Overview

overview

10

Static

static

3

a52f659bb3...9c.dll

windows7-x64

10

a52f659bb3...9c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a52f659bb3d1b5cf058752c904488078b1dab05992f21b858129a829429c279c.dll

  • Size

    1.1MB

  • MD5

    a44d3f9481fa8b38391601fee76a5809

  • SHA1

    60308d0829cf769f88725debddb0c89bbe296e11

  • SHA256

    a52f659bb3d1b5cf058752c904488078b1dab05992f21b858129a829429c279c

  • SHA512

    304af4426f721ed5fc5bc982a120e07b108a31317f67683de5997fbc3cc87b5d34e74662aaffce1ae0d7c86a8613eb152de71c3fd8d069cc209fe990bf42c3c4

  • SSDEEP

    12288:IkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64Cdw:IkMZ+gf4ltGd8H1fYO0q2G1AhW9

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a52f659bb3d1b5cf058752c904488078b1dab05992f21b858129a829429c279c.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2280
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    1⤵
      PID:2632
    • C:\Users\Admin\AppData\Local\yHq3\msra.exe
      C:\Users\Admin\AppData\Local\yHq3\msra.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2996
    • C:\Windows\system32\rdpshell.exe
      C:\Windows\system32\rdpshell.exe
      1⤵
        PID:2340
      • C:\Users\Admin\AppData\Local\5TPzk4\rdpshell.exe
        C:\Users\Admin\AppData\Local\5TPzk4\rdpshell.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2104
      • C:\Windows\system32\mfpmp.exe
        C:\Windows\system32\mfpmp.exe
        1⤵
          PID:1564
        • C:\Users\Admin\AppData\Local\My6Z\mfpmp.exe
          C:\Users\Admin\AppData\Local\My6Z\mfpmp.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2056

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5TPzk4\WINSTA.dll
          Filesize

          1.1MB

          MD5

          a34e3940194f83c7c0f0c8c30444cbd0

          SHA1

          1382d01411fdc2db81dc4e2a33e3cc33aadd080c

          SHA256

          840550f79d478c5381d69a1a38d1f4c15b8ff91e994dc65068c3b7a82a78d722

          SHA512

          67bdf6440da34c56a764d7025b7e2414b271e904c613c3bd3ce1947b599e39701bc8dd57c34bb123b8b5474e5a456006a4b9a44274f2673369489a7f85d0ec13

          Download Submit

        • C:\Users\Admin\AppData\Local\5TPzk4\rdpshell.exe
          Filesize

          292KB

          MD5

          a62dfcea3a58ba8fcf32f831f018fe3f

          SHA1

          75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

          SHA256

          f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

          SHA512

          9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

          Download Submit

        • C:\Users\Admin\AppData\Local\My6Z\MFPlat.DLL
          Filesize

          1.1MB

          MD5

          35844c7ba362d43b67fc78dbb92c5666

          SHA1

          930d22bfb9cf58f40520078361b3de61fc84e67b

          SHA256

          b07b754b333c58c3598f0b5fdb0b80f3d6f1610b37340397885500ddea1a2602

          SHA512

          a1d416c6ccb7064f9363c8621cb9dbe4556ab8c3256ee0b14e136ec8da449f9ae2fc2d611a9502547274fd8f23757e515878b7efe45c0abab66c4d8ec943634f

          Download Submit

        • C:\Users\Admin\AppData\Local\yHq3\Secur32.dll
          Filesize

          1.1MB

          MD5

          275fa84f19aa035d2defb9d4fde39e21

          SHA1

          7f4db264e50f0f0017aa1e1b4364b364754fef5b

          SHA256

          69b76f28c061b62e65edf3c72a9aa5bfc3dfdb63af3a760c2afa767265be7932

          SHA512

          c3a8315ac35cdbabdbb1efd5b11906409b9ec0fc84742057c4edfba572fd4e51585261d7bbed3ba009e97f3a8ed0ce581265ad8eb9026eaadc2cb6f88f277bba

          Download Submit

        • C:\Users\Admin\AppData\Local\yHq3\msra.exe
          Filesize

          636KB

          MD5

          e79df53bad587e24b3cf965a5746c7b6

          SHA1

          87a97ec159a3fc1db211f3c2c62e4d60810e7a70

          SHA256

          4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

          SHA512

          9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk
          Filesize

          1KB

          MD5

          59588877433e8890959931b1d12d1d42

          SHA1

          7d2dbd3550dbda03943ef579982ddaad553a231a

          SHA256

          51c32ddfc44b8b289f794b80edb4927226f8ee3e31335cdbb7ae0c0fb8c39fd1

          SHA512

          95ff323a7cc6024bfdfc6a844f4781eb12c5d14bc77fab84dae6a377754d5b7151f5cf40e3e13478d9a1298efc6fe0da759654dba70b260ecf9f41ef162752a6

          Download Submit

        • \Users\Admin\AppData\Local\My6Z\mfpmp.exe
          Filesize

          24KB

          MD5

          2d8600b94de72a9d771cbb56b9f9c331

          SHA1

          a0e2ac409159546183aa45875497844c4adb5aac

          SHA256

          7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

          SHA512

          3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

          Download Submit

        • memory/1212-24-0x0000000077370000-0x0000000077372000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-44-0x0000000077006000-0x0000000077007000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-23-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-14-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-13-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-12-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-7-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-6-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-25-0x00000000773A0000-0x00000000773A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-3-0x0000000077006000-0x0000000077007000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-34-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-36-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-4-0x0000000002A40000-0x0000000002A41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-8-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-9-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-11-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-15-0x0000000002A20000-0x0000000002A27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1212-10-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2056-90-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2104-69-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2104-70-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2104-74-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2280-43-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2280-0-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2280-1-0x0000000140000000-0x0000000140122000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2996-57-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2996-52-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2996-54-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download