Overview

overview

10

Static

static

3

NoThreatDe...dN.dll

windows7-x64

10

NoThreatDe...dN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 15:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NoThreatDetected-ddc50ab4f6757dd5480e6aa78969bc0b5cd646742b59bd90855436618a44ebbdN.dll

  • Size

    1.8MB

  • MD5

    e14d296a8d3172360c2d73bd3baab2b0

  • SHA1

    0898ae4f9a6926d308a1e24e7f7a2fab85580541

  • SHA256

    ddc50ab4f6757dd5480e6aa78969bc0b5cd646742b59bd90855436618a44ebbd

  • SHA512

    1874fce4ac65204917ba183d5eb10ae607f9403b3a878f1bc402c80b36959e2cc71fc49f8115710d1a76d07efa5e2bc39429d075d9b4c5c517121add23a23856

  • SSDEEP

    12288:PxE0waBckFdlxVRZ1hcyknDb3PTdcGvnx10k2d2Y6q2mQpxVOa:ZZLVJxVHfcLnDTZcG/xmk2d2qZwq

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\NoThreatDetected-ddc50ab4f6757dd5480e6aa78969bc0b5cd646742b59bd90855436618a44ebbdN.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1628
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    1⤵
      PID:2060
    • C:\Users\Admin\AppData\Local\bufyrgFba\recdisc.exe
      C:\Users\Admin\AppData\Local\bufyrgFba\recdisc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2312
    • C:\Windows\system32\rdrleakdiag.exe
      C:\Windows\system32\rdrleakdiag.exe
      1⤵
        PID:764
      • C:\Users\Admin\AppData\Local\YODpKKa92\rdrleakdiag.exe
        C:\Users\Admin\AppData\Local\YODpKKa92\rdrleakdiag.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1684
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        1⤵
          PID:2468
        • C:\Users\Admin\AppData\Local\abWTgDU\SndVol.exe
          C:\Users\Admin\AppData\Local\abWTgDU\SndVol.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2908

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\YODpKKa92\VERSION.dll
          Filesize

          1.8MB

          MD5

          2da372acf4a88702c3fa7efe0f8ede3e

          SHA1

          7ce3fc415e0e568602f2757fb820cd564129a6e1

          SHA256

          48e4cd6ac25db4d7f70a4f8cab5a5cbb09ce6cc45b27a44e91725edd3dc6d591

          SHA512

          672951f12c42d2f280f335760b6eebf64dca01923e0d1bb235ae67b46310dd8a004adf8ee5896cec0a3a75a88f01ff97f444c2eed95832fa22c451831cd76f26

          Download Submit

        • C:\Users\Admin\AppData\Local\abWTgDU\dwmapi.dll
          Filesize

          1.8MB

          MD5

          3e1bd15f9f4656d566e30d4d1b1efa4a

          SHA1

          b7e7416e7c1eff7c87af631afe2def12d52b4573

          SHA256

          d9513e182df4cf4bd672845fdfaa0f0e481039c5605f54ce6056897aa65ad78e

          SHA512

          325c3b3a13417d79bca9b0682df4b0052092c627bcab5946760c5715f105beada807faaff657fa1406fa3da322b128cddaed81b233a42ed8ee6e0e7490579961

          Download Submit

        • C:\Users\Admin\AppData\Local\bufyrgFba\ReAgent.dll
          Filesize

          1.8MB

          MD5

          3904d9d39cbfc8c688297ece7968fb71

          SHA1

          b78e56a1d4044cd5170fbd81e843406aa0e001f9

          SHA256

          d5e8da5bac671014ae0fbcb4b8abc2df6ec468364ca2d209a4d16e7460dc985d

          SHA512

          6c200d744a15e5440c74240fd355c2cf2976a70e229cecae5fc5ae6cc342e31433a17faed338b341cfdc412e9593dcd0e725014b1a47c090250131fe68f4d12a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk
          Filesize

          1KB

          MD5

          fc3f29bd54fbc97c3676f95323ccc846

          SHA1

          b0dcf6807633fb92d0a61caf28e87f5b28a07c48

          SHA256

          8dfba6299593c354b083f74ba30d6e141326634bd9e8368f6fd8a685c96f03d8

          SHA512

          55d735eba90eb09dfce896f667f61a681025532e9a8ece95e5eadccd450b639a2a4d9ca4d4c8063296f31bf37ecf44db7a9bb218ca64b2eb7292eb70c1341c44

          Download Submit

        • \Users\Admin\AppData\Local\YODpKKa92\rdrleakdiag.exe
          Filesize

          39KB

          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit

        • \Users\Admin\AppData\Local\abWTgDU\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • \Users\Admin\AppData\Local\bufyrgFba\recdisc.exe
          Filesize

          232KB

          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit

        • memory/1268-8-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-16-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-12-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-11-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-10-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-9-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-3-0x0000000076F66000-0x0000000076F67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-40-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-39-0x00000000025F0000-0x00000000025F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1268-32-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-31-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-30-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-28-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-27-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-26-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-25-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-24-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-23-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-22-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-21-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-19-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-18-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-17-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-29-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-15-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-14-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-42-0x0000000077200000-0x0000000077202000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1268-41-0x00000000771D0000-0x00000000771D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1268-53-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-51-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-4-0x0000000002610000-0x0000000002611000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-61-0x0000000076F66000-0x0000000076F67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-20-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-13-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-6-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1268-7-0x0000000140000000-0x00000001401CF000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1628-60-0x000007FEF5DD0000-0x000007FEF5F9F000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1628-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1628-0-0x000007FEF5DD0000-0x000007FEF5F9F000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1684-86-0x000007FEF5DD0000-0x000007FEF5FA0000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1684-88-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1684-91-0x000007FEF5DD0000-0x000007FEF5FA0000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2312-74-0x000007FEF72E0000-0x000007FEF74B0000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2312-71-0x000007FEF72E0000-0x000007FEF74B0000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2312-69-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2908-107-0x000007FEF5DD0000-0x000007FEF5FA0000-memory.dmp

          Filesize

          1.8MB

          Download