Overview

overview

10

Static

static

3

b5a92b20ca...dd.dll

windows7-x64

10

b5a92b20ca...dd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b5a92b20ca55f3df694fbdb63f6d5bd6d7ce96581d341d282223bd33bc0753dd.dll

  • Size

    680KB

  • MD5

    5b9fde8a7db8bc2c53fccd4187db1c8c

  • SHA1

    fcac82c487ba59787aa3e3be98aedd6e2198fc1e

  • SHA256

    b5a92b20ca55f3df694fbdb63f6d5bd6d7ce96581d341d282223bd33bc0753dd

  • SHA512

    88ee1dc23bc6ab839334667e2f82ecfced7b5ac488c1e9f6109f6e1f0d5b245fdaaccbfabb5faa5b67ad91d8780f018daee28dad9ea389ab8defaed4d24f323b

  • SSDEEP

    6144:z34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT7:zIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5a92b20ca55f3df694fbdb63f6d5bd6d7ce96581d341d282223bd33bc0753dd.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2876
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    1⤵
      PID:2624
    • C:\Users\Admin\AppData\Local\walmxWrI\SystemPropertiesDataExecutionPrevention.exe
      C:\Users\Admin\AppData\Local\walmxWrI\SystemPropertiesDataExecutionPrevention.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1104
    • C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      1⤵
        PID:872
      • C:\Users\Admin\AppData\Local\pxAsl\dialer.exe
        C:\Users\Admin\AppData\Local\pxAsl\dialer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1672
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:2580
        • C:\Users\Admin\AppData\Local\iydGmP\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\iydGmP\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2844

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\iydGmP\SYSDM.CPL
          Filesize

          684KB

          MD5

          28771b855ae16ccace890e978aa67d28

          SHA1

          0be93cfa16296efbae6e627cbaf229005bfaf188

          SHA256

          d341c994bc98fafdd270876296adfb9d2b778530de757e82f2930666e6f7c239

          SHA512

          71864ec63489eafa7fb074e04eea45af05d2cfb4d370b47e17571b8fb66904c792db5e7266918bf918e4bc8b4150c5af4a8e0e85fceaf502bae232e6887ec499

          Download Submit

        • C:\Users\Admin\AppData\Local\pxAsl\TAPI32.dll
          Filesize

          688KB

          MD5

          2023e166eab1b66c9b2419ec29a2ce5f

          SHA1

          2fc3e1670c94bb8c960b3c03c5e7b089641e21a4

          SHA256

          3f86f3d6e81aba5d9561569b4ffd72e2f61fc238958fb806d2cd893e2b68e746

          SHA512

          8ea90fb78f13bcab461550dc8e8cb86d23ed838df3240562864cb4286d7f822e39aa29992fc76bd53cc17073990b5c5fd7aa58d1f149ec13d31164371f046557

          Download Submit

        • C:\Users\Admin\AppData\Local\walmxWrI\SYSDM.CPL
          Filesize

          684KB

          MD5

          f071c4f1549d4f413c8ac558a687df38

          SHA1

          42ba80642ccc9618a1d453ff5a68aecdaa972545

          SHA256

          34159d95a4a05875f1f17f20dc43f336c10a6554e5ddbf9cad72d6940ee99421

          SHA512

          270640a2ac2a53f9e9a38a8431a640f15d7d82d45e9665de48824bb2d8c4dc2c5ef0f37a6017cce5bcb2d09118bdc63b2e7e1acacd5cdfe5ccad06320cbdb212

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          89691408afa1e3343261e5aadcd6cd1f

          SHA1

          9d6ac2350fda892af82cbfee464b3988751243e8

          SHA256

          d94b67edb9eb1aeefda1b4122efa779d2a6ec3518219cd4abc93cd584844ae46

          SHA512

          e4690c1c8d9dcc07b773ca4c174836df29a1c94d86e30a67e5d85654a31698d4e5dc836b1b071b86b5f8797528f4f64650b9ec4f16b7f0c6eb47df4b3a650e02

          Download Submit

        • \Users\Admin\AppData\Local\iydGmP\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • \Users\Admin\AppData\Local\pxAsl\dialer.exe
          Filesize

          34KB

          MD5

          46523e17ee0f6837746924eda7e9bac9

          SHA1

          d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

          SHA256

          23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

          SHA512

          c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

          Download Submit

        • \Users\Admin\AppData\Local\walmxWrI\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit

        • memory/1104-56-0x000007FEF7320000-0x000007FEF73CB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1104-53-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1104-51-0x000007FEF7320000-0x000007FEF73CB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1256-19-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-11-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-27-0x0000000077010000-0x0000000077012000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1256-26-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-18-0x00000000029A0000-0x00000000029A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1256-17-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-16-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-14-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-34-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-33-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-12-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-28-0x0000000077040000-0x0000000077042000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1256-9-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-3-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-43-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-4-0x00000000029C0000-0x00000000029C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1256-13-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-10-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-8-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-7-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-6-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1256-15-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1672-68-0x0000000000210000-0x0000000000217000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1672-69-0x000007FEF71F0000-0x000007FEF729C000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1672-73-0x000007FEF71F0000-0x000007FEF729C000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2844-85-0x000007FEF71F0000-0x000007FEF729B000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2844-89-0x000007FEF71F0000-0x000007FEF729B000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2876-0-0x000007FEF7270000-0x000007FEF731A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2876-42-0x000007FEF7270000-0x000007FEF731A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2876-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download