Overview

overview

10

Static

static

3

8c74a5957b...de.dll

windows7-x64

10

8c74a5957b...de.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c74a5957b9bf68722fb5b45ee791d9eb62a6ece1cbc3cc97c726556df7bc8de.dll

  • Size

    700KB

  • MD5

    c594f03ac5b4fe79eb093364db1115fe

  • SHA1

    ec0557352f8922a2f5241910b20e29e742d76263

  • SHA256

    8c74a5957b9bf68722fb5b45ee791d9eb62a6ece1cbc3cc97c726556df7bc8de

  • SHA512

    f942344aecf5f5af63a5e6dc3bae4c00f08b42927f122b0a947fd8e97096b6f6725540b17794d072cd3daebf94102d0701127515332b70e83cff27de559c3d4d

  • SSDEEP

    12288:pqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:pqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c74a5957b9bf68722fb5b45ee791d9eb62a6ece1cbc3cc97c726556df7bc8de.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1400
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    1⤵
      PID:1620
    • C:\Users\Admin\AppData\Local\sjlfl2\recdisc.exe
      C:\Users\Admin\AppData\Local\sjlfl2\recdisc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1848
    • C:\Windows\system32\ApplicationFrameHost.exe
      C:\Windows\system32\ApplicationFrameHost.exe
      1⤵
        PID:1248
      • C:\Users\Admin\AppData\Local\uM9ZVI\ApplicationFrameHost.exe
        C:\Users\Admin\AppData\Local\uM9ZVI\ApplicationFrameHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1104
      • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
        C:\Windows\system32\ApplySettingsTemplateCatalog.exe
        1⤵
          PID:4304
        • C:\Users\Admin\AppData\Local\yzm\ApplySettingsTemplateCatalog.exe
          C:\Users\Admin\AppData\Local\yzm\ApplySettingsTemplateCatalog.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3324

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\sjlfl2\ReAgent.dll
          Filesize

          704KB

          MD5

          e661e870cb62cb71cc89a5789bd94699

          SHA1

          f133d53190ffe46f07a9c32cbf6b0344e26407d0

          SHA256

          62522b7aa95c1b060336072a5e4d2bde8d45515228476afac63f9004af90da83

          SHA512

          eebeef0483a7ef8dd81984462e7b1cce3c91c3b4767704a1e819ed566b4c14ed8c03f10539d2e8544d77b1bd85119d12ab33477571cc691d032b450fa5cdc5d6

          Download Submit

        • C:\Users\Admin\AppData\Local\sjlfl2\recdisc.exe
          Filesize

          193KB

          MD5

          18afee6824c84bf5115bada75ff0a3e7

          SHA1

          d10f287a7176f57b3b2b315a5310d25b449795aa

          SHA256

          0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

          SHA512

          517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

          Download Submit

        • C:\Users\Admin\AppData\Local\uM9ZVI\ApplicationFrameHost.exe
          Filesize

          76KB

          MD5

          d58a8a987a8dafad9dc32a548cc061e7

          SHA1

          f79fc9e0ab066cad530b949c2153c532a5223156

          SHA256

          cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

          SHA512

          93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

          Download Submit

        • C:\Users\Admin\AppData\Local\uM9ZVI\dxgi.dll
          Filesize

          704KB

          MD5

          ab5e75c006522792ecb039ca8c4ae739

          SHA1

          4ea9593d084f90fffc7dc75d39b5e6e44c1ba0d4

          SHA256

          a02e2be56cde31a1ea84d59b88935c4589b367f4555ed74fed0a07697cd13a03

          SHA512

          380f1ad55fc5ef1b3cd71fab8707380cbf18d0d5925ae530306d66260aad8f7cf6180fa40038f68c46ed3d83ed48d22a3ece85f01a80980217fbe5d3df235919

          Download Submit

        • C:\Users\Admin\AppData\Local\yzm\ACTIVEDS.dll
          Filesize

          704KB

          MD5

          787959b32dc01f206f42121f038769a1

          SHA1

          3c380b815ab1f76472eb6c3d61711252bc8bfe3d

          SHA256

          2a8dae4efebabb618855bccda3f41650205d071a64b59f896742ea2cc75f6c1d

          SHA512

          de1c518da16b76fca688c47a922fe826989d2b67c87350c474ff4a79ad593ea69df12e7abb43d319d2125b9d8f5aa2ac0745734fd4e5c5fe8a2f235c146d2706

          Download Submit

        • C:\Users\Admin\AppData\Local\yzm\ApplySettingsTemplateCatalog.exe
          Filesize

          1.1MB

          MD5

          13af41b1c1c53c7360cd582a82ec2093

          SHA1

          7425f893d1245e351483ab4a20a5f59d114df4e1

          SHA256

          a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

          SHA512

          c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk
          Filesize

          1KB

          MD5

          56397f956132e7e8c767106f55f8fe74

          SHA1

          1ffae2f23d93e118a49fb67d6a1db61cede37159

          SHA256

          a14352ad2e1f7652572c1d998ec87585b8d2a2e0a474dec67aa21ef32ee5f410

          SHA512

          50ea0e8decb41c6e801c645ee19ac534a6a6fd43495b5fc158d48ab0612eafaa7cbf1dd7b8e59f7b2d3c017e5bed609ad9def32e953c1d28f6ad9fa7a99db2d8

          Download Submit

        • memory/1104-66-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1104-63-0x00000242DBB10000-0x00000242DBB17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1400-0-0x0000024796E10000-0x0000024796E17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1400-38-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1400-1-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1848-50-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1848-46-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1848-45-0x00000280C91A0000-0x00000280C91A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3324-81-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3404-13-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-12-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-35-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-7-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-8-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-9-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-10-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-25-0x00007FFC4C3E0000-0x00007FFC4C3F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3404-26-0x00007FFC4C3D0000-0x00007FFC4C3E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3404-6-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-24-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-15-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-23-0x0000000001100000-0x0000000001107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3404-14-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-11-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3404-4-0x00007FFC4B43A000-0x00007FFC4B43B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3404-3-0x0000000001440000-0x0000000001441000-memory.dmp

          Filesize

          4KB

          Download