Overview

overview

10

Static

static

3

48ea1383f6...a5.dll

windows7-x64

10

48ea1383f6...a5.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2025, 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48ea1383f689277896530bfa764b94ad28d613fa038c3e418d0f53b4d9b30fa5.dll

  • Size

    780KB

  • MD5

    8af03012f1ac4220846c9fff35b62bfc

  • SHA1

    689874bf9fceea26456670698904b4e29efaf6a1

  • SHA256

    48ea1383f689277896530bfa764b94ad28d613fa038c3e418d0f53b4d9b30fa5

  • SHA512

    6fe0e95d527709523be2099e2aab9ee2b6d82f1490451b4eda49b7bef3a85a8afb8fa543d334f2a7327e7e64809ca75cd2ea9713773c05bc9a979c4a354660b1

  • SSDEEP

    12288:obP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQw:obe42XV7KWgmjDR/T4a/Mdjm1

Score
10/10
dridexbotnetdefense_evasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\48ea1383f689277896530bfa764b94ad28d613fa038c3e418d0f53b4d9b30fa5.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2336
  • C:\Windows\system32\wisptis.exe
    C:\Windows\system32\wisptis.exe
    1⤵
      PID:2744
    • C:\Users\Admin\AppData\Local\7y2r\wisptis.exe
      C:\Users\Admin\AppData\Local\7y2r\wisptis.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2376
    • C:\Windows\system32\dpnsvr.exe
      C:\Windows\system32\dpnsvr.exe
      1⤵
        PID:2588
      • C:\Users\Admin\AppData\Local\4lfrar\dpnsvr.exe
        C:\Users\Admin\AppData\Local\4lfrar\dpnsvr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2536
      • C:\Windows\system32\iexpress.exe
        C:\Windows\system32\iexpress.exe
        1⤵
          PID:1852
        • C:\Users\Admin\AppData\Local\34vaDf\iexpress.exe
          C:\Users\Admin\AppData\Local\34vaDf\iexpress.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2436

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\34vaDf\VERSION.dll
          Filesize

          780KB

          MD5

          1430b5ac20b2c440c5b2dd66c9efc9cf

          SHA1

          5a7c653b175a99b4b78f186d980f27098782bd61

          SHA256

          f84dbbcccf15ee92e37a3ce47cd89537ddc9f7293eb00f309b6e191fa2337845

          SHA512

          b8296451f603ef53583c443447291c7fa408c4ad11100c30e065ff068411e3ec17f580e5f31f52230023d9a3fc6804b3f8206031fdc4419d7bc087271735a133

          Download Submit

        • C:\Users\Admin\AppData\Local\34vaDf\iexpress.exe
          Filesize

          163KB

          MD5

          46fd16f9b1924a2ea8cd5c6716cc654f

          SHA1

          99284bc91cf829e9602b4b95811c1d72977700b6

          SHA256

          9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

          SHA512

          52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

          Download Submit

        • C:\Users\Admin\AppData\Local\4lfrar\WINMM.dll
          Filesize

          788KB

          MD5

          a01d81341663315b077b09de86299445

          SHA1

          2f86659d1f6ee0acd609fce1001847328a15568d

          SHA256

          dbb253ec9384e49132147612ff568f5cf4230f78cd4ee351df18e2b77cf9cd76

          SHA512

          81f554f115de692adf017aa42b77113b740c85f4fdc06fe4e0b338bc0f22c05582e5f59e82bb7f724b969d3cf883f95c31f483655cb6fbffd8f6fcf56c2f08d3

          Download Submit

        • C:\Users\Admin\AppData\Local\7y2r\slc.dll
          Filesize

          784KB

          MD5

          c784ca489e76451299d09587c116c776

          SHA1

          7325da642d5d89bb52c79fbc2c58dcfacd89b57c

          SHA256

          498720706f138c8cb0fc1bc60feb8457059511f3c71711c8082d41ef7da582f1

          SHA512

          5f5ec240233b78fed58d4aa6517602e223a1402ef29f2f0ea7da2becae524e9dd22583faa068c89c01f61aaf2bcb14171454bcbdb89a47cef963c15d0689f399

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk
          Filesize

          1KB

          MD5

          7bf6dbab61555fb565a86daa432e6883

          SHA1

          c349893f371dac7a6b7153b0b677c2a5d0d0f9ae

          SHA256

          4390d1cd8af01c33e9df5e3ad872a40364db34ad2acd9d239cdeffb19a6eda06

          SHA512

          1dfb442c0c75ae6bee51da4714997324343b1896bbfec69560f67a73a8391f59938ca82881b0cada9e6a1bdd1eed462033fa494937216f204447c70c4befc6c0

          Download Submit

        • \Users\Admin\AppData\Local\4lfrar\dpnsvr.exe
          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

          Download Submit

        • \Users\Admin\AppData\Local\7y2r\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit

        • memory/1168-23-0x0000000002540000-0x0000000002547000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1168-22-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-15-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-14-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-13-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-25-0x0000000077B90000-0x0000000077B92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1168-11-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-10-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-9-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-8-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-35-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-40-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-24-0x0000000077A31000-0x0000000077A32000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1168-108-0x0000000077826000-0x0000000077827000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1168-4-0x0000000077826000-0x0000000077827000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1168-7-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1168-5-0x0000000002560000-0x0000000002561000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2336-12-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2336-0-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2336-3-0x0000000001D90000-0x0000000001D97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2376-53-0x0000000140000000-0x00000001400C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2376-58-0x0000000140000000-0x00000001400C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/2376-52-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2436-93-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2436-94-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2536-70-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2536-71-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2536-76-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download