Overview

overview

10

Static

static

3

0fe4a1f561...b4.dll

windows7-x64

10

0fe4a1f561...b4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fe4a1f561c62db783b0319724978bd87d6cd1cb2160c21cee7d6332e6376cb4.dll

  • Size

    936KB

  • MD5

    e3131866f91556ad080fe2a779aa1b17

  • SHA1

    df96ad3471403e2b98e66b15851280ea51e13291

  • SHA256

    0fe4a1f561c62db783b0319724978bd87d6cd1cb2160c21cee7d6332e6376cb4

  • SHA512

    288e9f5ce7ea185db87f0034cc39409c7d9fbbe334e6b71da5569d02d207103a343513985e15286771b841faaccb4bb5f4224bd0419d24d7967f65d71eb93d89

  • SSDEEP

    12288:DPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:DtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fe4a1f561c62db783b0319724978bd87d6cd1cb2160c21cee7d6332e6376cb4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1404
  • C:\Windows\system32\ProximityUxHost.exe
    C:\Windows\system32\ProximityUxHost.exe
    1⤵
      PID:4896
    • C:\Users\Admin\AppData\Local\PgMaD\ProximityUxHost.exe
      C:\Users\Admin\AppData\Local\PgMaD\ProximityUxHost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3056
    • C:\Windows\system32\WMPDMC.exe
      C:\Windows\system32\WMPDMC.exe
      1⤵
        PID:4960
      • C:\Users\Admin\AppData\Local\9jTzTT\WMPDMC.exe
        C:\Users\Admin\AppData\Local\9jTzTT\WMPDMC.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1476
      • C:\Windows\system32\dwm.exe
        C:\Windows\system32\dwm.exe
        1⤵
          PID:2324
        • C:\Users\Admin\AppData\Local\C4R\dwm.exe
          C:\Users\Admin\AppData\Local\C4R\dwm.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2552

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9jTzTT\OLEACC.dll
          Filesize

          940KB

          MD5

          2a4c670fa86e15946edf1a58638c6ec7

          SHA1

          ef199cf73935a7da13d43962d9158b25df044fcf

          SHA256

          be033c9e9af9e56cccce8d327637ff290e7d914ae1b64f8e0a2e29fc70681628

          SHA512

          203914b92096a7bd7ef50d20427c89ed19ae3c96367bdad6fe3c4953ea9f3a13fc069003b7465802c8b042d25692327701d74c3dc2d25124b40c0f6bdbe1f2b8

          Download Submit

        • C:\Users\Admin\AppData\Local\9jTzTT\WMPDMC.exe
          Filesize

          1.5MB

          MD5

          59ce6e554da0a622febce19eb61c4d34

          SHA1

          176a4a410cb97b3d4361d2aea0edbf17e15d04c7

          SHA256

          c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

          SHA512

          e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

          Download Submit

        • C:\Users\Admin\AppData\Local\C4R\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\C4R\dxgi.dll
          Filesize

          940KB

          MD5

          ea988c8f1b2fe8ae1537a7b8efb74208

          SHA1

          716f79e6adf724ec747b8868f107fe2e125ede05

          SHA256

          c503688c8606c0c3665c5229870d54a47b26fe8db04164e8658f1669d5153fbf

          SHA512

          9612dd202cff8d8eca1b24e7e7339c87825eeecc557969ec6735b1fd42f439b7db4ff4ea684cc7d77efde031b44659b8b4890e04b281eab957907d7d2a67165d

          Download Submit

        • C:\Users\Admin\AppData\Local\PgMaD\DUI70.dll
          Filesize

          1.2MB

          MD5

          5e0a79e509e5726bd7acd7b2b2f3d300

          SHA1

          80b2b3158d1392bf5f9ae20e87abda9655b02a81

          SHA256

          ec586e6e803795dc995fcf96b364160e875ceac950f31a6259be26cd50c7ea8c

          SHA512

          9d372ed4c3efd6d7b06365fb3dd04e8da0bc737d42763bf9d4c7dc540877290eb93b7b3490934e29b5ed9441ac1929eaffbea58bed1827dfcf52c6db0ab4eb5e

          Download Submit

        • C:\Users\Admin\AppData\Local\PgMaD\ProximityUxHost.exe
          Filesize

          263KB

          MD5

          9ea326415b83d77295c70a35feb75577

          SHA1

          f8fc6a4f7f97b242f35066f61d305e278155b8a8

          SHA256

          192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

          SHA512

          2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk
          Filesize

          1KB

          MD5

          ce499053d2f63bb389ffda705ab7b92f

          SHA1

          3370971d5fe211c2b08db02fc3413cad4ca12810

          SHA256

          c2e471cda4bd5b7658829518c71ce9e170b5970146ed1904d45001e54475fda7

          SHA512

          2992e6dd7e680797f40eee7b6daf3dacc9aa5cc960be354b1606616767527a79eebe2a3b2bd45a662fb565debfff0b82de266c6ee332d0c5b4e04ed28e1794cc

          Download Submit

        • memory/1404-0-0x00000150BA720000-0x00000150BA727000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1404-37-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1404-2-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1476-60-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1476-64-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2552-79-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3056-49-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3056-46-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3056-44-0x000001D00C6A0000-0x000001D00C6A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3516-11-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-35-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-14-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-7-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-8-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-9-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-10-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-23-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-24-0x00007FF8FDB60000-0x00007FF8FDB70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3516-25-0x00007FF8FDB50000-0x00007FF8FDB60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3516-13-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-22-0x0000000000440000-0x0000000000447000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3516-12-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-6-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3516-5-0x00007FF8FCE2A000-0x00007FF8FCE2B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3516-3-0x0000000002060000-0x0000000002061000-memory.dmp

          Filesize

          4KB

          Download