Overview

overview

10

Static

static

3

c9e4101015...ad.dll

windows7-x64

10

c9e4101015...ad.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2024, 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9e410101585f3d589b601831c9d51ad.dll

  • Size

    1.4MB

  • MD5

    c9e410101585f3d589b601831c9d51ad

  • SHA1

    bbbb4c0a677d6621e43b0bddca7b51249d7b6bb4

  • SHA256

    44b1f722fbb4844f2ac3cd62429abbb980d3c9965e92b670cef7b59e7ec18c2e

  • SHA512

    60c52fc35ef42abaaa49fe6c9e0310b5037109b723a0584d97b28ea03114f56e9e96b3180a90a4a832d38534a8002888c153d75f9f1977439213618320c7438e

  • SSDEEP

    12288:bVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1U:6fP7fWsK5z9A+WGAW+V5SB6Ct4bnbU

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c9e410101585f3d589b601831c9d51ad.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2480
  • C:\Windows\system32\msdtc.exe
    C:\Windows\system32\msdtc.exe
    1⤵
      PID:2412
    • C:\Users\Admin\AppData\Local\1bC09y\msdtc.exe
      C:\Users\Admin\AppData\Local\1bC09y\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2460
    • C:\Windows\system32\ddodiag.exe
      C:\Windows\system32\ddodiag.exe
      1⤵
        PID:524
      • C:\Users\Admin\AppData\Local\XWv5jxFe\ddodiag.exe
        C:\Users\Admin\AppData\Local\XWv5jxFe\ddodiag.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:472
      • C:\Windows\system32\mblctr.exe
        C:\Windows\system32\mblctr.exe
        1⤵
          PID:2700
        • C:\Users\Admin\AppData\Local\znDRYv\mblctr.exe
          C:\Users\Admin\AppData\Local\znDRYv\mblctr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2716

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1bC09y\VERSION.dll
          Filesize

          1.4MB

          MD5

          44042a326916c9ed18e7f91d315a1968

          SHA1

          8707433b2fac3e89631a9878e523560e990ae43c

          SHA256

          06db8865f0ec1d904472e880e798555e63f619ab5bf6af990995bfab40352420

          SHA512

          a014922538733e707ea2b0ee3bd1275dd712ee1e7e2e6b3bf5a82d5a928d536e3fbc0f459ec20cfc14dac94ce6c5db6c12c17ee76081abe38975d18498e38000

          Download Submit

        • C:\Users\Admin\AppData\Local\XWv5jxFe\XmlLite.dll
          Filesize

          1.4MB

          MD5

          322e4ece8fcda5f06c61d21da8439652

          SHA1

          bcb1cb3d992dfa61d557e167a7b005df73fac7fd

          SHA256

          c25bf7b776fbe7626b265265f11856fbf94b8fc69d6c9abb08dee712da92ea74

          SHA512

          d82c35bed86f5c887e7728e0da421ddd2105c0b32e4249821ea08a0d79876fdd69ad5d437a70210647d8158301fb2d7e84a9bffbe8506c0e601e2d3ede48f7c9

          Download Submit

        • C:\Users\Admin\AppData\Local\znDRYv\UxTheme.dll
          Filesize

          1.4MB

          MD5

          ccf0f804e5724453a557b9cb68fa7f6a

          SHA1

          7ca7090bf9ef4aaec1db49dac0726fcf1ea693ea

          SHA256

          6dc6013d8e49b69f97348e9a85fc5a578b46bcefa02ad2d912076484269cb0ef

          SHA512

          6a69ba57af412714a882652166c2540668e75aed098b42680524052f6fabf1405c2ce20caa05f8920612e08fccff888f803c7d2f2510e616cf0ceeda24b13c88

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zlaomnuc.lnk
          Filesize

          1KB

          MD5

          47af3fcc272a8352465b3c5477b0ffcc

          SHA1

          be9574797d1fdee6d943edfa5354a7b9df2fd7f2

          SHA256

          89c98179a574d96c48eba1ae3984222ff5c96591f6b7b2f5f3f6b7d25b523034

          SHA512

          1b780d4660b26e0d784c6e2639fe3683ca2e3a7f3063aee097ad500b99601fe206ae4e63beb98302e9042cca6ee721e961481d41f5a048987035d290d50b005f

          Download Submit

        • \Users\Admin\AppData\Local\1bC09y\msdtc.exe
          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit

        • \Users\Admin\AppData\Local\XWv5jxFe\ddodiag.exe
          Filesize

          42KB

          MD5

          509f9513ca16ba2f2047f5227a05d1a8

          SHA1

          fe8d63259cb9afa17da7b7b8ede4e75081071b1a

          SHA256

          ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

          SHA512

          ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

          Download Submit

        • \Users\Admin\AppData\Local\znDRYv\mblctr.exe
          Filesize

          935KB

          MD5

          fa4c36b574bf387d9582ed2c54a347a8

          SHA1

          149077715ee56c668567e3a9cb9842284f4fe678

          SHA256

          b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

          SHA512

          1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

          Download Submit

        • memory/472-90-0x0000000140000000-0x0000000140161000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/472-84-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-22-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-37-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-13-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-12-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-11-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-20-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-21-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-19-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-18-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-17-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-26-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-27-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-25-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-24-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-23-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-123-0x0000000076E76000-0x0000000076E77000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-28-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-29-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-30-0x0000000002910000-0x0000000002917000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-14-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-38-0x0000000076F81000-0x0000000076F82000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-39-0x00000000770E0000-0x00000000770E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-48-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-52-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-16-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-15-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-4-0x0000000076E76000-0x0000000076E77000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-5-0x0000000002930000-0x0000000002931000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-10-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-7-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1192-9-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2460-72-0x0000000140000000-0x0000000140161000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2460-66-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2460-67-0x0000000140000000-0x0000000140161000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2480-8-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2480-0-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2480-1-0x0000000140000000-0x0000000140160000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2716-104-0x0000000000270000-0x0000000000277000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-107-0x0000000140000000-0x0000000140161000-memory.dmp

          Filesize

          1.4MB

          Download