Overview

overview

10

Static

static

3

f3ee4f0ee0...59.dll

windows7-x64

10

f3ee4f0ee0...59.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59.dll

  • Size

    952KB

  • MD5

    60615daea6718bb366a3360c61da8582

  • SHA1

    a27c75340da626b4a9635a4e8d92ec3ee5c1bb3b

  • SHA256

    f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59

  • SHA512

    9ccf9349ea4dab95292f9bda79a05cc8d96427cef00395c30f936b2ca7b19abf28d657d41f7c5eb1273c52078673b3007cf18b6a377b051e8bf417221405d9df

  • SSDEEP

    6144:e34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTx:eIKp/UWCZdCDh2IZDwAFRpR6Aul+

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3ee4f0ee0df0701d4a42338b1e36ef39c8d4e7fb4726b015cd31ebb2dfbdf59.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4960
  • C:\Windows\system32\slui.exe
    C:\Windows\system32\slui.exe
    1⤵
      PID:1656
    • C:\Users\Admin\AppData\Local\vhz\slui.exe
      C:\Users\Admin\AppData\Local\vhz\slui.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:740
    • C:\Windows\system32\DmNotificationBroker.exe
      C:\Windows\system32\DmNotificationBroker.exe
      1⤵
        PID:2024
      • C:\Users\Admin\AppData\Local\bAEBoBj\DmNotificationBroker.exe
        C:\Users\Admin\AppData\Local\bAEBoBj\DmNotificationBroker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1132
      • C:\Windows\system32\MoUsoCoreWorker.exe
        C:\Windows\system32\MoUsoCoreWorker.exe
        1⤵
          PID:676
        • C:\Users\Admin\AppData\Local\6IWS68\MoUsoCoreWorker.exe
          C:\Users\Admin\AppData\Local\6IWS68\MoUsoCoreWorker.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3300

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6IWS68\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\6IWS68\XmlLite.dll
          Filesize

          956KB

          MD5

          3e3719e0f681dccc18a338947c97f0c0

          SHA1

          8c341a8a216f4c2adeaa6cf6e8d5068a772619bb

          SHA256

          41520b3d3cd1f12805e517dc4b2211150240812a020d7a371f072460296ff8f0

          SHA512

          f3852e507fb5f2e77a88fa0129cd0cb9af84fd1b291cbc7755665173cbe10d32e520bd3865d8daf6c9fea5072ebd045484949ac95af0afcd6856220f13cf39ac

          Download Submit

        • C:\Users\Admin\AppData\Local\bAEBoBj\DUI70.dll
          Filesize

          1.2MB

          MD5

          d8bcc16e58df9eba8719317b8cfca2ce

          SHA1

          2ea207245f0785e376d4bc0c626b38119019cd00

          SHA256

          ceb914ca83da8e78d03b235372a0031f347556045470a4e77ab525a1d75acef7

          SHA512

          b89671f41cbf603c3010c45bf6b82237eaa395091f0766eb2a129a542283c8049e09271be0c3adee04aa32641d77f202eb63c685d05acd19e6c682f888b61ecc

          Download Submit

        • C:\Users\Admin\AppData\Local\bAEBoBj\DmNotificationBroker.exe
          Filesize

          32KB

          MD5

          f0bdc20540d314a2aad951c7e2c88420

          SHA1

          4ab344595a4a81ab5f31ed96d72f217b4cee790b

          SHA256

          f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

          SHA512

          cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

          Download Submit

        • C:\Users\Admin\AppData\Local\vhz\SLC.dll
          Filesize

          956KB

          MD5

          a3d5286429727eb30bda487057844ea9

          SHA1

          8bcfee9d669b620accb3bf5ad1fd44a12b45b00c

          SHA256

          5b2c60096fa2a2dc2c09dfc6c8e3b054f71f698f20d1fedcf5e90c1ac716efdb

          SHA512

          ae8bb5dd1a06ce0c79cc7aa422676e53afde47caae0f7c5ab3a80332c86d53574d1982797667a801ea7e5aed991c3c3de13454ec9f9d5a07f32aa50e54476a17

          Download Submit

        • C:\Users\Admin\AppData\Local\vhz\slui.exe
          Filesize

          534KB

          MD5

          eb725ea35a13dc18eac46aa81e7f2841

          SHA1

          c0b3304c970324952e18c4a51073e3bdec73440b

          SHA256

          25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

          SHA512

          39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk
          Filesize

          1KB

          MD5

          b878c232dfed22b4586970712455c46b

          SHA1

          a8bfed2930e9f5dc9a373309ef9ce221b85bd580

          SHA256

          ea410e013ad7431875dffc859f25f63aa39fadf2c2717d4eb176caa25e0ad4a8

          SHA512

          9cbe6b895102f219ddd95d9d88cd239c7160828572d41ca32bb484ffda56a1524db15792b363486cea594e80c2b59ececa6f3f6366eccd597da7d5cfcd67dffd

          Download Submit

        • memory/740-52-0x00007FFA3C5F0000-0x00007FFA3C6DF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/740-48-0x00007FFA3C5F0000-0x00007FFA3C6DF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/740-47-0x00000229B64E0000-0x00000229B64E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1132-67-0x00007FFA3C5A0000-0x00007FFA3C6D4000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1132-65-0x0000025585290000-0x0000025585297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1132-63-0x00007FFA3C5A0000-0x00007FFA3C6D4000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3300-82-0x00007FFA3C5F0000-0x00007FFA3C6DF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3356-28-0x00007FFA5AF50000-0x00007FFA5AF60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3356-15-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-9-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-8-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-7-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-11-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-6-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-37-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-5-0x00007FFA5923A000-0x00007FFA5923B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3356-13-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-12-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-10-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-26-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-27-0x00007FFA5AF60000-0x00007FFA5AF70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3356-3-0x0000000002350000-0x0000000002351000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3356-17-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-18-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-25-0x00000000004D0000-0x00000000004D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3356-16-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3356-14-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/4960-0-0x00007FFA4BCF0000-0x00007FFA4BDDE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/4960-40-0x00007FFA4BCF0000-0x00007FFA4BDDE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/4960-2-0x0000021B956D0000-0x0000021B956D7000-memory.dmp

          Filesize

          28KB

          Download