Overview

overview

10

Static

static

3

5a157047ea...96.dll

windows7-x64

10

5a157047ea...96.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2025 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a157047eafbf851e6fe87a68dfb489bf4bac615c2698797b5129fe3a8a6a996.dll

  • Size

    780KB

  • MD5

    8fa9b4c27bd3e4304a59e5e72d68cd9c

  • SHA1

    c20c63a23dcda13bea5c22fbee61015cc55018d1

  • SHA256

    5a157047eafbf851e6fe87a68dfb489bf4bac615c2698797b5129fe3a8a6a996

  • SHA512

    b0ef9910306ed36e8ab3b9db673b503c7e4ee4fe33fa0bed57619a6cc8496e56200451e1d7ec5d7980db9b810bb8fa15b0296c5d757750322b22b240ff1c7e80

  • SSDEEP

    12288:nbP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQ:nbe42XV7KWgmjDR/T4a/Mdjm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a157047eafbf851e6fe87a68dfb489bf4bac615c2698797b5129fe3a8a6a996.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1860
  • C:\Windows\system32\UI0Detect.exe
    C:\Windows\system32\UI0Detect.exe
    1⤵
      PID:1748
    • C:\Users\Admin\AppData\Local\ZKzCFba0\UI0Detect.exe
      C:\Users\Admin\AppData\Local\ZKzCFba0\UI0Detect.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2412
    • C:\Windows\system32\RDVGHelper.exe
      C:\Windows\system32\RDVGHelper.exe
      1⤵
        PID:2600
      • C:\Users\Admin\AppData\Local\omYIaSJi\RDVGHelper.exe
        C:\Users\Admin\AppData\Local\omYIaSJi\RDVGHelper.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2700
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:2968
        • C:\Users\Admin\AppData\Local\q7oSWD7eC\psr.exe
          C:\Users\Admin\AppData\Local\q7oSWD7eC\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2524

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ZKzCFba0\UI0Detect.exe
          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit

        • C:\Users\Admin\AppData\Local\ZKzCFba0\WINSTA.dll
          Filesize

          788KB

          MD5

          5ae3e956a5123bfdc49f2005df1500cd

          SHA1

          d86c15cca57bae74780aa60c3282189f841b4da9

          SHA256

          e6cd27850d2cdcc9c36218f19a157c1805eb0b8a166e7691ae294dfc58f29515

          SHA512

          2947e6193e674eaa3edb44d6a1f223e3d2d09986463b441ca5285080c86e247b4d674955b6a8a028966b39045720991caabd001a05077ed0fa85bc4d9d931e02

          Download Submit

        • C:\Users\Admin\AppData\Local\omYIaSJi\dwmapi.dll
          Filesize

          780KB

          MD5

          31a6854f19cc88d23ebf49aca63e8403

          SHA1

          d330b06de39f67b11db0cdd1bc46303f3b91ab7c

          SHA256

          925fe9dc20dd39b94a3aac277b23c21290618662b676605e24dfe12b396b9ad7

          SHA512

          c94939e429128d501f18c003d2da5b63868d225614786a2fece38ebf97f5723040bb08cbdf87283f308f3059972098304e91d49c519d432284528bdbe5087c89

          Download Submit

        • C:\Users\Admin\AppData\Local\q7oSWD7eC\XmlLite.dll
          Filesize

          780KB

          MD5

          b294ac6a4f6687c2d4c9da519c964b3d

          SHA1

          8651c15edd438eca517cc78b09565b0b3928d5c2

          SHA256

          2e497f556294cb5fcc23215b6e09061a300177f81a5f75eae322e5deb5f0fcd3

          SHA512

          74d4c40152b6ef22b3f515a52e36ab9b3e1939fd8a8f2900c0a3e7f12d6aff8114e02c7d42bea5fd908fe6346d46218624b689308ef249f4689c33b008db4961

          Download Submit

        • C:\Users\Admin\AppData\Local\q7oSWD7eC\psr.exe
          Filesize

          715KB

          MD5

          a80527109d75cba125d940b007eea151

          SHA1

          facf32a9ede6abfaa09368bfdfcfec8554107272

          SHA256

          68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

          SHA512

          77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk
          Filesize

          1KB

          MD5

          e02d292e4f70206353bd3c26279eda8f

          SHA1

          27811e73db0091bd012f77d47925bf7e5a48663e

          SHA256

          9e472022268c63ed2754ab7d233f003c498d95927afc1bb76a1cbb4a977b034e

          SHA512

          d3870706817249fee5acb20961517dbffdf74f9865c4c996f3f0b89d408c5a5a1f8ae9ca8e60606bcaebffe7556f050e186f58e1bb993e793f623d163f4296be

          Download Submit

        • \Users\Admin\AppData\Local\omYIaSJi\RDVGHelper.exe
          Filesize

          93KB

          MD5

          53fda4af81e7c4895357a50e848b7cfe

          SHA1

          01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

          SHA256

          62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

          SHA512

          dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

          Download Submit

        • memory/1216-14-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-22-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-106-0x0000000077666000-0x0000000077667000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-13-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-4-0x0000000077666000-0x0000000077667000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-10-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-9-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-8-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-24-0x0000000077871000-0x0000000077872000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-25-0x00000000779D0000-0x00000000779D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-34-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-39-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-40-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-48-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-23-0x0000000002990000-0x0000000002997000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1216-15-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-7-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1216-5-0x00000000029B0000-0x00000000029B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-12-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1860-11-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1860-0-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1860-3-0x0000000000330000-0x0000000000337000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2412-52-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2412-57-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2412-58-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2524-94-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2524-93-0x0000000000510000-0x0000000000517000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2700-70-0x0000000000260000-0x0000000000267000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2700-76-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download