Overview

overview

10

Static

static

3

075ab26a20...85.dll

windows7-x64

10

075ab26a20...85.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    075ab26a20020aabdf6ff42b86a7b852167bc3ecdb5bf72f7891bd639779b285.dll

  • Size

    720KB

  • MD5

    547cff20a7fecb219285e1cc582b413c

  • SHA1

    4407b461b33bfaf3092ac7d8a8d9621ed2fb6200

  • SHA256

    075ab26a20020aabdf6ff42b86a7b852167bc3ecdb5bf72f7891bd639779b285

  • SHA512

    a0f789c5641cb62335567f533a8b86e8da02a5b66698e9e1cf21927161861f6a74b847f115c73c35c4d19dffec12cefaf90f5a9783b1824b52481cc49b3a841e

  • SSDEEP

    12288:5qJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:5qGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\075ab26a20020aabdf6ff42b86a7b852167bc3ecdb5bf72f7891bd639779b285.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2124
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
      PID:2980
    • C:\Users\Admin\AppData\Local\1Fv\tcmsetup.exe
      C:\Users\Admin\AppData\Local\1Fv\tcmsetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2808
    • C:\Windows\system32\UI0Detect.exe
      C:\Windows\system32\UI0Detect.exe
      1⤵
        PID:1912
      • C:\Users\Admin\AppData\Local\Yqg9\UI0Detect.exe
        C:\Users\Admin\AppData\Local\Yqg9\UI0Detect.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2684
      • C:\Windows\system32\rrinstaller.exe
        C:\Windows\system32\rrinstaller.exe
        1⤵
          PID:1044
        • C:\Users\Admin\AppData\Local\qDDaS\rrinstaller.exe
          C:\Users\Admin\AppData\Local\qDDaS\rrinstaller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2992

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1Fv\TAPI32.dll
          Filesize

          728KB

          MD5

          c83fa833b08831c68357eada5009e44a

          SHA1

          6ae64635f6991efd40da827045e188f18a748943

          SHA256

          2214d25f8061e5a87dab2fa5fcaf4d3775e4e095f4d847730221b63fbf4afc8c

          SHA512

          83bbfdb021e4e0aebc0c518322331807d89a8690b786c59fb586fc59be686fbfa104e8ecceb37dd46b0a25a2275ed7825765cf7ffd376bf5b44ed0aa7ac86c0c

          Download Submit

        • C:\Users\Admin\AppData\Local\Yqg9\WINSTA.dll
          Filesize

          728KB

          MD5

          80def0f2f2936870aca5eb67fdc2cae7

          SHA1

          c2aa692888c7d54ac37194ce5bb660b4f81c4ab7

          SHA256

          06dc95c8f78811b9d3b054befe9398c0521ea40b69ab64d6e67477cedfb644f7

          SHA512

          f19dafdfd8ae686252f6e521fb1252ab604482842ddd0c29b6c94565c3774748565e71b2e488bade1fd3c976286a2f3aaaf270e6dde1baf5bcca144e3a968e44

          Download Submit

        • C:\Users\Admin\AppData\Local\qDDaS\MFPlat.DLL
          Filesize

          728KB

          MD5

          8d73c750361f343d9d5c7178e37276cb

          SHA1

          83cceea7f4cad88eb98888ae346c4b5eebffc1de

          SHA256

          b2f261a0034e913e36a78ade37c0272e03645c5fd0a541609410b08b6fe5f99b

          SHA512

          648418e81bd9ff637e020b749757e981ddd5202c9fa10c7a09be894b216851adaba38638eeea5c23cb6284470eab0aff3cd4af40f93af290eccb065f015ce598

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          ac6a09229e4523573097589ff81e0079

          SHA1

          de90f6d2de12b245b7b265ff98784b89c0bbf7cc

          SHA256

          82e9b8995d84721999f38bb298a3424c8e18329d51897143deb1dfcfd8412e8c

          SHA512

          cdb659fee7b8ec3d5f882ca57f2ec37611ed14f5049f1d5c472cb932b3a56fa88cf230cb537fc3f4d73a6396706dfba2e81d2bb6f1681d24a8d4498c2f7ba99a

          Download Submit

        • \Users\Admin\AppData\Local\1Fv\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit

        • \Users\Admin\AppData\Local\Yqg9\UI0Detect.exe
          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit

        • \Users\Admin\AppData\Local\qDDaS\rrinstaller.exe
          Filesize

          54KB

          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit

        • memory/1260-24-0x0000000077630000-0x0000000077632000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1260-44-0x00000000772C6000-0x00000000772C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1260-11-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-10-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-9-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-7-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-12-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-23-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-25-0x0000000077660000-0x0000000077662000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1260-3-0x00000000772C6000-0x00000000772C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1260-34-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-35-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-4-0x00000000024F0000-0x00000000024F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1260-13-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-22-0x00000000024D0000-0x00000000024D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1260-14-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-6-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1260-8-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/2124-43-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/2124-2-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2124-0-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/2684-69-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2684-74-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2808-57-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2808-53-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2808-52-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2992-90-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download