Overview

overview

10

Static

static

3

21980ef35d...6c.dll

windows7-x64

10

21980ef35d...6c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11-01-2025 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c.dll

  • Size

    724KB

  • MD5

    755eb0def2568d37a1d149b3018bdcce

  • SHA1

    e69c1d12dc3d2aa730aa8a9d94757c73777bd54d

  • SHA256

    21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c

  • SHA512

    2ef40d5038c63489149fde266db0e1d440f45a4e8056353ef7e4a70c8df65917a782ceb139955af8cd814704b29c58e548c47c3e521b872fe8e62301d54301ec

  • SSDEEP

    12288:KO3+ivi0RNOR/5DH2InMtdhtvX2tvJljUWcJxm/Osj3lx7l6X0k97L4HAF3itk:7vdvOZ9H2+Mt7tvX2tvJljT/mi1xJ6tX

Score
10/10
dridexbotnetevasionloaderpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Loader 'dmod' strings 12 IoCs

    Detects 'dmod' strings in Dridex loader.

    botnetloader
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\21980ef35dee23086acef389e6ce648d8ff396da56b7482b5bc8774120c74b6c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2540
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    1⤵
      PID:2820
    • C:\Users\Admin\AppData\Local\TOCKpK\SystemPropertiesProtection.exe
      C:\Users\Admin\AppData\Local\TOCKpK\SystemPropertiesProtection.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2224
    • C:\Windows\system32\SystemPropertiesAdvanced.exe
      C:\Windows\system32\SystemPropertiesAdvanced.exe
      1⤵
        PID:2228
      • C:\Users\Admin\AppData\Local\vtKr6L\SystemPropertiesAdvanced.exe
        C:\Users\Admin\AppData\Local\vtKr6L\SystemPropertiesAdvanced.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2128
      • C:\Windows\system32\spreview.exe
        C:\Windows\system32\spreview.exe
        1⤵
          PID:2960
        • C:\Users\Admin\AppData\Local\zSHdNGj\spreview.exe
          C:\Users\Admin\AppData\Local\zSHdNGj\spreview.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2968

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\TOCKpK\SYSDM.CPL
          Filesize

          728KB

          MD5

          4b5fbec1fe5e6aaacbb5bfbc7bdb554b

          SHA1

          3f1a5bde867849c75afc7aa5aed5d8ae95c91eb2

          SHA256

          869bde802ea34d6b2b4aacef1b915c262ab880433ae4157865b9eb00a3419888

          SHA512

          46dfe2363f0cbeaf682aa3241476829f7f5777a421382ab364454ef1560198f30ab14cb9692284aefb7e8738fda8c7e3a327d9454391166643196eec100d95d6

          Download Submit

        • C:\Users\Admin\AppData\Local\vtKr6L\SYSDM.CPL
          Filesize

          728KB

          MD5

          852df725ea9e1e950d6ce8e8214f1fa4

          SHA1

          93985f1659102b8c5e19534222f6746bc57e0f93

          SHA256

          ecc583a90edd13577998b672834526bbc51aeeca86ad5cfcf40095de0fadb513

          SHA512

          b1c3bae5f3e5b4d58500c863df6631527ffbadc3c5edff44751f22b0b920beb539aa450d6f63f061d6606587e03315ef2ae696f39fdc556296d1b14af825699d

          Download Submit

        • C:\Users\Admin\AppData\Local\zSHdNGj\sqmapi.dll
          Filesize

          728KB

          MD5

          63bbae183021656efdc6c2c194cd5aa1

          SHA1

          6375d700b40d849bb9107d2d1452960c7c7d5edb

          SHA256

          12d01db33d0d3defb79352b4a93121db7e96cb3ae8dae82580bdf4430f3cbca0

          SHA512

          da5c55f3b6596baa526843dbb08066d8758857c4ddd5a2752178e40fd49fd3b2d03f07d5a05b23320ae5db24b98a69b34e700dab526aed316b87b507c8a02e79

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          b5dfd9c0c9775de76c9195a195fdcae9

          SHA1

          33082eb8c02c04ecad1beddfb8c057007f013b96

          SHA256

          c9c0929bce6141854b36c1028bc588a043b3bd510fc42fccf344f8f61f84e69c

          SHA512

          21bd60010d5206e9f881c4f624ac71208000d1713e39fe2918a6dbf8bde0bccbb79e49621d105940c04223545938429690182e7c7a7f0992df210c2b3cf758cd

          Download Submit

        • \Users\Admin\AppData\Local\TOCKpK\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • \Users\Admin\AppData\Local\vtKr6L\SystemPropertiesAdvanced.exe
          Filesize

          80KB

          MD5

          25dc1e599591871c074a68708206e734

          SHA1

          27a9dffa92d979d39c07d889fada536c062dac77

          SHA256

          a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

          SHA512

          f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

          Download Submit

        • \Users\Admin\AppData\Local\zSHdNGj\spreview.exe
          Filesize

          294KB

          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

          Download Submit

        • memory/1220-23-0x0000000002200000-0x0000000002207000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1220-25-0x0000000077E70000-0x0000000077E72000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1220-4-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-16-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-15-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-14-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-12-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-11-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-10-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-9-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-8-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-5-0x0000000002660000-0x0000000002661000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-36-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-35-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-44-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-24-0x0000000077CE1000-0x0000000077CE2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-22-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-7-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1220-13-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2128-70-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2128-71-0x000007FEF7FA0000-0x000007FEF8056000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2128-76-0x000007FEF7FA0000-0x000007FEF8056000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2224-58-0x000007FEF80D0000-0x000007FEF8186000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2224-55-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2224-52-0x000007FEF80D0000-0x000007FEF8186000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2540-29-0x000007FEF8010000-0x000007FEF80C5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2540-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2540-1-0x000007FEF8010000-0x000007FEF80C5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2968-88-0x000007FEF73C0000-0x000007FEF7476000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2968-93-0x000007FEF73C0000-0x000007FEF7476000-memory.dmp

          Filesize

          728KB

          Download