Overview

overview

10

Static

static

3

bf4a030404...b6.dll

windows7-x64

10

bf4a030404...b6.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-10-2024 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf4a030404a33a8c559e6247a6a7dde969beac784237a4bc09ee9782a6b13eb6.dll

  • Size

    700KB

  • MD5

    22bb81fe492c73919a75ae4152bd6da9

  • SHA1

    93ea623df22f23cfba08fce532ae04b037f6f93f

  • SHA256

    bf4a030404a33a8c559e6247a6a7dde969beac784237a4bc09ee9782a6b13eb6

  • SHA512

    60cad20be3e4548eab668e1c1c280d9588241638f320e2d9f36587ea89754c47e47ac4ca692182b7707d326ee6c88229b350f39ef11cf1e9c2b1b2fbf2cc704c

  • SSDEEP

    12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf4a030404a33a8c559e6247a6a7dde969beac784237a4bc09ee9782a6b13eb6.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:5040
  • C:\Windows\system32\RdpSa.exe
    C:\Windows\system32\RdpSa.exe
    1⤵
      PID:4624
    • C:\Users\Admin\AppData\Local\34KDBb\RdpSa.exe
      C:\Users\Admin\AppData\Local\34KDBb\RdpSa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3576
    • C:\Windows\system32\msinfo32.exe
      C:\Windows\system32\msinfo32.exe
      1⤵
        PID:4204
      • C:\Users\Admin\AppData\Local\vFha3\msinfo32.exe
        C:\Users\Admin\AppData\Local\vFha3\msinfo32.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4352
      • C:\Windows\system32\RecoveryDrive.exe
        C:\Windows\system32\RecoveryDrive.exe
        1⤵
          PID:2728
        • C:\Users\Admin\AppData\Local\jmmib1u\RecoveryDrive.exe
          C:\Users\Admin\AppData\Local\jmmib1u\RecoveryDrive.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2792

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\34KDBb\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\34KDBb\WINSTA.dll
          Filesize

          708KB

          MD5

          1057bec46fb851a7c5bfc4e222919390

          SHA1

          db5534dcee761610c08a5feb38b26266175d7322

          SHA256

          0c0bad13573d1c12006cc7d4c95025752029465c10c424f8179b9f0b60556ca6

          SHA512

          155637711b295bddf8708478f7d54d0ec7731b03aaa8988696f1fd5e8270af4ea2075744665ae3152729263993de3020861811a47bca1ecdba990520395148d3

          Download Submit

        • C:\Users\Admin\AppData\Local\jmmib1u\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\jmmib1u\UxTheme.dll
          Filesize

          704KB

          MD5

          d07cc9dd83d8eb97c7bc1b6f2074c75c

          SHA1

          d6a65914d9e829531c4f8af2a8939ae509a9bd8c

          SHA256

          2a59c395e1f3f8af24b2e6c3b7e4db0aad11463a4fd34e28496cadb5cef7b929

          SHA512

          b13cfaa100226ea4ba240bebef295da07f931d68eefe932503071cb3210bc7f8327fc39d6daa862a116f7acc036b0ee4ffa76ff3e0e4457217445bf6eca41ccb

          Download Submit

        • C:\Users\Admin\AppData\Local\vFha3\SLC.dll
          Filesize

          704KB

          MD5

          02f76180d49cba2b5e2bbbd0e97bf9ae

          SHA1

          7f478536e16ec8bcfa226ed2cadbf7020b5bf86d

          SHA256

          12acab01c811dbf50bd58703f3fc179babe6d10b386aad2ee0b861159f76fe7a

          SHA512

          b88949b33dbf6c6f70fbf9fae0da913ae7713f5b0412ca6bb150b8f6cdf3b33a19166ff5b5eb8122378d6a8391d8c816ad6557fa7b50cc4530fcba594d873b44

          Download Submit

        • C:\Users\Admin\AppData\Local\vFha3\msinfo32.exe
          Filesize

          376KB

          MD5

          0aed91da63713bf9f881b03a604a1c9d

          SHA1

          b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

          SHA256

          5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

          SHA512

          04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk
          Filesize

          1KB

          MD5

          4322da7bf0bfbd219ea93ea624e6ec14

          SHA1

          9098a3f373c3fbcffec34e6319943fa8a0f5c72e

          SHA256

          eb1264fe47ec5da8868e6198a593df71231e6543c523534e47f933d39aecf053

          SHA512

          8d912c89e0521a5c2e8b2d0c301c5ac08ef5596103489e897b7949ab719ce6c2cc27598856bfcfc8513bfd07b1b25651c141bd362c67d29898e3cccdcca3e9b2

          Download Submit

        • memory/2792-81-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3436-25-0x00007FFB656A0000-0x00007FFB656B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-15-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-11-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-10-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-9-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-8-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-7-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-24-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-4-0x00000000009A0000-0x00000000009A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-26-0x00007FFB65690000-0x00007FFB656A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-36-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-3-0x00007FFB649CA000-0x00007FFB649CB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-13-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-12-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-6-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-14-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3436-23-0x00000000028F0000-0x00000000028F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3576-50-0x0000000140000000-0x00000001400B1000-memory.dmp

          Filesize

          708KB

          Download

        • memory/3576-47-0x000002088A9A0000-0x000002088A9A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3576-45-0x0000000140000000-0x00000001400B1000-memory.dmp

          Filesize

          708KB

          Download

        • memory/4352-62-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/4352-61-0x000001B0092A0000-0x000001B0092A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4352-66-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/5040-38-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/5040-2-0x0000022792570000-0x0000022792577000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5040-0-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download