Overview

overview

10

Static

static

3

94a90a4eb2...12.dll

windows7-x64

10

94a90a4eb2...12.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94a90a4eb25abcbbac0c023c3736473b5a29df02f1a702ca86d037b5ca244312.dll

  • Size

    664KB

  • MD5

    ce92fb27287b8d8da3b53825faebe282

  • SHA1

    b0b3a97dcfecb6a25ad52cfca9a9f8708eaa3a76

  • SHA256

    94a90a4eb25abcbbac0c023c3736473b5a29df02f1a702ca86d037b5ca244312

  • SHA512

    27f0d045d02c93cc1ebc5e5ab22716fa48d02d00f02445b3e215c980e01ef1d688cbbd732924113fdb691ec076fefa0ee8f5124b4164544168397b6129a8f215

  • SSDEEP

    6144:S34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:SIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\94a90a4eb25abcbbac0c023c3736473b5a29df02f1a702ca86d037b5ca244312.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1964
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    1⤵
      PID:2600
    • C:\Users\Admin\AppData\Local\AMSXU\SystemPropertiesDataExecutionPrevention.exe
      C:\Users\Admin\AppData\Local\AMSXU\SystemPropertiesDataExecutionPrevention.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2976
    • C:\Windows\system32\isoburn.exe
      C:\Windows\system32\isoburn.exe
      1⤵
        PID:2196
      • C:\Users\Admin\AppData\Local\7srFoWLSy\isoburn.exe
        C:\Users\Admin\AppData\Local\7srFoWLSy\isoburn.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2380
      • C:\Windows\system32\SystemPropertiesHardware.exe
        C:\Windows\system32\SystemPropertiesHardware.exe
        1⤵
          PID:1440
        • C:\Users\Admin\AppData\Local\fXp\SystemPropertiesHardware.exe
          C:\Users\Admin\AppData\Local\fXp\SystemPropertiesHardware.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2332

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7srFoWLSy\UxTheme.dll
          Filesize

          668KB

          MD5

          778bc8dae30ebbefaaaba9d8c6bad52f

          SHA1

          df2511e0bc985da76e0c9c2be19a34801bdc08b3

          SHA256

          ef7d38fa2e2f7d9a1edcb8c625500d6fe30cd00a9eda019297303df9cd399441

          SHA512

          ba8e4a1cb25c72c196a040c39e68909f2724431bec4ffda0d9e37123d9091d8b0d9e4ffb2e3e042746dbed58a95045eb65776e08f89299322eec2f791f79637e

          Download Submit

        • C:\Users\Admin\AppData\Local\AMSXU\SYSDM.CPL
          Filesize

          668KB

          MD5

          476cc868355015b42780ddec7b6ef9a6

          SHA1

          209da7b215b01ea0b30db4f790fcdeaa31c967ec

          SHA256

          87c746af7f9fec5bd7d78e46b0134c52deb4cb2e44d315a469ee92befd7a99cb

          SHA512

          e6b1bced56499ac4fdae648416316bab06e4948346d4e5d622fca754c8381e353ad673948ecbdcb89d8a8440e8d5cb5f3860dac3391526fdf68338917568323b

          Download Submit

        • C:\Users\Admin\AppData\Local\fXp\SYSDM.CPL
          Filesize

          668KB

          MD5

          c699b9d6f5cb23bde8d871af2943e8fb

          SHA1

          323a813f7cc0311d7cef1cabba53c791e7815c06

          SHA256

          671674786a725cd8daedee31401fbf661432018a535682cb13b02fc6c64aa448

          SHA512

          c4a119d54390bdce5e22daeda5d38de65532c3504399ed69b823b095391a233e6b458219e156ab40a394adc243de5f43552917f9421de3001e13ef21e0838410

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          60023de9d7307cae735533964bf6de3b

          SHA1

          3741240798d44daad4f1289c17e211a004d84daf

          SHA256

          a422f3f1b80e0544ecc3a80f2b776e7b6cc71561678ce691deecaaef0b72ce32

          SHA512

          d5de6382427ff3d71e8ebbb7684c0395a660e569b4db4195b81efcd2b837f0af04551b5b47d1863d0984a91bcb7dd466a79ae8884ddafcf1a19b2213d43e47d4

          Download Submit

        • \Users\Admin\AppData\Local\7srFoWLSy\isoburn.exe
          Filesize

          89KB

          MD5

          f8051f06e1c4aa3f2efe4402af5919b1

          SHA1

          bbcf3711501dfb22b04b1a6f356d95a6d5998790

          SHA256

          50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

          SHA512

          5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

          Download Submit

        • \Users\Admin\AppData\Local\AMSXU\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit

        • \Users\Admin\AppData\Local\fXp\SystemPropertiesHardware.exe
          Filesize

          80KB

          MD5

          c63d722641c417764247f683f9fb43be

          SHA1

          948ec61ebf241c4d80efca3efdfc33fe746e3b98

          SHA256

          4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

          SHA512

          7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

          Download Submit

        • memory/1268-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-3-0x0000000076B56000-0x0000000076B57000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-24-0x0000000076EC0000-0x0000000076EC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1268-25-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1268-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-35-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-44-0x0000000076B56000-0x0000000076B57000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-22-0x0000000002180000-0x0000000002187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1268-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1268-4-0x00000000021A0000-0x00000000021A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1964-43-0x000007FEF7120000-0x000007FEF71C6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1964-0-0x000007FEF7120000-0x000007FEF71C6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1964-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2332-90-0x000007FEF70A0000-0x000007FEF7147000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2380-69-0x000007FEF70A0000-0x000007FEF7147000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2380-71-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2380-74-0x000007FEF70A0000-0x000007FEF7147000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2976-57-0x000007FEF71D0000-0x000007FEF7277000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2976-53-0x000007FEF71D0000-0x000007FEF7277000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2976-52-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download