Overview

overview

10

Static

static

3

d8f78241f9...aN.dll

windows7-x64

10

d8f78241f9...aN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2024 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8f78241f9e732ff57f1f307c99d7e27796829927283172653634470ab9b90aaN.dll

  • Size

    900KB

  • MD5

    338b828676d1d088ed1bd3a335e9b780

  • SHA1

    4bc3d044e35d9953a71ac426c212b6a3c9de509c

  • SHA256

    d8f78241f9e732ff57f1f307c99d7e27796829927283172653634470ab9b90aa

  • SHA512

    f4f97fcba6d28aad4cc05408cb97e96603b6cab093317457cf72a4c2474114d7dfbb85e0b1f381e1a56c55221db7f4d1cec54e846c31349258f4dd72e0d702e3

  • SSDEEP

    12288:MGVNJAvuPFUl/faxmVlBLXKCgFfEK7JRLeHlX//ve7Y:t3JAvRl/fKQKCgFfx4P/vaY

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d8f78241f9e732ff57f1f307c99d7e27796829927283172653634470ab9b90aaN.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1148
  • C:\Windows\system32\FileHistory.exe
    C:\Windows\system32\FileHistory.exe
    1⤵
      PID:5024
    • C:\Users\Admin\AppData\Local\wwC2k\FileHistory.exe
      C:\Users\Admin\AppData\Local\wwC2k\FileHistory.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2124
    • C:\Windows\system32\rdpshell.exe
      C:\Windows\system32\rdpshell.exe
      1⤵
        PID:2364
      • C:\Users\Admin\AppData\Local\WdSwS083C\rdpshell.exe
        C:\Users\Admin\AppData\Local\WdSwS083C\rdpshell.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:324
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        1⤵
          PID:4000
        • C:\Users\Admin\AppData\Local\zz9Odoi\wermgr.exe
          C:\Users\Admin\AppData\Local\zz9Odoi\wermgr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:3716

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WdSwS083C\dwmapi.dll
          Filesize

          904KB

          MD5

          30a244ca7e492084b9482b10bb3a63ab

          SHA1

          3edaede013fc971f8adead68cdc6146fc2bf80e3

          SHA256

          76f51ea464c1047aebd1386705685b3f201b2ba8c856a7381817335b7290667b

          SHA512

          7696eb3f835f1b376f19e0229fd77906cdd3ffb4f49ee0e03d51eab39ab9d5346efab628d488d310af03c311b63f1375e55e00099cb2f1046c9fc940d9a8f3e8

          Download Submit

        • C:\Users\Admin\AppData\Local\WdSwS083C\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Local\wwC2k\FileHistory.exe
          Filesize

          244KB

          MD5

          eeba3dd643ced2781ec1b7e3cd6fa246

          SHA1

          2d394173e603625e231633fc270072e854bac17b

          SHA256

          bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87

          SHA512

          222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271

          Download Submit

        • C:\Users\Admin\AppData\Local\wwC2k\UxTheme.dll
          Filesize

          904KB

          MD5

          eda506335138baf7e7cf4c8c8a720039

          SHA1

          ceb81abd747e7f94a0056ce2cd7658b415e90a11

          SHA256

          0fdb40245101b5bd291e12dc2e45243e6e9ddfa70ce5ef893c590d565db2f982

          SHA512

          832dc91811e7df498a4da877808bb9b43ec793f939f96d7cddca0d8342ace1f0347f9593ff3524ab1f8d6ac9a4ef2d78297a0569401dab1a93dce5a96e8f3a3e

          Download Submit

        • C:\Users\Admin\AppData\Local\zz9Odoi\wer.dll
          Filesize

          908KB

          MD5

          d5d908487435d39d56e251a06d687f3f

          SHA1

          5537b69a8f9004ab3f3fd0240947bda6646605b2

          SHA256

          c83d7f4e177392df98d3c3f6a9a39416c61d928a4537b0b544629e3aafa4fbb2

          SHA512

          e502acb24e79f752a5a2c0cb8bcf58c742259898de75a729137bee1f692e279c518a93c73509ebbb1e0401c6e9d43347054318cff40532a3ba64cf29ba5f6bf2

          Download Submit

        • C:\Users\Admin\AppData\Local\zz9Odoi\wermgr.exe
          Filesize

          223KB

          MD5

          f7991343cf02ed92cb59f394e8b89f1f

          SHA1

          573ad9af63a6a0ab9b209ece518fd582b54cfef5

          SHA256

          1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

          SHA512

          fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk
          Filesize

          1KB

          MD5

          677be8be80a688bdd5cae693be94f3be

          SHA1

          172c4f1affce3ffc68079cfd20dd3c5219ffe762

          SHA256

          be7f9c71548a17c65afaf1ce92a889d441d179ac3734ce6c8d993d2db078f168

          SHA512

          cbaf5b86a121031941b69609c00dc7c3b01a5c8edc4d7118ee1fc5c88fb73ab8501efbdca42301131161af6b38333f5146dd4e8171c0170fdc9d8f465260dfb3

          Download Submit

        • memory/324-82-0x0000000140000000-0x00000001400E2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/324-83-0x0000028F506D0000-0x0000028F506D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1148-29-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1148-1-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1148-4-0x000001DB225C0000-0x000001DB225C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1148-0-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/2124-65-0x0000020C01890000-0x0000020C01897000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2124-64-0x0000000140000000-0x00000001400E2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/2124-59-0x0000000140000000-0x00000001400E2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/3536-22-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-14-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-41-0x0000000000670000-0x0000000000677000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3536-27-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-28-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-26-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-25-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-24-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-37-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-21-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-20-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-19-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-18-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-17-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-15-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-30-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-13-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-12-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-11-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-10-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-9-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-48-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-50-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-42-0x00007FFD38B60000-0x00007FFD38B70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3536-16-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-8-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/3536-5-0x00000000007C0000-0x00000000007C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3536-6-0x00007FFD37AEA000-0x00007FFD37AEB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3716-103-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3716-96-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3716-95-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3716-99-0x0000029755880000-0x0000029755887000-memory.dmp

          Filesize

          28KB

          Download