Overview

overview

10

Static

static

3

582465ca47...2f.dll

windows7-x64

10

582465ca47...2f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    582465ca47042194af55732c39ecd86302618b932f5b6608c9b1b825c112042f.dll

  • Size

    696KB

  • MD5

    0a3cf587cfebb06a98eb27d2200ddf2a

  • SHA1

    cb58b536bfb54b7ee2795a8939361465a8cb262e

  • SHA256

    582465ca47042194af55732c39ecd86302618b932f5b6608c9b1b825c112042f

  • SHA512

    806a83b20039618e181ccb87f9658cdb6dd25cef4b59d3bfc7c3a65381f1b67440e015dfe4f756f3c7e05ec05f3bba06732e32e51ddabc1295b803254ab9fd0f

  • SSDEEP

    12288:BqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:BqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\582465ca47042194af55732c39ecd86302618b932f5b6608c9b1b825c112042f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2880
  • C:\Windows\system32\javaws.exe
    C:\Windows\system32\javaws.exe
    1⤵
      PID:2008
    • C:\Users\Admin\AppData\Local\6S0zcWdOk\javaws.exe
      C:\Users\Admin\AppData\Local\6S0zcWdOk\javaws.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2620
    • C:\Windows\system32\msdtc.exe
      C:\Windows\system32\msdtc.exe
      1⤵
        PID:2256
      • C:\Users\Admin\AppData\Local\TMBXb9v\msdtc.exe
        C:\Users\Admin\AppData\Local\TMBXb9v\msdtc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2996
      • C:\Windows\system32\UI0Detect.exe
        C:\Windows\system32\UI0Detect.exe
        1⤵
          PID:2944
        • C:\Users\Admin\AppData\Local\cQmH8FaK\UI0Detect.exe
          C:\Users\Admin\AppData\Local\cQmH8FaK\UI0Detect.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2988

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6S0zcWdOk\VERSION.dll
          Filesize

          700KB

          MD5

          a8df89baba0cbd8ad1fc8a1c9dd7e635

          SHA1

          67dca2fc3a07da14c485bb3e67caa919c5187a22

          SHA256

          22fe0f5ac9c49400cb8934052907b1c889cf56a9881ff2651c19baef7ab6bcfb

          SHA512

          093a0e915bfeffe40979237981d309d088d3a7156bccefb337f41a981475d0cbbe0d7a1c88b75e610ac7e25574eed037eb76863dafae375a9793aa4e98f928f8

          Download Submit

        • C:\Users\Admin\AppData\Local\TMBXb9v\VERSION.dll
          Filesize

          700KB

          MD5

          a659da8087195bbf6376071ccc8d7669

          SHA1

          9f3208affa442888ef10af19b3f14f8dfa1eb208

          SHA256

          efcc72157ee16f3201b7565ab3625cd1226f0537f4468ddec1c5f50509d2a35e

          SHA512

          4e13ec78f09a7cdf4ea07c3493e2a94abac651c9a7cc13e73a2a245c117acadd6495e48e7d56493ac1f261278655dfecf85847d2d0f638cba1d7f7d7fa389ede

          Download Submit

        • C:\Users\Admin\AppData\Local\cQmH8FaK\WTSAPI32.dll
          Filesize

          700KB

          MD5

          e3165c57cb64265de1f0113d7896b531

          SHA1

          8fd247af9304238ee32769818c246277147b1553

          SHA256

          14046fb27f33fa501bb82f0b330ec778276d9409dd1bc599e351b78b84f466bd

          SHA512

          98f4978d82f73ff4e80a4ce5de339de988b547576d5bb89724e0acf7d7cd2e444b6d592091506ea46cd3f8455b68304e365c5b02b83c73e9ac1ba115f3318447

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1017B

          MD5

          c70a26b5f6c56f9349ed77be26c86d3c

          SHA1

          e1bef76298b1b32f282e1a56f6798f1a80f06c2c

          SHA256

          323a5aa916996807c7fb37e4639a9747cb9862bba539fbb917330f27e3005ca9

          SHA512

          a5958ee28e7cae91cb2731ae1ee57c5544c32520a9c4f7435e1e6123353147bf0adc7cdc4bed1f649b582c2c09552fa25200b8132e5949397373df327b023abb

          Download Submit

        • \Users\Admin\AppData\Local\6S0zcWdOk\javaws.exe
          Filesize

          312KB

          MD5

          f94bc1a70c942621c4279236df284e04

          SHA1

          8f46d89c7db415a7f48ccd638963028f63df4e4f

          SHA256

          be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

          SHA512

          60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

          Download Submit

        • \Users\Admin\AppData\Local\TMBXb9v\msdtc.exe
          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit

        • \Users\Admin\AppData\Local\cQmH8FaK\UI0Detect.exe
          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit

        • memory/1352-24-0x0000000077D80000-0x0000000077D82000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1352-44-0x0000000077A16000-0x0000000077A17000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1352-9-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-8-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-7-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-6-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-23-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-10-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-25-0x0000000077DB0000-0x0000000077DB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1352-3-0x0000000077A16000-0x0000000077A17000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1352-35-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-34-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-4-0x0000000002590000-0x0000000002591000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1352-11-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-12-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-13-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-14-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1352-22-0x0000000002570000-0x0000000002577000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2620-57-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2620-54-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2620-52-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2880-43-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2880-0-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2880-1-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2988-90-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2996-69-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2996-74-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download