Overview

overview

10

Static

static

3

915e01432b...1c.dll

windows7-x64

10

915e01432b...1c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    915e01432b35339df657eb6eee139103d98a0a8b37a91fd3851e01781a7b041c.dll

  • Size

    676KB

  • MD5

    4158ed3f73bf010337896f8458e8fde9

  • SHA1

    26329d87c00bcad276e278003d19995a5425053f

  • SHA256

    915e01432b35339df657eb6eee139103d98a0a8b37a91fd3851e01781a7b041c

  • SHA512

    7099602f413fa9dbb91ef2dc3208b106a264bba1e96e466ca32cb0772faf90f3358f82eebd5f5fc4b1675bc472bee9baedd68aa2c735fd87800f97da9f703800

  • SSDEEP

    6144:j34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:jIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\915e01432b35339df657eb6eee139103d98a0a8b37a91fd3851e01781a7b041c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1324
  • C:\Windows\system32\mspaint.exe
    C:\Windows\system32\mspaint.exe
    1⤵
      PID:2768
    • C:\Users\Admin\AppData\Local\NVioWHgg\mspaint.exe
      C:\Users\Admin\AppData\Local\NVioWHgg\mspaint.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2852
    • C:\Windows\system32\recdisc.exe
      C:\Windows\system32\recdisc.exe
      1⤵
        PID:2996
      • C:\Users\Admin\AppData\Local\UHuN\recdisc.exe
        C:\Users\Admin\AppData\Local\UHuN\recdisc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2580
      • C:\Windows\system32\vmicsvc.exe
        C:\Windows\system32\vmicsvc.exe
        1⤵
          PID:536
        • C:\Users\Admin\AppData\Local\8o7Ma\vmicsvc.exe
          C:\Users\Admin\AppData\Local\8o7Ma\vmicsvc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1400

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8o7Ma\ACTIVEDS.dll
          Filesize

          680KB

          MD5

          0eb1be9741ed61acbb3b193f90ca766b

          SHA1

          bcbc58a38cf809b1e8c817f2fe34856bfd35eb08

          SHA256

          8cfa89d1ebf4b2edf36fddcbb5babf14f1b4aa78f8b3089f5ffbdf470c5f8297

          SHA512

          e23221774bb1ec5d1ba140c239727443b81a00bc220cf33bc57c374f25a8476651b3fd1e97fb49bae6221884659e44abadeb6343894f2a7bc4ad2ac0936fd24e

          Download Submit

        • C:\Users\Admin\AppData\Local\NVioWHgg\MFC42u.dll
          Filesize

          704KB

          MD5

          23a6067ac08d4e1cee758c1a8179b6d2

          SHA1

          6621fa841eee637cf17e33c1c9ba9f37ae1cf520

          SHA256

          2fb52e3f2f54b034052353de3ac41a3c3d50ade41589f469bcb1da222f55e209

          SHA512

          c8fbb51c8ea82e42e2968183fef7458548b1c75ff5840f1c58557645d385741c329112ff68455fb2f54886c23e2bc8f0e059333fac1d39ec6293e564cf6b5a42

          Download Submit

        • C:\Users\Admin\AppData\Local\UHuN\SPP.dll
          Filesize

          680KB

          MD5

          bde78c8c6f7d7f1f909df9d5f01aa0ad

          SHA1

          610318a8d958d1ce704b6f78e6c21d8eebfec539

          SHA256

          be0747168349eab0ebdf54c5e5aa6c480253867eeb588c4e7212a247f6647abf

          SHA512

          e99cbac8eb1e2a4b2625f0a20c00905de06dfbd27c597a165b8407728dd67e786a7f59435e03bb00384fb9bd22b1ad5dc8f409c72007e77a69c3378f2c55eac4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk
          Filesize

          1KB

          MD5

          27f079b3d8f57866a07187cab5fd11b5

          SHA1

          f676bb1aad515e5d84bf8fa6a4ec41eebef97633

          SHA256

          01f96dad59a60c4c68192ad48b0449361cabcf9716a8a46f167155daefd10634

          SHA512

          86d5aa215a2f7895dc75aa5fd06bd91fe92d5da66302ff55b4cbec64dff7126cf4d5028cb25ee5e03d6cd039dcda89a843dee6c82a401c2aa8c8c726b775f352

          Download Submit

        • \Users\Admin\AppData\Local\8o7Ma\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • \Users\Admin\AppData\Local\NVioWHgg\mspaint.exe
          Filesize

          6.4MB

          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit

        • \Users\Admin\AppData\Local\UHuN\recdisc.exe
          Filesize

          232KB

          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit

        • memory/1208-25-0x0000000077640000-0x0000000077642000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-45-0x00000000773D6000-0x00000000773D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-24-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-26-0x0000000077670000-0x0000000077672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-3-0x00000000773D6000-0x00000000773D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-35-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-37-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-4-0x0000000002150000-0x0000000002151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-23-0x0000000002130000-0x0000000002137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1208-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1324-44-0x000007FEF6BD0000-0x000007FEF6C79000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1324-0-0x000007FEF6BD0000-0x000007FEF6C79000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1324-2-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1400-94-0x000007FEF6370000-0x000007FEF641A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2580-73-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2580-74-0x000007FEF6370000-0x000007FEF641A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2580-78-0x000007FEF6370000-0x000007FEF641A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2852-53-0x000007FEF6C80000-0x000007FEF6D30000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2852-57-0x000007FEF6C80000-0x000007FEF6D30000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2852-55-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download