Overview

overview

10

Static

static

3

87f7e4782f...47.dll

windows7-x64

10

87f7e4782f...47.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447.dll

  • Size

    692KB

  • MD5

    65411740b33c7475d67552a92d3c4054

  • SHA1

    d1191e086f3faa2f2168a28eac66d7360c94d5e9

  • SHA256

    87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447

  • SHA512

    3bdb279bba9946af41d4bccc9b2bed4c8f37fc03d0cc53d0845311645ba39d6a30ca0e8d6bbe7bc8a1d94c8cacaeb8f515686b226e59b8ec06f6d6242c85fb03

  • SSDEEP

    12288:cqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:cqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f7e4782faff19b704c3881d94a1ba35fefd2ffe10b55399af5a9ca43227447.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1064
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    1⤵
      PID:884
    • C:\Users\Admin\AppData\Local\IW3BeSC0\bdechangepin.exe
      C:\Users\Admin\AppData\Local\IW3BeSC0\bdechangepin.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3368
    • C:\Windows\system32\rdpshell.exe
      C:\Windows\system32\rdpshell.exe
      1⤵
        PID:808
      • C:\Users\Admin\AppData\Local\M1h1vBQk\rdpshell.exe
        C:\Users\Admin\AppData\Local\M1h1vBQk\rdpshell.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4224
      • C:\Windows\system32\CloudNotifications.exe
        C:\Windows\system32\CloudNotifications.exe
        1⤵
          PID:3124
        • C:\Users\Admin\AppData\Local\fgM\CloudNotifications.exe
          C:\Users\Admin\AppData\Local\fgM\CloudNotifications.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2552

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IW3BeSC0\DUI70.dll
          Filesize

          972KB

          MD5

          6441774fad84c1c360d5f1ce17e5ffdb

          SHA1

          3c990fcbf532e726da44b3afd9c64a38d2c4ff1e

          SHA256

          57cd847b6f919ee5ae7dd3becf19c26133f77158afd9efb66e2cd478d0177f87

          SHA512

          f54e6f970e305842944d7ee2420dac95fb7aacfbafce5d80bcc17d274a7ce965c5aac0ac5c1f42704f6f20b4271c4eb1da6483c4f45737a8147497c1029ce3af

          Download Submit

        • C:\Users\Admin\AppData\Local\IW3BeSC0\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\M1h1vBQk\WTSAPI32.dll
          Filesize

          696KB

          MD5

          e0a6f93374258719cec4ca44e0755d11

          SHA1

          3e1c026d68241e527d6481197c07110f74324c3e

          SHA256

          d2b84f7387530a6f7ec6cc0b0f7b0fe99e3c327a5a40c85f435e780a6b7e757a

          SHA512

          d9853d09009540d45010a3578fb55695a8d4883fa93580243c55f69c456a07d54f0373f9db9a578b3f10130411c8601cf983279e3779d7529e47616c333770be

          Download Submit

        • C:\Users\Admin\AppData\Local\M1h1vBQk\rdpshell.exe
          Filesize

          468KB

          MD5

          428066713f225bb8431340fa670671d4

          SHA1

          47f6878ff33317c3fc09c494df729a463bda174c

          SHA256

          da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

          SHA512

          292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

          Download Submit

        • C:\Users\Admin\AppData\Local\fgM\CloudNotifications.exe
          Filesize

          59KB

          MD5

          b50dca49bc77046b6f480db6444c3d06

          SHA1

          cc9b38240b0335b1763badcceac37aa9ce547f9e

          SHA256

          96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

          SHA512

          2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

          Download Submit

        • C:\Users\Admin\AppData\Local\fgM\UxTheme.dll
          Filesize

          696KB

          MD5

          205f21913df40c9b76f2436357a51e43

          SHA1

          0fca0dd966272febd21b85a6087973af1e84bbbc

          SHA256

          4406efaeb098cd474722adcaafef58c25b2f267a8984ab339ecb65c91a6dffad

          SHA512

          d0ddf508b7ab4e5a5b9de0558b35e291a1ef3a7384e92284e0a8d13e6fa1a4d64f49d70b5bf8cf60d79b9a0c357b5ecf618a7eca6c43f45a0be7d4ab066c2642

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          1KB

          MD5

          2754e80d40bcb8b3e8c484d6bada5ffc

          SHA1

          4a81edce87b1d1fe356c82208d86e2a9fbc48b04

          SHA256

          551520697e58fde629941ec4f5d5bc78c6980c1ace1d76b2b84d97bc539e632b

          SHA512

          be306b302e5dfd2a4f09daa95b44d328cada7f141a773bc432b011080e5405b5f98be9425c606d29b03b00c6f734d2bb15a538478fcf7c988f68bdc29cb40587

          Download Submit

        • memory/1064-1-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1064-36-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1064-2-0x00000228FD290000-0x00000228FD297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2552-79-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3368-44-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/3368-43-0x00000206BCDF0000-0x00000206BCDF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3368-48-0x0000000140000000-0x00000001400F3000-memory.dmp

          Filesize

          972KB

          Download

        • memory/3444-33-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-3-0x00000000024E0000-0x00000000024E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-23-0x00007FFA3F4E0000-0x00007FFA3F4F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-24-0x00007FFA3F4D0000-0x00007FFA3F4E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-5-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3444-21-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-20-0x00007FFA3D99A000-0x00007FFA3D99B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/4224-64-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/4224-60-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/4224-59-0x000002508E7C0000-0x000002508E7C7000-memory.dmp

          Filesize

          28KB

          Download