Overview

overview

10

Static

static

3

db433f7069...0a.dll

windows7-x64

10

db433f7069...0a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2024 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a.dll

  • Size

    1.4MB

  • MD5

    e74399f942cf0cf81df1e8a4972bb8bb

  • SHA1

    13416b3359fb3b1ce03acca069454bb4c228b3f0

  • SHA256

    db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a

  • SHA512

    09968cb2afead5f2626ed4c85471ffa0b80fab89066e4662dd07f86824a9873f149fa840950123989fe9fdee44649de6f52a7975da6d57ff29094ddfb4b459d0

  • SSDEEP

    12288:DkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64Cw1:DkMZ+gf4ltGd8H1fYO0q2G1Ahw1

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2780
  • C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe
    1⤵
      PID:2268
    • C:\Users\Admin\AppData\Local\dnmz\WFS.exe
      C:\Users\Admin\AppData\Local\dnmz\WFS.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1812
    • C:\Windows\system32\DWWIN.EXE
      C:\Windows\system32\DWWIN.EXE
      1⤵
        PID:1976
      • C:\Users\Admin\AppData\Local\uWGH\DWWIN.EXE
        C:\Users\Admin\AppData\Local\uWGH\DWWIN.EXE
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2884
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:2828
        • C:\Users\Admin\AppData\Local\Jbn27dXv\psr.exe
          C:\Users\Admin\AppData\Local\Jbn27dXv\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2444

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Jbn27dXv\OLEACC.dll
          Filesize

          1.4MB

          MD5

          08835935987a8b42e790e682dd5f5995

          SHA1

          bd9280f2c338c0e69c8d93ee342b96853e979aea

          SHA256

          77ec903e2ab0021d5dea959ef9c0e6ee2c13b217a5f268165cc5a7397b52138e

          SHA512

          653f26b727b8b216cedd2d9f71f355d665526df36b43a3c88f54d94ec0059d03cdb156fd3e7716b9414b000d32de2ff8a22b83fc5d4817c9546a23bb7c34aa62

          Download Submit

        • C:\Users\Admin\AppData\Local\dnmz\MFC42u.dll
          Filesize

          1.4MB

          MD5

          9085d0a1147ae1d415978ee6c74bda3d

          SHA1

          7adfede9aefd04dab291307d0a6d1aa9bf2cb7bb

          SHA256

          5293684e0be2e53999999b9d8eac0468661bd962d5aaa8ccc2d8890cb43a4765

          SHA512

          18134d963a31ed1dc5dac19e21d46d1411979a6e6c05ce495f9004626e077ccfb2cd70b33514987fc466a9a8da55b8339f3aabf1b8242494cada4583a0616da0

          Download Submit

        • C:\Users\Admin\AppData\Local\uWGH\VERSION.dll
          Filesize

          1.4MB

          MD5

          5ffa85dd3be922ebc362f20f73a9c8e8

          SHA1

          8c99d7cd3be2ea4ef3d08b899c4d85d179f5d394

          SHA256

          f3e255644ef69f3bf7cd729fa3afda1b497a23412591dab1adf3d0d075411fe2

          SHA512

          da979629976d2301258b16fc8c7c667e7b89e8f14bf83f575b00dcbf21f3d6977f6f9db1cdddbb975128b8a635840dbe0fc6c5f8a86f5da45ec7f0f26292d9b7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          49d67e89cc813d8301f9ade690091d82

          SHA1

          20143c9bfc023fd37c8855b093428fd1373370c2

          SHA256

          81e91c01dc343829b1e9d9ef432298a436a886eeee917c30eb2cec2fc8d1af76

          SHA512

          13295dd84b8d11fbd958bdc013e7809a52e24b6c26ee6a6df61ca9e75be7c93e9efa84fae9347b76947a0d6546f61ee7b57f2d59b9d6c8e813c6fdd4e58fa442

          Download Submit

        • \Users\Admin\AppData\Local\Jbn27dXv\psr.exe
          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

          Download Submit

        • \Users\Admin\AppData\Local\dnmz\WFS.exe
          Filesize

          951KB

          MD5

          a943d670747778c7597987a4b5b9a679

          SHA1

          c48b760ff9762205386563b93e8884352645ef40

          SHA256

          1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

          SHA512

          3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

          Download Submit

        • \Users\Admin\AppData\Local\uWGH\DWWIN.EXE
          Filesize

          149KB

          MD5

          25247e3c4e7a7a73baeea6c0008952b1

          SHA1

          8087adb7a71a696139ddc5c5abc1a84f817ab688

          SHA256

          c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

          SHA512

          bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

          Download Submit

        • memory/1220-10-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-38-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-28-0x0000000077970000-0x0000000077972000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1220-19-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-18-0x00000000025B0000-0x00000000025B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1220-17-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-16-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-15-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-14-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-13-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-12-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-3-0x0000000077706000-0x0000000077707000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-9-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-8-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-39-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-29-0x00000000779A0000-0x00000000779A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1220-4-0x00000000029D0000-0x00000000029D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-48-0x0000000077706000-0x0000000077707000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-27-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-11-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-6-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1220-7-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1812-61-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1812-56-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1812-57-0x0000000140000000-0x000000014016E000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2444-94-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2780-47-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2780-0-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2780-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2884-73-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2884-75-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2884-78-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download