Overview

overview

10

Static

static

3

e39f3bcdca...07.dll

windows7-x64

10

e39f3bcdca...07.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    17-02-2025 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e39f3bcdcae4e78e73305f92a83fb3b4e438ccd669c1692321271d0a8d70d607.dll

  • Size

    776KB

  • MD5

    57625062489581e062e1dcfcf2e6dddc

  • SHA1

    e04d7fdf4a710f91205a0aff59b5da2196c65154

  • SHA256

    e39f3bcdcae4e78e73305f92a83fb3b4e438ccd669c1692321271d0a8d70d607

  • SHA512

    c9f08913371c44ca7b5173d4522a219ab3e974e326051a2c953ade08e9a031fb2afae99ba506dd304d8b5fe2c1f082317f0dfd93d68a7cd8e155c415fd2bb250

  • SSDEEP

    12288:NGVNJAvuPFUl/faxmVlBLXKCgFfEK7JRLeHlX//ve7Lt:w3JAvRl/fKQKCgFfx4P/vaLt

Score
10/10
dridexbotnetdefense_evasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e39f3bcdcae4e78e73305f92a83fb3b4e438ccd669c1692321271d0a8d70d607.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1180
  • C:\Windows\system32\winlogon.exe
    C:\Windows\system32\winlogon.exe
    1⤵
      PID:2932
    • C:\Users\Admin\AppData\Local\G84ICIx\winlogon.exe
      C:\Users\Admin\AppData\Local\G84ICIx\winlogon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2648
    • C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      1⤵
        PID:1524
      • C:\Users\Admin\AppData\Local\krA\dialer.exe
        C:\Users\Admin\AppData\Local\krA\dialer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3008
      • C:\Windows\system32\calc.exe
        C:\Windows\system32\calc.exe
        1⤵
          PID:2080
        • C:\Users\Admin\AppData\Local\DvD\calc.exe
          C:\Users\Admin\AppData\Local\DvD\calc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2096

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\G84ICIx\WINSTA.dll
          Filesize

          784KB

          MD5

          7fb0f6125484d66ba6cb6f02c06eda8f

          SHA1

          dc1d6d7b0edadf0b830d4664cfba911b4baf2a1f

          SHA256

          1778d351feb4020399de15a7bcadd7c426dc45a78840eb14b37f3606c9a273d4

          SHA512

          474e3e8e82d3c124f8b7b57bb4abc1a0784114c7854250e8bc22b4005cf9de065781f98e69c69dc3791e4c31a96106d19c66d43cc0d0e70fe18e4c55f0ea440c

          Download Submit

        • C:\Users\Admin\AppData\Local\krA\TAPI32.dll
          Filesize

          784KB

          MD5

          7879ce704c17bca116bbba6faa67ac07

          SHA1

          fecbfacee0aff5f2fd578b940458072116ae735c

          SHA256

          270e229def6ebb0b9b49a97688e151cae19fd46174d489340f76b62f745e7447

          SHA512

          9db1319ee25c638b63a45ad4f9a35198970f9bcc565bbf99b739bb9a7119d2832f5dd042bcdd34944b4bdd0dcd24c5f1ba5d71925855138ace09eefc44e202ed

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk
          Filesize

          1KB

          MD5

          2f1209776fb4e4d060520fbf86509c91

          SHA1

          82d9afdac6f87ce6da8fb630a58faef47f46c69b

          SHA256

          c9fe6dbdba752e649a598dbc3b865d5be9ecd465e4d46767e3147ed2c365b43a

          SHA512

          939a6012d2e7564151c23f6a064418eca8fd4996ea20f53aa9eec862eb1065a8cee5d99b0785415e7a9b650fcd02fc773aa14a2a5e16058bfa4172639a221237

          Download Submit

        • \Users\Admin\AppData\Local\DvD\UxTheme.dll
          Filesize

          780KB

          MD5

          4021d7b80ca213311fb27094e46251fe

          SHA1

          c8d03bbad8994f96f4a0c02c2ea980b6c06e9b23

          SHA256

          a202cd009c48f0f03d4a9587fd122a95848158c9ce46ab15dd21a97707a977e3

          SHA512

          17389eb96513e3f0fdaf1a15c17f057a4bcc4a6ca1a0bcfa68b3d36c79ea937c858227f25efffcc9b517eb2b80d2fcda559a3788dcf6317523e691ebeb9aa345

          Download Submit

        • \Users\Admin\AppData\Local\DvD\calc.exe
          Filesize

          897KB

          MD5

          10e4a1d2132ccb5c6759f038cdb6f3c9

          SHA1

          42d36eeb2140441b48287b7cd30b38105986d68f

          SHA256

          c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

          SHA512

          9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

          Download Submit

        • \Users\Admin\AppData\Local\G84ICIx\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • \Users\Admin\AppData\Local\krA\dialer.exe
          Filesize

          34KB

          MD5

          46523e17ee0f6837746924eda7e9bac9

          SHA1

          d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

          SHA256

          23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

          SHA512

          c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

          Download Submit

        • memory/1180-11-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1180-3-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1180-0-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-7-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-8-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-13-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-12-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-23-0x0000000077121000-0x0000000077122000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-24-0x0000000077280000-0x0000000077282000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-33-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-37-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-4-0x0000000076F16000-0x0000000076F17000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-14-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-21-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-22-0x0000000002130000-0x0000000002137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-105-0x0000000076F16000-0x0000000076F17000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-9-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-10-0x0000000140000000-0x00000001400C2000-memory.dmp

          Filesize

          776KB

          Download

        • memory/1188-5-0x0000000002150000-0x0000000002151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2096-88-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2096-93-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2096-87-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2648-54-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2648-51-0x0000000140000000-0x00000001400C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2648-57-0x0000000140000000-0x00000001400C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/3008-75-0x0000000140000000-0x00000001400C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/3008-72-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download