Overview

overview

10

Static

static

3

4c29136a7c...ab.dll

windows7-x64

10

4c29136a7c...ab.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c29136a7c79c79409ce8255d3b6157b4fc08a591220993bb90645f2acac2cab.dll

  • Size

    940KB

  • MD5

    4087adacea74316cd6099ea4f269c758

  • SHA1

    a5d17da00274ea0ce366dd891baca90be38b587b

  • SHA256

    4c29136a7c79c79409ce8255d3b6157b4fc08a591220993bb90645f2acac2cab

  • SHA512

    f6377700b210cc2503f495a68dc6485ba880c5a88724657b6851c6889be808d2650f77bd3303c0088da2e518d305b2d29797d565dce19502d8cea4c5b52d29ed

  • SSDEEP

    12288:EPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:EtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c29136a7c79c79409ce8255d3b6157b4fc08a591220993bb90645f2acac2cab.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1040
  • C:\Windows\system32\DeviceEnroller.exe
    C:\Windows\system32\DeviceEnroller.exe
    1⤵
      PID:1492
    • C:\Users\Admin\AppData\Local\pDl3O6o0\DeviceEnroller.exe
      C:\Users\Admin\AppData\Local\pDl3O6o0\DeviceEnroller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:620
    • C:\Windows\system32\eudcedit.exe
      C:\Windows\system32\eudcedit.exe
      1⤵
        PID:4844
      • C:\Users\Admin\AppData\Local\kmeivTwh\eudcedit.exe
        C:\Users\Admin\AppData\Local\kmeivTwh\eudcedit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2756
      • C:\Windows\system32\ApplicationFrameHost.exe
        C:\Windows\system32\ApplicationFrameHost.exe
        1⤵
          PID:1420
        • C:\Users\Admin\AppData\Local\P4V\ApplicationFrameHost.exe
          C:\Users\Admin\AppData\Local\P4V\ApplicationFrameHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2772

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\P4V\ApplicationFrameHost.exe
          Filesize

          76KB

          MD5

          d58a8a987a8dafad9dc32a548cc061e7

          SHA1

          f79fc9e0ab066cad530b949c2153c532a5223156

          SHA256

          cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

          SHA512

          93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

          Download Submit

        • C:\Users\Admin\AppData\Local\P4V\dxgi.dll
          Filesize

          944KB

          MD5

          b682d9ca8ff9d0aaf67b7e02f2360b93

          SHA1

          f8faf24abd73440bd858db743ddbb83c46581e90

          SHA256

          2004e383147beb13f97d687afff12d34e780739cd2de7435396e6a0b463027bc

          SHA512

          09ffc133e26cf5495477b8ee205278c5a5f34e0dc589db06c681552a273d963cdc1e00887ae8c86ceedcee272806775f95cb69f451dc87f9477719412b76b7d1

          Download Submit

        • C:\Users\Admin\AppData\Local\kmeivTwh\MFC42u.dll
          Filesize

          968KB

          MD5

          c862061a1049f2fe0a952d85da0f1a8e

          SHA1

          30b5d9920bcdfb71ebbe2f0ae82948f2a95d5116

          SHA256

          38048cf501cf8e1e077c6ecbd6e57a895e09e0f4b0fa0c4b0beac78a74bc7340

          SHA512

          02a2a9f535fd5b4bca87e2624be9c119c6ed4106e45f0343241d1e60508fda02de91957d9e222aeb79b1ad0f02b56ece1d31f90c6ba5cffffb6ee41956313ce0

          Download Submit

        • C:\Users\Admin\AppData\Local\kmeivTwh\eudcedit.exe
          Filesize

          365KB

          MD5

          a9de6557179d371938fbe52511b551ce

          SHA1

          def460b4028788ded82dc55c36cb0df28599fd5f

          SHA256

          83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

          SHA512

          5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

          Download Submit

        • C:\Users\Admin\AppData\Local\pDl3O6o0\DeviceEnroller.exe
          Filesize

          448KB

          MD5

          946d9474533f58d2613078fd14ca7473

          SHA1

          c2620ac9522fa3702a6a03299b930d6044aa5e49

          SHA256

          cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

          SHA512

          3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

          Download Submit

        • C:\Users\Admin\AppData\Local\pDl3O6o0\XmlLite.dll
          Filesize

          944KB

          MD5

          46acdf6e7e35250c1a6ebbb405c3202e

          SHA1

          e177f5b6473a257cc3dfdc172aca05cc6a2fd605

          SHA256

          1fd93ae31ad204511aaa9df98acee1d3ff3ba458f5492909c0836d92d8ce3102

          SHA512

          6118459992f1ad8a27e0905de9b16b9c329e87df4940875f6122100c8a30a6ba002e9144034e4d7d8b61dd15f9e428f662f7314e67c51ecd04f175454b8892c7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk
          Filesize

          1KB

          MD5

          1a4791830f9543e023a74b9feb08a697

          SHA1

          7b3c06259735ddc94f21e948ec7863e3a7c157d4

          SHA256

          52dfdc65b7eb81491cda707636a699a0c4c44eb4a95ef18238b642d8dc6999d5

          SHA512

          58055b98ce141c8364e537e80a9417da192e45b66b955ae9e2789d36e06572ae474702d19aa7c9fa98593cd5410229bbbbe6ed60160e51f42c6183e819c2ad1f

          Download Submit

        • memory/620-50-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/620-46-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/620-45-0x000002662C5A0000-0x000002662C5A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1040-1-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1040-38-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1040-2-0x000001F250860000-0x000001F250867000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2756-63-0x00000226FAE80000-0x00000226FAE87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2756-61-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2756-66-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2772-81-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3364-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-35-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-25-0x00007FFB9F2A0000-0x00007FFB9F2B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3364-26-0x00007FFB9F290000-0x00007FFB9F2A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3364-15-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-23-0x0000000000E00000-0x0000000000E07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3364-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3364-3-0x00000000027D0000-0x00000000027D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3364-5-0x00007FFB9EDBA000-0x00007FFB9EDBB000-memory.dmp

          Filesize

          4KB

          Download