Overview

overview

10

Static

static

3

4aa9b7b5b5...8a.dll

windows7-x64

10

4aa9b7b5b5...8a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4aa9b7b5b577b6596e284ef74944718f3e790cbdda9f8fc30c065a545dab628a.dll

  • Size

    1.1MB

  • MD5

    47256612c3c8c8f506e0755af28551e8

  • SHA1

    c72c90635b24feadcd786fef8cfe756eaa14b4cb

  • SHA256

    4aa9b7b5b577b6596e284ef74944718f3e790cbdda9f8fc30c065a545dab628a

  • SHA512

    c84b91c039127bf34c2bf3996fe5c044dbd34ca248f8117966d4a43582f4e87578b471675278a6f46ba20fe58856144c8498d435e4df15075a087a81815e0075

  • SSDEEP

    12288:IkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:IkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4aa9b7b5b577b6596e284ef74944718f3e790cbdda9f8fc30c065a545dab628a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3672
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    1⤵
      PID:4144
    • C:\Users\Admin\AppData\Local\muqlYP\SystemPropertiesProtection.exe
      C:\Users\Admin\AppData\Local\muqlYP\SystemPropertiesProtection.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:944
    • C:\Windows\system32\GamePanel.exe
      C:\Windows\system32\GamePanel.exe
      1⤵
        PID:1600
      • C:\Users\Admin\AppData\Local\0woGdy6ZX\GamePanel.exe
        C:\Users\Admin\AppData\Local\0woGdy6ZX\GamePanel.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3436
      • C:\Windows\system32\shrpubw.exe
        C:\Windows\system32\shrpubw.exe
        1⤵
          PID:3988
        • C:\Users\Admin\AppData\Local\u1c1x\shrpubw.exe
          C:\Users\Admin\AppData\Local\u1c1x\shrpubw.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2992

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0woGdy6ZX\GamePanel.exe
          Filesize

          1.2MB

          MD5

          266f6a62c16f6a889218800762b137be

          SHA1

          31b9bd85a37bf0cbb38a1c30147b83671458fa72

          SHA256

          71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

          SHA512

          b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

          Download Submit

        • C:\Users\Admin\AppData\Local\0woGdy6ZX\dwmapi.dll
          Filesize

          1.1MB

          MD5

          4e9cb1593a73cb0bec22e9f115eb7de4

          SHA1

          209b585707d3b686220f084632a093500aa44f6b

          SHA256

          f2d32ff2ced8807ac9a49d88086caafb9f39b091c1acd58d18131b18b8ece3b8

          SHA512

          e38f52eb3d21bd38c576516c5540c8c9c2db46815cd4d159d4bc050cb44fae9cb88604683b738f20517621edfb6d0d6df8f14cdb0f2a416515ccc57783d95586

          Download Submit

        • C:\Users\Admin\AppData\Local\muqlYP\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          836615462c69b906d11586905fe92c7a

          SHA1

          a2fbe85cc6c739b8663c02d1d9815be73d4f46c6

          SHA256

          a66aa809aaef13a3c26925b0a1ae9c9abb88773574125ab3ed86c64be472903f

          SHA512

          bf1023601f96df94f7686f7095c83f5e6a1a5cfab6f5be19d6f7955d842e0684571a7bc1eed8ab9aa85b6fad8cacce31476c5eee9424ac33d23af115b3cc0346

          Download Submit

        • C:\Users\Admin\AppData\Local\muqlYP\SystemPropertiesProtection.exe
          Filesize

          82KB

          MD5

          26640d2d4fa912fc9a354ef6cfe500ff

          SHA1

          a343fd82659ce2d8de3beb587088867cf2ab8857

          SHA256

          a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

          SHA512

          26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

          Download Submit

        • C:\Users\Admin\AppData\Local\u1c1x\MFC42u.dll
          Filesize

          1.1MB

          MD5

          c5fce8279cd9f71ec6f2cd6e7364649e

          SHA1

          90f83345da7d2daaecb5e3a8f38ac9627af4e023

          SHA256

          c8d55c3ae19c06d317d08bbcd8e124c0613f89dd34a19a12b787c40c4e77afcb

          SHA512

          482b98ef793ef59946a7baca50d63268ee49fb0db42a4da4f1e76accc477ade35d5dab3f6f4d6709bbbf413acc607aa8a9aed8fd00049923217a6cd103c10b94

          Download Submit

        • C:\Users\Admin\AppData\Local\u1c1x\shrpubw.exe
          Filesize

          59KB

          MD5

          9910d5c62428ec5f92b04abf9428eec9

          SHA1

          05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

          SHA256

          6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

          SHA512

          01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk
          Filesize

          1KB

          MD5

          bc47529407c911baf374ea49d5783476

          SHA1

          8b13e9cc719948fab8e2e0668ee37f722569f346

          SHA256

          5de3e8061bf1adaa4b848c273af7cbdb4e2a063982cd0eeb0d0f1eadd97b0fb6

          SHA512

          2edba9bd89f26003d9f10907f0c477e11beaed1a8a6f2ebfefb0921782fc6c43773007715dfcb987b0fe9430569c11eee37f0fb5c33898e98febd60c807a2ef3

          Download Submit

        • memory/944-46-0x0000014E90A70000-0x0000014E90A77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/944-44-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/944-49-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2992-75-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2992-79-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3436-64-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-13-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-22-0x00000000011B0000-0x00000000011B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3440-25-0x00007FFA2E850000-0x00007FFA2E860000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-24-0x00007FFA2E860000-0x00007FFA2E870000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-34-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-4-0x00007FFA2CE6A000-0x00007FFA2CE6B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-7-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-8-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-9-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-10-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-11-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-3-0x0000000003140000-0x0000000003141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-14-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-23-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-12-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3440-6-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3672-0-0x00000271BEFD0000-0x00000271BEFD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3672-37-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3672-1-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download