Overview

overview

10

Static

static

3

Trojan.Win...FS.dll

windows7-x64

10

Trojan.Win...FS.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 18:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan.Win64.Dridex.ASFS.dll

  • Size

    1.8MB

  • MD5

    0911f9a26ce4142acbb04da26b9d54f0

  • SHA1

    6e443ef54eb8b28725f0717cba6ccdc03d66ba77

  • SHA256

    98f5cbef3bae29cbc52bcb0224d5964f69ab793f2296a6954e68ffdf26636d8f

  • SHA512

    bc42593e5dc3c2dd52f45ff292db1eab892cf53b158f3018e6a6e2795e47f01700c80b85b5297e9541c2c6e5a3317d5325d84f99b8b82ec3780f049350b9ece6

  • SSDEEP

    24576:y6UQsIUK6eiyaJt2TlBuWA+ypYKLDGxaaxg1qpRai:nUQsIUK6eiyaJYTlBQ+mxH9au1eRai

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan.Win64.Dridex.ASFS.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3908
  • C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    1⤵
      PID:3356
    • C:\Users\Admin\AppData\Local\AfMgGG\dialer.exe
      C:\Users\Admin\AppData\Local\AfMgGG\dialer.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3624
    • C:\Windows\system32\systemreset.exe
      C:\Windows\system32\systemreset.exe
      1⤵
        PID:1808
      • C:\Users\Admin\AppData\Local\6mq\systemreset.exe
        C:\Users\Admin\AppData\Local\6mq\systemreset.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2280
      • C:\Windows\system32\wscript.exe
        C:\Windows\system32\wscript.exe
        1⤵
          PID:536
        • C:\Users\Admin\AppData\Local\uR7nMBP0\wscript.exe
          C:\Users\Admin\AppData\Local\uR7nMBP0\wscript.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1460

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6mq\DUI70.dll
          Filesize

          2.1MB

          MD5

          da5e0a4cc99822f24e6a09a45dba2ba3

          SHA1

          220d0491b2157c4f569487569b348c65e850ee56

          SHA256

          fc1e6d13b677aec0477763299dc58f70e727e0068e28ba9326e29b99da2d9606

          SHA512

          a52b8b735af7fcb9a651557e31b7f875508d01d1df814ea194193e23355348294de87ac3c8db03784128dade393fad40a806afa9e28897f6cb89e740ea16b969

          Download Submit

        • C:\Users\Admin\AppData\Local\6mq\systemreset.exe
          Filesize

          508KB

          MD5

          325ff647506adb89514defdd1c372194

          SHA1

          84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

          SHA256

          ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

          SHA512

          8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

          Download Submit

        • C:\Users\Admin\AppData\Local\AfMgGG\TAPI32.dll
          Filesize

          1.8MB

          MD5

          00832ccf5b31d46a6f3b3107dd25772e

          SHA1

          e490063e3c006d6b18115571ca56c03107d74768

          SHA256

          ea683df4bffc74b9d1dc9ac41e24a1032afbc82c7b044bc3b405a00ff0a51f95

          SHA512

          d2bfa8b681dbb80d9592d7db7165df594b48a7f7bcdc2da4de3073681b5cb21ab8c2f6adf18b481b10886258b9f652297bbaff3b58656fc8c03e6ba19804721c

          Download Submit

        • C:\Users\Admin\AppData\Local\AfMgGG\dialer.exe
          Filesize

          39KB

          MD5

          b2626bdcf079c6516fc016ac5646df93

          SHA1

          838268205bd97d62a31094d53643c356ea7848a6

          SHA256

          e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

          SHA512

          615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

          Download Submit

        • C:\Users\Admin\AppData\Local\uR7nMBP0\VERSION.dll
          Filesize

          1.8MB

          MD5

          142a9b5f7ab42cb1497a79885bbcccd0

          SHA1

          36e3af484a30725558689a3b00c5ecfd92aedbb6

          SHA256

          fc046745e68ef9222b6588fbd0d893a3a9ae68b0773cdfcc21fd3113ab325483

          SHA512

          7003eedfbcdca09f2ce21fec4fce8a39c24200597faf29655fa6872f7ae1f2b35f24c67460631ac6d521c145fe28fe9cbcfbf01c86b7d29096e981618e6c4e31

          Download Submit

        • C:\Users\Admin\AppData\Local\uR7nMBP0\wscript.exe
          Filesize

          166KB

          MD5

          a47cbe969ea935bdd3ab568bb126bc80

          SHA1

          15f2facfd05daf46d2c63912916bf2887cebd98a

          SHA256

          34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

          SHA512

          f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppmzgvduo.lnk
          Filesize

          1KB

          MD5

          a51a963368869d2927fbb639d7434db0

          SHA1

          a82fd38968733b7fc769237ac3bda8d351aec5e9

          SHA256

          d22c668056a6b4b02165869ba87176ddca9810d616aaf9e5fae6c300a40e881f

          SHA512

          8bb66b07546de3d06b6486442d773115420e65dbf0a83dcb73db0a76dbea77eeae287cf339c4a1baaefe369f514297a4aa947c4e74ca7901b3620c19efa3685a

          Download Submit

        • memory/1460-86-0x0000000140000000-0x00000001401CB000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/1460-85-0x000002A8818D0000-0x000002A8818D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1460-90-0x0000000140000000-0x00000001401CB000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2280-70-0x0000000140000000-0x0000000140210000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2280-69-0x000001A74D720000-0x000001A74D727000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2280-74-0x0000000140000000-0x0000000140210000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3348-22-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-19-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-17-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-16-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-15-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-14-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-13-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-12-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-11-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-10-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-8-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-7-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-23-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-43-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-4-0x0000000002850000-0x0000000002851000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3348-18-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-21-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-3-0x00007FFF162EA000-0x00007FFF162EB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3348-9-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-6-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-20-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-32-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3348-33-0x00007FFF167E0000-0x00007FFF167F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3348-34-0x00007FFF167D0000-0x00007FFF167E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3348-31-0x00000000009F0000-0x00000000009F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3624-58-0x0000000140000000-0x00000001401CC000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3624-54-0x0000000140000000-0x00000001401CC000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3624-53-0x000001F4254B0000-0x000001F4254B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3908-0-0x000001995F400000-0x000001995F407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3908-46-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3908-1-0x0000000140000000-0x00000001401CA000-memory.dmp

          Filesize

          1.8MB

          Download