Overview

overview

10

Static

static

3

c857bf0ea2...d8.dll

windows7-x64

10

c857bf0ea2...d8.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c857bf0ea218b0898ab1dd5a040f82764e2c425235e47df6e8a397cdad220ed8.dll

  • Size

    964KB

  • MD5

    f78235c59196a46c2d2e038800bdc8da

  • SHA1

    868b5ae58f59ee0593388dccc5d720328520a76e

  • SHA256

    c857bf0ea218b0898ab1dd5a040f82764e2c425235e47df6e8a397cdad220ed8

  • SHA512

    5e1b7c716d60bac077b642db4eff4b2b5fb62675c8c7cd509803917ebd377e0af770acb64351e54aaa1b01f72b741157b8da13f9efee418157f5396763c56bfb

  • SSDEEP

    12288:9PVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:9tKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c857bf0ea218b0898ab1dd5a040f82764e2c425235e47df6e8a397cdad220ed8.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4512
  • C:\Windows\system32\omadmclient.exe
    C:\Windows\system32\omadmclient.exe
    1⤵
      PID:4432
    • C:\Users\Admin\AppData\Local\wuae53Z\omadmclient.exe
      C:\Users\Admin\AppData\Local\wuae53Z\omadmclient.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4080
    • C:\Windows\system32\dccw.exe
      C:\Windows\system32\dccw.exe
      1⤵
        PID:760
      • C:\Users\Admin\AppData\Local\Yj8x\dccw.exe
        C:\Users\Admin\AppData\Local\Yj8x\dccw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2040
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        1⤵
          PID:4544
        • C:\Users\Admin\AppData\Local\2Fg\SndVol.exe
          C:\Users\Admin\AppData\Local\2Fg\SndVol.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2004

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2Fg\SndVol.exe
          Filesize

          269KB

          MD5

          c5d939ac3f9d885c8355884199e36433

          SHA1

          b8f277549c23953e8683746e225e7af1c193ad70

          SHA256

          68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

          SHA512

          8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

          Download Submit

        • C:\Users\Admin\AppData\Local\2Fg\UxTheme.dll
          Filesize

          968KB

          MD5

          93051047eb99c50520232f1e56154e7e

          SHA1

          ba0addddc6f11be774c74dafbead8ac80b4f8ce1

          SHA256

          20acfc0a26a4baa417b7aea7699b775c3dd8521a9ef97479f668a0030bdb5e55

          SHA512

          ec8b000df2521a280467edb97abe7c9af97e42982903da22d6f29c35edc9252851001fad80da33d04c259396fe508eb266446d68645338d4493770618cc2e118

          Download Submit

        • C:\Users\Admin\AppData\Local\Yj8x\dccw.exe
          Filesize

          101KB

          MD5

          cb9374911bf5237179785c739a322c0f

          SHA1

          3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

          SHA256

          f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

          SHA512

          9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

          Download Submit

        • C:\Users\Admin\AppData\Local\Yj8x\mscms.dll
          Filesize

          972KB

          MD5

          8af5771c81789246ee4849f92fbb7a19

          SHA1

          3df79d127ef78d4ced5d3f778b9a41c3f3fa389d

          SHA256

          123b96070b957676033d7c930068753c9f95bdc2548167c220238603defc4365

          SHA512

          5712d175ac6ec4d6548b0cf876bff5c0bf5ee84ce4acda2c776875a894dd7c39caa49f77f3ad29d62472f0f8ebf4c770574b88be3c4a56b6a423a4da4366f6f4

          Download Submit

        • C:\Users\Admin\AppData\Local\wuae53Z\XmlLite.dll
          Filesize

          968KB

          MD5

          48d292261a2c1da0d5be298ca7096930

          SHA1

          9e51ea8729752e62e038d84a28249759431b5628

          SHA256

          6e4bd119dc5b97a7fb1fc7273a39b86b6de1e246462f22bdf77432bb7091d9b4

          SHA512

          53f03736d299e451a5be57a2f4d2546018446f5a48bb09d1e7ab7d77ab5a3b4f3206bb9655c436530c2e859b0d29afbb4ff1a8a79c15c6e1de92394db01e39e8

          Download Submit

        • C:\Users\Admin\AppData\Local\wuae53Z\omadmclient.exe
          Filesize

          425KB

          MD5

          8992b5b28a996eb83761dafb24959ab4

          SHA1

          697ecb33b8ff5b0e73ef29ce471153b368b1b729

          SHA256

          e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

          SHA512

          4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk
          Filesize

          1KB

          MD5

          142aeeeb7ad6f7c44f36b7e67c260f4f

          SHA1

          602aa4cea03f9c5f19d9f3f7413a8ea2df884115

          SHA256

          7c2f5f23ece46d21d4b6f09f91d2b6bfd93cecf3d720c81c821532ead3ba3662

          SHA512

          2f97508ad801f9b382c88375de1e59ca5bf3029d8df272dd563fa101515b862204d0c7e35bf2b0e63e1a331220f47c8cbc4d0822f31ba47b67ef786c7ceca5db

          Download Submit

        • memory/2004-81-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2040-66-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/2040-63-0x000001277C920000-0x000001277C927000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2040-61-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/3452-26-0x00007FFA9A290000-0x00007FFA9A2A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3452-13-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-11-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-5-0x00007FFA9A20A000-0x00007FFA9A20B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-24-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-3-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3452-25-0x00007FFA9A2A0000-0x00007FFA9A2B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3452-35-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-8-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-7-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-9-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-15-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-23-0x0000000002B30000-0x0000000002B37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3452-14-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-10-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-12-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3452-6-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/4080-50-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/4080-45-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/4080-47-0x000001B8A7AB0000-0x000001B8A7AB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4512-38-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/4512-2-0x00000000006B0000-0x00000000006B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4512-0-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download