Overview

overview

10

Static

static

3

8c74a5957b...de.dll

windows7-x64

10

8c74a5957b...de.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-10-2024 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c74a5957b9bf68722fb5b45ee791d9eb62a6ece1cbc3cc97c726556df7bc8de.dll

  • Size

    700KB

  • MD5

    c594f03ac5b4fe79eb093364db1115fe

  • SHA1

    ec0557352f8922a2f5241910b20e29e742d76263

  • SHA256

    8c74a5957b9bf68722fb5b45ee791d9eb62a6ece1cbc3cc97c726556df7bc8de

  • SHA512

    f942344aecf5f5af63a5e6dc3bae4c00f08b42927f122b0a947fd8e97096b6f6725540b17794d072cd3daebf94102d0701127515332b70e83cff27de559c3d4d

  • SSDEEP

    12288:pqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:pqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c74a5957b9bf68722fb5b45ee791d9eb62a6ece1cbc3cc97c726556df7bc8de.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3052
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:2852
    • C:\Users\Admin\AppData\Local\sDN9vdQ\raserver.exe
      C:\Users\Admin\AppData\Local\sDN9vdQ\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2132
    • C:\Windows\system32\notepad.exe
      C:\Windows\system32\notepad.exe
      1⤵
        PID:2576
      • C:\Users\Admin\AppData\Local\tLpVw\notepad.exe
        C:\Users\Admin\AppData\Local\tLpVw\notepad.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2456
      • C:\Windows\system32\icardagt.exe
        C:\Windows\system32\icardagt.exe
        1⤵
          PID:640
        • C:\Users\Admin\AppData\Local\A7QEwmP\icardagt.exe
          C:\Users\Admin\AppData\Local\A7QEwmP\icardagt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2060

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\A7QEwmP\UxTheme.dll
          Filesize

          704KB

          MD5

          f0ed0a336f8460cd2f52b3857fe6e5d1

          SHA1

          a3d9cb7c4b96194d49cc50eb232f67738042446c

          SHA256

          5a8859c83ebf39553432f220715bb60518d0e5490f0b2a40060547aafa98f2c6

          SHA512

          fe4b304a102a9a9075eea7d77bbe30dccd54c9824b91d3487d54621442e716aa0dc1139f21931963fdf5a14aa90faebe19dcb56afbeb7fd0defdaa2813b2283f

          Download Submit

        • C:\Users\Admin\AppData\Local\sDN9vdQ\WTSAPI32.dll
          Filesize

          704KB

          MD5

          3ac74b2777bf6ff74c4f5dfc37cbb952

          SHA1

          026660e56bacfb2dc0fc4b9820d2d0c9be2bb8db

          SHA256

          62f41fc849536e954d46320773017dbed0bb327c8112cfbe4eec483ac9071214

          SHA512

          a0ee3697a90a9721b6baf0cc51324e0eb0dedfff91f33032a47cd5246d88003f22852a4d971c02737b2e9fa69a2da6c0efd593491908974ed64aa6c84a62210b

          Download Submit

        • C:\Users\Admin\AppData\Local\tLpVw\VERSION.dll
          Filesize

          704KB

          MD5

          b4660d68ee1906d4cb66f8b40269bead

          SHA1

          0a8a522767db7d2efd6f1e2864a50568828d32a7

          SHA256

          900260154076701daae0e7b83c3ea64723ec3d7281a43192356c9cef8ea38a19

          SHA512

          06a2733981f5f389c698c2bf46c8b5ae41ee9c4c3ef0d41d2497cce7629d3ffb248c7822368dadfea0b0a63663e32e404627cd56153767cbfa8b0c309e873a2f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          769656a7c9be7ffaa7b92114dc6ab001

          SHA1

          f2adf471c64bbfd6aa3de6f4bbdca53d69d8af73

          SHA256

          a1a35903744a7011cef680948038092007dca10650e2416017ea186c9e35d2ec

          SHA512

          e46412f606e9d5378bf3ceae14d18976b0c0c695756d11533ebd34503a9431428448075ade5f6d5a2df1fc26e6536fafd9ff11fcadc89a4f1b7adf2409f177de

          Download Submit

        • \Users\Admin\AppData\Local\A7QEwmP\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit

        • \Users\Admin\AppData\Local\sDN9vdQ\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • \Users\Admin\AppData\Local\tLpVw\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit

        • memory/1076-25-0x0000000077620000-0x0000000077622000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1076-3-0x00000000772B6000-0x00000000772B7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1076-24-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-13-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-12-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-11-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-10-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-9-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-23-0x0000000002550000-0x0000000002557000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1076-14-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-26-0x0000000077650000-0x0000000077652000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1076-36-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-35-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-8-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-45-0x00000000772B6000-0x00000000772B7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1076-15-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-7-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1076-4-0x0000000002570000-0x0000000002571000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1076-6-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2060-90-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2132-58-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2132-55-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2132-53-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2456-74-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3052-44-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3052-0-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3052-2-0x0000000000420000-0x0000000000427000-memory.dmp

          Filesize

          28KB

          Download