Overview

overview

10

Static

static

3

d3520a682e...d4.dll

windows7-x64

10

d3520a682e...d4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3520a682e5bc9190f954ecba113c31ae5aaef3cebdd5deaae12a5845fa449d4.dll

  • Size

    1.1MB

  • MD5

    03ba8398a126fa806383c66c8d69ba43

  • SHA1

    3c3d0b73ae14fa215b32418adbcb836addd8de29

  • SHA256

    d3520a682e5bc9190f954ecba113c31ae5aaef3cebdd5deaae12a5845fa449d4

  • SHA512

    1b154d637599acc42a07a5dcf2deb3c1dd5dea933fd40f7f1adeb8876adecbf78d897d44fc819fa9abb96f6d96166321b33e8162004e611970b3f3a360b22fac

  • SSDEEP

    12288:EkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:EkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3520a682e5bc9190f954ecba113c31ae5aaef3cebdd5deaae12a5845fa449d4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2348
  • C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe
    1⤵
      PID:3012
    • C:\Users\Admin\AppData\Local\Z55qo9Yv\cmstp.exe
      C:\Users\Admin\AppData\Local\Z55qo9Yv\cmstp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2704
    • C:\Windows\system32\SystemPropertiesRemote.exe
      C:\Windows\system32\SystemPropertiesRemote.exe
      1⤵
        PID:2752
      • C:\Users\Admin\AppData\Local\NTsK\SystemPropertiesRemote.exe
        C:\Users\Admin\AppData\Local\NTsK\SystemPropertiesRemote.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2628
      • C:\Windows\system32\AdapterTroubleshooter.exe
        C:\Windows\system32\AdapterTroubleshooter.exe
        1⤵
          PID:2624
        • C:\Users\Admin\AppData\Local\WIEt\AdapterTroubleshooter.exe
          C:\Users\Admin\AppData\Local\WIEt\AdapterTroubleshooter.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2316

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\NTsK\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          c8cef1990d9fbef914f9d9dfb7849eb5

          SHA1

          0acb4f34d4d4768efa9332f0e0b4bb43cd079a92

          SHA256

          f200fa430722ad574f89be82eb294ecae01b3f3a21f6fc2d3081f6e2d982d808

          SHA512

          cadfcda59ee39decd1957a9759bf62b6888db1d9132906c4690add9b8a59707aac7a3c9c73922ac592a35dcf6c512f3941448e39b5a3a2f9c2580dc9d2a69451

          Download Submit

        • C:\Users\Admin\AppData\Local\WIEt\d3d9.dll
          Filesize

          1.1MB

          MD5

          8f3734172c3207c91f490a3ad886546c

          SHA1

          a6668836a2e67dc80a0c44d1cd7b8c8cc73e6dcc

          SHA256

          9bd2144a5b406e013f93a91035827e70ffa3057ddfa8b26140f8d9c5fb6f5f20

          SHA512

          325a6120534e804395bb84526e90447707098d9576c47aa56902ad41f67237bb20a34a5448180e1c4c14899cbfe8a42db641e2729c54b23eddfda5155e9f04d7

          Download Submit

        • C:\Users\Admin\AppData\Local\Z55qo9Yv\VERSION.dll
          Filesize

          1.1MB

          MD5

          e4dedc20cd9d331a2fcae5d4fa0820a1

          SHA1

          e29bbeb3b9a4fdbcd1bb113ced19027e523233ab

          SHA256

          13cd31e4e8298d61e4b4f90cab1773609d75ff98e7ac96661c734f39203c718b

          SHA512

          84bf8582b7f3b921aa9b2ab20e790fbd285dfbc5da7fee23aa51b19116ab46595b2016313ec8ee3f6d4c547b27b9c083dd1193a25662259b18344f9f7395fd4f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          035d58bf43d7fd80e8dd74b0d8dbc11f

          SHA1

          0821ee4c11ccfa52d6fb6b7fe8586ec76d31f034

          SHA256

          36791a63a81c656e44474f89d546aad21e43574aae4b5c329a8b6e60ee269941

          SHA512

          8a30a9b32764f4eefff3f0bfe46e66cb826f6479bb19739319e97a5a614b95b5e3f02c5846331a58e9f22e0d8f128b82d5d320baf4b6417e67db3c1493c6b769

          Download Submit

        • \Users\Admin\AppData\Local\NTsK\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit

        • \Users\Admin\AppData\Local\WIEt\AdapterTroubleshooter.exe
          Filesize

          39KB

          MD5

          d4170c9ff5b2f85b0ce0246033d26919

          SHA1

          a76118e8775e16237cf00f2fb79718be0dc84db1

          SHA256

          d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

          SHA512

          9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

          Download Submit

        • \Users\Admin\AppData\Local\Z55qo9Yv\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit

        • memory/1204-25-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-44-0x0000000077726000-0x0000000077727000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-13-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-12-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-11-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-10-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-8-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-6-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-24-0x0000000077A90000-0x0000000077A92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-3-0x0000000077726000-0x0000000077727000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-34-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-35-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-4-0x0000000002890000-0x0000000002891000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-22-0x0000000002870000-0x0000000002877000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-23-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-14-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-7-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1204-9-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2316-90-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2348-43-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2348-0-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2348-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2628-71-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2628-74-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2704-57-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2704-54-0x0000000001F10000-0x0000000001F17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2704-52-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download