Overview

overview

10

Static

static

3

1b5c27cfe8...d2.dll

windows7-x64

10

1b5c27cfe8...d2.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b5c27cfe83c97a8a00dffd74caa9464e5a52bd2ffcac5382db378ef008f49d2.dll

  • Size

    1.5MB

  • MD5

    39273691ed194c18055810147be4d04f

  • SHA1

    09e52e5ef498c927672313f1b9899d0697929bf1

  • SHA256

    1b5c27cfe83c97a8a00dffd74caa9464e5a52bd2ffcac5382db378ef008f49d2

  • SHA512

    923ab6d6db240e2605ae869ee9c05bc3bf15889c516a5a0fa7483065fb6a539dbcc28eaa1ad44ec7569da980117bca055255abf370fb6e2ba1846f283135859c

  • SSDEEP

    12288:lXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:5B/Qn0rbD8UZUDtgIiemI51Mwtewkm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b5c27cfe83c97a8a00dffd74caa9464e5a52bd2ffcac5382db378ef008f49d2.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:548
  • C:\Windows\system32\PresentationHost.exe
    C:\Windows\system32\PresentationHost.exe
    1⤵
      PID:3032
    • C:\Users\Admin\AppData\Local\PcIBjbt\PresentationHost.exe
      C:\Users\Admin\AppData\Local\PcIBjbt\PresentationHost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:380
    • C:\Windows\system32\perfmon.exe
      C:\Windows\system32\perfmon.exe
      1⤵
        PID:744
      • C:\Users\Admin\AppData\Local\wNQuAqh\perfmon.exe
        C:\Users\Admin\AppData\Local\wNQuAqh\perfmon.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:216
      • C:\Windows\system32\bdechangepin.exe
        C:\Windows\system32\bdechangepin.exe
        1⤵
          PID:2492
        • C:\Users\Admin\AppData\Local\lCTG7V\bdechangepin.exe
          C:\Users\Admin\AppData\Local\lCTG7V\bdechangepin.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2024

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\PcIBjbt\PresentationHost.exe
          Filesize

          276KB

          MD5

          ef27d65b92d89e8175e6751a57ed9d93

          SHA1

          7279b58e711b459434f047e9098f9131391c3778

          SHA256

          17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

          SHA512

          40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

          Download Submit

        • C:\Users\Admin\AppData\Local\PcIBjbt\VERSION.dll
          Filesize

          1.5MB

          MD5

          5037c738ec8a81e3a8c978db8998558e

          SHA1

          c085a13cf000e5cc4ef9c05b968a590ba6f219e7

          SHA256

          c72fbcf03f2840b9d7235a7a4d65d1c566c107c9ae11d2032d49fa432fc683fd

          SHA512

          ee582f2de2a77766a29f5e320e18c46d21fcbab8f9da14db152f469a65f5b0dc6cac47cb67ebfa65ae8c6f0a983903cdb44bbced74dcfdad9f72fe5a269053b6

          Download Submit

        • C:\Users\Admin\AppData\Local\lCTG7V\DUI70.dll
          Filesize

          1.8MB

          MD5

          cb7016115bc8367bb49bca34f40e455c

          SHA1

          a3b9c03ba02f625b9abdc64702f8c69bc52ff63e

          SHA256

          a992b947620662900003d9cd97d8824b142a54b581ff5ed662c0f145ab478f47

          SHA512

          4e857b6f26207da698c3c1c0c3746803cbdbd87bddbed0a3f41d40721b43f61b0f2ccd68ecf35e243970ae887929eb58c6c63adb371a92160f62e115f51fb307

          Download Submit

        • C:\Users\Admin\AppData\Local\lCTG7V\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\wNQuAqh\credui.dll
          Filesize

          1.5MB

          MD5

          b29e1bb74ed62e688ea0c4422ec86aa9

          SHA1

          143367d7842584de5c5b2b2745448b1da55e4fe6

          SHA256

          821796f4b1c8f7e08324f56ad2bbf99102bf5dc47571df0658fef93bc91ac1c5

          SHA512

          ddc8e9df39f1981261a7d460ebccdd873b1724ce09f479197eb5ef800edf81f180cec716da4fc31e94183b9de0f2f3443df242f175d0d69580a693124701bc77

          Download Submit

        • C:\Users\Admin\AppData\Local\wNQuAqh\perfmon.exe
          Filesize

          177KB

          MD5

          d38aa59c3bea5456bd6f95c73ad3c964

          SHA1

          40170eab389a6ba35e949f9c92962646a302d9ef

          SHA256

          5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

          SHA512

          59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          a96260ce3547ef1396f09a2a0a598428

          SHA1

          0d39d7d1b61b25c2a3f1dd74b4eafe21eb8822cf

          SHA256

          df7e9d24a05ce29c3ab50b39812326ac8252444c5ed4dddfd6bf0e0d9bb23647

          SHA512

          cda818f8a68ea71b4d8ff1b1e28d6c4b5cfdccd79faa1b8cc4bcde2291056eff922e9e0ec2c36035dd42626511fc14e77e3aa16bb129cd444c649ee2053e09f5

          Download Submit

        • memory/216-72-0x00007FFCCA980000-0x00007FFCCAAFF000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/216-69-0x0000024F01AC0000-0x0000024F01AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/380-56-0x00007FFCCA980000-0x00007FFCCAAFF000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/380-51-0x00007FFCCA980000-0x00007FFCCAAFF000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/380-53-0x0000028B49A60000-0x0000028B49A67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/548-0-0x000001F443A50000-0x000001F443A57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/548-44-0x00007FFCCA980000-0x00007FFCCAAFE000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/548-2-0x00007FFCCA980000-0x00007FFCCAAFE000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2024-83-0x00007FFCCA930000-0x00007FFCCAAF4000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2024-87-0x00007FFCCA930000-0x00007FFCCAAF4000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3344-18-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-12-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-7-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-9-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-6-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-30-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-31-0x00007FFCDA200000-0x00007FFCDA210000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3344-32-0x00007FFCDA1F0000-0x00007FFCDA200000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3344-41-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-10-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-11-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-8-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-13-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-14-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-15-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-16-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-19-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-21-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-29-0x0000000000800000-0x0000000000807000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3344-22-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-20-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-17-0x0000000140000000-0x000000014017E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3344-3-0x0000000000980000-0x0000000000981000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3344-5-0x00007FFCD9A5A000-0x00007FFCD9A5B000-memory.dmp

          Filesize

          4KB

          Download