Overview

overview

10

Static

static

3

21980ef35d...6c.dll

windows7-x64

10

21980ef35d...6c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 11:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c.dll

  • Size

    724KB

  • MD5

    755eb0def2568d37a1d149b3018bdcce

  • SHA1

    e69c1d12dc3d2aa730aa8a9d94757c73777bd54d

  • SHA256

    21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c

  • SHA512

    2ef40d5038c63489149fde266db0e1d440f45a4e8056353ef7e4a70c8df65917a782ceb139955af8cd814704b29c58e548c47c3e521b872fe8e62301d54301ec

  • SSDEEP

    12288:KO3+ivi0RNOR/5DH2InMtdhtvX2tvJljUWcJxm/Osj3lx7l6X0k97L4HAF3itk:7vdvOZ9H2+Mt7tvX2tvJljT/mi1xJ6tX

Score
10/10
dridexbotnetevasionloaderpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Loader 'dmod' strings 11 IoCs

    Detects 'dmod' strings in Dridex loader.

    botnetloader
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1692
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2952
    • C:\Users\Admin\AppData\Local\Uh6AAO\osk.exe
      C:\Users\Admin\AppData\Local\Uh6AAO\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2700
    • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
      1⤵
        PID:2252
      • C:\Users\Admin\AppData\Local\yBXBsbHv\SystemPropertiesDataExecutionPrevention.exe
        C:\Users\Admin\AppData\Local\yBXBsbHv\SystemPropertiesDataExecutionPrevention.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2324
      • C:\Windows\system32\slui.exe
        C:\Windows\system32\slui.exe
        1⤵
          PID:2808
        • C:\Users\Admin\AppData\Local\1W2c\slui.exe
          C:\Users\Admin\AppData\Local\1W2c\slui.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2816

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1W2c\WINBRAND.dll
          Filesize

          728KB

          MD5

          072360cc185dc88802abecc97874d8d3

          SHA1

          f7142b90b4728ca381febc4a199e37f1bb50bc31

          SHA256

          74bd5efe9e55b7f160ddff553ea2ec779fa119ce6395f9f51043fcf82eb5ebf0

          SHA512

          bc413428a5882d056314c1a48c0bb6f4a96f0041363377d049c42f28fcafc9a0dcc6912dd3465518e745e0b28c387c5679dff7fb479d38453e7475fbf20c6059

          Download Submit

        • C:\Users\Admin\AppData\Local\Uh6AAO\dwmapi.dll
          Filesize

          728KB

          MD5

          5e953eba8575f35af9efa9e6b2d36779

          SHA1

          69ff0d6c5a7df48fb040a8f6b790de8a02ec65c5

          SHA256

          b777ce209cfffb5692e03ed5d5bdbe73c0e556aee48a9ca621e77c9524960bee

          SHA512

          fceb94f2d8ef3ce75ce5f4a1c8badf37be38d3a9c4835aebc971e7e05aebc044a6e9efdb8b0309970ff9752aa0a6ed5ef8757e1c5b7844c50d03bdf9a695c6db

          Download Submit

        • C:\Users\Admin\AppData\Local\yBXBsbHv\SYSDM.CPL
          Filesize

          728KB

          MD5

          179c0cb5b9d41fbf63a3c9e8dd30a854

          SHA1

          cbcdf9f2b113bef495c3b673cdb8eaa6ad63c0dc

          SHA256

          66e1b60dfd7829c3b9f7da61f0495cc7fb6df3351dbcce68ad2f35a5dc8986eb

          SHA512

          afa4a3e7832e310c33f738fe876b109019fc5ca776b80480d015c1e933dbec358ce1dfaf221e90aea94e3de31b9af2d5e3087e0161e764c441ba936635de02b1

          Download Submit

        • C:\Users\Admin\AppData\Local\yBXBsbHv\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          295c8e4f53dbf0c27712a1bb6c5c134f

          SHA1

          a33458605b422caa3c5e66ff9454083cc40333af

          SHA256

          4ab7e95a12620cf9b0fb7e5f88e5258bba1b6cdecf19b5e01f3979cde9174b9e

          SHA512

          55c3fda7599b5c2b083b80565795ba571b12067e2111ae82d3e2f43bf7be175e0ffb8799785ed80416c31c65bedb5a65551e22c1cb517e16fcd5af0e82111b9f

          Download Submit

        • \Users\Admin\AppData\Local\1W2c\slui.exe
          Filesize

          341KB

          MD5

          c5ce5ce799387e82b7698a0ee5544a6d

          SHA1

          ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

          SHA256

          34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

          SHA512

          79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

          Download Submit

        • \Users\Admin\AppData\Local\Uh6AAO\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • memory/1204-14-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-16-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-4-0x0000000077026000-0x0000000077027000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-13-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-12-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-11-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-10-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-9-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-8-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-25-0x00000000772C0000-0x00000000772C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-24-0x0000000077131000-0x0000000077132000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-34-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-35-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-5-0x0000000002D40000-0x0000000002D41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-44-0x0000000077026000-0x0000000077027000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-15-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-22-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-7-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1204-23-0x0000000002D20000-0x0000000002D27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1692-43-0x000007FEF6770000-0x000007FEF6825000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1692-0-0x000007FEF6770000-0x000007FEF6825000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1692-3-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2324-70-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2324-71-0x000007FEF6050000-0x000007FEF6106000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2324-76-0x000007FEF6050000-0x000007FEF6106000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2700-58-0x000007FEF6830000-0x000007FEF68E6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2700-53-0x000007FEF6830000-0x000007FEF68E6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2700-52-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2816-93-0x000007FEF6050000-0x000007FEF6106000-memory.dmp

          Filesize

          728KB

          Download