Overview

overview

10

Static

static

3

82095408cb...8b.dll

windows7-x64

10

82095408cb...8b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82095408cb1b096fdf360cc0ed6d8e2ba0232e62e4f37a01aa31b4fc69fc618b.dll

  • Size

    1.4MB

  • MD5

    6ad98a87dfac01169872c8d4fcfcf27d

  • SHA1

    e5c6476f15f2d64c0626335585f0f18ed917248a

  • SHA256

    82095408cb1b096fdf360cc0ed6d8e2ba0232e62e4f37a01aa31b4fc69fc618b

  • SHA512

    1fef8d13244cf1a724bdac23697f48ba5bfd3af84666d713ada3684d6fc7c1b0dd0ce05fdefc898298e5b1b8986160d85787ed0e728d72293344174696b0257b

  • SSDEEP

    12288:+kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64Cu5:+kMZ+gf4ltGd8H1fYO0q2G1Ahu5

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\82095408cb1b096fdf360cc0ed6d8e2ba0232e62e4f37a01aa31b4fc69fc618b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2524
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    1⤵
      PID:2632
    • C:\Users\Admin\AppData\Local\jw2SdB5\rdpclip.exe
      C:\Users\Admin\AppData\Local\jw2SdB5\rdpclip.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1984
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      1⤵
        PID:2176
      • C:\Users\Admin\AppData\Local\tHOac9r\OptionalFeatures.exe
        C:\Users\Admin\AppData\Local\tHOac9r\OptionalFeatures.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2296
      • C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
        C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
        1⤵
          PID:2960
        • C:\Users\Admin\AppData\Local\OnLfgUX\WindowsAnytimeUpgradeResults.exe
          C:\Users\Admin\AppData\Local\OnLfgUX\WindowsAnytimeUpgradeResults.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2952

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\OnLfgUX\WINBRAND.dll
          Filesize

          1.4MB

          MD5

          b6f65187b82ac5454deb10c1b9f8dc5a

          SHA1

          4dec772e0d34872d215c96c67c0c38b4399532a2

          SHA256

          dabdeffe5c0091beda683354294df5bbfc2ae3516a6ea3bfaf85e6f140b8cd86

          SHA512

          4e184771011fae718514b56a18f8cba39f0607316232937b7f1e5b9e486f01d646e684813628de2810608d60b443cb0e9e525e8191cdc927ff22f28ef84ef4c7

          Download Submit

        • C:\Users\Admin\AppData\Local\jw2SdB5\WTSAPI32.dll
          Filesize

          1.4MB

          MD5

          f0e8b3a0254eed1ff5bed50864365667

          SHA1

          c3558090ea2fe15f9b710343c2680ea2e93dfe22

          SHA256

          069737eb9fe172af84cae12679da9c2ec3acbb1fe1a73015d53bbe7fec5c3046

          SHA512

          33f31448da6b5729df1d5370bec52d18937849322a8e562259d95a5ac34d51975d829aa801d2341924bfab4d8da33b0e58837458eed4f88323a7cc30c979757e

          Download Submit

        • C:\Users\Admin\AppData\Local\tHOac9r\appwiz.cpl
          Filesize

          1.4MB

          MD5

          bb40edfd8a8c5982ded486806258a861

          SHA1

          267a7870f52ccf4ec04ef260af53ab3d3a2d3686

          SHA256

          279ce76506b99783450217b2174b22f2b0a6f7a194a94565132aaa6db240faa6

          SHA512

          e5166550a72dc8cd46e68e4c645beab58e40660afc8b6442c552b1b88107afc166c5a23833eeecaad8dabbfbdcf63f67c89db144302bcfb4f1e2eb691a9b6adc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          03a518cad495b7fd2be0d241c9695de1

          SHA1

          4ffeb0f4c3db7105a84b2bf5c697307c68b904e5

          SHA256

          53432a2ea2b0c527c86643d85f8b79caa7b75c88e3f3629f4f09a86c25c35a7f

          SHA512

          b14b5efe1a5993ac53bded1f063fd1e007dcb468b2764bdac01e1bbdc4b46a79ce32d184f902361b27aa21e2e6241d9cf9b394f6f0e837ff3c9b4c28a4d1900b

          Download Submit

        • \Users\Admin\AppData\Local\OnLfgUX\WindowsAnytimeUpgradeResults.exe
          Filesize

          288KB

          MD5

          6f3f29905f0ec4ce22c1fd8acbf6c6de

          SHA1

          68bdfefe549dfa6262ad659f1578f3e87d862773

          SHA256

          e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

          SHA512

          16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

          Download Submit

        • \Users\Admin\AppData\Local\jw2SdB5\rdpclip.exe
          Filesize

          206KB

          MD5

          25d284eb2f12254c001afe9a82575a81

          SHA1

          cf131801fdd5ec92278f9e0ae62050e31c6670a5

          SHA256

          837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

          SHA512

          7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

          Download Submit

        • \Users\Admin\AppData\Local\tHOac9r\OptionalFeatures.exe
          Filesize

          95KB

          MD5

          eae7af6084667c8f05412ddf096167fc

          SHA1

          0dbe8aba001447030e48e8ad5466fd23481e6140

          SHA256

          01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

          SHA512

          172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

          Download Submit

        • memory/1180-11-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-3-0x0000000077016000-0x0000000077017000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-24-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-26-0x00000000772B0000-0x00000000772B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1180-25-0x0000000077280000-0x0000000077282000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1180-15-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-9-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-23-0x0000000002D30000-0x0000000002D37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1180-7-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-12-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-10-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-35-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-37-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-4-0x0000000002D50000-0x0000000002D51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-45-0x0000000077016000-0x0000000077017000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-13-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-14-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-6-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1180-8-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1984-58-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1984-55-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1984-53-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2296-70-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2296-75-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2524-44-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2524-0-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2524-1-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2952-91-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download