Overview

overview

10

Static

static

3

7ecf0f43a5...44.dll

windows7-x64

10

7ecf0f43a5...44.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 13:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ecf0f43a5389996d85ecc78bd128506009eca558379d5fb8802037b35da1544.dll

  • Size

    936KB

  • MD5

    e6080347ef82059989855367f707b6f5

  • SHA1

    af2f5c40bdd1b55fde1fab97d91e5e7e12733731

  • SHA256

    7ecf0f43a5389996d85ecc78bd128506009eca558379d5fb8802037b35da1544

  • SHA512

    6a58fb67a3cc61fdccbe8335309964d1c2d2cc9db2d1e47797fa0ba2de69631f71ba4499e9b65d921846832f33e358356ac917f836616d6a0d08209767f1c82b

  • SSDEEP

    12288:DPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:DtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ecf0f43a5389996d85ecc78bd128506009eca558379d5fb8802037b35da1544.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1396
  • C:\Windows\system32\dccw.exe
    C:\Windows\system32\dccw.exe
    1⤵
      PID:2836
    • C:\Users\Admin\AppData\Local\RM6L4a0\dccw.exe
      C:\Users\Admin\AppData\Local\RM6L4a0\dccw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4464
    • C:\Windows\system32\RdpSa.exe
      C:\Windows\system32\RdpSa.exe
      1⤵
        PID:3500
      • C:\Users\Admin\AppData\Local\f4FjAmN\RdpSa.exe
        C:\Users\Admin\AppData\Local\f4FjAmN\RdpSa.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1700
      • C:\Windows\system32\tcmsetup.exe
        C:\Windows\system32\tcmsetup.exe
        1⤵
          PID:1432
        • C:\Users\Admin\AppData\Local\1q3aNsSC\tcmsetup.exe
          C:\Users\Admin\AppData\Local\1q3aNsSC\tcmsetup.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1596

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1q3aNsSC\TAPI32.dll
          Filesize

          944KB

          MD5

          fd233bdb42408e9f0163e7c366788808

          SHA1

          cf91fe0e11070d0a45175cd9b4cd70b22e2fde38

          SHA256

          a1826e97ef80dcb97330ec0edd5580735cb216b1cbec5a65bda07245ff26ac9f

          SHA512

          2ca95dbae4ac37b3073782bcd7262911300d7502ac5eb5401787259531e8087feb34d8dab6926c4af7db6ca0bcbd38e2cd04d6281e0d666250aae044b3e83b51

          Download Submit

        • C:\Users\Admin\AppData\Local\1q3aNsSC\tcmsetup.exe
          Filesize

          16KB

          MD5

          58f3b915b9ae7d63431772c2616b0945

          SHA1

          6346e837da3b0f551becb7cac6d160e3063696e9

          SHA256

          e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

          SHA512

          7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

          Download Submit

        • C:\Users\Admin\AppData\Local\RM6L4a0\dccw.exe
          Filesize

          101KB

          MD5

          cb9374911bf5237179785c739a322c0f

          SHA1

          3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

          SHA256

          f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

          SHA512

          9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

          Download Submit

        • C:\Users\Admin\AppData\Local\RM6L4a0\dxva2.dll
          Filesize

          940KB

          MD5

          d1cf3d2c11cd61607e2708fe1a1d1002

          SHA1

          dae881347fff15d936e87f4b18d4512aebd15b4f

          SHA256

          693dd324144acec8382e9ee1f4b2feab16ba7b66fef9a42b6fda7ba198aaf55a

          SHA512

          cf9777e1527b9e78b9eca56d6afcc7645b0eb7b41a0b9e134c241bee7ab66799a7ee925e197584ad976f6c63a7e314ae2eaa68012aeec068f86b63caf0ad4035

          Download Submit

        • C:\Users\Admin\AppData\Local\f4FjAmN\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\f4FjAmN\WINSTA.dll
          Filesize

          944KB

          MD5

          ad49aeec0c40d985d62a5b84cf73f362

          SHA1

          8ba255b87940a6ee67b53f10ca33d29df057de39

          SHA256

          f05d9c1621eb39dce8636d2478e98e919114289fad053e9b9e7943e20bbf1909

          SHA512

          737f81cdd69c751a23d3bd727580713ec32839429820e56f8a47ac0ccbdcc3e006acb093b65b14a8f81dcef055e1c35b3d4ae975b8bcad34d346df0025fa3741

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          5e3dcaf6ca3d22ce043b83a8e668f692

          SHA1

          8ab44599ac3bac66aa1bcddaf478ec7b4b7dd767

          SHA256

          24eabdec0cd578ce971d95a1e499652e21148d5e67926389720e0ec393e8109f

          SHA512

          325e0132129337e05d4868e9657ed2ff45251e3528b2a083afa45be34abc9f3f32d0b576d404cbf376b2c1f123cf84bccda528abb5e82bdd5daa9c9b302b2a1b

          Download Submit

        • memory/1396-1-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1396-37-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1396-0-0x000001FB2B2C0000-0x000001FB2B2C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1596-81-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1700-65-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1700-60-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1700-62-0x00000230A6E70000-0x00000230A6E77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1700-64-0x00007FF7D42D0000-0x00007FF7D42E3000-memory.dmp

          Filesize

          76KB

          Download

        • memory/3528-11-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-6-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-24-0x00007FFD96120000-0x00007FFD96130000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-25-0x00007FFD96110000-0x00007FFD96120000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-23-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-5-0x00007FFD94AFA000-0x00007FFD94AFB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-3-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-8-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-14-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-34-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-7-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-9-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-10-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-12-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-13-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3528-22-0x0000000002ED0000-0x0000000002ED7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4464-49-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4464-44-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4464-46-0x000002709BA50000-0x000002709BA57000-memory.dmp

          Filesize

          28KB

          Download