Overview

overview

10

Static

static

3

eb0b173b94...24.dll

windows7-x64

10

eb0b173b94...24.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb0b173b943bf9399a03852622eadadec68805c0d7176f41e0e621822e071724.dll

  • Size

    1.5MB

  • MD5

    a2f81479dcf22bbfa3ea600831b3daac

  • SHA1

    cc7e7e2a99859fc8d06cc8ff59b0c1f7aea122c8

  • SHA256

    eb0b173b943bf9399a03852622eadadec68805c0d7176f41e0e621822e071724

  • SHA512

    cad46194da3ea931cc0487a0530b483a526edad634c01f1dbda52345779258dc66ca777821372e5d74516371ca32c192a164ddc6ce336e677f4dc663cef5f9a8

  • SSDEEP

    12288:dXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:xB/Qn0rbD8UZUDtgIiemI51Mwtewkm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eb0b173b943bf9399a03852622eadadec68805c0d7176f41e0e621822e071724.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1672
  • C:\Windows\system32\rdpshell.exe
    C:\Windows\system32\rdpshell.exe
    1⤵
      PID:548
    • C:\Users\Admin\AppData\Local\Ap99uDS\rdpshell.exe
      C:\Users\Admin\AppData\Local\Ap99uDS\rdpshell.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4456
    • C:\Windows\system32\DmNotificationBroker.exe
      C:\Windows\system32\DmNotificationBroker.exe
      1⤵
        PID:2820
      • C:\Users\Admin\AppData\Local\ptuRfitC\DmNotificationBroker.exe
        C:\Users\Admin\AppData\Local\ptuRfitC\DmNotificationBroker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4416
      • C:\Windows\system32\wusa.exe
        C:\Windows\system32\wusa.exe
        1⤵
          PID:4896
        • C:\Users\Admin\AppData\Local\fWuw\wusa.exe
          C:\Users\Admin\AppData\Local\fWuw\wusa.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:772

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Ap99uDS\dwmapi.dll
          Filesize

          1.5MB

          MD5

          315fa9fea93a619e0d317d70948b977e

          SHA1

          5d3566b586f0b813669700baf89dc736f8bbeebf

          SHA256

          3a9322f07cc089f6dc567531c4ef74bfb83e854e450def09a2cb2e3fe4b4bac7

          SHA512

          f03f6103a9b77846a4f1b5249e947e50d9f4e8a3f3bcc959f31d204ee8f306d4d642f71a535bb8f26a069c9647a085502cffab0eb0bc271d8e14228cd3b8670a

          Download Submit

        • C:\Users\Admin\AppData\Local\Ap99uDS\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Local\fWuw\dpx.dll
          Filesize

          1.5MB

          MD5

          6090b71fd8c5be213c91f86cc9c32e28

          SHA1

          ece64f4a0a59f96b393511bbb1be723a04ee7610

          SHA256

          8119da6920ad055c33d79a2d62d13755f8c2c583741693ad1caca78482fcab2b

          SHA512

          ecf4343665680198d4c715970b1f3ede8c13376981ef161e04ea56df6daf4f1ad85b3aa4c2e7b8bdb1ce10e53a6b35ea12b4ba9d7c6c621e8fd0fbeb93b07f59

          Download Submit

        • C:\Users\Admin\AppData\Local\fWuw\wusa.exe
          Filesize

          309KB

          MD5

          e43499ee2b4cf328a81bace9b1644c5d

          SHA1

          b2b55641f2799e3fdb3bea709c9532017bbac59d

          SHA256

          3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

          SHA512

          04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

          Download Submit

        • C:\Users\Admin\AppData\Local\ptuRfitC\DUI70.dll
          Filesize

          1.8MB

          MD5

          d0389dce5d9dcfec054fdbc2319521c7

          SHA1

          4961d7332a1fcd9791b18d24ad02078d36b12fcf

          SHA256

          1ee086a0c78dcfcfd0d0f0131d10e8941e1f44d9383d2593da29cd13645f134c

          SHA512

          51fe8fc628a82acd547675b2352f340556bab2f10b6417d3f8b98243dbff2c9c1162d2e1baee2a19cba804e2a96cd03069a14819fbc4581b904b136b14700f40

          Download Submit

        • C:\Users\Admin\AppData\Local\ptuRfitC\DmNotificationBroker.exe
          Filesize

          32KB

          MD5

          f0bdc20540d314a2aad951c7e2c88420

          SHA1

          4ab344595a4a81ab5f31ed96d72f217b4cee790b

          SHA256

          f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

          SHA512

          cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk
          Filesize

          1KB

          MD5

          7288c5ba533ca14b2d13a3c9d04d04f2

          SHA1

          4d079a31ec74c81de3515bc736f43c4091bf9a27

          SHA256

          d9e9e2db94c9a04f9d13cb1137daac4f98e8f85ca175c6a2e1a83c4c84d59e06

          SHA512

          b713b7998739fde426f4fddb74e8657b3f63b801464b23f9e86ec0e565fadab7c27e98b76abac73d34f5638f0aa95c911958a0d1a23e3b0bb7dd8e70db9ea9c6

          Download Submit

        • memory/772-87-0x00007FF8F3CA0000-0x00007FF8F3E20000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1672-0-0x000001B2AADB0000-0x000001B2AADB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1672-2-0x00007FF8F3CA0000-0x00007FF8F3E1F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1672-44-0x00007FF8F3CA0000-0x00007FF8F3E1F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-11-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-32-0x00007FF902270000-0x00007FF902280000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3448-18-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-17-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-16-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-15-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-14-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-13-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-12-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-22-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-9-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-8-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-7-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-19-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-6-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-21-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-30-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-31-0x00007FF902280000-0x00007FF902290000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3448-3-0x0000000002F50000-0x0000000002F51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-5-0x00007FF9007BA000-0x00007FF9007BB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-10-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-41-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3448-29-0x0000000000EE0000-0x0000000000EE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3448-20-0x0000000140000000-0x000000014017F000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4416-68-0x00007FF8F3C50000-0x00007FF8F3E15000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4416-72-0x00007FF8F3C50000-0x00007FF8F3E15000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4416-67-0x0000020C69050000-0x0000020C69057000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4456-56-0x00007FF8F3CA0000-0x00007FF8F3E20000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4456-53-0x00000271EC960000-0x00000271EC967000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4456-51-0x00007FF8F3CA0000-0x00007FF8F3E20000-memory.dmp

          Filesize

          1.5MB

          Download