Overview

overview

10

Static

static

3

164ec74b8c...17.dll

windows7-x64

10

164ec74b8c...17.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    164ec74b8cd92223749f1f843b8518c3e337360376a5edcda388525029bb3117.dll

  • Size

    676KB

  • MD5

    1bf1ac0d053766f0b3f1463c6896953c

  • SHA1

    73aafbff8a7ea3dabe84d5047add7442e52d43b0

  • SHA256

    164ec74b8cd92223749f1f843b8518c3e337360376a5edcda388525029bb3117

  • SHA512

    d292fd9143a267c4dbde98fe9f014cee96686579d8fb8ff692b7dfa420cac3085dd361fb06f81476cfb72ff72a5e53e9f15195dc4ceeeff57e9188b1ac5343d4

  • SSDEEP

    6144:u34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:uIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\164ec74b8cd92223749f1f843b8518c3e337360376a5edcda388525029bb3117.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2344
  • C:\Windows\system32\shrpubw.exe
    C:\Windows\system32\shrpubw.exe
    1⤵
      PID:3028
    • C:\Users\Admin\AppData\Local\QR4\shrpubw.exe
      C:\Users\Admin\AppData\Local\QR4\shrpubw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2704
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:2720
      • C:\Users\Admin\AppData\Local\fS9Sw9Y4\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\fS9Sw9Y4\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2740
      • C:\Windows\system32\RDVGHelper.exe
        C:\Windows\system32\RDVGHelper.exe
        1⤵
          PID:1616
        • C:\Users\Admin\AppData\Local\lKtQKy\RDVGHelper.exe
          C:\Users\Admin\AppData\Local\lKtQKy\RDVGHelper.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2412

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\QR4\ACLUI.dll
          Filesize

          680KB

          MD5

          7bb2a303435adeab8b26c53fd2e53f84

          SHA1

          541f33ee798ab1da9d3e8599f11987b938b28aba

          SHA256

          f6ccae122fd7c2b59ad795be0d6fa08b5551c8b59cf02a06197a907d15e5c20a

          SHA512

          e22c232183281e7726333aa243adb21c4f32d53a8132942df1812200861235704f347945e58f8d8dc2e526ec9821ac1197fe0ec5546ed870828ebc62c145f8ba

          Download Submit

        • C:\Users\Admin\AppData\Local\fS9Sw9Y4\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit

        • C:\Users\Admin\AppData\Local\fS9Sw9Y4\FVEWIZ.dll
          Filesize

          680KB

          MD5

          b8af434534d089dfafde35e83a7a55be

          SHA1

          f87205a83475eb2854f25e7a34d5be106b4f9d5b

          SHA256

          106456b5e06e54cd6262d77bb64fc54803d83673650365206d04ef76a45a86ba

          SHA512

          b74696a0f6a41f198e56b3d0dd9ff4e67c64b5f51b6e63e979bd917213ff93b0e83c0adeee2b17c8196860b66afec0724c0b26f73f6fde8ec9df9f903a267adb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          d7bec3d1666f26c8292b2e9a163c9594

          SHA1

          7f3602c9ff30b135ac755b166fe7789a4778cd66

          SHA256

          435019a96a64940a3811761f66a426414364cefeb8822bdab0ac68a4a115692c

          SHA512

          cb2418c90635faf66f0356bbd4c7e04d98ea90c68e632604ea801873d68c027183e5f010c6e5374c9b50961b43fb414230f5f69da4897f9d1f5f3eef1fcc1285

          Download Submit

        • \Users\Admin\AppData\Local\QR4\shrpubw.exe
          Filesize

          398KB

          MD5

          29e6d0016611c8f948db5ea71372f76c

          SHA1

          01d007a01020370709cd6580717f9ace049647e8

          SHA256

          53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

          SHA512

          300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

          Download Submit

        • \Users\Admin\AppData\Local\lKtQKy\RDVGHelper.exe
          Filesize

          93KB

          MD5

          53fda4af81e7c4895357a50e848b7cfe

          SHA1

          01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

          SHA256

          62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

          SHA512

          dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

          Download Submit

        • \Users\Admin\AppData\Local\lKtQKy\WTSAPI32.dll
          Filesize

          680KB

          MD5

          269516ed80339a4885ac6941234efa0f

          SHA1

          3dd2fbcc4cee2d06635ba1b2031ea3b3465292cd

          SHA256

          0c8f7d265ae22860d8ded03daddb9f07a35c9b1b1c0c1a2b426290317c94a707

          SHA512

          18560cb201ca44735c293f82f5c12e529009612d3abb55470e0740638910ceb3d8e53d10ca75672b0a776b2ac5427430bfd3342d6ecbf41825db25641d8b58d9

          Download Submit

        • memory/1268-26-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-38-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-18-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-25-0x0000000002A00000-0x0000000002A07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1268-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-3-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-27-0x0000000077420000-0x0000000077422000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1268-28-0x0000000077450000-0x0000000077452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1268-37-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-47-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1268-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2344-46-0x000007FEFAEE0000-0x000007FEFAF89000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2344-1-0x000007FEFAEE0000-0x000007FEFAF89000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2344-2-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2412-93-0x000007FEF76F0000-0x000007FEF779A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2704-60-0x000007FEF7630000-0x000007FEF76DA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2704-57-0x000007FEF7630000-0x000007FEF76DA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2704-55-0x0000000001CE0000-0x0000000001CE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2740-72-0x000007FEF76F0000-0x000007FEF779A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2740-74-0x0000000000210000-0x0000000000217000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2740-77-0x000007FEF76F0000-0x000007FEF779A000-memory.dmp

          Filesize

          680KB

          Download