Overview

overview

10

Static

static

3

b9414ec1a9...1f.dll

windows7-x64

10

b9414ec1a9...1f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f.dll

  • Size

    692KB

  • MD5

    c2b6f8ebb1dd8692d134ed9dd9891cfa

  • SHA1

    1a1eb14433d4be1fb5e464c913a478f286fbf991

  • SHA256

    b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f

  • SHA512

    a6a938cdb0718f6757cffbf122d7f36420b78a20df3727872469c8f4bacf131d5ea596c90b148771e95c89cf9ccc10388f36e19098e491c1dbc0a96ff563befe

  • SSDEEP

    12288:wqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:wqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1632
  • C:\Windows\system32\wusa.exe
    C:\Windows\system32\wusa.exe
    1⤵
      PID:4980
    • C:\Users\Admin\AppData\Local\n09H9A5j\wusa.exe
      C:\Users\Admin\AppData\Local\n09H9A5j\wusa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3968
    • C:\Windows\system32\cmstp.exe
      C:\Windows\system32\cmstp.exe
      1⤵
        PID:4196
      • C:\Users\Admin\AppData\Local\q60\cmstp.exe
        C:\Users\Admin\AppData\Local\q60\cmstp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5024
      • C:\Windows\system32\sdclt.exe
        C:\Windows\system32\sdclt.exe
        1⤵
          PID:4764
        • C:\Users\Admin\AppData\Local\xMUT9B\sdclt.exe
          C:\Users\Admin\AppData\Local\xMUT9B\sdclt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4812

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\n09H9A5j\WTSAPI32.dll
          Filesize

          696KB

          MD5

          924f4e2a003bd39b57a088eb3c4615bf

          SHA1

          73bc835fa1c6ab2b27d534a9e221d8ceb330c00a

          SHA256

          c98e84cd952efa8a8f55edeb1f4c56aadb8586c27a50a80e4e3eff08340647e7

          SHA512

          9d1b369cd9af154671f7637ac20dd6c0cc23750f1eedada5f1b475fdb7cf09727942e7019c047bf7c2372ca6f27b882697e89d2d9092a08d0f3325e24e3a68fe

          Download Submit

        • C:\Users\Admin\AppData\Local\n09H9A5j\wusa.exe
          Filesize

          309KB

          MD5

          e43499ee2b4cf328a81bace9b1644c5d

          SHA1

          b2b55641f2799e3fdb3bea709c9532017bbac59d

          SHA256

          3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

          SHA512

          04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

          Download Submit

        • C:\Users\Admin\AppData\Local\q60\VERSION.dll
          Filesize

          696KB

          MD5

          5d67d61df79126de5c4b296d9dbd179a

          SHA1

          228953215e6800734e46dac21bae5704b768c360

          SHA256

          009be3655e0bb1103e0375b54c2ec20e374da5141d24e5bced4246789f6822f6

          SHA512

          0eecf5a15153b2bacb1697f02afc3163bc172d3ae9c935a9fcb63071c1da9a9c070527d445c4f4f41f49bfa4e7a8c7cc26a9806c1d566c27bbad777ba1841b9c

          Download Submit

        • C:\Users\Admin\AppData\Local\q60\cmstp.exe
          Filesize

          96KB

          MD5

          4cc43fe4d397ff79fa69f397e016df52

          SHA1

          8fd6cf81ad40c9b123cd75611860a8b95c72869c

          SHA256

          f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

          SHA512

          851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

          Download Submit

        • C:\Users\Admin\AppData\Local\xMUT9B\ReAgent.dll
          Filesize

          696KB

          MD5

          ac0c5044fe70aa1f9a81325b050a60ba

          SHA1

          a2b4dcf285d50b7595ce5f99a22f89ff392a2ca5

          SHA256

          6701af47ee04a0458835b717acaf3afd37dbe03a6df0c231c7739f515c2e22a8

          SHA512

          07eccf6159c6f04d42dfa1be9208b265b5aca8b17e6739eaa0f592c5183420d643efd4d21336972743176f6259fc77a28d0dd8f88fd6babcb57639bc9f573d0a

          Download Submit

        • C:\Users\Admin\AppData\Local\xMUT9B\sdclt.exe
          Filesize

          1.2MB

          MD5

          e09d48f225e7abcab14ebd3b8a9668ec

          SHA1

          1c5b9322b51c09a407d182df481609f7cb8c425d

          SHA256

          efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

          SHA512

          384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk
          Filesize

          1KB

          MD5

          04bf7c06a981c06d247792578cda37c0

          SHA1

          353f10a4dacfab8805e8ee399ff72c0d0af4dede

          SHA256

          995f7312be458dc1ab3c0c7a6ad0a0198ba17c50b7cf162be5ed0d42ac01e7d8

          SHA512

          9ce9fcb0c792f83770b7a3197ac5fd37856cffcf9bb7956501ded7a88704b29c1b5943786defb3cfc7992dbc13b4e6c0c45f221250673c7af2ff0c951ea504d7

          Download Submit

        • memory/1632-1-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1632-0-0x0000024D506A0000-0x0000024D506A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1632-36-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-24-0x00007FFDFCD70000-0x00007FFDFCD80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-23-0x00007FFDFCD80000-0x00007FFDFCD90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-34-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-5-0x00007FFDFCBAA000-0x00007FFDFCBAB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-3-0x0000000003090000-0x0000000003091000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3440-21-0x0000000000FB0000-0x0000000000FB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3968-45-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3968-48-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3968-43-0x00000188B6830000-0x00000188B6837000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4812-79-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/5024-64-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/5024-61-0x0000017E5FB70000-0x0000017E5FB77000-memory.dmp

          Filesize

          28KB

          Download