Overview

overview

10

Static

static

3

4af88f0bf5...eb.dll

windows7-x64

10

4af88f0bf5...eb.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4af88f0bf58a337253e7ef9a79dc197102c9e3b2f156b0d5a54998d514ee3eeb.dll

  • Size

    700KB

  • MD5

    6bd456cfeba026cd573f86e5531ea384

  • SHA1

    66a88b459322450c073b8c4626f9967e951775c5

  • SHA256

    4af88f0bf58a337253e7ef9a79dc197102c9e3b2f156b0d5a54998d514ee3eeb

  • SHA512

    a35d4de20a6d51f668e08509255b7ba6ae8085170118c23f65202eb22d7687ae1474a29227f57410e146ca3ab27397d86329acfb08c48806308665f561943f3a

  • SSDEEP

    12288:pqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:pqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4af88f0bf58a337253e7ef9a79dc197102c9e3b2f156b0d5a54998d514ee3eeb.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3024
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    1⤵
      PID:2784
    • C:\Users\Admin\AppData\Local\bFYxAn\msra.exe
      C:\Users\Admin\AppData\Local\bFYxAn\msra.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2984
    • C:\Windows\system32\DmNotificationBroker.exe
      C:\Windows\system32\DmNotificationBroker.exe
      1⤵
        PID:4460
      • C:\Users\Admin\AppData\Local\sYwMS46d\DmNotificationBroker.exe
        C:\Users\Admin\AppData\Local\sYwMS46d\DmNotificationBroker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3784
      • C:\Windows\system32\iexpress.exe
        C:\Windows\system32\iexpress.exe
        1⤵
          PID:3144
        • C:\Users\Admin\AppData\Local\to9n8\iexpress.exe
          C:\Users\Admin\AppData\Local\to9n8\iexpress.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3036

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\bFYxAn\UxTheme.dll
          Filesize

          704KB

          MD5

          18d2ce6cea4d4972f03f41446dc3766f

          SHA1

          a6aeeb512fd1588374c79c2328f0c987d136f4f1

          SHA256

          d5be25a0e3a3caeb685b65c0da2cc4f6caa1095dab827eb7d8ecdf08f5996ae8

          SHA512

          0f4283fa63065784b1344847ce05d42df43e17906734e4818fb5d697f099f2512214e864ef5964dedbd4cfc8aff3d8b2babd5827c426ed4341dbf43f19f1d4a4

          Download Submit

        • C:\Users\Admin\AppData\Local\bFYxAn\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Local\sYwMS46d\DUI70.dll
          Filesize

          980KB

          MD5

          6bb08d42b926761747fd12e2dcccef81

          SHA1

          5d0fffdb1796b65153850ca62e1901e06c14fb76

          SHA256

          562acd3eca3200388a2abbce42ed4f4bd5b3a739d95e1cf245ca36a3b642cca3

          SHA512

          a1994259aa18e9d5eb1ea6f3c3c31d25f87694989c96f92341efe5356eabf693df634676066df5e0acbb0e645d30e1bd510647c02fd85ee83327eb41886c7778

          Download Submit

        • C:\Users\Admin\AppData\Local\sYwMS46d\DmNotificationBroker.exe
          Filesize

          32KB

          MD5

          f0bdc20540d314a2aad951c7e2c88420

          SHA1

          4ab344595a4a81ab5f31ed96d72f217b4cee790b

          SHA256

          f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

          SHA512

          cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

          Download Submit

        • C:\Users\Admin\AppData\Local\to9n8\VERSION.dll
          Filesize

          704KB

          MD5

          72a7f903570523efcc5b0799b09feb6f

          SHA1

          d7802821904fdfbde080608b5c314d8aefd8fba6

          SHA256

          2b30511c6cd46d11499760de7916ae977264755f3f0e1c0fa09e75bd2879d3d4

          SHA512

          82660acd7c0d748e53b7d7cc757b92772f46a94e3a3d4d31232fedc45e3b4ba0f46a8a37573e16988a5a70c1e9796d59b1732255ef0fe9cdb290320a73ef4ac5

          Download Submit

        • C:\Users\Admin\AppData\Local\to9n8\iexpress.exe
          Filesize

          166KB

          MD5

          17b93a43e25d821d01af40ba6babcc8c

          SHA1

          97c978d78056d995f751dfef1388d7cce4cc404a

          SHA256

          d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

          SHA512

          6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk
          Filesize

          1KB

          MD5

          d58c80de0caa2c9647148b338620a2b1

          SHA1

          7a31e722feb1a5cd35bf029ae5f1e19fb7a306f8

          SHA256

          371359a2924317e605c3d34ecbabf0ee22997f2b174130c0fce78f75b713b21c

          SHA512

          548e307307fa0455019b1116cb2a18dcfd0586609d3fea39eaad8e54fb1b2127134cabd3088ab2e2c00a72e93466b3b6696b991c2954f41e9c0583f109fa5c92

          Download Submit

        • memory/2984-50-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2984-46-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2984-45-0x00000295D93D0000-0x00000295D93D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3024-38-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3024-0-0x000001FA98AE0000-0x000001FA98AE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3024-1-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3036-82-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3036-80-0x00007FF76F890000-0x00007FF76F8C0000-memory.dmp

          Filesize

          192KB

          Download

        • memory/3464-13-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-11-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-26-0x00007FFFB49B0000-0x00007FFFB49C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-35-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-24-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-7-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-8-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-9-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-10-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-25-0x00007FFFB49C0000-0x00007FFFB49D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-12-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-15-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-4-0x0000000001580000-0x0000000001581000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-3-0x00007FFFB335A000-0x00007FFFB335B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-6-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3464-23-0x0000000001510000-0x0000000001517000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-14-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3784-66-0x0000000140000000-0x00000001400F5000-memory.dmp

          Filesize

          980KB

          Download

        • memory/3784-62-0x0000000140000000-0x00000001400F5000-memory.dmp

          Filesize

          980KB

          Download

        • memory/3784-61-0x000002D91A730000-0x000002D91A737000-memory.dmp

          Filesize

          28KB

          Download