Overview

overview

10

Static

static

3

9f42706b6c...12.dll

windows7-x64

10

9f42706b6c...12.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f42706b6c266edd5c6ffd4ee56117063224bc6afea8cfb85d0646029585cd12.dll

  • Size

    676KB

  • MD5

    792dfd2b5224a44183e40fe97050f5c2

  • SHA1

    990c995f30ecfca83fdaa9c347c125c52c610d2a

  • SHA256

    9f42706b6c266edd5c6ffd4ee56117063224bc6afea8cfb85d0646029585cd12

  • SHA512

    1bcc2d01951747d7d6a56b3553888d1828a5523bb60fc1e92dae175274e43505d70b7678c410a87546300893e736a16515592d50da1dc3cedf6b8d6e22bc991e

  • SSDEEP

    6144:r34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:rIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f42706b6c266edd5c6ffd4ee56117063224bc6afea8cfb85d0646029585cd12.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2060
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:2856
    • C:\Users\Admin\AppData\Local\JJ0LJL\slui.exe
      C:\Users\Admin\AppData\Local\JJ0LJL\slui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2736
    • C:\Windows\system32\PresentationSettings.exe
      C:\Windows\system32\PresentationSettings.exe
      1⤵
        PID:2132
      • C:\Users\Admin\AppData\Local\F8oq\PresentationSettings.exe
        C:\Users\Admin\AppData\Local\F8oq\PresentationSettings.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2064
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        1⤵
          PID:1884
        • C:\Users\Admin\AppData\Local\uQjNf\SystemPropertiesRemote.exe
          C:\Users\Admin\AppData\Local\uQjNf\SystemPropertiesRemote.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2432

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\F8oq\slc.dll
          Filesize

          680KB

          MD5

          f66eca0af81cf89e1dbdcce6aa378477

          SHA1

          6eba669e0f7064a7d52e8997bbd7ae703b0777e0

          SHA256

          9e004f6a71110825f400559bab972ff87e03d1668e36f8e5d7f51b9b144aa9f3

          SHA512

          b942065f50bb8df5c1826aa133b7476e696e8f230deec0c430f01231323eed90a0272715d81b439cd5320449ec87691c0415574bc6b02e9d9f28c1510eee8307

          Download Submit

        • C:\Users\Admin\AppData\Local\JJ0LJL\slc.dll
          Filesize

          680KB

          MD5

          c7c94f5a0c3887391f0b7aca484e45fc

          SHA1

          e9463210bb139f740535061521ee03a0924b05f6

          SHA256

          4c75ebf1d5a7a35ce5c5307668ddbefabc2331212cba0e5cdff2dea93e2feb77

          SHA512

          6ead68844043eb2997856d977c162884b10622e7f22a6f904e5bdc6d60d9dbfe8814e62d37861ef2db5f78b4adc90fa8ed8b31f0c2f6655efa54f376a9e13049

          Download Submit

        • C:\Users\Admin\AppData\Local\uQjNf\SYSDM.CPL
          Filesize

          680KB

          MD5

          e525fa3effbfec499d5fd33f8c33ff26

          SHA1

          1c99fed79f0e54ab7587f5cba585db5e8bb13541

          SHA256

          88ba5d9ad3c3b7525d01b4ccf6b3d71fe1047f83db906807298298276cf97dd0

          SHA512

          4520113f68e2db65b88e7d8683bf834bba7cdcf8e103f88d009e22d3c11524aedc74e922cf67bcd1b3dfaaefa251cdd77a5e5edc7f1bfff25464ae9d4f84158c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          76c531d9324b1b540686bac7f5ca7fc5

          SHA1

          6ff0f368686a51a6b0d2e548354f15a32407598a

          SHA256

          6dc7db3eac779af3fc44e374c47050b24803aeb9be2652e1c4247e7e8384c965

          SHA512

          820611523d367a507d7b431e3e29e4d6c3fd7c5121c5a2aff107101d2164b9497fab2fe4aede54e622f7caaca3c71ffffc1412d496481a00ff4ff5b4062a9a5e

          Download Submit

        • \Users\Admin\AppData\Local\F8oq\PresentationSettings.exe
          Filesize

          172KB

          MD5

          a6f8d318f6041334889481b472000081

          SHA1

          b8cf08ec17b30c8811f2514246fcdff62731dd58

          SHA256

          208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

          SHA512

          60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

          Download Submit

        • \Users\Admin\AppData\Local\JJ0LJL\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit

        • \Users\Admin\AppData\Local\uQjNf\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit

        • memory/1192-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-38-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-27-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-26-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-3-0x0000000077A66000-0x0000000077A67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-25-0x0000000002210000-0x0000000002217000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-4-0x0000000002230000-0x0000000002231000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-28-0x0000000077E00000-0x0000000077E02000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-39-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-47-0x0000000077A66000-0x0000000077A67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-18-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1192-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2060-37-0x000007FEFB940000-0x000007FEFB9E9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2060-0-0x000007FEFB940000-0x000007FEFB9E9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2060-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2064-72-0x000007FEF8D90000-0x000007FEF8E3A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2064-74-0x0000000000210000-0x0000000000217000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2064-77-0x000007FEF8D90000-0x000007FEF8E3A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2432-93-0x000007FEF8D90000-0x000007FEF8E3A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2736-60-0x000007FEFB940000-0x000007FEFB9EA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2736-56-0x000007FEFB940000-0x000007FEFB9EA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2736-55-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download