Overview

overview

10

Static

static

3

079c9b5405...dd.dll

windows7-x64

10

079c9b5405...dd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    079c9b54059a2d71584c2abaf4295b20bfbd0510564ec0166404a0d6cd8aa5dd.dll

  • Size

    1.1MB

  • MD5

    b0c305619b4621dd6b6b10af932a4b2e

  • SHA1

    f3ee38cace8615b6fba326e5261f048d24e7ff74

  • SHA256

    079c9b54059a2d71584c2abaf4295b20bfbd0510564ec0166404a0d6cd8aa5dd

  • SHA512

    af8719bf73dc454b8b64cb7b203b4dcb097aa3ea03376c592193bf4cf4ec36204fa59b95e400a369dbd4a9a833c4d64f4c2ffb6418b82e290c3736b3dcb9a0b5

  • SSDEEP

    12288:ckMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:ckMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\079c9b54059a2d71584c2abaf4295b20bfbd0510564ec0166404a0d6cd8aa5dd.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2688
  • C:\Windows\system32\sdclt.exe
    C:\Windows\system32\sdclt.exe
    1⤵
      PID:1044
    • C:\Users\Admin\AppData\Local\BOat2bY5p\sdclt.exe
      C:\Users\Admin\AppData\Local\BOat2bY5p\sdclt.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3020
    • C:\Windows\system32\msra.exe
      C:\Windows\system32\msra.exe
      1⤵
        PID:2900
      • C:\Users\Admin\AppData\Local\Hx4iICm\msra.exe
        C:\Users\Admin\AppData\Local\Hx4iICm\msra.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3012
      • C:\Windows\system32\SystemPropertiesAdvanced.exe
        C:\Windows\system32\SystemPropertiesAdvanced.exe
        1⤵
          PID:1648
        • C:\Users\Admin\AppData\Local\drEt\SystemPropertiesAdvanced.exe
          C:\Users\Admin\AppData\Local\drEt\SystemPropertiesAdvanced.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1004

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\BOat2bY5p\WTSAPI32.dll
          Filesize

          1.1MB

          MD5

          805518328e280e9d4f1c27ebba1fafdb

          SHA1

          5dc6866709a656c3c4645f0a1c30a7d19b6c6dc7

          SHA256

          2c858906e72a424876e270d2b695f97ec07b407afa650232be22893d787d0908

          SHA512

          327fc183fdd2ffd5ab21952f21712c27f938d8a5fbd7fbf70ba07ca8ccb1ccdd868a915c3ec498826425ec1916950c7172bb0a9d9dfe2fa8b62761f636c6b01a

          Download Submit

        • C:\Users\Admin\AppData\Local\BOat2bY5p\sdclt.exe
          Filesize

          1.2MB

          MD5

          cdebd55ffbda3889aa2a8ce52b9dc097

          SHA1

          4b3cbfff5e57fa0cb058e93e445e3851063646cf

          SHA256

          61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

          SHA512

          2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

          Download Submit

        • C:\Users\Admin\AppData\Local\drEt\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          de5137a192e43e272ac352847990291a

          SHA1

          5162886def7917ef9b88d103709d9b1620af0f72

          SHA256

          5d3ab6193201899c467eccce95b0620b70f9102af21945f75a692cd633f361d6

          SHA512

          01a8a04e46e642829a61620174b3e64726a6d1cd6a284c1b5ebee39bea64147ecfefbe75f14abfbd360bcd3a9fe7cf3287d8eaa0b7707c003fc967ace1ed53bb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          1KB

          MD5

          a37caf4533401c412ce60dde2dd4feae

          SHA1

          38a9ea483aeb7b1f3f35ce410f4b0b1ab91068d0

          SHA256

          5697bb6326a6e9bfa6974ec67f40d8ffca8d96f6f848c29ecf31f50babf9609b

          SHA512

          ec62027d213ce5f52cee00cb2518bed913812987337373fb697a89f5d54bcbd3141ec4d1a0cc81d19c67b40ed555caf67d8a37fa5c39fa630dcc0d84a59e5437

          Download Submit

        • \Users\Admin\AppData\Local\Hx4iICm\UxTheme.dll
          Filesize

          1.1MB

          MD5

          cfc093ec8c64cb353af45554d67ec596

          SHA1

          f0dbfcc2fa30538318c60d82ee1c3b3f3eb090e9

          SHA256

          6bcfacf975e792bae2231e7779c20e52a6536fb73b95ff51c54de056a4ba8d6e

          SHA512

          7d42c17c3d849816267a695c740070548d3d790b413dd90131e43369df04d13319e6efbbd3dd723c1678bceee072a5e0d07ecfdb79cd51672f9e3bcc9a5db637

          Download Submit

        • \Users\Admin\AppData\Local\Hx4iICm\msra.exe
          Filesize

          636KB

          MD5

          e79df53bad587e24b3cf965a5746c7b6

          SHA1

          87a97ec159a3fc1db211f3c2c62e4d60810e7a70

          SHA256

          4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

          SHA512

          9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

          Download Submit

        • \Users\Admin\AppData\Local\drEt\SystemPropertiesAdvanced.exe
          Filesize

          80KB

          MD5

          25dc1e599591871c074a68708206e734

          SHA1

          27a9dffa92d979d39c07d889fada536c062dac77

          SHA256

          a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

          SHA512

          f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

          Download Submit

        • memory/1004-91-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-25-0x0000000077470000-0x0000000077472000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1164-45-0x0000000077106000-0x0000000077107000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1164-15-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-23-0x0000000002970000-0x0000000002977000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1164-14-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-13-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-12-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-26-0x00000000774A0000-0x00000000774A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1164-3-0x0000000077106000-0x0000000077107000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1164-24-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-35-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-38-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-4-0x0000000003960000-0x0000000003961000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1164-6-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-7-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-8-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-11-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-10-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1164-9-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2688-44-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2688-0-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2688-1-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3012-72-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3012-75-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3020-58-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3020-54-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3020-53-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download