dll
          Filesize

          696KB

          MD5

          6d128ebd14461e34cb46bc14ffc4b11c

          SHA1

          2b8f1c14bc431974add07ada3a2888b4e7ea3b95

          SHA256

          51b3a58bf6cfbdf980666237207d6b61d0111994a6d5ee9c9eb86ea7bb6df928

          SHA512

          bedafe72fe6662fc0ad04e1ebbbd722e5f519c161fca6ed5d8fe584b63553f948931e6126fc6582ac7ee2c0df9c795f3991c889a8981aa104075f54113df2b6e

          Download Submit

        • C:\Users\Admin\AppData\Local\XwhK2vi\DUI70.dll
          Filesize

          900KB

          MD5

          3b7c0362c8aa3a036544701e919b3b4b

          SHA1

          5b49ad8add19f46781a8cab414afdd236591f07c

          SHA256

          175ce01f3b8b78edb09432586491447b6d166d54c6bce0674defbb0912853889

          SHA512

          4187d70447f9551c2c3454c011380efee8520cb353015e2bc57a32bf05c0810b72c573beed257038703e2924a2b3bbb0076cb744a45f25dd7d32165191f473e4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk
          Filesize

          1KB

          MD5

          5faae1ee155dac867214c9371e7cfc86

          SHA1

          f40926d6633d925319dbd17ca3e526de86707772

          SHA256

          aef1eaf6cb58b89b9c5d73af318a8a42914f695b723f2dd3d9a0a0c5931091f8

          SHA512

          0c10e87d0a530407c30682fbc2c87d92f5ddb91d19531dd4be229ac83a2995be4b0ae024580c8c4b641d8ca25e6b3c0266816f9fac38dfc24b4b4ab3337d38b4

          Download Submit

        • \Users\Admin\AppData\Local\IuDcHb86y\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit

        • \Users\Admin\AppData\Local\V04\dwm.exe
          Filesize

          117KB

          MD5

          f162d5f5e845b9dc352dd1bad8cef1bc

          SHA1

          35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

          SHA256

          8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

          SHA512

          7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

          Download Submit

        • \Users\Admin\AppData\Local\XwhK2vi\WindowsAnytimeUpgradeResults.exe
          Filesize

          288KB

          MD5

          6f3f29905f0ec4ce22c1fd8acbf6c6de

          SHA1

          68bdfefe549dfa6262ad659f1578f3e87d862773

          SHA256

          e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

          SHA512

          16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

          Download Submit

        • memory/1208-33-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-21-0x00000000024E0000-0x00000000024E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-24-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-23-0x0000000077D90000-0x0000000077D92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-3-0x0000000077A26000-0x0000000077A27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-35-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-4-0x0000000002500000-0x0000000002501000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-43-0x0000000077A26000-0x0000000077A27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1488-82-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1488-86-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/2312-42-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2312-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2312-0-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2712-68-0x0000000000200000-0x0000000000207000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2712-72-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2836-56-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2836-52-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2836-51-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download