Overview

overview

10

Static

static

3

f3ee4f0ee0...59.dll

windows7-x64

10

f3ee4f0ee0...59.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59.dll

  • Size

    952KB

  • MD5

    60615daea6718bb366a3360c61da8582

  • SHA1

    a27c75340da626b4a9635a4e8d92ec3ee5c1bb3b

  • SHA256

    f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59

  • SHA512

    9ccf9349ea4dab95292f9bda79a05cc8d96427cef00395c30f936b2ca7b19abf28d657d41f7c5eb1273c52078673b3007cf18b6a377b051e8bf417221405d9df

  • SSDEEP

    6144:e34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTx:eIKp/UWCZdCDh2IZDwAFRpR6Aul+

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2892
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    1⤵
      PID:2656
    • C:\Users\Admin\AppData\Local\cNqpNPF\SystemPropertiesComputerName.exe
      C:\Users\Admin\AppData\Local\cNqpNPF\SystemPropertiesComputerName.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2196
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:1264
      • C:\Users\Admin\AppData\Local\0LDxVJ\Dxpserver.exe
        C:\Users\Admin\AppData\Local\0LDxVJ\Dxpserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2944
      • C:\Windows\system32\mstsc.exe
        C:\Windows\system32\mstsc.exe
        1⤵
          PID:2916
        • C:\Users\Admin\AppData\Local\lBFo\mstsc.exe
          C:\Users\Admin\AppData\Local\lBFo\mstsc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1880

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\cNqpNPF\SYSDM.CPL
          Filesize

          956KB

          MD5

          6571975387e2366624c9fca5125df0ca

          SHA1

          6f7b01d3e5a7750a9b3905351ce30849d2c95cb5

          SHA256

          f397bc47a18019c2081c893da2b0b90d5ff9d4ba38f3f47114a02b0a611a352a

          SHA512

          792b9a1ca5944a1039d2f387539c9f1b6fc005f0aaf09b5ab51dc59ac7ee29734a344fc0a1379c3173fd81006131dd9f1a0cb605e4ba0fa4df9c8617fd6d35df

          Download Submit

        • C:\Users\Admin\AppData\Local\lBFo\credui.dll
          Filesize

          956KB

          MD5

          60e2e01b34b89cd58dcc85547af391da

          SHA1

          a33f424b2231c1376d21dd2782b85288982a6ebc

          SHA256

          a80a60a1cf8ce2324e095fa7454eb304fc4d03296235b41e7658c34ec58bbd1a

          SHA512

          3ec4ef538844f0c4d7bcc115c48becd683e6c9cabf4d771fb45a5b48ae163acb062a8c12235d8a48b305bf6a45100746dac4be73a33f3cb2c0ad71f635d60e0f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk
          Filesize

          1KB

          MD5

          8c9ac3addccb913cc9822d805a74edcf

          SHA1

          d922e44c2bb3b37f0629007d763d5aefa96618dd

          SHA256

          40b9897c9f5d2821068323ea63cacf3dfbdd18bf938ba56aa9353cf81e5c3b35

          SHA512

          69e88d8828f971d992413bab89ee66f5c80c69d9307921fe7ff517a1c0875857af5f0eaeb055b158bc56743c3866145be26d68b85a35417741339bc060db95d9

          Download Submit

        • \Users\Admin\AppData\Local\0LDxVJ\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\0LDxVJ\XmlLite.dll
          Filesize

          956KB

          MD5

          3985e90f225a812a8dad0614b065791b

          SHA1

          cc76eb1acb88945ef416bfba4abfb36beb766acf

          SHA256

          470e1169b6fa001dd172855b300bc069c77d0a6ea7b9f625f5c984da864175b4

          SHA512

          4fc2f0b570608ff6e5c9f1ac430a29d1fc0f7fe76d79d3af12cf1e18da0facb93fbfe8bc1296dea6ab1cabfc052744db078476e1fd2d61b5f337d362adbc015b

          Download Submit

        • \Users\Admin\AppData\Local\cNqpNPF\SystemPropertiesComputerName.exe
          Filesize

          80KB

          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit

        • \Users\Admin\AppData\Local\lBFo\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit

        • memory/1252-26-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-38-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-17-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-16-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-15-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-14-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-12-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-11-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-9-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-8-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-7-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-3-0x00000000775D6000-0x00000000775D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-28-0x0000000077870000-0x0000000077872000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1252-27-0x0000000077840000-0x0000000077842000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1252-37-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-18-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-4-0x0000000002530000-0x0000000002531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-47-0x00000000775D6000-0x00000000775D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-25-0x0000000002510000-0x0000000002517000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1252-10-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-6-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1252-13-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1880-93-0x000007FEF67B0000-0x000007FEF689F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2196-57-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2196-60-0x000007FEF6DB0000-0x000007FEF6E9F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2196-55-0x000007FEF6DB0000-0x000007FEF6E9F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2892-46-0x000007FEF67B0000-0x000007FEF689E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2892-0-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2892-1-0x000007FEF67B0000-0x000007FEF689E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2944-74-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2944-72-0x000007FEF67B0000-0x000007FEF689F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2944-77-0x000007FEF67B0000-0x000007FEF689F000-memory.dmp

          Filesize

          956KB

          Download