Overview

overview

10

Static

static

3

14428c7813...ab.dll

windows7-x64

10

14428c7813...ab.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    14428c7813afa82b51e9e7c3414150907f27d1a86772d8c85873078c06e87eab.dll

  • Size

    1.1MB

  • MD5

    3b20b57c1a38d810a1ad07271a1a2fea

  • SHA1

    e2ea64f5665cf9d79b69e8156964617a3c2d0ded

  • SHA256

    14428c7813afa82b51e9e7c3414150907f27d1a86772d8c85873078c06e87eab

  • SHA512

    ed9fde35767cf9f76d7d37fe1b3540032013fae2f79d3de6b288e446053630a0609372d9e517e03444472279910169286b8339bd63ba9f25ace6ddc88f23a6b2

  • SSDEEP

    12288:MkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:MkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\14428c7813afa82b51e9e7c3414150907f27d1a86772d8c85873078c06e87eab.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2648
  • C:\Windows\system32\PresentationHost.exe
    C:\Windows\system32\PresentationHost.exe
    1⤵
      PID:4912
    • C:\Users\Admin\AppData\Local\Qd4z7\PresentationHost.exe
      C:\Users\Admin\AppData\Local\Qd4z7\PresentationHost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4400
    • C:\Windows\system32\MDMAppInstaller.exe
      C:\Windows\system32\MDMAppInstaller.exe
      1⤵
        PID:412
      • C:\Users\Admin\AppData\Local\GLm3kG\MDMAppInstaller.exe
        C:\Users\Admin\AppData\Local\GLm3kG\MDMAppInstaller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3320
      • C:\Windows\system32\RecoveryDrive.exe
        C:\Windows\system32\RecoveryDrive.exe
        1⤵
          PID:1540
        • C:\Users\Admin\AppData\Local\RE1S\RecoveryDrive.exe
          C:\Users\Admin\AppData\Local\RE1S\RecoveryDrive.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3100

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GLm3kG\MDMAppInstaller.exe
          Filesize

          151KB

          MD5

          30e978cc6830b04f1e7ed285cccaa746

          SHA1

          e915147c17e113c676c635e2102bbff90fb7aa52

          SHA256

          dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

          SHA512

          331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

          Download Submit

        • C:\Users\Admin\AppData\Local\GLm3kG\WTSAPI32.dll
          Filesize

          1.1MB

          MD5

          9a781dfc577bee319f76ad0ab12ba3b8

          SHA1

          ac0189eb549b7a5ff2733b619411690af7d551d1

          SHA256

          f561364d0d015842e1a2a00ceef2354a58598c60e6ac6aec42563247768b3d16

          SHA512

          9bcd375d2c2ce43b8dea8ece0375e30c57357b627859c4990f78ee7a76a08872c2ec8fb4bf546c48e7f4b107493d72ebfcb5c3e423893dca53e090245184a33b

          Download Submit

        • C:\Users\Admin\AppData\Local\Qd4z7\PresentationHost.exe
          Filesize

          276KB

          MD5

          ef27d65b92d89e8175e6751a57ed9d93

          SHA1

          7279b58e711b459434f047e9098f9131391c3778

          SHA256

          17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

          SHA512

          40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

          Download Submit

        • C:\Users\Admin\AppData\Local\Qd4z7\VERSION.dll
          Filesize

          1.1MB

          MD5

          d202b4f3d8afd7768940c222c56bf9ed

          SHA1

          ed42160a34ad16a82b23e3f7a2ad1662eb25aa19

          SHA256

          c9e2d09c43992c0d41fa278b3723c4809104b19a67f609a1f825672ae0ec1774

          SHA512

          0af811f0c751c04f3fbc8af684471f9156d3490f23ca20b8f4a254bf64e429d8e9a54c0b86a492892643f7d404991700aaef842fed8504f54766b84c898bbb2e

          Download Submit

        • C:\Users\Admin\AppData\Local\RE1S\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\RE1S\UxTheme.dll
          Filesize

          1.1MB

          MD5

          15f4ec5c74c6f7646bbc1a00d1c3ecaa

          SHA1

          57a30636accd5378b3c3298a1aff4188e9ca715c

          SHA256

          693dfe616c0be251cc9c2324ce39ae405393d06f47593fd4316f012848f8b7b1

          SHA512

          82d3f285162523463e0e85e81cc69acb9a5685455de9f605b533dfd53de9bdde697645e50bec3fae3f9ef018e99dd50366f6130539ae928a414984b2dfd9e467

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          6ce5de7fe6e8ece011423852047de9f9

          SHA1

          072609ad6585cf1482d8153ab0076a93e3ec9f09

          SHA256

          be475b319c860c40c4f8a8141901b622375b238538343453f753307ae057a9d6

          SHA512

          d6d4919e20445ee6322deeaf505924bd1b567151f39aa7964ceb043aeee99bb63940380abd298d890f44961bf5719c75888b1b5f140c62c53f481b801eed80f8

          Download Submit

        • memory/2648-1-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2648-37-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2648-0-0x000001CC2E3E0000-0x000001CC2E3E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3100-81-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3320-66-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3320-61-0x00000247079D0000-0x00000247079D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3320-63-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-12-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-14-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-6-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-34-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-8-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-10-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-11-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-4-0x00007FFD4D59A000-0x00007FFD4D59B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3420-3-0x0000000003440000-0x0000000003441000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3420-9-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-23-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-24-0x00007FFD4F360000-0x00007FFD4F370000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3420-25-0x00007FFD4F350000-0x00007FFD4F360000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3420-7-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3420-22-0x00000000012D0000-0x00000000012D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3420-13-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4400-50-0x000001C296ED0000-0x000001C296FED000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4400-45-0x000001C296ED0000-0x000001C296FED000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4400-47-0x000001C297090000-0x000001C297097000-memory.dmp

          Filesize

          28KB

          Download