Overview

overview

10

Static

static

3

328aa9b106...5a.dll

windows7-x64

10

328aa9b106...5a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a.dll

  • Size

    696KB

  • MD5

    09eac984a186ff4bc57bbf0d7a04057b

  • SHA1

    fbef060f577b7aac6346db2072fc852aa4832b20

  • SHA256

    328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a

  • SHA512

    a690df7c00db4aa59b6a19995754820fc704a8f3524ce4394f8f99e2086b83ba835be63e490e63b59641c2e5ffd7cd575a4313021172351afe5d986a6a50980e

  • SSDEEP

    12288:RqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:RqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1204
  • C:\Windows\system32\SystemPropertiesProtection.exe
    C:\Windows\system32\SystemPropertiesProtection.exe
    1⤵
      PID:2012
    • C:\Users\Admin\AppData\Local\QuSyFo\SystemPropertiesProtection.exe
      C:\Users\Admin\AppData\Local\QuSyFo\SystemPropertiesProtection.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1888
    • C:\Windows\system32\rstrui.exe
      C:\Windows\system32\rstrui.exe
      1⤵
        PID:3948
      • C:\Users\Admin\AppData\Local\jHHVFG\rstrui.exe
        C:\Users\Admin\AppData\Local\jHHVFG\rstrui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1372
      • C:\Windows\system32\lpksetup.exe
        C:\Windows\system32\lpksetup.exe
        1⤵
          PID:4952
        • C:\Users\Admin\AppData\Local\IyYJ2NB\lpksetup.exe
          C:\Users\Admin\AppData\Local\IyYJ2NB\lpksetup.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:908

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IyYJ2NB\dpx.dll
          Filesize

          700KB

          MD5

          2dcf730e676328e34b149a28246c66ca

          SHA1

          d6d1019ddcb80b254b25ba207700e303646b06d3

          SHA256

          669eb5828e8d3e694be7da09478365485a1b3fe8c6f2d10007d1f035ddb2b1fc

          SHA512

          1108a3bd92e2f873de44015d047c43f55ba9d9b532c2e3708466275bee5960e1f596bd505e4d17f823a9e8cf7afa7e90260ed8bff5a85dee4afb41813f1e0bc7

          Download Submit

        • C:\Users\Admin\AppData\Local\IyYJ2NB\lpksetup.exe
          Filesize

          728KB

          MD5

          c75516a32e0aea02a184074d55d1a997

          SHA1

          f9396946c078f8b0f28e3a6e21a97eeece31d13f

          SHA256

          cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

          SHA512

          92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

          Download Submit

        • C:\Users\Admin\AppData\Local\QuSyFo\SYSDM.CPL
          Filesize

          700KB

          MD5

          ca6f2c03ed9869ee95135ede4a435622

          SHA1

          84adbc0cd4d2b5335573440342c68bfeba88e019

          SHA256

          410bdd4cc81533d404a6f921ada4e3c37c4150d30d3aed186b5c75b64eb8bff3

          SHA512

          8d713f41ce397108a313b24d515a6298969ee164a928f6ce3ea02a8fd8f8b523d2f661db5a2b3baef767e0e35897282d31385ccf7c6500dc6277b1ea1b90fb71

          Download Submit

        • C:\Users\Admin\AppData\Local\QuSyFo\SystemPropertiesProtection.exe
          Filesize

          82KB

          MD5

          26640d2d4fa912fc9a354ef6cfe500ff

          SHA1

          a343fd82659ce2d8de3beb587088867cf2ab8857

          SHA256

          a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

          SHA512

          26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

          Download Submit

        • C:\Users\Admin\AppData\Local\jHHVFG\SPP.dll
          Filesize

          700KB

          MD5

          bb3ffccad97e10c84d947d0e096a9c77

          SHA1

          a333401bd996e74cb109281d646a05db18ff8bb7

          SHA256

          ccb101adc0d21e857dd9586125619cde38b5b2914b3bb271fc6a2cc970b43611

          SHA512

          7d11d671a052bf45ad5af62ac39d0dcb499e3d783c63357ebba9b976dd1b1f14a4180d4a0fcf0f804ac526cabb41cd5caae2614b7bd169753a0cf1ca79919635

          Download Submit

        • C:\Users\Admin\AppData\Local\jHHVFG\rstrui.exe
          Filesize

          268KB

          MD5

          4cad10846e93e85790865d5c0ab6ffd9

          SHA1

          8a223f4bab28afa4c7ed630f29325563c5dcda1a

          SHA256

          9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

          SHA512

          c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          85e4f9abda03e539780fc8a2ecf68567

          SHA1

          2a6112956e9cf808567118eac052d37ca420edbd

          SHA256

          90e1d9a4500ea7f7bbd1024c8e75fdf569cc45dc6f2a90778effe1124ecdb5dd

          SHA512

          89154951e3a6104ab89dca4ac6bd622ca3388fd39aacf9a3e4f30c56df5c59f33229a453a453b4a8d23cbbbebc63f5886bf89fdfb0105184fb21899bb987f9d7

          Download Submit

        • memory/908-81-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1204-0-0x00000277BFFA0000-0x00000277BFFA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-37-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1204-2-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1372-63-0x0000021C74A70000-0x0000021C74A77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1372-66-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1888-49-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1888-45-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1888-44-0x000001EB79B30000-0x000001EB79B37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-12-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-34-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-6-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-7-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-8-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-9-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-23-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-24-0x00007FFFF8680000-0x00007FFFF8690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-25-0x00007FFFF8670000-0x00007FFFF8680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-11-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-14-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-22-0x00000000004D0000-0x00000000004D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-13-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-10-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3460-3-0x00000000025B0000-0x00000000025B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-5-0x00007FFFF7C0A000-0x00007FFFF7C0B000-memory.dmp

          Filesize

          4KB

          Download