Overview

overview

10

Static

static

3

97b25d2ee6...21.dll

windows7-x64

10

97b25d2ee6...21.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97b25d2ee63b52b28c0a7f77f87b4163e106f28f831b765099c641297be1d121.dll

  • Size

    676KB

  • MD5

    a419f6c38aab1882f8e8971dc1f52e13

  • SHA1

    2e28d486ce97a07d3c3a4bf0e1ee7882d2739b42

  • SHA256

    97b25d2ee63b52b28c0a7f77f87b4163e106f28f831b765099c641297be1d121

  • SHA512

    7fd998afc56ff1e09cc2109fb0198f7727378ea07b35162970f900ea49b17825772e1e2492ce4788d1bae7769e11fc6b0273d7db8be6908c88e162457e23ac94

  • SSDEEP

    6144:M34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:MIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\97b25d2ee63b52b28c0a7f77f87b4163e106f28f831b765099c641297be1d121.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1840
  • C:\Windows\system32\rdrleakdiag.exe
    C:\Windows\system32\rdrleakdiag.exe
    1⤵
      PID:2620
    • C:\Users\Admin\AppData\Local\eEv\rdrleakdiag.exe
      C:\Users\Admin\AppData\Local\eEv\rdrleakdiag.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2732
    • C:\Windows\system32\BitLockerWizardElev.exe
      C:\Windows\system32\BitLockerWizardElev.exe
      1⤵
        PID:2248
      • C:\Users\Admin\AppData\Local\8u9Bh3zU0\BitLockerWizardElev.exe
        C:\Users\Admin\AppData\Local\8u9Bh3zU0\BitLockerWizardElev.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2372
      • C:\Windows\system32\winlogon.exe
        C:\Windows\system32\winlogon.exe
        1⤵
          PID:584
        • C:\Users\Admin\AppData\Local\791Atg\winlogon.exe
          C:\Users\Admin\AppData\Local\791Atg\winlogon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2888

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\791Atg\WINSTA.dll
          Filesize

          684KB

          MD5

          ec6a0d9103c4a8ddf8f64b9db643272c

          SHA1

          1512b2e4d9989faf618f7e27b173a6d4fbb30b42

          SHA256

          44c1704353ab11ba2aabf38c098742ab461832307b5f3a29fee44a77eb66a236

          SHA512

          f77a3e8a03eacbfbea026380aba8405f1615bcb1be3e7834b59f35b7506a97b99daea548fc25fee38187ed3bdbb504b87aa6b1da3b0e2c16f2bb34a08de68b37

          Download Submit

        • C:\Users\Admin\AppData\Local\8u9Bh3zU0\FVEWIZ.dll
          Filesize

          680KB

          MD5

          4f858f02ce19d02d40abbc3ef1956c31

          SHA1

          5d57558856402b64d6af5126f3c250d4b67096c1

          SHA256

          f4aae60d38751a63a72e4e467dca2f6d48038cf0c2e29dda4876e0d6a0855497

          SHA512

          953bc510662d94a0495f4293b1c8e03a5ebda14fb14b43d910456ad9ee2320c7ca63758b9d1a753521981d39545eefa3f2c6b00590d7668d223bf555c89eaae9

          Download Submit

        • C:\Users\Admin\AppData\Local\eEv\VERSION.dll
          Filesize

          680KB

          MD5

          a38fbf44d5b687eac1dc7153ca56f6c2

          SHA1

          96088b7e4299d0259adedec6f218c250252fac73

          SHA256

          47c59288ecf61919166df5fae7b06ac82bef10f7266cb305aee980f7461912b3

          SHA512

          a8be3dbcbbae4d7bb4d70523689378d5f92feee0399c877aeeed4e86985f1f57c3cd1587c38134467d0d90bd59651c2f520a8b9fcbf23fffc812a087e55c7170

          Download Submit

        • C:\Users\Admin\AppData\Local\eEv\rdrleakdiag.exe
          Filesize

          39KB

          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          66f48be4f22cd104e9246a5aa0f38da1

          SHA1

          fce1074b62e497b57292c76b43d5516be53e3cc3

          SHA256

          ec4480261ab822408935058ffa4bc5f7073701c816bd2aebce1251abc160691d

          SHA512

          5a3453a1d7671a0129c936917f1060f7ea4e9d6114b1b0a47f3da87a71fcdc3d2f654dd7c3ba99f38c6ee44b92401b8b09002a6cd053e16c0700d531ba43bed0

          Download Submit

        • \Users\Admin\AppData\Local\791Atg\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • \Users\Admin\AppData\Local\8u9Bh3zU0\BitLockerWizardElev.exe
          Filesize

          98KB

          MD5

          73f13d791e36d3486743244f16875239

          SHA1

          ed5ec55dbc6b3bda505f0a4c699c257c90c02020

          SHA256

          2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

          SHA512

          911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

          Download Submit

        • memory/1368-26-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-39-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-3-0x00000000771C6000-0x00000000771C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1368-27-0x0000000077430000-0x0000000077432000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1368-28-0x0000000077460000-0x0000000077462000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1368-37-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-4-0x0000000002770000-0x0000000002771000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1368-47-0x00000000771C6000-0x00000000771C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1368-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-25-0x0000000002750000-0x0000000002757000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1368-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1368-18-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1840-46-0x000007FEF6950000-0x000007FEF69F9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1840-0-0x000007FEF6950000-0x000007FEF69F9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1840-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2372-74-0x0000000000310000-0x0000000000317000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2372-77-0x000007FEF6390000-0x000007FEF643A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2732-60-0x000007FEF6390000-0x000007FEF643A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2732-57-0x0000000000270000-0x0000000000277000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2732-55-0x000007FEF6390000-0x000007FEF643A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2888-89-0x000007FEF6390000-0x000007FEF643B000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2888-93-0x000007FEF6390000-0x000007FEF643B000-memory.dmp

          Filesize

          684KB

          Download