Overview

overview

10

Static

static

3

a63124e1c6...13.dll

windows7-x64

10

a63124e1c6...13.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13.dll

  • Size

    1.1MB

  • MD5

    a4b1c110a484ba5ca47588ea117ce092

  • SHA1

    82f5efbb7fe1cb100d0521e64311c97ac771a875

  • SHA256

    a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13

  • SHA512

    fd2bfa5c05f51a8aa9ad3602ec9a6fabfb1178d42f80113bf19700260107415dacc1b7e6d7dbf3b7e2a65665f3b3776b30403f791040430c632224bb3d889309

  • SSDEEP

    12288:nkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:nkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2256
  • C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    1⤵
      PID:2792
    • C:\Users\Admin\AppData\Local\0MhB\dialer.exe
      C:\Users\Admin\AppData\Local\0MhB\dialer.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2712
    • C:\Windows\system32\msra.exe
      C:\Windows\system32\msra.exe
      1⤵
        PID:2648
      • C:\Users\Admin\AppData\Local\mMEkhGrUQ\msra.exe
        C:\Users\Admin\AppData\Local\mMEkhGrUQ\msra.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2716
      • C:\Windows\system32\mspaint.exe
        C:\Windows\system32\mspaint.exe
        1⤵
          PID:1680
        • C:\Users\Admin\AppData\Local\hqWK\mspaint.exe
          C:\Users\Admin\AppData\Local\hqWK\mspaint.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1104

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0MhB\TAPI32.dll
          Filesize

          1.1MB

          MD5

          4263cc1f87485f421e745565d480fa12

          SHA1

          5a959f0149138f8310a6dc3a106c9f5cc9f58971

          SHA256

          a4a1e5a93c7e99f92be89d521e3ee8b2f4c953cceab41554a368ee4f68f1970d

          SHA512

          79afb20831ae142ab9fc38bd9844d2df1e4d306f516eb714fc8145d2320ef56123a033b2542d5844fa93e2e4f01a052e5394d15dac395d5e9d6b0c8379662804

          Download Submit

        • C:\Users\Admin\AppData\Local\hqWK\VERSION.dll
          Filesize

          1.1MB

          MD5

          faccb6239830a8526fdc586474005283

          SHA1

          a26534c110fc401b41c2313aab0e67d0e7e6865a

          SHA256

          4bc6e8cd2ff0417ed960fdf524cdf639531e81d8c4273f2ae8108ad7c0a667e5

          SHA512

          57b971909a888235eac416d97b433013565efb2e460f1803f8cce91fc2bb026cc05d2e6c3906cae5f9012e78a14c858d266220a7036374d68c2a8b0728ca6696

          Download Submit

        • C:\Users\Admin\AppData\Local\mMEkhGrUQ\Secur32.dll
          Filesize

          1.1MB

          MD5

          825f46e1a2273329893c2b600445b00c

          SHA1

          15599553cf35bf814e41499a8099c94fbc35ca4e

          SHA256

          a6b4f3c955d9941982027a103d1b15b12aab617a70147e6f744d8f504cfe4dcd

          SHA512

          3b0c63e4cedfaad2753ac186cad74f09eb25842b9db277dd9b6564142c97ffcf4b7090f80e4668303d542e778ecad80fdae5d12199ef7f42223499a90025af68

          Download Submit

        • C:\Users\Admin\AppData\Local\mMEkhGrUQ\msra.exe
          Filesize

          636KB

          MD5

          e79df53bad587e24b3cf965a5746c7b6

          SHA1

          87a97ec159a3fc1db211f3c2c62e4d60810e7a70

          SHA256

          4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

          SHA512

          9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          1KB

          MD5

          adc72dcf57fa9a24b8e3202ec61afece

          SHA1

          1dcffb1633d8990323412e96ced0388f3afb934d

          SHA256

          730df27a2ee42002f0e45e74553cc62e104c3a822869a173d03f0f795e2786c9

          SHA512

          41f0ed8393d8e1530026c36a499f6b50a34eab6864f1f476efb747eb7563f3a2a254e8b03930db50e4676568ec5ce780792fb9d6f7cf05e70a55146db585b56b

          Download Submit

        • \Users\Admin\AppData\Local\0MhB\dialer.exe
          Filesize

          34KB

          MD5

          46523e17ee0f6837746924eda7e9bac9

          SHA1

          d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

          SHA256

          23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

          SHA512

          c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

          Download Submit

        • \Users\Admin\AppData\Local\hqWK\mspaint.exe
          Filesize

          6.4MB

          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit

        • memory/1104-90-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-12-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-45-0x0000000077BA6000-0x0000000077BA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-11-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-10-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-24-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-9-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-14-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-6-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-26-0x0000000077E40000-0x0000000077E42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-25-0x0000000077E10000-0x0000000077E12000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-38-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-35-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-3-0x0000000077BA6000-0x0000000077BA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-4-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-13-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-23-0x0000000002DD0000-0x0000000002DD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-7-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-8-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-15-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2256-2-0x00000000000B0000-0x00000000000B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2256-44-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2256-0-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2712-58-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2712-53-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2712-55-0x0000000001F10000-0x0000000001F17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-71-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2716-70-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-75-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download