Overview

overview

10

Static

static

3

299ca619e6...cb.dll

windows7-x64

10

299ca619e6...cb.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    299ca619e685fd6048d3e32a1e87442a7c0452851d0a10d1917e9599701d95cb.dll

  • Size

    940KB

  • MD5

    f31d12c6f9c83ee5bc000f73237d823d

  • SHA1

    9524ee61a2d9bd0f246ea128226d9b06ff4275d8

  • SHA256

    299ca619e685fd6048d3e32a1e87442a7c0452851d0a10d1917e9599701d95cb

  • SHA512

    8b59d757c0f00e6c65515bb1374f4bccd20e419ffc5c9b19ca90e275d4222bd9f53849cce7e349fdb03bf2092beb3b1321d7049662beb95a4bf5fc503ee6ce90

  • SSDEEP

    12288:wPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:wtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\299ca619e685fd6048d3e32a1e87442a7c0452851d0a10d1917e9599701d95cb.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2176
  • C:\Windows\system32\tabcal.exe
    C:\Windows\system32\tabcal.exe
    1⤵
      PID:1512
    • C:\Users\Admin\AppData\Local\dnAir0X\tabcal.exe
      C:\Users\Admin\AppData\Local\dnAir0X\tabcal.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2196
    • C:\Windows\system32\LicensingUI.exe
      C:\Windows\system32\LicensingUI.exe
      1⤵
        PID:3068
      • C:\Users\Admin\AppData\Local\O4wIb\LicensingUI.exe
        C:\Users\Admin\AppData\Local\O4wIb\LicensingUI.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2020
      • C:\Windows\system32\mfpmp.exe
        C:\Windows\system32\mfpmp.exe
        1⤵
          PID:3440
        • C:\Users\Admin\AppData\Local\zJAAVmqa\mfpmp.exe
          C:\Users\Admin\AppData\Local\zJAAVmqa\mfpmp.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1972

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\O4wIb\DUI70.dll
          Filesize

          1.2MB

          MD5

          2d30b7858347cd0f7e821f4bb719c6a8

          SHA1

          c382a59fe65d9018db4737211989ad6ff472db10

          SHA256

          3fb65fbfc1fcd5b3bc0d622d5b8b5dcd0a8c25281ddc74eaee6ee34b714da1c3

          SHA512

          fdf1658d1a68a3380d3abeab1ac22d89b4712de2929f305c247df23ce042238c40d6386ce0ea316169f00098c0ef7d838e47c0b17d12cc1e0f408849373bae57

          Download Submit

        • C:\Users\Admin\AppData\Local\O4wIb\LicensingUI.exe
          Filesize

          142KB

          MD5

          8b4abc637473c79a003d30bb9c7a05e5

          SHA1

          d1cab953c16d4fdec2b53262f56ac14a914558ca

          SHA256

          0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

          SHA512

          5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

          Download Submit

        • C:\Users\Admin\AppData\Local\dnAir0X\HID.DLL
          Filesize

          944KB

          MD5

          d2e3ee7a1be791bae0d04e4410c03e97

          SHA1

          45e7924d2abe8f6e71b291fc125b435fc25fc5c9

          SHA256

          84d8e5e27f6acab473d4db0a854b63a2ae7247dcc711531429cb960b04fca8b8

          SHA512

          af1c656af85ffff88002d706765dfe68a2398b9100ecb83a5566ad05b015a72868181ee9f87826cd2be09ddcbefcf05aa2a86ed61288882903bd184a277f938d

          Download Submit

        • C:\Users\Admin\AppData\Local\dnAir0X\tabcal.exe
          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          Download Submit

        • C:\Users\Admin\AppData\Local\zJAAVmqa\MFPlat.DLL
          Filesize

          948KB

          MD5

          3fdabf14b6e59903557333a69ec98337

          SHA1

          2868ee94dc7d338667e2ba123ad917405fe0e587

          SHA256

          4e0b4bc0f5d573dfa76c0e643e24384ebe5f4bcc676243aee3af06f8c51b22fd

          SHA512

          1867950b4bad8ad7252d1968781402e32caf649e0dce0d6fd28714ed4c888f22e7c9e56649064dea7e8118f202b747c4f041f9f2083a82d80324a1785b800118

          Download Submit

        • C:\Users\Admin\AppData\Local\zJAAVmqa\mfpmp.exe
          Filesize

          46KB

          MD5

          8f8fd1988973bac0c5244431473b96a5

          SHA1

          ce81ea37260d7cafe27612606cf044921ad1304c

          SHA256

          27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

          SHA512

          a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          1KB

          MD5

          81867e246963a7971e86ab889d0fd1d1

          SHA1

          b95b596ac6adcff89401c573de2b1a1a66841088

          SHA256

          9a2aeb28272805923b6202839c4f08d35a0fa46dcd6aac1979af92f59d3b7d84

          SHA512

          eef976125224d70f204cce8186ea8ce158bd7be43c95963ad83292f05e12ba0a792efe916f4c60dbd8b3fe52eaecda2d49c8553d3b735e00b67d73a2de419d79

          Download Submit

        • memory/1972-77-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1972-81-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2020-63-0x0000017578360000-0x0000017578367000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2020-66-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2020-61-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2176-2-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2176-38-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2176-1-0x0000023B5AC90000-0x0000023B5AC97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2196-50-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2196-45-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2196-47-0x0000017C7D200000-0x0000017C7D207000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3380-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-3-0x0000000002A00000-0x0000000002A01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3380-5-0x00007FFE8A9CA000-0x00007FFE8A9CB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3380-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-25-0x00007FFE8BC20000-0x00007FFE8BC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3380-26-0x00007FFE8BC10000-0x00007FFE8BC20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3380-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-36-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-23-0x0000000000900000-0x0000000000907000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3380-15-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3380-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download