Overview

overview

10

Static

static

3

ad0b18cfa7...10.dll

windows7-x64

10

ad0b18cfa7...10.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 15:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad0b18cfa7d60fe654fbe6a1cd60aab989d005842ee266b22d02d37113eee410.dll

  • Size

    692KB

  • MD5

    4e9ee8c6b8009c8373d5eeb12b6a011f

  • SHA1

    a91bd75d1d9b349e6a8f663757c8de44572776a2

  • SHA256

    ad0b18cfa7d60fe654fbe6a1cd60aab989d005842ee266b22d02d37113eee410

  • SHA512

    aec16fa91604cf5fad9be022e6c0d8a28fe64c5cf9b18fe196ca21bde8403e4f555f8066e26d9fd15d4d257bf8669b3c89d886b0e4259d227c5785ad28017644

  • SSDEEP

    12288:AqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:AqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad0b18cfa7d60fe654fbe6a1cd60aab989d005842ee266b22d02d37113eee410.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2224
  • C:\Windows\system32\spreview.exe
    C:\Windows\system32\spreview.exe
    1⤵
      PID:2640
    • C:\Users\Admin\AppData\Local\Jnzv\spreview.exe
      C:\Users\Admin\AppData\Local\Jnzv\spreview.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2788
    • C:\Windows\system32\sigverif.exe
      C:\Windows\system32\sigverif.exe
      1⤵
        PID:1992
      • C:\Users\Admin\AppData\Local\pmG\sigverif.exe
        C:\Users\Admin\AppData\Local\pmG\sigverif.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3020
      • C:\Windows\system32\cttune.exe
        C:\Windows\system32\cttune.exe
        1⤵
          PID:2024
        • C:\Users\Admin\AppData\Local\zGsFAEJx\cttune.exe
          C:\Users\Admin\AppData\Local\zGsFAEJx\cttune.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1924

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Jnzv\sqmapi.dll
          Filesize

          696KB

          MD5

          b53f81e09e832ab9ba678f3976f17d01

          SHA1

          795cebd121bd022872a0b152a0d7535a6f1c474c

          SHA256

          3f368f1bdedb55e0ed2aa28e73598b6ffde290f637f5bc2314f8824c13d8d07d

          SHA512

          70660b9a726a156b8afebe21b3eb4a4186b49cdfa17527f840b2bf765e34f2b658146cafc925d13caf8c96efdced85c0b7439dbbca8e5f969c1d8c1e883fa87e

          Download Submit

        • C:\Users\Admin\AppData\Local\pmG\VERSION.dll
          Filesize

          696KB

          MD5

          e2bed00ee702cd485082e1d796ccf936

          SHA1

          72fb73a4cad1816104ac704c031addbd71432f0f

          SHA256

          9650a9864c6b0e93b1c6596ac78fcd352c6502a4919a40a8f1418fc2b48815d3

          SHA512

          8a22cb03f4010b280a1d80022c1fe6f4cae4e12a7211935fa09dc6e4badceaa1ed5ecd7db1c33cec9c0fd3a86eab984d4f6522b080aab34857f693ac6b8e137e

          Download Submit

        • C:\Users\Admin\AppData\Local\zGsFAEJx\UxTheme.dll
          Filesize

          696KB

          MD5

          c8095a8b88fa3746f9a32ced30871c3b

          SHA1

          7425aa296e022605478ba74172b873e72323b280

          SHA256

          84eb2903ca800b7de0e152fc6fa1b9b63a69b18324769bcf948eaa45737a5baf

          SHA512

          7bafdde1c1a867cb83927fb8c0dabc7d8161ac46517e66089dbcb5b4071e64e0dbe2560e7d29860cc12fac8830de1829548f5f9f25fe24cd107f866b33bf5a49

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk
          Filesize

          1KB

          MD5

          d5bee4d437e52e453253705e77a76dd5

          SHA1

          bda3faec9d43feb983c88657e657a32188181bb1

          SHA256

          dc1dfbf2250ddb8c7d719be359a6d4a59d7fecad74cb15d73c1dcb21eb1de919

          SHA512

          374b64454bdd4c0aa73127bab581881a30469453273a32f6aa7c2c436c4e27d0afc5dc127a46239b58e68418b48aea24570afc31f232d8d6793d66ea3e803313

          Download Submit

        • \Users\Admin\AppData\Local\Jnzv\spreview.exe
          Filesize

          294KB

          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

          Download Submit

        • \Users\Admin\AppData\Local\pmG\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit

        • \Users\Admin\AppData\Local\zGsFAEJx\cttune.exe
          Filesize

          314KB

          MD5

          7116848fd23e6195fcbbccdf83ce9af4

          SHA1

          35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

          SHA256

          39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

          SHA512

          e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

          Download Submit

        • memory/1192-35-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-24-0x0000000077A10000-0x0000000077A12000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-23-0x00000000779E0000-0x00000000779E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-3-0x0000000077676000-0x0000000077677000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-34-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-5-0x0000000002E70000-0x0000000002E71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-43-0x0000000077676000-0x0000000077677000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-21-0x0000000002C10000-0x0000000002C17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1192-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1924-89-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2224-42-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2224-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2224-1-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2788-56-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2788-52-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2788-51-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3020-68-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3020-73-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download