Overview

overview

10

Static

static

3

21351817e1...5f.dll

windows7-x64

10

21351817e1...5f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll

  • Size

    1.2MB

  • MD5

    2a6a4941d8146df58356dd5c72b0478a

  • SHA1

    c6f28c746bddcc4e68512911bc99afe0d8f2d3d9

  • SHA256

    21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f

  • SHA512

    5d36fd395ea33e9a838fca4b5b0a7eabe893fb6e51f39e2aae59ad60c763e6b5bf83e2cedbe9095b74bff682ee300f13c777254e81e4ef724699167f1f5094f9

  • SSDEEP

    6144:k34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTP:kIKp/UWCZdCDh2IZDwAFRpR6Au+

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\21351817e1f2f115e543f9034572210fe04fbea47a16922f3957c805671dc25f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1220
  • C:\Windows\system32\rdrleakdiag.exe
    C:\Windows\system32\rdrleakdiag.exe
    1⤵
      PID:2704
    • C:\Users\Admin\AppData\Local\cmzes9mLU\rdrleakdiag.exe
      C:\Users\Admin\AppData\Local\cmzes9mLU\rdrleakdiag.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3012
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:2576
      • C:\Users\Admin\AppData\Local\3VUihcf\Dxpserver.exe
        C:\Users\Admin\AppData\Local\3VUihcf\Dxpserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2988
      • C:\Windows\system32\dwm.exe
        C:\Windows\system32\dwm.exe
        1⤵
          PID:1244
        • C:\Users\Admin\AppData\Local\e327ddg1\dwm.exe
          C:\Users\Admin\AppData\Local\e327ddg1\dwm.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3060

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3VUihcf\dwmapi.dll
          Filesize

          1.2MB

          MD5

          1eedd7d003d4540baee13ba693507c5f

          SHA1

          784c875a220931e037345d8516ef2971de99e6e5

          SHA256

          84b89d28d8ffcdf2b9bacca55b1d3ebe703e573983e8a99cd6a507adbc9fdc22

          SHA512

          5fae9754133616c558fa1d4dab957e619f3f7c41830579c730dd5b8832391051d9e3a4594eb2774543fabc86c4c0f65fe75afb53d75eeb9a5b988bea2a55dbe4

          Download Submit

        • C:\Users\Admin\AppData\Local\cmzes9mLU\wer.dll
          Filesize

          1.2MB

          MD5

          5e5a3571cd628da784e82521bfa7418d

          SHA1

          e8dcda6d0990c0c805cdc81c19054cf3cb3786f7

          SHA256

          2639c0fc4f2939332b23cace6886ddd93ce2d644c98d04aa291c23ecc6908132

          SHA512

          a99c6ed3307611816fd411f873747d5893aec0a3fad647233a2e52b153df4820112fcd4e7a67dc4a79e8ca41958abb5b4caea5a70b1dc42ce097256e450d4660

          Download Submit

        • C:\Users\Admin\AppData\Local\e327ddg1\UxTheme.dll
          Filesize

          1.2MB

          MD5

          eceb0cd4b321f6ab2f5efe42101ef0eb

          SHA1

          dd269e6ac2e3b5f8cabc9bdc94bd3e9d714cf8d5

          SHA256

          dbee9ad55fcd2c9ff31c5e3d96c7882d891bfc7737f639099645aa1a56b1c59e

          SHA512

          013d1b1b6e09954ee67f7ee0e87c112b71e03b61fc246777a803d85f9c306bf89e743f6fcd153b93ad5adaf33eb1771c7c46401085cda6ea0b6cd97a06dcc28d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk
          Filesize

          1KB

          MD5

          b03459a813839763f7851e38589a594b

          SHA1

          c873643688b7c5d2a8ba96ca5363a60a311fcb09

          SHA256

          c2e367900d2f9e1bb3a384e14e652d85cb499b28814237d21a71c20102b7b97a

          SHA512

          d730af9b3d2af1c6493e2e5aeae48b779085f1d798ebe45364d7e67b3b15c8b0cf977e1fe0e368abbfc0e8a7cd3010bdf66b103af338e788713c9b67c830bae8

          Download Submit

        • \Users\Admin\AppData\Local\3VUihcf\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\cmzes9mLU\rdrleakdiag.exe
          Filesize

          39KB

          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit

        • \Users\Admin\AppData\Local\e327ddg1\dwm.exe
          Filesize

          117KB

          MD5

          f162d5f5e845b9dc352dd1bad8cef1bc

          SHA1

          35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

          SHA256

          8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

          SHA512

          7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

          Download Submit

        • memory/1184-25-0x0000000002D60000-0x0000000002D67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1184-38-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-14-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-13-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-12-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-11-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-10-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-9-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-8-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-7-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-26-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-3-0x0000000077686000-0x0000000077687000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-37-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-28-0x0000000077920000-0x0000000077922000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1184-27-0x00000000778F0000-0x00000000778F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1184-15-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-4-0x0000000002D80000-0x0000000002D81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-47-0x0000000077686000-0x0000000077687000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-16-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-17-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-6-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-18-0x0000000140000000-0x0000000140133000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1220-46-0x000007FEF6830000-0x000007FEF6963000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1220-1-0x0000000000420000-0x0000000000427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1220-0-0x000007FEF6830000-0x000007FEF6963000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2988-74-0x000007FEF6830000-0x000007FEF6964000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2988-76-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2988-79-0x000007FEF6830000-0x000007FEF6964000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3012-55-0x000007FEF6EC0000-0x000007FEF6FF4000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3012-60-0x000007FEF6EC0000-0x000007FEF6FF4000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3012-57-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3060-94-0x000007FEF6830000-0x000007FEF6964000-memory.dmp

          Filesize

          1.2MB

          Download