Overview

overview

10

Static

static

3

0bc57ba35f...b1.dll

windows7-x64

10

0bc57ba35f...b1.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1.dll

  • Size

    1.1MB

  • MD5

    bd5c5e5fd3ccc87376233a873effa08e

  • SHA1

    76e9011550b052c0f12294f12fa77fa53e7b309e

  • SHA256

    0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1

  • SHA512

    92c6e4b56d30701b09ebdc414a8547cb41a09fa16c390d58663b2b5e861e3dcb608adcdd6cda3fc01c10fb38ca1b4d4f72d062862e9617a14eaff670c28a3cf3

  • SSDEEP

    12288:wkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:wkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2844
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    1⤵
      PID:3252
    • C:\Users\Admin\AppData\Local\jDlAoXF\msra.exe
      C:\Users\Admin\AppData\Local\jDlAoXF\msra.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2644
    • C:\Windows\system32\recdisc.exe
      C:\Windows\system32\recdisc.exe
      1⤵
        PID:3988
      • C:\Users\Admin\AppData\Local\zuQM\recdisc.exe
        C:\Users\Admin\AppData\Local\zuQM\recdisc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1056
      • C:\Windows\system32\bdechangepin.exe
        C:\Windows\system32\bdechangepin.exe
        1⤵
          PID:2364
        • C:\Users\Admin\AppData\Local\Uje6\bdechangepin.exe
          C:\Users\Admin\AppData\Local\Uje6\bdechangepin.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4904

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Uje6\DUI70.dll
          Filesize

          1.4MB

          MD5

          1e60f6c00d9836c8701b13ea96c28f1f

          SHA1

          027a1ee9a8e57c0fdf46fa8a621e1551dfa54a27

          SHA256

          d5a301e30d2199a011ce35672834c15764d678d0d2084e2d78f06910dcad96f8

          SHA512

          1066f9ccffffeccff9eae2983371e31cde41d1926588e51b348bfb4426870372ef285f56d73404062c46a407737adaf33dda1e9bfbb4c43587f1713082e3563e

          Download Submit

        • C:\Users\Admin\AppData\Local\Uje6\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\jDlAoXF\NDFAPI.DLL
          Filesize

          1.1MB

          MD5

          eb5b3389025bdfb69c6a3b9426f67c3a

          SHA1

          247e172ce2c362a0a54efb4a7162d7d094eb5927

          SHA256

          7c8b83a271af8f647e17d0420313da1674dc78f6b44a7a14d00cc68b294a1301

          SHA512

          1ca95d301ebe42bf11f424b92ac9addfe1a16e1e2fbb39d8f925ebff5dcecd24552a1af90ce3620561141c49101e06fb9fa2be8c240ef5edf7045bbc9c7733e2

          Download Submit

        • C:\Users\Admin\AppData\Local\jDlAoXF\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Local\zuQM\ReAgent.dll
          Filesize

          1.1MB

          MD5

          507648f75445e8f041e1365957d077f6

          SHA1

          bfa9617924e842926cf6697dd85a675ac5e59a42

          SHA256

          e98fd288de1036795b4c03cd52d33d80fa86878b3ba1d0085794a75886cc60a6

          SHA512

          cd253a278b30ac800416539f5c63e192cb81b690cb559cf934640885f3b62b4fc1c8f81d6c119f5bee57ba7cefa0a9084928582935bf2ebe26d2c9207354b86c

          Download Submit

        • C:\Users\Admin\AppData\Local\zuQM\recdisc.exe
          Filesize

          193KB

          MD5

          18afee6824c84bf5115bada75ff0a3e7

          SHA1

          d10f287a7176f57b3b2b315a5310d25b449795aa

          SHA256

          0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

          SHA512

          517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk
          Filesize

          1KB

          MD5

          d80a326d447d9b1e5773369cd3d72d58

          SHA1

          d430612e94eedc85aafc83acc3bd0dfad8c8eb41

          SHA256

          d467d0c1be920caa76e1cc836ffe0e4ff506a142f407eef2d3bddc0fa510a538

          SHA512

          f1add1abd854ff50799fe27e777f69e56183c4faf0b317b95d09e7a732617af55968c8a05535e944f3d4703f06185c94bfea16c5bde7c693651c8ae6decdb3d1

          Download Submit

        • memory/1056-66-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1056-63-0x0000015015F80000-0x0000015015F87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2644-50-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2644-47-0x0000024D53810000-0x0000024D53817000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2644-45-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2844-0-0x00000170E6CA0000-0x00000170E6CA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2844-38-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2844-1-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-24-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-12-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-3-0x0000000000900000-0x0000000000901000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3500-5-0x00007FF935F6A000-0x00007FF935F6B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3500-6-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-15-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-8-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-9-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-10-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-7-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-35-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-25-0x00007FF9364C0000-0x00007FF9364D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3500-26-0x00007FF9364B0000-0x00007FF9364C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3500-13-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-23-0x0000000000830000-0x0000000000837000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3500-14-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3500-11-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4904-81-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4904-77-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

          Download