Overview

overview

10

Static

static

3

4dce2d4fe2...41.dll

windows7-x64

10

4dce2d4fe2...41.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    107s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4dce2d4fe2054c63b9a870f31a295a3a4f855727508b6da1fe2a2f8a0cbab941.dll

  • Size

    908KB

  • MD5

    a713d62a74696a69c4f6cee26d0d94c2

  • SHA1

    7d37f5b6cb82f71d94ee305e1fccb7879655f830

  • SHA256

    4dce2d4fe2054c63b9a870f31a295a3a4f855727508b6da1fe2a2f8a0cbab941

  • SHA512

    6e4663dcdc40710e39c9fd2b9ff79fb0a0cb5b3bc48883b9c38c826c3c8d498f0dd0b50785c9a5e6d07af73f68f094f5b3ab25427d61cdf7e9fca016f1d68b30

  • SSDEEP

    12288:6qJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:6qGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4dce2d4fe2054c63b9a870f31a295a3a4f855727508b6da1fe2a2f8a0cbab941.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:5020
  • C:\Windows\system32\SppExtComObj.Exe
    C:\Windows\system32\SppExtComObj.Exe
    1⤵
      PID:4220
    • C:\Users\Admin\AppData\Local\0HNK\SppExtComObj.Exe
      C:\Users\Admin\AppData\Local\0HNK\SppExtComObj.Exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2984
    • C:\Windows\system32\ProximityUxHost.exe
      C:\Windows\system32\ProximityUxHost.exe
      1⤵
        PID:1828
      • C:\Users\Admin\AppData\Local\wDxOalf7E\ProximityUxHost.exe
        C:\Users\Admin\AppData\Local\wDxOalf7E\ProximityUxHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1104
      • C:\Windows\system32\wusa.exe
        C:\Windows\system32\wusa.exe
        1⤵
          PID:1172
        • C:\Users\Admin\AppData\Local\47R\wusa.exe
          C:\Users\Admin\AppData\Local\47R\wusa.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4468

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0HNK\ACTIVEDS.dll
          Filesize

          912KB

          MD5

          536814e0d7ffcd5a1f091264e3eeccb7

          SHA1

          fdc2e1a9217779ab292c6a1df4e0a0f2133cd8ba

          SHA256

          943cf415ac18a160bc31eee7b2be3bcfee51a4f70420f95abc349a8b93a59ce5

          SHA512

          4842d73e10dd79603c329eb15ae3d7f7f3704fe1f9e9144be8a1188f63b2d02434758c4ea6c74ff798f208cd8ed79e0a7892cc6f8c051f48b22fef140315a1bb

          Download Submit

        • C:\Users\Admin\AppData\Local\0HNK\SppExtComObj.Exe
          Filesize

          559KB

          MD5

          728a78909aa69ca0e976e94482350700

          SHA1

          6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

          SHA256

          2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

          SHA512

          22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

          Download Submit

        • C:\Users\Admin\AppData\Local\47R\WTSAPI32.dll
          Filesize

          912KB

          MD5

          c99be423a71927d0d4be121489cff4af

          SHA1

          08a713ab415745af2a64633c62e1f53aa819b609

          SHA256

          f444ce12ccf205c5491756d199d48f5c811f2ff65027defa33ec0684ff43797e

          SHA512

          91532a0e5475797bf0cdbf69df539606784a7656171557cdf8d042eb87e89746b208f9b4386deb2777a6c0c9baaff6acc8ea9fc5495e35ccc6e4799a5e14410e

          Download Submit

        • C:\Users\Admin\AppData\Local\47R\wusa.exe
          Filesize

          309KB

          MD5

          e43499ee2b4cf328a81bace9b1644c5d

          SHA1

          b2b55641f2799e3fdb3bea709c9532017bbac59d

          SHA256

          3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

          SHA512

          04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

          Download Submit

        • C:\Users\Admin\AppData\Local\wDxOalf7E\DUI70.dll
          Filesize

          1.2MB

          MD5

          bc02fb27ca04bbeb499e061a61f5ae81

          SHA1

          7fc71e06baf07104baa14417d4fb4d6f69ff0811

          SHA256

          633a5fca70acf0894b6bdafbb39ac42f6013ad5c93c314f9e26ac19ca0ae36e2

          SHA512

          02fee11e657855dc49babd09aa401f935d5f434f4e8b4a441b66d2f376eedef9d9f538639695dca817f4e0e9fd19ac4d772d320ff0806e65c8fecf11f14bacff

          Download Submit

        • C:\Users\Admin\AppData\Local\wDxOalf7E\ProximityUxHost.exe
          Filesize

          263KB

          MD5

          9ea326415b83d77295c70a35feb75577

          SHA1

          f8fc6a4f7f97b242f35066f61d305e278155b8a8

          SHA256

          192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

          SHA512

          2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          fbfaa4a9f0adecbe83af1a9e48f7ba34

          SHA1

          67f08a91a067856bb5c63905eb12ee6a20e6e1b7

          SHA256

          2af42309fcd7eebcc1d39c47ffec8750484e8de18d1fb7cba6f7bd0d7bf9f1e1

          SHA512

          34995e8f24571379261eb0e7f6b2a3bc4ecd8064bc33f6437eda90fb5a8eb4fe0f5e7bb669bd4a1a62eed742d6a2b9539288ef0103843a865a5fad375a3814b5

          Download Submit

        • memory/1104-66-0x0000000140000000-0x0000000140129000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1104-62-0x0000000140000000-0x0000000140129000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2984-51-0x0000000140000000-0x00000001400E4000-memory.dmp

          Filesize

          912KB

          Download

        • memory/2984-47-0x0000000140000000-0x00000001400E4000-memory.dmp

          Filesize

          912KB

          Download

        • memory/2984-46-0x000001DA03AE0000-0x000001DA03AE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-26-0x00007FFA06680000-0x00007FFA06690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-16-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-10-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-8-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-7-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-6-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-9-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-36-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-5-0x00007FFA063FA000-0x00007FFA063FB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-13-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-14-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-12-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-25-0x0000000001000000-0x0000000001007000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-3-0x0000000002BC0000-0x0000000002BC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-27-0x00007FFA06670000-0x00007FFA06680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-24-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-15-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/3460-11-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/4468-81-0x0000000140000000-0x00000001400E4000-memory.dmp

          Filesize

          912KB

          Download

        • memory/5020-2-0x0000021032390000-0x0000021032397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5020-39-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/5020-0-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download