Overview

overview

10

Static

static

3

bbd6d896a5...ca.dll

windows7-x64

10

bbd6d896a5...ca.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca.dll

  • Size

    720KB

  • MD5

    f859e1567e45f47b3b3746c4fb49e3f5

  • SHA1

    e824cabc3b25fe5173ff02fbb4b3e7912bd71a72

  • SHA256

    bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca

  • SHA512

    bc5b15dbe0dbb3f77dca8839123c95e77a2733af33827fc911e24404ab1dd793f04cab91669a075ab7fef7f6fa1d64ef6c8888d642a862c07a90c41ea3ebc29b

  • SSDEEP

    12288:ZqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:ZqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3592
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    1⤵
      PID:4284
    • C:\Users\Admin\AppData\Local\FTZ\wermgr.exe
      C:\Users\Admin\AppData\Local\FTZ\wermgr.exe
      1⤵
      • Executes dropped EXE
      PID:3764
    • C:\Windows\system32\FXSCOVER.exe
      C:\Windows\system32\FXSCOVER.exe
      1⤵
        PID:2000
      • C:\Users\Admin\AppData\Local\mWF\FXSCOVER.exe
        C:\Users\Admin\AppData\Local\mWF\FXSCOVER.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4748
      • C:\Windows\system32\Netplwiz.exe
        C:\Windows\system32\Netplwiz.exe
        1⤵
          PID:3872
        • C:\Users\Admin\AppData\Local\FPC\Netplwiz.exe
          C:\Users\Admin\AppData\Local\FPC\Netplwiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:916
        • C:\Windows\system32\Dxpserver.exe
          C:\Windows\system32\Dxpserver.exe
          1⤵
            PID:1328
          • C:\Users\Admin\AppData\Local\t1mSN\Dxpserver.exe
            C:\Users\Admin\AppData\Local\t1mSN\Dxpserver.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4412

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\FPC\NETPLWIZ.dll
            Filesize

            724KB

            MD5

            a0b8771ca40de00f80f331f29af97786

            SHA1

            3b556fe9d6ce703254346313235c221d200be328

            SHA256

            c1a166c9f21795923a63f3b7f88ea2e4d972b7f9bd1d2d3d496cc11fcce50855

            SHA512

            2e9ca72b74f70a0af80be6ddab736a52c46e33e43a506ce86257d936d0ce35ec6c74066405ad785659d29fae42508365065470838998335e3b0929c2ed0fa840

            Download Submit

          • C:\Users\Admin\AppData\Local\FPC\Netplwiz.exe
            Filesize

            40KB

            MD5

            520a7b7065dcb406d7eca847b81fd4ec

            SHA1

            d1b3b046a456630f65d482ff856c71dfd2f335c8

            SHA256

            8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

            SHA512

            7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

            Download Submit

          • C:\Users\Admin\AppData\Local\FTZ\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\mWF\FXSCOVER.exe
            Filesize

            242KB

            MD5

            5769f78d00f22f76a4193dc720d0b2bd

            SHA1

            d62b6cab057e88737cba43fe9b0c6d11a28b53e8

            SHA256

            40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

            SHA512

            b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

            Download Submit

          • C:\Users\Admin\AppData\Local\mWF\MFC42u.dll
            Filesize

            748KB

            MD5

            9e64ad8f75b0c0f9ac46c617cecaeb5f

            SHA1

            e1d2a2942a99ba50fc54f34ba4cb1b7062daaf34

            SHA256

            5ea9875064b302ebd81518bea4eb4ce6537121dc26bb7cb5710f508a8093be2f

            SHA512

            e77de1b9e09e55cf053c1cb458de6dc0bad0bac7c79f3c7e701ec10d93f4a0fff5e084d456e89aa47a3e07aaea33d44d3b2792b548218bec4c8c369b882b63f2

            Download Submit

          • C:\Users\Admin\AppData\Local\t1mSN\Dxpserver.exe
            Filesize

            310KB

            MD5

            6344f1a7d50da5732c960e243c672165

            SHA1

            b6d0236f79d4f988640a8445a5647aff5b5410f7

            SHA256

            b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

            SHA512

            73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

            Download Submit

          • C:\Users\Admin\AppData\Local\t1mSN\XmlLite.dll
            Filesize

            724KB

            MD5

            acfc44e1ff7c1cd0284df1c64a1be7e4

            SHA1

            130bb1916a6783fd4ececf7486e0254d9142431c

            SHA256

            268d618e8289e4c08352f566169820e509b111f5141db217068ccdcbb0b7b4de

            SHA512

            cedb86624ccdb011fb06a07217657d0dd03b0fe30b69a4dc0261846f8db113eadddbbaa0a086789d99d2a3bfc687257b7d802d2e516d0e4f8167ac8dceb58c19

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk
            Filesize

            1KB

            MD5

            5b9b4d61f8696fa0cc2bc4994c8f33e0

            SHA1

            93ef0ca5b044a7b679e5f09239e34ccbcdec763d

            SHA256

            400852ada9be86b0a1b7abb11c093e574a4505cdd8db0443e089bc32332accb3

            SHA512

            7b820b7884f5d717c3377d934c016c35dd5f91b5635548e8b39592db018061e76d887fa187e7d8f50bdf3cc1696f95d3d2a5c53ec9ffe8890e44aea85e373a6f

            Download Submit

          • memory/916-73-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/916-69-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/916-68-0x000001F5D8B80000-0x000001F5D8B87000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3356-7-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-14-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-10-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-9-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-8-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-3-0x00000000032B0000-0x00000000032B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3356-13-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-5-0x00007FFFE941A000-0x00007FFFE941B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3356-34-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-24-0x00007FFFEB360000-0x00007FFFEB370000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3356-25-0x00007FFFEB350000-0x00007FFFEB360000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3356-6-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-11-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-23-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3356-22-0x00000000012E0000-0x00000000012E7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3356-12-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3592-37-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3592-0-0x00000189E6590000-0x00000189E6597000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3592-1-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/4412-88-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/4748-57-0x0000000140000000-0x00000001400BB000-memory.dmp

            Filesize

            748KB

            Download

          • memory/4748-54-0x00000210D4FC0000-0x00000210D4FC7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4748-52-0x0000000140000000-0x00000001400BB000-memory.dmp

            Filesize

            748KB

            Download