Overview

overview

10

Static

static

3

b9414ec1a9...1f.dll

windows7-x64

10

b9414ec1a9...1f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f.dll

  • Size

    692KB

  • MD5

    c2b6f8ebb1dd8692d134ed9dd9891cfa

  • SHA1

    1a1eb14433d4be1fb5e464c913a478f286fbf991

  • SHA256

    b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f

  • SHA512

    a6a938cdb0718f6757cffbf122d7f36420b78a20df3727872469c8f4bacf131d5ea596c90b148771e95c89cf9ccc10388f36e19098e491c1dbc0a96ff563befe

  • SSDEEP

    12288:wqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:wqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1900
  • C:\Windows\system32\p2phost.exe
    C:\Windows\system32\p2phost.exe
    1⤵
      PID:2572
    • C:\Users\Admin\AppData\Local\Cz8\p2phost.exe
      C:\Users\Admin\AppData\Local\Cz8\p2phost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2624
    • C:\Windows\system32\icardagt.exe
      C:\Windows\system32\icardagt.exe
      1⤵
        PID:2648
      • C:\Users\Admin\AppData\Local\YyUxID16\icardagt.exe
        C:\Users\Admin\AppData\Local\YyUxID16\icardagt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1324
      • C:\Windows\system32\SoundRecorder.exe
        C:\Windows\system32\SoundRecorder.exe
        1⤵
          PID:1088
        • C:\Users\Admin\AppData\Local\dtBl166h\SoundRecorder.exe
          C:\Users\Admin\AppData\Local\dtBl166h\SoundRecorder.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1932

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Cz8\P2PCOLLAB.dll
          Filesize

          696KB

          MD5

          02f1e26d8f1efc350c808aedebf1cfd2

          SHA1

          e50c93242c7adaa23947ae9a7b9e194d4bce0b78

          SHA256

          423a1585108d72e8c58e7657ecfbd58aad26c20d90ed1f4935c8d492431bd470

          SHA512

          dca26299b1870ab70f676a54143510659937bdec298ca61142f223d8ce356814c9f0196a6b98c8e605e1f94e4af61d707ee5e42f9e0a915d545bb9635136b044

          Download Submit

        • C:\Users\Admin\AppData\Local\YyUxID16\VERSION.dll
          Filesize

          696KB

          MD5

          44759a9b65ddbaef9d39d5f0dfe6515f

          SHA1

          3e22a3068d1bbcd61eb8c9a7cabff93f0cdd5673

          SHA256

          a3211f2a2b42ecced33941ed6ee273430d377f6e05ba4b61c9c7df8bc00fa284

          SHA512

          86023889e51b00d532f51977a996a2053a0c4ba22490f7353eca8e71d0bea4460c8774be4359e622e6b27daaec4e304062641ff362342130c312267b075cac66

          Download Submit

        • C:\Users\Admin\AppData\Local\dtBl166h\UxTheme.dll
          Filesize

          696KB

          MD5

          406bb96fe3b8cf0c25724407018fc600

          SHA1

          12c3f3d107216803dee1d7e15a635712b8729fb7

          SHA256

          5ee04cb80d620a9c6d5fd613cd5ac57f904b6678f2951f2cc09e6c8f2e11712f

          SHA512

          2d571f9efaba47124ba4940ac10602f0b7521cbbb90654cb0e6fa5a77470ded385761a500b733270913a5c9e92b82a70b3e1244d5f3ecb4e960b13f0a2752b50

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          45e698334ce2ec2e5c7b99e6f7a7e539

          SHA1

          834ea1f60c579b3da841fcaa4bbd6f131840de30

          SHA256

          593db82b6faa790a56c92256d92dcd6c5b79079ce3f7f24cf637c98c1f3ef1bd

          SHA512

          58124c0f99d970115260b13e0929071d5ab35d3720bb2e710a40e87140b1740fbc19a8fd03b1b17939de7e3201c9f86f4604d876214a4974dd308a38aac226fb

          Download Submit

        • \Users\Admin\AppData\Local\Cz8\p2phost.exe
          Filesize

          172KB

          MD5

          0dbd420477352b278dfdc24f4672b79c

          SHA1

          df446f25be33ac60371557717073249a64e04bb2

          SHA256

          1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

          SHA512

          84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

          Download Submit

        • \Users\Admin\AppData\Local\YyUxID16\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit

        • \Users\Admin\AppData\Local\dtBl166h\SoundRecorder.exe
          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

          Download Submit

        • memory/1232-33-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-23-0x00000000776E0000-0x00000000776E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1232-24-0x0000000077710000-0x0000000077712000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1232-3-0x0000000077476000-0x0000000077477000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-34-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-4-0x0000000002A50000-0x0000000002A51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-43-0x0000000077476000-0x0000000077477000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1232-21-0x0000000002620000-0x0000000002627000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1324-68-0x0000000000230000-0x0000000000237000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1324-73-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1900-42-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1900-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1900-0-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1932-89-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2624-56-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2624-53-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2624-51-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download