Overview

overview

10

Static

static

3

794e1fc591...43.dll

windows7-x64

10

794e1fc591...43.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2025, 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43.dll

  • Size

    780KB

  • MD5

    1554104d7f9db2f8a779405eb5707b9b

  • SHA1

    77434050361476de655662ac77e4543ed387f653

  • SHA256

    794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43

  • SHA512

    f278140c72faf11cf14cfe885016034dd735ad569c8ee5cb9ae4a6d5694e7ed91b491ae02ef9473d1554d2da19292598d44414c1c714b506929be0fb46307ad1

  • SSDEEP

    24576:aWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ij+:dnuVMK6vx2RsIKNrj+

Score
10/10
dridexbotnetdefense_evasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\794e1fc591d09ba1650cb356384f33dc3a1a4810cb9c64f9d30b24b8c3ac8a43.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1660
  • C:\Windows\system32\SystemPropertiesAdvanced.exe
    C:\Windows\system32\SystemPropertiesAdvanced.exe
    1⤵
      PID:2564
    • C:\Users\Admin\AppData\Local\BxhhVvfu\SystemPropertiesAdvanced.exe
      C:\Users\Admin\AppData\Local\BxhhVvfu\SystemPropertiesAdvanced.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2756
    • C:\Windows\system32\xpsrchvw.exe
      C:\Windows\system32\xpsrchvw.exe
      1⤵
        PID:2724
      • C:\Users\Admin\AppData\Local\zW3\xpsrchvw.exe
        C:\Users\Admin\AppData\Local\zW3\xpsrchvw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2668
      • C:\Windows\system32\wisptis.exe
        C:\Windows\system32\wisptis.exe
        1⤵
          PID:1248
        • C:\Users\Admin\AppData\Local\eictkfcRm\wisptis.exe
          C:\Users\Admin\AppData\Local\eictkfcRm\wisptis.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1552

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\BxhhVvfu\SYSDM.CPL
          Filesize

          780KB

          MD5

          a05358cee02e83f1128856aa422a886b

          SHA1

          157bfc87322cba6135cbe06d100ac18e4e0d3064

          SHA256

          0d835d93fdf2d1e300d2bd3e74e2086270541446b80fddb4d9720b693eae81b2

          SHA512

          e17b9d2b1ad8b4ed3a32c78004de529a6edb24ed0616eb9e7545e154618ef8bbe419c42bf637d7b0511e52f27063fd64b691f6cf4468c7bb548d5cb6673be310

          Download Submit

        • C:\Users\Admin\AppData\Local\eictkfcRm\HID.DLL
          Filesize

          784KB

          MD5

          70ae5cffdf821d7b4f3dfff6e80b6b42

          SHA1

          5d3afb6492f7e1868dd67f07ef715248f0a82f1d

          SHA256

          87cce18d46e773fe2149bac73aaff24ee3f078d16e9c5d36645654e8ed9b4900

          SHA512

          9585ce01f1332535265d659bbfaacb74440a55210c299ff5d106018bb88b818f4129be42d9d9236863cb7633d9e9e391d0da929f599423898e71eb63a22bdd12

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk
          Filesize

          1KB

          MD5

          bd8e6bcd125eb05de54925e8150956fc

          SHA1

          831e26db978d778d836cc06b4087b0d22cca3670

          SHA256

          51c719cef515fbb81abaff496eb7863a382bb713da1cdd56565da4eeade9e9b4

          SHA512

          bbdde33aacdc9c81c7dac7e4a3fce02725024b46751affc9362ab42e199640c16532574ad49f54d6e39a95a05e34b271b1b2791d21fcf0888f46a63b496bcc5b

          Download Submit

        • \Users\Admin\AppData\Local\BxhhVvfu\SystemPropertiesAdvanced.exe
          Filesize

          80KB

          MD5

          25dc1e599591871c074a68708206e734

          SHA1

          27a9dffa92d979d39c07d889fada536c062dac77

          SHA256

          a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

          SHA512

          f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

          Download Submit

        • \Users\Admin\AppData\Local\eictkfcRm\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit

        • \Users\Admin\AppData\Local\zW3\WINMM.dll
          Filesize

          788KB

          MD5

          72605534c93924166b3421959b422c6c

          SHA1

          ca9d144fc2147845f1f8dafe015409c5c336567c

          SHA256

          96be985459135a912acdaa4ddb790e1b5848ec6153386ea9a03e496ef18d9285

          SHA512

          550309839611c065013457ceec94fdf40c01f988d16e2fd9375ceec1e93ab59ecffc911f7e92e0b69e5755e8111404e1c346911cf0235a354d11ba25a5bc3107

          Download Submit

        • \Users\Admin\AppData\Local\zW3\xpsrchvw.exe
          Filesize

          4.6MB

          MD5

          492cb6a624d5dad73ee0294b5db37dd6

          SHA1

          e74806af04a5147ccabfb5b167eb95a0177c43b3

          SHA256

          ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

          SHA512

          63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

          Download Submit

        • memory/1224-30-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-16-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-23-0x0000000002D60000-0x0000000002D67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1224-22-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-15-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-14-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-13-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-102-0x00000000773D6000-0x00000000773D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1224-11-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-10-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-9-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-4-0x00000000773D6000-0x00000000773D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1224-36-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-39-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-25-0x0000000077640000-0x0000000077642000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1224-24-0x00000000774E1000-0x00000000774E2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1224-7-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-8-0x0000000140000000-0x00000001400C3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1224-5-0x0000000002D80000-0x0000000002D81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1552-83-0x000007FEF63A0000-0x000007FEF6464000-memory.dmp

          Filesize

          784KB

          Download

        • memory/1552-88-0x000007FEF63A0000-0x000007FEF6464000-memory.dmp

          Filesize

          784KB

          Download

        • memory/1660-0-0x0000000000230000-0x0000000000237000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1660-12-0x000007FEF6B20000-0x000007FEF6BE3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/1660-1-0x000007FEF6B20000-0x000007FEF6BE3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2668-66-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2668-67-0x000007FEF63A0000-0x000007FEF6465000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2668-71-0x000007FEF63A0000-0x000007FEF6465000-memory.dmp

          Filesize

          788KB

          Download

        • memory/2756-54-0x000007FEF6BF0000-0x000007FEF6CB3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2756-49-0x000007FEF6BF0000-0x000007FEF6CB3000-memory.dmp

          Filesize

          780KB

          Download

        • memory/2756-48-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download