Overview

overview

10

Static

static

3

d616010470...27.dll

windows7-x64

10

d616010470...27.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d616010470e5a7f7633e4f505709437b4d672312c57ab1724f3339bbc5acc727.dll

  • Size

    664KB

  • MD5

    192f752bbdcb5e33312abe8fd40eb318

  • SHA1

    efaccfee37c0fa32a1b45b156ad4e65a33bab91e

  • SHA256

    d616010470e5a7f7633e4f505709437b4d672312c57ab1724f3339bbc5acc727

  • SHA512

    0ed59a18735e566cc458b3c3dd27d07fa62d1ec55f67ea3e9f8779ac0ce7373da046ed4dc7b4420d33ec6e810b317f56317b8ba4861825221a2b4ed54cfc9f0e

  • SSDEEP

    6144:W34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:WIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d616010470e5a7f7633e4f505709437b4d672312c57ab1724f3339bbc5acc727.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1740
  • C:\Windows\system32\wisptis.exe
    C:\Windows\system32\wisptis.exe
    1⤵
      PID:2512
    • C:\Users\Admin\AppData\Local\rAmZdgd\wisptis.exe
      C:\Users\Admin\AppData\Local\rAmZdgd\wisptis.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2952
    • C:\Windows\system32\msdt.exe
      C:\Windows\system32\msdt.exe
      1⤵
        PID:2732
      • C:\Users\Admin\AppData\Local\YzsiFAaR\msdt.exe
        C:\Users\Admin\AppData\Local\YzsiFAaR\msdt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2680
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        1⤵
          PID:2116
        • C:\Users\Admin\AppData\Local\3ri4\SndVol.exe
          C:\Users\Admin\AppData\Local\3ri4\SndVol.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2656

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3ri4\UxTheme.dll
          Filesize

          668KB

          MD5

          66c7159405228266a68ff1bcd7f6e9f2

          SHA1

          caf9f84ec4ad0991f8ed93b4732aeb7e9910ad18

          SHA256

          9fdadac47237572c57513550937c1efba281fa3c1052be70d17dbeadb2c2580e

          SHA512

          3a2887ba5185e4a841b1847428edfdf611e489137ba4ec904b16e5d532db7d1cccf51d151b9886c2467d03893eef59b87fb740b8c1688ff1181f2917940f7b27

          Download Submit

        • C:\Users\Admin\AppData\Local\YzsiFAaR\wer.dll
          Filesize

          668KB

          MD5

          3c7a59b3b71836ff7cb9f69fef18718f

          SHA1

          9196925b179c2f21a5da1b628d949d428fc90712

          SHA256

          665cf77801a4bde80ea68c29fef695f09adf8ca6d43fc4ae556852c79312e21e

          SHA512

          318172e85efc0404d3dc13819038df1057e3edda8b7386994291910778382b43763f8d2c205b9860224568014b2a61ebfb09c959b9020f31ae1bee5ff9ef3483

          Download Submit

        • C:\Users\Admin\AppData\Local\rAmZdgd\slc.dll
          Filesize

          668KB

          MD5

          ede7412998c3777d51469d8ffaee57d7

          SHA1

          e68fa68701d3e428058a67583acb0f7c6139e025

          SHA256

          1956a662b3c06140fc00195901aefd1a48f83818c36fd6b55c275b8114b7e17a

          SHA512

          a5bffeef9c37e145534febc95565d16dbd15fa98e870e26306eea1ea4d2868fa9f1f97ba3794abaa296a453d6cb3a5584f999ad4eb3fd8fbbc26afffe4cdaec2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          714ee5ea82885e28e3afe28f25893d6d

          SHA1

          4b1a2b0d8dac588168431e6f3f07214a36b271f2

          SHA256

          8f03e65aa226b91d453fab86c64e61fdc93922f494f990b5ab6dd5821e79e7db

          SHA512

          33a60f124f6dbec7998b264efff2709cde2dde275b2fafacf67ccdeebd93c92a0d27897c341e794c47b27ea5190badff31a5feed5fabea1f78cd8b009b716ae8

          Download Submit

        • \Users\Admin\AppData\Local\3ri4\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • \Users\Admin\AppData\Local\YzsiFAaR\msdt.exe
          Filesize

          1.0MB

          MD5

          aecb7b09566b1f83f61d5a4b44ae9c7e

          SHA1

          3a4a2338c6b5ac833dc87497e04fe89c5481e289

          SHA256

          fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

          SHA512

          6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

          Download Submit

        • \Users\Admin\AppData\Local\rAmZdgd\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit

        • memory/1272-24-0x0000000077950000-0x0000000077952000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-3-0x00000000775E6000-0x00000000775E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-22-0x00000000029D0000-0x00000000029D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1272-25-0x0000000077980000-0x0000000077982000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-35-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-44-0x00000000775E6000-0x00000000775E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1272-4-0x00000000029F0000-0x00000000029F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1740-43-0x000007FEF7B90000-0x000007FEF7C36000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1740-0-0x000007FEF7B90000-0x000007FEF7C36000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1740-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2656-87-0x000007FEF7BF0000-0x000007FEF7C97000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2680-66-0x0000000000150000-0x0000000000157000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2680-71-0x000007FEF7BF0000-0x000007FEF7C97000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2952-56-0x000007FEF7BF0000-0x000007FEF7C97000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2952-52-0x000007FEF7BF0000-0x000007FEF7C97000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2952-54-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download