Overview

overview

10

Static

static

3

2fdcb7115d...84.dll

windows7-x64

10

2fdcb7115d...84.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2fdcb7115dec02a898b6b1d7fbe1804ee333309422550f5271851241e70d6d84.dll

  • Size

    672KB

  • MD5

    97176ef73c7fea0611f6188ad70f6b18

  • SHA1

    b5e7852bd4a55d61670b6a89feac9c18a13763ff

  • SHA256

    2fdcb7115dec02a898b6b1d7fbe1804ee333309422550f5271851241e70d6d84

  • SHA512

    44f957869dc757fba5ed83bac42d51fb28c942b13e3730c86e518dab1ad3311887013adaed70d213054c34cfd6815eff44e51f590e322c8b67e71c91e629bcc4

  • SSDEEP

    6144:o34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:oIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fdcb7115dec02a898b6b1d7fbe1804ee333309422550f5271851241e70d6d84.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1180
  • C:\Windows\system32\DeviceEnroller.exe
    C:\Windows\system32\DeviceEnroller.exe
    1⤵
      PID:3632
    • C:\Users\Admin\AppData\Local\rbw\DeviceEnroller.exe
      C:\Users\Admin\AppData\Local\rbw\DeviceEnroller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1128
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      1⤵
        PID:5032
      • C:\Users\Admin\AppData\Local\xzpL1O\OptionalFeatures.exe
        C:\Users\Admin\AppData\Local\xzpL1O\OptionalFeatures.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3912
      • C:\Windows\system32\ApplicationFrameHost.exe
        C:\Windows\system32\ApplicationFrameHost.exe
        1⤵
          PID:3412
        • C:\Users\Admin\AppData\Local\R1gbqPuT6\ApplicationFrameHost.exe
          C:\Users\Admin\AppData\Local\R1gbqPuT6\ApplicationFrameHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:448

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\R1gbqPuT6\ApplicationFrameHost.exe
          Filesize

          76KB

          MD5

          d58a8a987a8dafad9dc32a548cc061e7

          SHA1

          f79fc9e0ab066cad530b949c2153c532a5223156

          SHA256

          cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

          SHA512

          93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

          Download Submit

        • C:\Users\Admin\AppData\Local\R1gbqPuT6\dxgi.dll
          Filesize

          676KB

          MD5

          e362c3c58837e00a29988f0de11ed81e

          SHA1

          0d8f894272807b8636b3efb2d47781a400d1c2a4

          SHA256

          a609ae46e1a6a672b3510406fb582e4fc93e084add06f76f2cecf83df23c6b57

          SHA512

          be74196bcbd2e6d95948bbddfbcd3f17d3878c1662a9a67ad07998201bb3edb8ab681b9428b546d15ea2ff88921244673200c936094cc56461d6fb9a294d5fc5

          Download Submit

        • C:\Users\Admin\AppData\Local\rbw\DeviceEnroller.exe
          Filesize

          448KB

          MD5

          946d9474533f58d2613078fd14ca7473

          SHA1

          c2620ac9522fa3702a6a03299b930d6044aa5e49

          SHA256

          cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

          SHA512

          3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

          Download Submit

        • C:\Users\Admin\AppData\Local\rbw\XmlLite.dll
          Filesize

          676KB

          MD5

          fd674faf381de2c40e8c4f81bd16e56e

          SHA1

          d5b0eea16047aa9838b6ec27a232c43d5ec5c551

          SHA256

          7ef73ec836fead7d10e79a9589e9e197d300b2030841fb2056c746c61ff62c27

          SHA512

          19bf065e73b1426b0e1436d4e2fdb475d0831c6b6a4ae01df790fb55f8b70172d45a4ec7b2da0c322db382ebd154ed816fca7b4ec2aeb2d22b4ffd93494878c0

          Download Submit

        • C:\Users\Admin\AppData\Local\xzpL1O\OptionalFeatures.exe
          Filesize

          110KB

          MD5

          d6cd8bef71458804dbc33b88ace56372

          SHA1

          a18b58445be2492c5d37abad69b5aa0d29416a60

          SHA256

          fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

          SHA512

          1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

          Download Submit

        • C:\Users\Admin\AppData\Local\xzpL1O\appwiz.cpl
          Filesize

          676KB

          MD5

          c2bde736119454783bde2da06f699fce

          SHA1

          8260e3e7a2780494c8b93465b5dfc1b003f14956

          SHA256

          b0886a1004d453d0acdec72827733428be9b55d3779727c2f708a506315c7d7d

          SHA512

          201abb4c59a747fcde8445443f5c09f641dfc43d88eb613fee1e2f0bc7b32e5fa2b0d918674c740e08171f5a03bb29be4344d857d4abc943bedf8e0c9ca80ce7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          91780da3f1ef6085fb299d756745bd6d

          SHA1

          bbfdc1b101a69676d870ba63ccc6b978d3302ca0

          SHA256

          e550ea7f7df6ced59de02281152f4edd3bcb473f6e4cfe89baf6c66fb507ba79

          SHA512

          45bdc1b5b013fd2649feca00fd70644991c423aa9eeac9d6de590d44f7faed2cabda66219fd91eb727c86c3e9a9b4e45618d69539cd42b84d8b7e1ec9385a4a4

          Download Submit

        • memory/448-81-0x00007FFDC02B0000-0x00007FFDC0359000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1128-50-0x00007FFDC02B0000-0x00007FFDC0359000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1128-46-0x00007FFDC02B0000-0x00007FFDC0359000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1128-45-0x00000251D99F0000-0x00000251D99F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1180-38-0x00007FFDCFAA0000-0x00007FFDCFB48000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1180-1-0x00007FFDCFAA0000-0x00007FFDCFB48000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1180-0-0x000001A7C93A0000-0x000001A7C93A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-24-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-35-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-26-0x00007FFDDEB30000-0x00007FFDDEB40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-25-0x00007FFDDEB40000-0x00007FFDDEB50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-23-0x0000000000CB0000-0x0000000000CB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-3-0x00007FFDDE47A000-0x00007FFDDE47B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-4-0x0000000002690000-0x0000000002691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3432-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3912-66-0x00007FFDC02B0000-0x00007FFDC0359000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3912-63-0x000002DB16030000-0x000002DB16037000-memory.dmp

          Filesize

          28KB

          Download