Overview

overview

10

Static

static

3

5804717cee...1b.dll

windows7-x64

10

5804717cee...1b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2025 00:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5804717ceea8c1a310409fe782bc20fededc7325e6da871a60ed5330eb11b11b.dll

  • Size

    804KB

  • MD5

    e199895d7c54205f000375ba064ac88b

  • SHA1

    77a94bea1030a908a1c08a19e507f29fca3de34e

  • SHA256

    5804717ceea8c1a310409fe782bc20fededc7325e6da871a60ed5330eb11b11b

  • SHA512

    1bc2efb59234fc071d3b549d90a69d6c5d4b80ade97fcb887fa97b6bcd0e8ab3905c9e608d355f192829e2ddb5d3d86d0a17fb28dddc34f9f07ce0f15ffeca02

  • SSDEEP

    24576:KWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6IjG:tnuVMK6vx2RsIKNrjG

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5804717ceea8c1a310409fe782bc20fededc7325e6da871a60ed5330eb11b11b.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2900
  • C:\Windows\system32\wextract.exe
    C:\Windows\system32\wextract.exe
    1⤵
      PID:3680
    • C:\Users\Admin\AppData\Local\ZVpMF\wextract.exe
      C:\Users\Admin\AppData\Local\ZVpMF\wextract.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4500
    • C:\Windows\system32\MusNotificationUx.exe
      C:\Windows\system32\MusNotificationUx.exe
      1⤵
        PID:2864
      • C:\Users\Admin\AppData\Local\0lXOZv\MusNotificationUx.exe
        C:\Users\Admin\AppData\Local\0lXOZv\MusNotificationUx.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3464
      • C:\Windows\system32\SystemSettingsAdminFlows.exe
        C:\Windows\system32\SystemSettingsAdminFlows.exe
        1⤵
          PID:2780
        • C:\Users\Admin\AppData\Local\SHJPXVoBq\SystemSettingsAdminFlows.exe
          C:\Users\Admin\AppData\Local\SHJPXVoBq\SystemSettingsAdminFlows.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:220

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0lXOZv\MusNotificationUx.exe
          Filesize

          615KB

          MD5

          869a214114a81712199f3de5d69d9aad

          SHA1

          be973e4188eff0d53fdf0e9360106e8ad946d89f

          SHA256

          405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

          SHA512

          befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

          Download Submit

        • C:\Users\Admin\AppData\Local\0lXOZv\XmlLite.dll
          Filesize

          804KB

          MD5

          506b7cc8f095068e8bbe8f980342011e

          SHA1

          1833d7111d672d45bd4f1c090c23f5fbee6866ed

          SHA256

          50d49283866e98444e6f474404656ee2f7f91fe0c811d7e23133d9e7787aae23

          SHA512

          52fa66f29b674c3bcd3a49dba47e269092a099813292fe75cd72d1916325f1bcdf21a8793510e310edb72e8b36c0be0cf06f07b1396b3ec9f8f699759a67a17d

          Download Submit

        • C:\Users\Admin\AppData\Local\SHJPXVoBq\SystemSettingsAdminFlows.exe
          Filesize

          506KB

          MD5

          50adb2c7c145c729b9de8b7cf967dd24

          SHA1

          a31757f08da6f95156777c1132b6d5f1db3d8f30

          SHA256

          a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

          SHA512

          715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

          Download Submit

        • C:\Users\Admin\AppData\Local\SHJPXVoBq\newdev.dll
          Filesize

          804KB

          MD5

          f2d805d36545ac0b3817ff92229d7be7

          SHA1

          9ef30c192323359dcaca037d348e75298d9be0a0

          SHA256

          ab66ad2c7884f2186de71f28d573137cfd14fa7e3b986153b83c3e81cf2947ea

          SHA512

          28b57e54f82a0f3d82853bd9fe082bfc108bbe403ba94408d27c59c2e420ba1ae44c3f70bbbb7bf56f37c42a5e311ab8eed11c85587060f7d5fe498de3020dda

          Download Submit

        • C:\Users\Admin\AppData\Local\ZVpMF\VERSION.dll
          Filesize

          804KB

          MD5

          d0d870fff83aca1896a14be1ee3d8ddc

          SHA1

          8296c8e338d87de6714ff4fad81d504e660d5f97

          SHA256

          06fbb2cf63489b8ff2a7dbfe57b168dfeecac2384c217431f936f6475f4a9b7f

          SHA512

          68ddb83dec11b841ec9714421745d6e30232adca18b7ab1ca13fc1240c45c2150c45850e9c4c60f0b8016ff3a16e99fb3eb3fbdd488055e521083956bb7ab295

          Download Submit

        • C:\Users\Admin\AppData\Local\ZVpMF\wextract.exe
          Filesize

          143KB

          MD5

          56e501e3e49cfde55eb1caabe6913e45

          SHA1

          ab2399cbf17dbee7b302bea49e40d4cee7caea76

          SHA256

          fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

          SHA512

          2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk
          Filesize

          1KB

          MD5

          213b08e592024ca883b865941882baa4

          SHA1

          9c254ca58eb8cb0204ff56c5c5e1078de9d5b637

          SHA256

          5cd155ed99141a0e48faefc2900ef824813b31090c6f9673a41d2b722f012a00

          SHA512

          8603397286a497e9cf0b9ff556a176889b3ca17ac85db79c9602674ffcb50df4199dbdebddae9537410083762fef4d1d30b3196816baf9c39940f059acfc3ccf

          Download Submit

        • memory/220-83-0x00007FFEBA370000-0x00007FFEBA439000-memory.dmp

          Filesize

          804KB

          Download

        • memory/2900-0-0x0000000000B00000-0x0000000000B07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2900-1-0x00007FFEBA090000-0x00007FFEBA159000-memory.dmp

          Filesize

          804KB

          Download

        • memory/2900-14-0x00007FFEBA090000-0x00007FFEBA159000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3464-67-0x00007FFEBA090000-0x00007FFEBA159000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3464-66-0x0000029291F40000-0x0000029291F47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-26-0x00007FFEC83A0000-0x00007FFEC83B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-25-0x00000000024E0000-0x00000000024E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-15-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-22-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-16-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-4-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-35-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-33-0x0000000140000000-0x00000001400C9000-memory.dmp

          Filesize

          804KB

          Download

        • memory/3520-6-0x00007FFEC769A000-0x00007FFEC769B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4500-47-0x0000028012EF0000-0x0000028012EF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4500-50-0x00007FFEBA370000-0x00007FFEBA439000-memory.dmp

          Filesize

          804KB

          Download

        • memory/4500-44-0x00007FFEBA370000-0x00007FFEBA439000-memory.dmp

          Filesize

          804KB

          Download