Overview

overview

10

Static

static

3

4c0249819c...aa.dll

windows7-x64

10

4c0249819c...aa.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa.dll

  • Size

    692KB

  • MD5

    e9531680b8f5142d44285991f2709e0a

  • SHA1

    45d9e59a69ddade77a8f3b4f0edb6deb18e8d3b6

  • SHA256

    4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa

  • SHA512

    dbb8b8208e7f6ebf90a715963d9fdbfdb29c66ce079c9b805f116064e5ffbd334f5ef958279460ac3193a1610eca25d90f7e63c078b0e70369c2d0bef3262617

  • SSDEEP

    12288:AqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:AqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1392
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:2768
    • C:\Users\Admin\AppData\Local\YardgBedd\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\YardgBedd\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2804
    • C:\Windows\system32\mspaint.exe
      C:\Windows\system32\mspaint.exe
      1⤵
        PID:2348
      • C:\Users\Admin\AppData\Local\mnqhLV\mspaint.exe
        C:\Users\Admin\AppData\Local\mnqhLV\mspaint.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3028
      • C:\Windows\system32\ddodiag.exe
        C:\Windows\system32\ddodiag.exe
        1⤵
          PID:2320
        • C:\Users\Admin\AppData\Local\Frh4\ddodiag.exe
          C:\Users\Admin\AppData\Local\Frh4\ddodiag.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1508

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Frh4\XmlLite.dll
          Filesize

          696KB

          MD5

          1451c88ab9979da154a489df191eb92a

          SHA1

          47a916b732fcab814efdabf8ca1fc4c1aa04bc94

          SHA256

          5b92f3c0dd7505adf676f23da330140470ed5be06ea0a9ae178000ba1255d69e

          SHA512

          ded55fba6d8b0c5138c07ae2f5be1eca904c8f4ac0f58cfeeb0e105b6db4852b10c0933c9c4a039e315fa312674f66b6f2a991a0d4dc60ae5a80d12315778dcc

          Download Submit

        • C:\Users\Admin\AppData\Local\YardgBedd\SYSDM.CPL
          Filesize

          696KB

          MD5

          dacee971cb85e890b3f77b291fb8487c

          SHA1

          4fac914cd5bdb0e70b62a5828dae2425506de058

          SHA256

          38ebe24899a3e5819d543c988c28d15f5f4477fa5028e6fb7062929a4a8e5518

          SHA512

          8906bdbc3113cb337dc7fd58201e79a0b2302e2a77892ffbc23ecfb4eb5af10a5fd34d220aa44f13f66a8081082e4d339fa8ded9d6cda5e188272c979d3cd53a

          Download Submit

        • C:\Users\Admin\AppData\Local\YardgBedd\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit

        • C:\Users\Admin\AppData\Local\mnqhLV\WINMM.dll
          Filesize

          700KB

          MD5

          4a166330a67f6d0c6b1a4e85355a9310

          SHA1

          b5d632627cc1e83f8d0db5ae87c2b29cd27ce8c1

          SHA256

          47625342d727646722a1c2b2396dbe5cb8c38d518401c916a03b7ff8ea4b28fa

          SHA512

          025660ed03e56d51bb5ac87569fe340759786d506d54365a3be4abd607b7cd7f2fe4054b8cbe2bedd0d098d48350340405231e5a5c42e32bd1dd7204988f69d7

          Download Submit

        • C:\Users\Admin\AppData\Local\mnqhLV\mspaint.exe
          Filesize

          6.4MB

          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk
          Filesize

          1KB

          MD5

          7f37db19c8fcc6c5b7138d49daae5a90

          SHA1

          c3831b82ed7746d69f6c039cd71118bc5ed6102d

          SHA256

          37f86dd15f49f19579b761a85dfce9b4b7c5365eca871b74878aae270523a1f6

          SHA512

          956885cf97912ded3e1ec8d5203b9ee069101edbca18f73a6ad9ebc4b7f5c1326078f9c41e6ee8e3a80e9d7beea5fff226c47c06e605ea55ce79daedd921b8bf

          Download Submit

        • \Users\Admin\AppData\Local\Frh4\ddodiag.exe
          Filesize

          42KB

          MD5

          509f9513ca16ba2f2047f5227a05d1a8

          SHA1

          fe8d63259cb9afa17da7b7b8ede4e75081071b1a

          SHA256

          ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

          SHA512

          ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

          Download Submit

        • memory/1208-33-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-21-0x0000000002130000-0x0000000002137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-24-0x0000000077670000-0x0000000077672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-23-0x0000000077640000-0x0000000077642000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-3-0x00000000773D6000-0x00000000773D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-34-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-4-0x0000000002150000-0x0000000002151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-43-0x00000000773D6000-0x00000000773D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1208-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1392-42-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1392-0-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1392-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1508-89-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2804-56-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2804-52-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2804-51-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3028-68-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3028-69-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3028-73-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download