Overview

overview

10

Static

static

3

a63124e1c6...13.dll

windows7-x64

10

a63124e1c6...13.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13.dll

  • Size

    1.1MB

  • MD5

    a4b1c110a484ba5ca47588ea117ce092

  • SHA1

    82f5efbb7fe1cb100d0521e64311c97ac771a875

  • SHA256

    a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13

  • SHA512

    fd2bfa5c05f51a8aa9ad3602ec9a6fabfb1178d42f80113bf19700260107415dacc1b7e6d7dbf3b7e2a65665f3b3776b30403f791040430c632224bb3d889309

  • SSDEEP

    12288:nkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:nkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1984
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    1⤵
      PID:2776
    • C:\Users\Admin\AppData\Local\VMnGWQLc\recdisc.exe
      C:\Users\Admin\AppData\Local\VMnGWQLc\recdisc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2784
    • C:\Windows\system32\VaultSysUi.exe
      C:\Windows\system32\VaultSysUi.exe
      1⤵
        PID:2736
      • C:\Users\Admin\AppData\Local\obONd\VaultSysUi.exe
        C:\Users\Admin\AppData\Local\obONd\VaultSysUi.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2340
      • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        1⤵
          PID:1256
        • C:\Users\Admin\AppData\Local\5YJXCDEb\SystemPropertiesDataExecutionPrevention.exe
          C:\Users\Admin\AppData\Local\5YJXCDEb\SystemPropertiesDataExecutionPrevention.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:380

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5YJXCDEb\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          22f83ddf303f133121deb79d235d754e

          SHA1

          cbdeb0d10166510d4663c0ae9160f1c74fb7d5b2

          SHA256

          9adcbca5fe567ed9afa37e2a25c697cbcfbe7e68317ccefaa81a1f2644f9bdf4

          SHA512

          ab5b20186348d48d6613c5103516049984796dd95cfa6de45ad4862993b1877db3f22941aa6e46194e4197bc691d631f2c9886fdb3d80814c15499bfa290dc7d

          Download Submit

        • C:\Users\Admin\AppData\Local\VMnGWQLc\ReAgent.dll
          Filesize

          1.1MB

          MD5

          bb213261c4550594e2f6a6a69de6c9f4

          SHA1

          d95e4ed3802b46580ade9aaa6a5320628d12e8f6

          SHA256

          b7033c6a607365c804f91df710eaaa9fafd5a8be6fc01f4f37d6c6d0f3511a05

          SHA512

          85825824d3ad263d63335744486899f8e04682858b912aa14bc4f92b540a43f121d2b832c9ce7254cf24865efaaf6e2e544974e165761c0752a6fade88e945d7

          Download Submit

        • C:\Users\Admin\AppData\Local\obONd\credui.dll
          Filesize

          1.1MB

          MD5

          a342fc3a596d92235508dfa79399b924

          SHA1

          eacb29eb9a9db8a074a0e3faf24721d3584357b1

          SHA256

          c10d3fa72bfdaca425b767f372547315fec7191713656219ca9684d1cbf45250

          SHA512

          cda4d581aab4e729f47d1b0018bbe18e5a47dbe0d698655fef48ee38a4c0c33552d04925ca0769648ef95c2ebe94cd52c49f4f240211d0e1ed09be6f4cc38459

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk
          Filesize

          1KB

          MD5

          785813f817d26357f318c7c8a2bec774

          SHA1

          2bf8588734821d8e19f5cac8810e7333358aaa12

          SHA256

          38a7fa5567376bc554517c349a88b67f55e78f820c5b988b62f87eba51f504e3

          SHA512

          2adb02f81bf1948b1ea6428b5b80417bd79c7b8e4a3c5ffd0d6f7031a2b3b2c887dfe5a729cb6bbf21de631f73af122df6f30083d26fcd1c2d2a464140a5cbef

          Download Submit

        • \Users\Admin\AppData\Local\5YJXCDEb\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit

        • \Users\Admin\AppData\Local\VMnGWQLc\recdisc.exe
          Filesize

          232KB

          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit

        • \Users\Admin\AppData\Local\obONd\VaultSysUi.exe
          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

          Download Submit

        • memory/380-94-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-25-0x0000000077C30000-0x0000000077C32000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1236-45-0x00000000778C6000-0x00000000778C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-13-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-12-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-11-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-10-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-9-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-8-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-3-0x00000000778C6000-0x00000000778C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-26-0x0000000077C60000-0x0000000077C62000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1236-36-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-35-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-4-0x0000000002E30000-0x0000000002E31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-15-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-23-0x0000000002E10000-0x0000000002E17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1236-24-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-7-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-6-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-14-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1984-44-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1984-0-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1984-2-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2340-75-0x00000000000F0000-0x00000000000F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2340-78-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2784-58-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2784-55-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2784-53-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download