Overview

overview

10

Static

static

3

15a87a272e...fN.dll

windows7-x64

10

15a87a272e...fN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-01-2025 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15a87a272e27421376d40db82b49f9b9fa6b3cd3843f74273db6b12344b95d5fN.dll

  • Size

    776KB

  • MD5

    2ea02df4d1bd56b7862da01c65d23ff0

  • SHA1

    a5152f9cc2dc61cc043b4c2e339c21772bd59b7e

  • SHA256

    15a87a272e27421376d40db82b49f9b9fa6b3cd3843f74273db6b12344b95d5f

  • SHA512

    ce84da187fdb2b9cda9ebeddbd316d84eddac42c7ee51f2a3b77bc3f447da1a5e27f14f94b29043826def088e32560510cc6db4342a78aaf8df8ee38101aa534

  • SSDEEP

    12288:oGVNJAvuPFUl/faxmVlBLXKCgFfEK7JRLeHlX//ve7:53JAvRl/fKQKCgFfx4P/va

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\15a87a272e27421376d40db82b49f9b9fa6b3cd3843f74273db6b12344b95d5fN.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3644
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:3944
    • C:\Users\Admin\AppData\Local\EDW\raserver.exe
      C:\Users\Admin\AppData\Local\EDW\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1380
    • C:\Windows\system32\wlrmdr.exe
      C:\Windows\system32\wlrmdr.exe
      1⤵
        PID:4052
      • C:\Users\Admin\AppData\Local\viUoR\wlrmdr.exe
        C:\Users\Admin\AppData\Local\viUoR\wlrmdr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1384
      • C:\Windows\system32\InfDefaultInstall.exe
        C:\Windows\system32\InfDefaultInstall.exe
        1⤵
          PID:3592
        • C:\Users\Admin\AppData\Local\3GyO9pg\InfDefaultInstall.exe
          C:\Users\Admin\AppData\Local\3GyO9pg\InfDefaultInstall.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2096

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3GyO9pg\InfDefaultInstall.exe
          Filesize

          13KB

          MD5

          ee18876c1e5de583de7547075975120e

          SHA1

          f7fcb3d77da74deee25de9296a7c7335916504e3

          SHA256

          e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

          SHA512

          08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

          Download Submit

        • C:\Users\Admin\AppData\Local\3GyO9pg\newdev.dll
          Filesize

          780KB

          MD5

          3015bf3a781615a6991a3028ddcd1938

          SHA1

          3f90a2d15e5dac9db8a38fecfe44b26793537890

          SHA256

          d34bc0271a4c318394376f4f58c4ee9d6d545a9a0bca38c8c975ddd54b33d551

          SHA512

          02eae7a9a829f3e25ed0f607c6e54baa96b7ae752651aec093b9f4394d19c332abc6fa13f5ca0869a58316f28ae38b78278283dec29f49b76bf6ad41a408619f

          Download Submit

        • C:\Users\Admin\AppData\Local\EDW\WTSAPI32.dll
          Filesize

          780KB

          MD5

          62c12e56a9134c169b5a4e0609ff25d4

          SHA1

          e74d684dd8d86bce2a735990a9c5ad46e26fb500

          SHA256

          896fbdf2758dc617063279ac440a4f0ec85fb49e3fed2ddd51d28f5488966c07

          SHA512

          9fd74b62618314611e3e3aef0d8b8044f192ec892225bb53b1b23a9dc47d4e487243d7fc0b807837663209404fa8cb5d0384716f4b25c9739f031f00f5024ee1

          Download Submit

        • C:\Users\Admin\AppData\Local\EDW\raserver.exe
          Filesize

          132KB

          MD5

          d1841c6ee4ea45794ced131d4b68b60e

          SHA1

          4be6d2116060d7c723ac2d0b5504efe23198ea01

          SHA256

          38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

          SHA512

          d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

          Download Submit

        • C:\Users\Admin\AppData\Local\viUoR\DUI70.dll
          Filesize

          1.0MB

          MD5

          aacf4e5f59562cb7316fe88b12608f13

          SHA1

          40c3bfdee9b32b96d5d73e0c2a40ff789d3e8bb3

          SHA256

          331e56b14eefd156e9e39f629515c833ff5df260061f40376b3634924dc51e44

          SHA512

          e1f805d5515edd3c06356d3e77e3e5fde5124728b0d62aa165153df2fcee4493b9b31396469c475fcb99b14a73748406fa5ae92281cf326b3ab5ff6d02551519

          Download Submit

        • C:\Users\Admin\AppData\Local\viUoR\wlrmdr.exe
          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk
          Filesize

          1KB

          MD5

          5d8a17d57adbc4aeceb3f4f72f78e032

          SHA1

          6e6b78115888a755b1f96bc31457d79b753156d3

          SHA256

          17770b554f4a5f4ca6720ea07b453705a9ce8cf9e114e1304aeb5bc751503dcd

          SHA512

          aa148021c7062c687c41561cec697b631323efd57c16607610723bcca65f7892bee68c68c29672303837458e9b4d5b544fd22a9a7a94444751e0bbb00d93480f

          Download Submit

        • memory/1380-43-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1380-48-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1380-49-0x0000015853B80000-0x0000015853B87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1384-63-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1384-69-0x000002B46D300000-0x000002B46D307000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1384-64-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1384-71-0x0000000140000000-0x0000000140108000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2096-87-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2096-88-0x000001CAF0DB0000-0x000001CAF0DB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3380-25-0x00007FFEDFA60000-0x00007FFEDFA70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3380-4-0x0000000002230000-0x0000000002231000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3380-9-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-8-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-7-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-11-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-14-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-10-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-12-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-34-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-22-0x00000000006E0000-0x00000000006E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3380-21-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3380-5-0x00007FFEDEFEA000-0x00007FFEDEFEB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3380-32-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3644-1-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3644-13-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/3644-3-0x000001E0889F0000-0x000001E0889F7000-memory.dmp

          Filesize

          28KB

          Download