Overview

overview

10

Static

static

3

44b1063452...cb.dll

windows7-x64

10

44b1063452...cb.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44b1063452fdb12ba26b5e6c2b2b1f71330b165f1ab8cbb2f199c048f519e8cb.dll

  • Size

    940KB

  • MD5

    2d9b177ec1f707009b9a808af771d99a

  • SHA1

    a390ee7e32d4c73c0eca3b23134cd990684d4a67

  • SHA256

    44b1063452fdb12ba26b5e6c2b2b1f71330b165f1ab8cbb2f199c048f519e8cb

  • SHA512

    bcc1b7b6a32d43adfb20e81b095d842a1d7c0e197a1f742189cfbdd6fe96f24336f39de968f304ab7955ce66197aaf9ff3a99e12252eadd5adfe6ee6b94849d7

  • SSDEEP

    12288:CPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:CtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\44b1063452fdb12ba26b5e6c2b2b1f71330b165f1ab8cbb2f199c048f519e8cb.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1768
  • C:\Windows\system32\PresentationHost.exe
    C:\Windows\system32\PresentationHost.exe
    1⤵
      PID:516
    • C:\Users\Admin\AppData\Local\6qSTg6\PresentationHost.exe
      C:\Users\Admin\AppData\Local\6qSTg6\PresentationHost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2124
    • C:\Windows\system32\psr.exe
      C:\Windows\system32\psr.exe
      1⤵
        PID:628
      • C:\Users\Admin\AppData\Local\t8QUy\psr.exe
        C:\Users\Admin\AppData\Local\t8QUy\psr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:868
      • C:\Windows\system32\mmc.exe
        C:\Windows\system32\mmc.exe
        1⤵
          PID:1484
        • C:\Users\Admin\AppData\Local\LpODb0Fvl\mmc.exe
          C:\Users\Admin\AppData\Local\LpODb0Fvl\mmc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4444

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6qSTg6\PresentationHost.exe
          Filesize

          276KB

          MD5

          ef27d65b92d89e8175e6751a57ed9d93

          SHA1

          7279b58e711b459434f047e9098f9131391c3778

          SHA256

          17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

          SHA512

          40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

          Download Submit

        • C:\Users\Admin\AppData\Local\6qSTg6\VERSION.dll
          Filesize

          944KB

          MD5

          5b00738ee75678fc5a156b31d7c8b156

          SHA1

          5dcfc0e4682870d0f2fb0c39d99474be7e77d30a

          SHA256

          26402da61ff14db495fd28e5415f2c2087adbefbcee4292b5637d9459fa6e2fa

          SHA512

          a7c98856e44a99ce4f047035083f9a8f4fe68ea501178b0826b3a239a1869dc61909e57657ee47fc358590de2276e70d626efec1e17badf3517f2ad8f7d4720a

          Download Submit

        • C:\Users\Admin\AppData\Local\LpODb0Fvl\DUser.dll
          Filesize

          948KB

          MD5

          d5444caa16a3ad20ab73e7062f720160

          SHA1

          8b05f1f7a1574e1b2c7338750be383e182afbef1

          SHA256

          a69df0453c2e281545ca6e45bbdda78b270c85d448da84e94e8d0e6f608590cd

          SHA512

          75168271738f29d2f53a9c874d538999e62b352b50855c01f90a055890238fc57ade786feb482073e30b32e1549db8c064fa092d6121e0ca8cc7d335ef08885c

          Download Submit

        • C:\Users\Admin\AppData\Local\LpODb0Fvl\mmc.exe
          Filesize

          1.8MB

          MD5

          8c86b80518406f14a4952d67185032d6

          SHA1

          9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

          SHA256

          895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

          SHA512

          1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

          Download Submit

        • C:\Users\Admin\AppData\Local\t8QUy\VERSION.dll
          Filesize

          944KB

          MD5

          af592f4999ffdd841115cf24d35220c2

          SHA1

          de8abf631fcf7abbbeafd435c1b4e348b3ae4afa

          SHA256

          6c654268a1597c4ee9ba49c12baadd59a4c29f8216352c0589b91bf9e5284aa3

          SHA512

          37bb632a1d1a171a48859838d0bafe6d6b89aca71a41a9b859c5586a9504ae23fed695f96ec0a0ccdc7821c5e0d184aab02e0a8dec8b823a07ee643ba615a956

          Download Submit

        • C:\Users\Admin\AppData\Local\t8QUy\psr.exe
          Filesize

          232KB

          MD5

          ad53ead5379985081b7c3f1f357e545a

          SHA1

          6f5aa32c1d15fbf073558fadafd046d97b60184e

          SHA256

          4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

          SHA512

          433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk
          Filesize

          1KB

          MD5

          ee02243d11b868211952b2872d5e77dd

          SHA1

          af6f1aac14f5c48cbdb128948ea1ee540920fdfd

          SHA256

          5c6c8cd51aad41d81ba9384f90f95f6aab74698dec0bec749ffc0abfe091c766

          SHA512

          c1630889764af7197aa855fadd3340569e64f513aa6b2407c119df299709646242a086bb33a5061e889fca9b2837718a277dc850e6b79f4cfb7c5437d59658f3

          Download Submit

        • memory/868-62-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/868-66-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1768-0-0x0000000000530000-0x0000000000537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1768-38-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1768-1-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2124-51-0x000002876D5A0000-0x000002876D68C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2124-46-0x000002876D5A0000-0x000002876D68C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2124-48-0x000002876D760000-0x000002876D767000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-26-0x00007FFB79B90000-0x00007FFB79BA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-35-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-25-0x00007FFB79BA0000-0x00007FFB79BB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-15-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-23-0x0000000000A00000-0x0000000000A07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3436-3-0x0000000000D10000-0x0000000000D11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-5-0x00007FFB77EBA000-0x00007FFB77EBB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4444-80-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/4444-78-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download