Overview

overview

10

Static

static

3

8942de37f6...09.dll

windows7-x64

10

8942de37f6...09.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8942de37f64cd1f04b7022ad6d9713df408d9e9449e3942161ccebb970fdc109.dll

  • Size

    1.2MB

  • MD5

    b8839ffc79f088860701573eae079ec2

  • SHA1

    88323714954aec18328ded2cb0a7ea08d5f5714d

  • SHA256

    8942de37f64cd1f04b7022ad6d9713df408d9e9449e3942161ccebb970fdc109

  • SHA512

    4b6d7a362f6f52721a026ce293d9d0b647cea983bc52a896022cf605b6abe127a5532cba24bc07f579ea6e6b0bc542e1b62d93a746015cf606b69c50e5f5ad41

  • SSDEEP

    12288:KqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed0j:KqGBHTxvt+g2gYed0

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8942de37f64cd1f04b7022ad6d9713df408d9e9449e3942161ccebb970fdc109.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2536
  • C:\Windows\system32\vmicsvc.exe
    C:\Windows\system32\vmicsvc.exe
    1⤵
      PID:1224
    • C:\Users\Admin\AppData\Local\dPP19d\vmicsvc.exe
      C:\Users\Admin\AppData\Local\dPP19d\vmicsvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2944
    • C:\Windows\system32\msra.exe
      C:\Windows\system32\msra.exe
      1⤵
        PID:2732
      • C:\Users\Admin\AppData\Local\QMnD3B\msra.exe
        C:\Users\Admin\AppData\Local\QMnD3B\msra.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2304
      • C:\Windows\system32\rrinstaller.exe
        C:\Windows\system32\rrinstaller.exe
        1⤵
          PID:1476
        • C:\Users\Admin\AppData\Local\noxAcm\rrinstaller.exe
          C:\Users\Admin\AppData\Local\noxAcm\rrinstaller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2952

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\QMnD3B\UxTheme.dll
          Filesize

          1.2MB

          MD5

          7fb3a611ec8e1de7cc99e57ccbd67218

          SHA1

          a2df507bd86b72237431eced8ecc0442b74fe1cb

          SHA256

          63aed74d1a324d0a5fc6411bf52c605eeb33ec890ebbea941fd1dcbadffdfef7

          SHA512

          79b60b9fa158462b499ae1e0be324cda021fdedf45ec19be20d73bbe2436d539393a6e608477fa9f4eead948a50706b4997cf93b17c8b87e50231f2fa75395f4

          Download Submit

        • C:\Users\Admin\AppData\Local\dPP19d\ACTIVEDS.dll
          Filesize

          1.2MB

          MD5

          9e602b0f737954054941f0606f7aef2c

          SHA1

          07b72db2d21c662bd2719e3d0b025fa7bae957f6

          SHA256

          e3c3cedbd716177a7569b850081d7c289c3dbad4c1305b6ffa49e2489702bf7c

          SHA512

          f0c4ac27b06586551fec09dabcfc82796ce44514fd1cd997240882779c65b7257ce747d35e61027c671624268c34ef07fe58299230fda6e604a27045d07cc924

          Download Submit

        • C:\Users\Admin\AppData\Local\noxAcm\MFPlat.DLL
          Filesize

          1.2MB

          MD5

          72c9bd2981d90b299212d0893bccffae

          SHA1

          5ca154117b2db90abe441afe9c12994a7a1a639f

          SHA256

          57c4fa4ffbc46669a5c9eeb4dd752c82490b7b13304f884b3be5e93aee749391

          SHA512

          a2795433e431b13cf119047b7b638e344c7ea051b56a2a65a0c7df58dac99c9c668f2da061ed02974812f43372111b21c5ce26fccd539dcdfcbfb72488594777

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          a495d87aca3e254c3f192902d73247a2

          SHA1

          2ed2d89b0c330cd2423b9d2bfefb7517a04265b0

          SHA256

          42dfbe36f64cecc34dc527b7d1a9f188fdc51cfa475941ba8cc660dc6b3c29c6

          SHA512

          cd500fe95c0ad5842f6bcf090eabfe2ebcb65849ace5e11c2076c04620fc851da8ee94dd27648d20616fefe6d17fb23e17d6a3cd72d38b96c88bc350854ccece

          Download Submit

        • \Users\Admin\AppData\Local\QMnD3B\msra.exe
          Filesize

          636KB

          MD5

          e79df53bad587e24b3cf965a5746c7b6

          SHA1

          87a97ec159a3fc1db211f3c2c62e4d60810e7a70

          SHA256

          4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

          SHA512

          9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

          Download Submit

        • \Users\Admin\AppData\Local\dPP19d\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • \Users\Admin\AppData\Local\noxAcm\rrinstaller.exe
          Filesize

          54KB

          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit

        • memory/1188-27-0x0000000077500000-0x0000000077502000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-46-0x0000000077166000-0x0000000077167000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-11-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-14-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-17-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-16-0x0000000002E00000-0x0000000002E07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-15-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-13-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-10-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-25-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-26-0x00000000774D0000-0x00000000774D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-3-0x0000000077166000-0x0000000077167000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-37-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-36-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-4-0x0000000002E20000-0x0000000002E21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-9-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-8-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-7-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-12-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1188-6-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2304-71-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2304-76-0x0000000140000000-0x0000000140129000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2536-45-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2536-0-0x0000000140000000-0x0000000140128000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2536-2-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2944-59-0x0000000140000000-0x0000000140129000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2944-54-0x0000000140000000-0x0000000140129000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2944-56-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2952-88-0x0000000140000000-0x000000014012A000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2952-92-0x0000000140000000-0x000000014012A000-memory.dmp

          Filesize

          1.2MB

          Download