Overview

overview

10

Static

static

3

da457d69f3...ec.dll

windows7-x64

10

da457d69f3...ec.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 17:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da457d69f37782526f9a253e305e10ccf5c10320f930879b33e30475adf061ec.dll

  • Size

    716KB

  • MD5

    e85e1ec50007aaefe8a569d3931bccf9

  • SHA1

    fbddb1fd526afad1be106f3ac1790fa75866a995

  • SHA256

    da457d69f37782526f9a253e305e10ccf5c10320f930879b33e30475adf061ec

  • SHA512

    691a3e2b10e5c9a0edb8d51a9fc0df29246232cc6c7b67539b3c9256a9be6e0cef58022abef8dbd7e49e8e3c0d21b60dc8b68e484684e0c9e6da9c0cad332766

  • SSDEEP

    12288:NqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4BaedN:NqGBHTxvt+g2gYedN

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\da457d69f37782526f9a253e305e10ccf5c10320f930879b33e30475adf061ec.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1680
  • C:\Windows\system32\shrpubw.exe
    C:\Windows\system32\shrpubw.exe
    1⤵
      PID:2736
    • C:\Users\Admin\AppData\Local\gl2nk\shrpubw.exe
      C:\Users\Admin\AppData\Local\gl2nk\shrpubw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2844
    • C:\Windows\system32\dccw.exe
      C:\Windows\system32\dccw.exe
      1⤵
        PID:2684
      • C:\Users\Admin\AppData\Local\VcNnc\dccw.exe
        C:\Users\Admin\AppData\Local\VcNnc\dccw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1416
      • C:\Windows\system32\ComputerDefaults.exe
        C:\Windows\system32\ComputerDefaults.exe
        1⤵
          PID:1140
        • C:\Users\Admin\AppData\Local\pDR4T\ComputerDefaults.exe
          C:\Users\Admin\AppData\Local\pDR4T\ComputerDefaults.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2944

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\VcNnc\dxva2.dll
          Filesize

          720KB

          MD5

          9abbf3f4f6a32b15fab456d040f3b3b7

          SHA1

          314528ea40e94cf3a0826fbe5738b49de071e492

          SHA256

          ed5404f7ec1462bc33551a3be9e64bba16ba63c71c27e752d9bd40df32af418f

          SHA512

          e77a1b4243e45204947c0f928ca88c41420c74f49edcd5cf05ec427b84dc59c39c4338c72a0daeb9d2d08e7cc515700bae003493d352789e749dce20ef44dae1

          Download Submit

        • C:\Users\Admin\AppData\Local\gl2nk\MFC42u.dll
          Filesize

          744KB

          MD5

          7d117b1dce38ffbf700f69951961cecc

          SHA1

          ac76b52713114b1f86468b21e05dd938a8d74ff4

          SHA256

          c6f89eb2a1d66acd6458752e026f550e89739de06f1b60b7a9f5293f01238473

          SHA512

          bd962bf219eebd38278dce1f62a3c61551f297b5a3c27d5183ba4c941149696f13da4b1a85cc9e76fc236b724a9beaae7edb38e24553b5ba5e1f9f21e8cf3623

          Download Submit

        • C:\Users\Admin\AppData\Local\pDR4T\appwiz.cpl
          Filesize

          720KB

          MD5

          22b1e73c2b8e60c367e42d8948d14e8e

          SHA1

          d181b77b046d57323be2230e80fe8be0030fe927

          SHA256

          64230b1ef2137d3d37184a6b331f25b839a1e9a1c632b4419a100eeb5145a191

          SHA512

          1875e0876197e685f05cb91b13fadb1439aa35d841638c35fa88796bdd774845d1b366c790e711cedcf9df050b1468ba760bad1070563d27a1b88ad2575ad4b1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          9b30537d9513321d4d919543195ea8dc

          SHA1

          1ad14daac5470c2ef73eafdb91ae125c165883c5

          SHA256

          7b1aefc36b0c91470e2df476d9ec0bf3ef5036f255b6c217a49dbc6696338cb7

          SHA512

          9a4f020671da033eecc0c8e0bf4e63d118a510716f63381f5d8f1d9b9845e8cd387233f8e2bf4daca7359f355f9f376bd86cf80e59cdb060df3c34ee6bc2a0ba

          Download Submit

        • \Users\Admin\AppData\Local\VcNnc\dccw.exe
          Filesize

          861KB

          MD5

          a46cee731351eb4146db8e8a63a5c520

          SHA1

          8ea441e4a77642e12987ac842b36034230edd731

          SHA256

          283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

          SHA512

          3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

          Download Submit

        • \Users\Admin\AppData\Local\gl2nk\shrpubw.exe
          Filesize

          398KB

          MD5

          29e6d0016611c8f948db5ea71372f76c

          SHA1

          01d007a01020370709cd6580717f9ace049647e8

          SHA256

          53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

          SHA512

          300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

          Download Submit

        • \Users\Admin\AppData\Local\pDR4T\ComputerDefaults.exe
          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

          Download Submit

        • memory/1284-33-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-13-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-12-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-11-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-10-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-9-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-22-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-24-0x0000000077DA0000-0x0000000077DA2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1284-23-0x0000000077D70000-0x0000000077D72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1284-3-0x0000000077B06000-0x0000000077B07000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-34-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-4-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-43-0x0000000077B06000-0x0000000077B07000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-21-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1284-8-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-6-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1284-7-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1416-68-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1416-69-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1416-73-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1680-42-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/1680-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1680-0-0x0000000140000000-0x00000001400B3000-memory.dmp

          Filesize

          716KB

          Download

        • memory/2844-56-0x0000000140000000-0x00000001400BA000-memory.dmp

          Filesize

          744KB

          Download

        • memory/2844-52-0x0000000140000000-0x00000001400BA000-memory.dmp

          Filesize

          744KB

          Download

        • memory/2844-51-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2944-89-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download