Overview

overview

10

Static

static

3

2fdcb7115d...84.dll

windows7-x64

10

2fdcb7115d...84.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2fdcb7115dec02a898b6b1d7fbe1804ee333309422550f5271851241e70d6d84.dll

  • Size

    672KB

  • MD5

    97176ef73c7fea0611f6188ad70f6b18

  • SHA1

    b5e7852bd4a55d61670b6a89feac9c18a13763ff

  • SHA256

    2fdcb7115dec02a898b6b1d7fbe1804ee333309422550f5271851241e70d6d84

  • SHA512

    44f957869dc757fba5ed83bac42d51fb28c942b13e3730c86e518dab1ad3311887013adaed70d213054c34cfd6815eff44e51f590e322c8b67e71c91e629bcc4

  • SSDEEP

    6144:o34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:oIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fdcb7115dec02a898b6b1d7fbe1804ee333309422550f5271851241e70d6d84.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2292
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    1⤵
      PID:2832
    • C:\Users\Admin\AppData\Local\fzh\perfmon.exe
      C:\Users\Admin\AppData\Local\fzh\perfmon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2732
    • C:\Windows\system32\msra.exe
      C:\Windows\system32\msra.exe
      1⤵
        PID:2580
      • C:\Users\Admin\AppData\Local\kblTNx\msra.exe
        C:\Users\Admin\AppData\Local\kblTNx\msra.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2608
      • C:\Windows\system32\Dxpserver.exe
        C:\Windows\system32\Dxpserver.exe
        1⤵
          PID:1984
        • C:\Users\Admin\AppData\Local\1xVfIB\Dxpserver.exe
          C:\Users\Admin\AppData\Local\1xVfIB\Dxpserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1936

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1xVfIB\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • C:\Users\Admin\AppData\Local\fzh\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit

        • C:\Users\Admin\AppData\Local\kblTNx\msra.exe
          Filesize

          636KB

          MD5

          e79df53bad587e24b3cf965a5746c7b6

          SHA1

          87a97ec159a3fc1db211f3c2c62e4d60810e7a70

          SHA256

          4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

          SHA512

          9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk
          Filesize

          904B

          MD5

          4d1ddc2378817eff463d87ab801972f2

          SHA1

          04ef1c12c792754c8d33c37b6ebc08145f441998

          SHA256

          bcb9d4de60cdb5b2efa11d6911047730c49546d523f76ccd23cb975acce32d93

          SHA512

          644e88242ea927fea3cf7c8efe50f7b4dd7ad92449b759977edc0f23e15ce08caaeffe6dd66595738ed3a884c67a876885a2acd25a13137eb96ab7b59d88f9b9

          Download Submit

        • \Users\Admin\AppData\Local\1xVfIB\XmlLite.dll
          Filesize

          676KB

          MD5

          115a968efe930affce21d995f3714699

          SHA1

          d8cc0065a319bc4228b0ddf526bf384fd1691e56

          SHA256

          10ba40c2e9f901c4c5b2fe5a1543fb6dd7ecf415ef1a7bc86e7c1d333f8ddfb2

          SHA512

          bb2496949b45cea4f4a32155ab4106b39a27fe3302cd950324cf8dd6089951ab9b551330ce0b0890bad0ba524ede7d97375fbdadceae0a1754b099ff396c1e99

          Download Submit

        • \Users\Admin\AppData\Local\fzh\credui.dll
          Filesize

          676KB

          MD5

          52a4edff099246f415bc78d88abd43e3

          SHA1

          1511c3f8e3f3abfc056b58db0953038439acbb8f

          SHA256

          53b0db2e6a0ac29a7be3d1f33d29f2c4f850177f2e190ca13bc943d1df1a1017

          SHA512

          021aa8269f2b3e8cce0d88d548f886828113b115a254ff14d4ab07d356dd4dc619902b37186ec89a1af5968b82fe94ab41545422ff255851186255af5ba1e8ac

          Download Submit

        • \Users\Admin\AppData\Local\kblTNx\NDFAPI.DLL
          Filesize

          676KB

          MD5

          12b57217539dd643d3dff93c3389de49

          SHA1

          7b066e5bfae4976f6cd51f2cca0df7e26120c551

          SHA256

          1f945a3524332b10341ae152abe02e2e5b0c4a6e121fd213135bbbdb855bae34

          SHA512

          794747ab23b3a627e8f629a9ea4be30d0df64429dddf1a4384f7a6b84be09ef62cf5568a51eb0c7ed363f0da5fbac9a12d56caab6308b63feebd0f3f7aefb8e8

          Download Submit

        • memory/1192-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-45-0x00000000772A6000-0x00000000772A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-3-0x00000000772A6000-0x00000000772A7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-24-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-26-0x0000000077640000-0x0000000077642000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-25-0x0000000077610000-0x0000000077612000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-35-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-4-0x0000000002570000-0x0000000002571000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-15-0x0000000002550000-0x0000000002557000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1192-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1936-113-0x000007FEF65C0000-0x000007FEF6669000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2292-44-0x000007FEF6BA0000-0x000007FEF6C48000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2292-2-0x0000000000530000-0x0000000000537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2292-0-0x000007FEF6BA0000-0x000007FEF6C48000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2608-84-0x000007FEF65C0000-0x000007FEF6669000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2608-81-0x000007FEF65C0000-0x000007FEF6669000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2608-80-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2732-57-0x000007FEF6C50000-0x000007FEF6CF9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2732-53-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2732-54-0x000007FEF6C50000-0x000007FEF6CF9000-memory.dmp

          Filesize

          676KB

          Download