Overview

overview

10

Static

static

3

9b2a6a5b07...8c.dll

windows7-x64

10

9b2a6a5b07...8c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b2a6a5b076828f7f0a821e254c49bf74abed0b9974f3fe6f74414210e71ac8c.dll

  • Size

    936KB

  • MD5

    8eef978c00b27044f919df7c554d5520

  • SHA1

    cebd31232222956453ec07290acf6acd42bf1ba7

  • SHA256

    9b2a6a5b076828f7f0a821e254c49bf74abed0b9974f3fe6f74414210e71ac8c

  • SHA512

    1be501d0c1770bc5cb35ef26afb8d7670983888b2d7ce9ab26b3cbbd9d9d582437111ec43b060d6b378df3af9888501e81f03b5506d13e775ae2172d3d84bd41

  • SSDEEP

    12288:bPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8y1:btKTrsKSKBTSb6DUXWq8y1

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b2a6a5b076828f7f0a821e254c49bf74abed0b9974f3fe6f74414210e71ac8c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:876
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    1⤵
      PID:3048
    • C:\Users\Admin\AppData\Local\3nrmMHk\sdclt.exe
      C:\Users\Admin\AppData\Local\3nrmMHk\sdclt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2716
    • C:\Windows\system32\winlogon.exe
      C:\Windows\system32\winlogon.exe
      1⤵
        PID:2588
      • C:\Users\Admin\AppData\Local\IoeYpXN1\winlogon.exe
        C:\Users\Admin\AppData\Local\IoeYpXN1\winlogon.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2632
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:2756
        • C:\Users\Admin\AppData\Local\a3a9\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\a3a9\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1740

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3nrmMHk\wer.dll
          Filesize

          940KB

          MD5

          c2b592ab8972b3c4f1f95da317bfdfa5

          SHA1

          0569b91f8cfcaaee4d7b4593a222be6561f431c8

          SHA256

          015d9eadbc67925ec53efb9f3cb6af502e46d1432fba7967733d9d1e3bec889d

          SHA512

          6c6bac075aed3308802156d9dbfef661fdd2315ccd6cc6b1cd339f73d78376f2b88d973f96e45755a86be6ed63618409e1e207b8e101f5469f0fd77fa351afcf

          Download Submit

        • C:\Users\Admin\AppData\Local\IoeYpXN1\WINSTA.dll
          Filesize

          944KB

          MD5

          ccd8deee7120c7c744a45ca7165c89a8

          SHA1

          591f3f8a12b6cca1692e8bb156248f7eb5b75a6a

          SHA256

          badd4f50d8ace27e5ff0d9cbe70cc591823635472fa181f3ff5336bfbd605ad0

          SHA512

          01653c91e17b826e266d7858fcc1cc0eefeed61fc782ea53bb9beb84930e8dc8a9047544ed4fa083d6c1dcc1472a3fc9803e3730b472372f7e4ee491fae6e192

          Download Submit

        • C:\Users\Admin\AppData\Local\a3a9\SYSDM.CPL
          Filesize

          940KB

          MD5

          1c543ab352fb959f2f333c36b17340c3

          SHA1

          d0dc3d447e9b8f5de720ee8ef9aa7df7c608b311

          SHA256

          f8a5363b900bbb415f83c1ccc75dbf5ae73edad070c76b0d514a80c43c0cabe9

          SHA512

          0c71ffa16685cefdfa4f533d75ee766273e81085b710d221e424d24d3b066e26cdd4c7d9238ac413b60ac1fd6d5a2c1cc6d110684962743f7eb233c068036302

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk
          Filesize

          1KB

          MD5

          367e33ea53cd30ece067ad07eb421cfb

          SHA1

          6f3cf6b1bd215e6a5a7ac2d5ebf8ce89a8d2b163

          SHA256

          5bdda9879c8a75db92a3067151b0ac1443bacba0ba569f6e0b68b52b85c954cc

          SHA512

          b59a85ce0d3916a88ea7c30b191e7459fa6704ea54aba5bfa7d3df0cfc7b756fd2f7816817459645ad31ae9385845b5d341dffcc80fe934dd9674bb43c1aeeb1

          Download Submit

        • \Users\Admin\AppData\Local\3nrmMHk\sdclt.exe
          Filesize

          1.2MB

          MD5

          cdebd55ffbda3889aa2a8ce52b9dc097

          SHA1

          4b3cbfff5e57fa0cb058e93e445e3851063646cf

          SHA256

          61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

          SHA512

          2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

          Download Submit

        • \Users\Admin\AppData\Local\IoeYpXN1\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • \Users\Admin\AppData\Local\a3a9\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • memory/876-0-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/876-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/876-43-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-24-0x00000000774A0000-0x00000000774A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1160-7-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-14-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-13-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-23-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-25-0x00000000774D0000-0x00000000774D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1160-12-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-34-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-35-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-15-0x0000000002CD0000-0x0000000002CD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1160-44-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1160-11-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-8-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-3-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1160-6-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-4-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1160-9-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1160-10-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1740-90-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2632-70-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2632-74-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2632-69-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-57-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2716-53-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2716-52-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download