Overview

overview

10

Static

static

3

fd7fddc39d...58.dll

windows7-x64

10

fd7fddc39d...58.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    02-11-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd7fddc39d5bc3bc942c4575c57bb305068eed4e8bbe1285733e23ec9b18fb58.dll

  • Size

    672KB

  • MD5

    089bbe4454e8a5806c2c27247bd47c3a

  • SHA1

    837ada8cd4d906788c34507cc413a78389e91c02

  • SHA256

    fd7fddc39d5bc3bc942c4575c57bb305068eed4e8bbe1285733e23ec9b18fb58

  • SHA512

    a789910c2cd0698cd0f383ca4bfa2f54b8c11c640aa74d632ccaf9596c8353c319f0b05612b7b590fc860eaf131a7d783f1ed735f82975e7d77a3332154a937d

  • SSDEEP

    6144:534xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:5IKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd7fddc39d5bc3bc942c4575c57bb305068eed4e8bbe1285733e23ec9b18fb58.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2188
  • C:\Windows\system32\spinstall.exe
    C:\Windows\system32\spinstall.exe
    1⤵
      PID:2952
    • C:\Users\Admin\AppData\Local\AYW3qdn\spinstall.exe
      C:\Users\Admin\AppData\Local\AYW3qdn\spinstall.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1264
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
        PID:2696
      • C:\Users\Admin\AppData\Local\nZG\tcmsetup.exe
        C:\Users\Admin\AppData\Local\nZG\tcmsetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2748
      • C:\Windows\system32\fvenotify.exe
        C:\Windows\system32\fvenotify.exe
        1⤵
          PID:2012
        • C:\Users\Admin\AppData\Local\5aPb238Y\fvenotify.exe
          C:\Users\Admin\AppData\Local\5aPb238Y\fvenotify.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2972

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5aPb238Y\slc.dll
          Filesize

          676KB

          MD5

          00e45c2250a45916e5de6aba9ab457c0

          SHA1

          3b4725d7090b7f8287faaab9c8ac45d2d2f258d4

          SHA256

          f074f950c477318b11d0d3cb4dde6247a3b15d75139dca7d49cf406d26dcbaa2

          SHA512

          9715177b78190bf9e873517d7cbec7c75e516987d5d18f471a89406963d5cdbdb70c8dee0f5664d8dc96beac22b531b2504f98b75e8168c60afc3d0ad67ff5e8

          Download Submit

        • C:\Users\Admin\AppData\Local\AYW3qdn\wer.dll
          Filesize

          676KB

          MD5

          cf7cc4ea48b235e00d465959a5955509

          SHA1

          4786864606aeb51e35e008d76f12d87f6572f047

          SHA256

          1096c8478a9c42dbc0bd3560272da086054cd1b4e0d6fa9b1d8437f47b0ed12c

          SHA512

          d82dc17064f51e56f969c1c0601beab817ad9fd77a5af19aa9272662e7b2aa2f2178295e838984b010eb53a7e5902c85ed7e33333dea585ed67ffcee3b98d8cd

          Download Submit

        • C:\Users\Admin\AppData\Local\nZG\TAPI32.dll
          Filesize

          680KB

          MD5

          324ef7fe47dd37905184d5fb3f59fc4c

          SHA1

          7b1ea58eb4a78382cba54549f5d7ae0d178a9e25

          SHA256

          529d24e7ccee54830a632f917e098eb8c7cf544667c3fbc26d1a6888c110da55

          SHA512

          0c6a3725771f4fe5d242a99e1d325309ba9885357e84a9c95326569ffe7c3b57a8b8503ea8c9766b38f564b9a10724724b73bdffdced4cea063569d69f7298c4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          729677802b5094663b96490e37f4df64

          SHA1

          78778cc9f4ca3f07a7534d3eab05368c291f4c48

          SHA256

          5f0d32292015591d37a546aeed9502085f52ccd50b2152494cc784f80480d531

          SHA512

          51f1c846f705bd91a11754efeea75f9ff0543a97b7f43e403bf27de4eec22ea7cad15fdece94bb1d70b59350ca014e91b30d00880f33f412f1e7f17ad8842448

          Download Submit

        • \Users\Admin\AppData\Local\5aPb238Y\fvenotify.exe
          Filesize

          117KB

          MD5

          e61d644998e07c02f0999388808ac109

          SHA1

          183130ad81ff4c7997582a484e759bf7769592d6

          SHA256

          15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

          SHA512

          310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

          Download Submit

        • \Users\Admin\AppData\Local\AYW3qdn\spinstall.exe
          Filesize

          584KB

          MD5

          29c1d5b330b802efa1a8357373bc97fe

          SHA1

          90797aaa2c56fc2a667c74475996ea1841bc368f

          SHA256

          048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

          SHA512

          66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

          Download Submit

        • \Users\Admin\AppData\Local\nZG\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit

        • memory/1264-59-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1264-55-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1264-54-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1272-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-46-0x00000000775E6000-0x00000000775E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-27-0x0000000077980000-0x0000000077982000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-26-0x0000000077950000-0x0000000077952000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1272-3-0x00000000775E6000-0x00000000775E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1272-37-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-39-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-24-0x00000000029D0000-0x00000000029D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1272-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-18-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1272-4-0x00000000029F0000-0x00000000029F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2188-0-0x000007FEF6FB0000-0x000007FEF7058000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2188-36-0x000007FEF6FB0000-0x000007FEF7058000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2188-2-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2748-71-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2748-72-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2748-76-0x000007FEF7BF0000-0x000007FEF7C9A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2972-92-0x000007FEF7BF0000-0x000007FEF7C99000-memory.dmp

          Filesize

          676KB

          Download