Overview

overview

10

Static

static

3

4b9e28d775...8f.dll

windows7-x64

10

4b9e28d775...8f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b9e28d775612f9c757d7f7daef0c07823e6764a5f6716a0b9d5e8ae21850d8f.dll

  • Size

    968KB

  • MD5

    5453dd8223f092553390e303d02d3160

  • SHA1

    db579b41e2b925e52a32d67c44d5efadcdb52c91

  • SHA256

    4b9e28d775612f9c757d7f7daef0c07823e6764a5f6716a0b9d5e8ae21850d8f

  • SHA512

    9b3f0cca2e9b8d1af6b86a232606a57a44480f08ecb5854539f517a56d229a7b3a227cf7415caee70f040ee79cdea6cce0139ec99776664785966467199ca82d

  • SSDEEP

    12288:NqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4BaedthD:NqGBHTxvt+g2gYedth

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b9e28d775612f9c757d7f7daef0c07823e6764a5f6716a0b9d5e8ae21850d8f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4424
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    1⤵
      PID:4788
    • C:\Users\Admin\AppData\Local\j46xnG\rdpinit.exe
      C:\Users\Admin\AppData\Local\j46xnG\rdpinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4560
    • C:\Windows\system32\upfc.exe
      C:\Windows\system32\upfc.exe
      1⤵
        PID:876
      • C:\Users\Admin\AppData\Local\L7vWT\upfc.exe
        C:\Users\Admin\AppData\Local\L7vWT\upfc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1672
      • C:\Windows\system32\Netplwiz.exe
        C:\Windows\system32\Netplwiz.exe
        1⤵
          PID:1680
        • C:\Users\Admin\AppData\Local\CkglG\Netplwiz.exe
          C:\Users\Admin\AppData\Local\CkglG\Netplwiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4676

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\CkglG\NETPLWIZ.dll
          Filesize

          972KB

          MD5

          ce8af5226097a63f4539cabddded08be

          SHA1

          1ef1fd017a9c9c8cbfeb98e28da1e43ce26833cf

          SHA256

          01963f2fd539d45f3c14dbac2f4711172c638e7adb8bb8539f98adecd0da7d5b

          SHA512

          8061bb09b8a58bb9d140d724ea6d80abd370d798b8e9b5ad14623c03991599ba01b7a2d3c1be978fe7441563a4eb3f1937310d9e68d1a1bd3e30fb157f82e393

          Download Submit

        • C:\Users\Admin\AppData\Local\CkglG\Netplwiz.exe
          Filesize

          40KB

          MD5

          520a7b7065dcb406d7eca847b81fd4ec

          SHA1

          d1b3b046a456630f65d482ff856c71dfd2f335c8

          SHA256

          8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

          SHA512

          7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

          Download Submit

        • C:\Users\Admin\AppData\Local\L7vWT\XmlLite.dll
          Filesize

          972KB

          MD5

          8731b45bdb9e7db214a02b10d01a9d46

          SHA1

          597a060219b916edb21820656872276029e275fe

          SHA256

          ed8f891beed858106068c1563818d43542a708c19ff2d26063cf356a6108904f

          SHA512

          82ffb14fd26bbd666b9f7caf285ba2c21c50f1f50eedf6c0ccadf172b006ac48f2f1f8c57ace29a363a83d2d805e7e8bd5fc92b9feb8012d8e804ea4ba26c51a

          Download Submit

        • C:\Users\Admin\AppData\Local\L7vWT\upfc.exe
          Filesize

          118KB

          MD5

          299ea296575ccb9d2c1a779062535d5c

          SHA1

          2497169c13b0ba46a6be8a1fe493b250094079b7

          SHA256

          ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

          SHA512

          02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

          Download Submit

        • C:\Users\Admin\AppData\Local\j46xnG\WINSTA.dll
          Filesize

          976KB

          MD5

          4ca8e6d980289adbaf419536c135c753

          SHA1

          9e58533cf3a9a1fc954d45de78a69faf944fd37f

          SHA256

          bdb6b57cb85d5b5da5838bc2f1d47418ef8780d9a4909b7a016697c5adbe1f95

          SHA512

          eddb0bccec6c2aaf09fcfe37a4f9c87623bafe25ac1eabfa7a0ee5fc42a5dfdad2d68004e138a291de15443615ad6cea94addae131d1e05186cb8bbcd4f085e2

          Download Submit

        • C:\Users\Admin\AppData\Local\j46xnG\rdpinit.exe
          Filesize

          343KB

          MD5

          b0ecd76d99c5f5134aeb52460add6f80

          SHA1

          51462078092c9d6b7fa2b9544ffe0a49eb258106

          SHA256

          51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

          SHA512

          16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          092c46a685febb0c409126f15bf5907e

          SHA1

          bf20a4a08322b7233d98b762ebf22d9cde1eee7d

          SHA256

          ebad2a99e1d5f38c895fb74a46af5a32334144bcd64b899982b99c28f16e04d8

          SHA512

          c46120d23e8ad931deacb108feb16e37984e55d27da29e177850901d2eb1b007658e835f8b22f80345abd6b12eb1f7b344465dae873d1bb45a3f6c4db6d0e624

          Download Submit

        • memory/1672-65-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/1672-61-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/1672-60-0x0000019FC5A30000-0x0000019FC5A37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3544-11-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-21-0x0000000000C80000-0x0000000000C87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3544-22-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-33-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-8-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-7-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-6-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-3-0x0000000002B90000-0x0000000002B91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3544-5-0x00007FFC366EA000-0x00007FFC366EB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3544-24-0x00007FFC36970000-0x00007FFC36980000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3544-9-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-10-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-12-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3544-23-0x00007FFC36980000-0x00007FFC36990000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3544-13-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/4424-1-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/4424-37-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4424-36-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/4424-2-0x00007FFC36990000-0x00007FFC36B85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4560-49-0x0000000140000000-0x00000001400F4000-memory.dmp

          Filesize

          976KB

          Download

        • memory/4560-46-0x0000026D9A150000-0x0000026D9A157000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4560-44-0x0000000140000000-0x00000001400F4000-memory.dmp

          Filesize

          976KB

          Download

        • memory/4676-80-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download