Overview

overview

10

Static

static

3

4c0249819c...aa.dll

windows7-x64

10

4c0249819c...aa.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa.dll

  • Size

    692KB

  • MD5

    e9531680b8f5142d44285991f2709e0a

  • SHA1

    45d9e59a69ddade77a8f3b4f0edb6deb18e8d3b6

  • SHA256

    4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa

  • SHA512

    dbb8b8208e7f6ebf90a715963d9fdbfdb29c66ce079c9b805f116064e5ffbd334f5ef958279460ac3193a1610eca25d90f7e63c078b0e70369c2d0bef3262617

  • SSDEEP

    12288:AqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:AqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0249819c9ceee38ab90401687c1f349ae91e260f8323835b0388504402e8aa.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:936
  • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    1⤵
      PID:2072
    • C:\Users\Admin\AppData\Local\2BskaLq\ApplySettingsTemplateCatalog.exe
      C:\Users\Admin\AppData\Local\2BskaLq\ApplySettingsTemplateCatalog.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1660
    • C:\Windows\system32\eudcedit.exe
      C:\Windows\system32\eudcedit.exe
      1⤵
        PID:2088
      • C:\Users\Admin\AppData\Local\KKnbZdI\eudcedit.exe
        C:\Users\Admin\AppData\Local\KKnbZdI\eudcedit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4720
      • C:\Windows\system32\BitLockerWizardElev.exe
        C:\Windows\system32\BitLockerWizardElev.exe
        1⤵
          PID:2936
        • C:\Users\Admin\AppData\Local\1nGCWvkg4\BitLockerWizardElev.exe
          C:\Users\Admin\AppData\Local\1nGCWvkg4\BitLockerWizardElev.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2704

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1nGCWvkg4\BitLockerWizardElev.exe
          Filesize

          100KB

          MD5

          8ac5a3a20cf18ae2308c64fd707eeb81

          SHA1

          31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

          SHA256

          803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

          SHA512

          85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

          Download Submit

        • C:\Users\Admin\AppData\Local\1nGCWvkg4\FVEWIZ.dll
          Filesize

          696KB

          MD5

          6483a9093b1191ac5ce427ac72561f74

          SHA1

          a920c4e9b73af2831b6f257071827e824519792c

          SHA256

          39c6a96cb01e31e6743732c5319ce76ce34692a913f0f3b52a7c87bfc945002a

          SHA512

          7737946c7da2d1f2cb4f4a1f83d9688e9ed229a98f67076ec764e9a9c25e8a767498001075356f7e431efba3abf7911a6a67cb011fb66812f831934bf2be0e73

          Download Submit

        • C:\Users\Admin\AppData\Local\2BskaLq\ACTIVEDS.dll
          Filesize

          696KB

          MD5

          9fe1b0f823549c0a1174625304440f32

          SHA1

          ecfd01a5b8610265b24ab6a46df58e75cd73243d

          SHA256

          fc529f5dfb9114b82a39a0b68271c1a9d3e2ff0815a3bb21da9527bdc145a01b

          SHA512

          f0e4df158a5b1d6b32896c266f5a22e8d1432afebaace945fea8338344b2ce39fde1851840302f199325fc09a5462654e00c28e3e625557b622601e9979b67f4

          Download Submit

        • C:\Users\Admin\AppData\Local\2BskaLq\ApplySettingsTemplateCatalog.exe
          Filesize

          1.1MB

          MD5

          13af41b1c1c53c7360cd582a82ec2093

          SHA1

          7425f893d1245e351483ab4a20a5f59d114df4e1

          SHA256

          a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

          SHA512

          c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

          Download Submit

        • C:\Users\Admin\AppData\Local\KKnbZdI\MFC42u.dll
          Filesize

          720KB

          MD5

          d57798aeea44f7f00760b4ab4a0d6e72

          SHA1

          1fa99becdd63a24b8ca5ed4e144125ff1fc962f7

          SHA256

          81e37e2c5dad7321cf6d9c4858921f85f715cf7c3c68cc1ac17f6bc0977e68aa

          SHA512

          2514b19079e4d9181a5838670283957b63463917a54f7a5a8d62c76e294f6648de4d2ed89dc3af6a9b64522ae7cc12a9c0300e44ce4ba492f2b47a620c11d4d9

          Download Submit

        • C:\Users\Admin\AppData\Local\KKnbZdI\eudcedit.exe
          Filesize

          365KB

          MD5

          a9de6557179d371938fbe52511b551ce

          SHA1

          def460b4028788ded82dc55c36cb0df28599fd5f

          SHA256

          83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

          SHA512

          5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk
          Filesize

          1KB

          MD5

          a5b948eec09621080d8e25e1a9a3e31e

          SHA1

          013ae663ad2d67cac7703906d53bb3ebc66740ba

          SHA256

          aae84c71960faea00e3f1bda219529d1cae9cd136eb42c1ccd0787371177f425

          SHA512

          92c9014cf06d1a2c2192f1bcd1dd0020cc1a1e8f7d0fe84d1e40142bcfadd52537884ce0633704748addba382439f35c77902b5a94f1040d115e40ee3da84520

          Download Submit

        • memory/936-36-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/936-0-0x000001BCCCBA0000-0x000001BCCCBA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/936-2-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1660-45-0x000001A1A77B0000-0x000001A1A77B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1660-48-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1660-43-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2704-81-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3488-23-0x00007FFC10BC0000-0x00007FFC10BD0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3488-24-0x00007FFC10BB0000-0x00007FFC10BC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3488-3-0x0000000002720000-0x0000000002721000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3488-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-33-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-5-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-12-0x00007FFC0F7AA000-0x00007FFC0F7AB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3488-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3488-21-0x00000000006B0000-0x00000000006B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4720-66-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/4720-61-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/4720-63-0x000001C722750000-0x000001C722757000-memory.dmp

          Filesize

          28KB

          Download