Overview

overview

10

Static

static

3

d3520a682e...d4.dll

windows7-x64

10

d3520a682e...d4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d3520a682e5bc9190f954ecba113c31ae5aaef3cebdd5deaae12a5845fa449d4.dll

  • Size

    1.1MB

  • MD5

    03ba8398a126fa806383c66c8d69ba43

  • SHA1

    3c3d0b73ae14fa215b32418adbcb836addd8de29

  • SHA256

    d3520a682e5bc9190f954ecba113c31ae5aaef3cebdd5deaae12a5845fa449d4

  • SHA512

    1b154d637599acc42a07a5dcf2deb3c1dd5dea933fd40f7f1adeb8876adecbf78d897d44fc819fa9abb96f6d96166321b33e8162004e611970b3f3a360b22fac

  • SSDEEP

    12288:EkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:EkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3520a682e5bc9190f954ecba113c31ae5aaef3cebdd5deaae12a5845fa449d4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2260
  • C:\Windows\system32\RecoveryDrive.exe
    C:\Windows\system32\RecoveryDrive.exe
    1⤵
      PID:1004
    • C:\Users\Admin\AppData\Local\xBOOj3Z\RecoveryDrive.exe
      C:\Users\Admin\AppData\Local\xBOOj3Z\RecoveryDrive.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4472
    • C:\Windows\system32\bdechangepin.exe
      C:\Windows\system32\bdechangepin.exe
      1⤵
        PID:1172
      • C:\Users\Admin\AppData\Local\4EmKTZD\bdechangepin.exe
        C:\Users\Admin\AppData\Local\4EmKTZD\bdechangepin.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4336
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        1⤵
          PID:3312
        • C:\Users\Admin\AppData\Local\KF1og1\SystemPropertiesComputerName.exe
          C:\Users\Admin\AppData\Local\KF1og1\SystemPropertiesComputerName.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4616

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4EmKTZD\DUI70.dll
          Filesize

          1.4MB

          MD5

          7d836121be6a81d82aef271871bc3264

          SHA1

          190ea28f406f94e4d393fa1f522010e50b1b2e4e

          SHA256

          a77e62956647637e8b93271c283fe765ebe028d228cfd3c71dc825002322f957

          SHA512

          90203645f6a86472021cff3f525891e5ae7b2d56ef06fb8efe3c38c3e5ea886f916995013d4e94e58be799c71ebca08b3537e94e1e3b8b8d3110d97d07a9f57f

          Download Submit

        • C:\Users\Admin\AppData\Local\4EmKTZD\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\KF1og1\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          7aa012b9256fcc87bc0341d38b9618db

          SHA1

          545149f9ea47f6efb06a460862f532513b0d1254

          SHA256

          329d07064b5864222dad8ca83a9b3c46bcff304656e05b2c1c3f5dd9d6dcfc3b

          SHA512

          8b5328a6b795f3140edab3da5cc2a27aad643b425cdd89344ab822b28b7e235c31cf2241be53477f47bf05851b20002f81a0ae23499c1f3a3725be518179c3d6

          Download Submit

        • C:\Users\Admin\AppData\Local\KF1og1\SystemPropertiesComputerName.exe
          Filesize

          82KB

          MD5

          6711765f323289f5008a6a2a04b6f264

          SHA1

          d8116fdf73608b4b254ad83c74f2232584d24144

          SHA256

          bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

          SHA512

          438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

          Download Submit

        • C:\Users\Admin\AppData\Local\xBOOj3Z\ReAgent.dll
          Filesize

          1.1MB

          MD5

          eebcbf8b655d9eacc59c7e9961c19a9e

          SHA1

          1dd54427fb929939bb646b03e85c909ca74ee063

          SHA256

          b9a5b21e3099b8471c71a1d3cc2484c00c471233de5c9eba702114d12a348ce9

          SHA512

          a183ba4f18e2a2544de624bbb8484ec67cfd33f5a8b10defd29189767b30c3f1949b56c78b5addf45cdd7fe1067d7d474e6c4a1d7d9711a7cfd299c24e877aa7

          Download Submit

        • C:\Users\Admin\AppData\Local\xBOOj3Z\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk
          Filesize

          1KB

          MD5

          e9c51046f20b4bad8ff485f3e488170f

          SHA1

          c8c6a220699888bcd6ff03d175f42ef869915bf8

          SHA256

          9024e52c209d79172929daf6357b00d00f2e83b940839e7b3776b4bd71d9d491

          SHA512

          cd66f480824b40faa08b8fde73400350e8fe887229c04f425b0be46e40981a700c4c947ae27a930b466a1010feb16b81ecccfbe3e3721497d728063e95ae462b

          Download Submit

        • memory/2260-37-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2260-2-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2260-0-0x000001DC8D890000-0x000001DC8D897000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-23-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-7-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-11-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-10-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-9-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-8-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-6-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-24-0x00007FFD9DB80000-0x00007FFD9DB90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-34-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-25-0x00007FFD9DB70000-0x00007FFD9DB80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-13-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-5-0x00007FFD9C8EA000-0x00007FFD9C8EB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-3-0x0000000000C70000-0x0000000000C71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-12-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3432-22-0x0000000000C00000-0x0000000000C07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-14-0x0000000140000000-0x000000014011C000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4336-60-0x00000252A9230000-0x00000252A9237000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4336-62-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4336-65-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4472-49-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4472-46-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4472-44-0x00000217E1B30000-0x00000217E1B37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4616-80-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download