Overview

overview

10

Static

static

3

aa1b8808ff...f7.dll

windows7-x64

10

aa1b8808ff...f7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/10/2024, 00:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    aa1b8808ff9218215966c40200f6c4364ccfeeac09577d53e4070ac340c921f7.dll

  • Size

    668KB

  • MD5

    98dc96aa9c3710d257132e09fb20d7be

  • SHA1

    d88827076938c59663be2404e1d3b225b39b677c

  • SHA256

    aa1b8808ff9218215966c40200f6c4364ccfeeac09577d53e4070ac340c921f7

  • SHA512

    57c1b0de9117d953848428b8e77e0a08d66f04472f337d028138476ec7b57ac7cf28121d8ee47a3c430cdf13fc0865fd11eeb6050db3e80d83453dd8eb3ddce0

  • SSDEEP

    6144:434xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:4IKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa1b8808ff9218215966c40200f6c4364ccfeeac09577d53e4070ac340c921f7.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2600
  • C:\Windows\system32\mblctr.exe
    C:\Windows\system32\mblctr.exe
    1⤵
      PID:2248
    • C:\Users\Admin\AppData\Local\pvcBC\mblctr.exe
      C:\Users\Admin\AppData\Local\pvcBC\mblctr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2676
    • C:\Windows\system32\msdtc.exe
      C:\Windows\system32\msdtc.exe
      1⤵
        PID:2572
      • C:\Users\Admin\AppData\Local\pGHO\msdtc.exe
        C:\Users\Admin\AppData\Local\pGHO\msdtc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2064
      • C:\Windows\system32\cmstp.exe
        C:\Windows\system32\cmstp.exe
        1⤵
          PID:2736
        • C:\Users\Admin\AppData\Local\u10HeuBte\cmstp.exe
          C:\Users\Admin\AppData\Local\u10HeuBte\cmstp.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2500

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\pGHO\VERSION.dll
          Filesize

          672KB

          MD5

          df5999774ba99f24d95840558ac2258d

          SHA1

          8c42393eabb65a58f73acf611567128f9ef17952

          SHA256

          bc9b430b92013945134315287d97e6c0cea597f2bd8f4c7ba5522ed6d02f07bb

          SHA512

          21b8336e7084c47d3aeb018c365fbe615721311fe1e9f627a175e963113704e287097d0661e58c3a20edaa5c9b8d03354ebcb1d757d35ec351492b7eecb43147

          Download Submit

        • C:\Users\Admin\AppData\Local\pvcBC\WTSAPI32.dll
          Filesize

          672KB

          MD5

          1bcbca9ef3f89eadfc94de4cd066d9cb

          SHA1

          e0b261645589db6975dc5afaeaac94bc36854c79

          SHA256

          e4302d6bfe8458c23dce50b332d3919862d46f47235cce9083ced6d123a25837

          SHA512

          84c292f5778ee6a4ebffced0d5ca807a81bf9340f33be1ee016e28a9a0ec7128b9b1096729d4340b5caafea990f6352a4a63f274de989070c6a1f8b69addf2e5

          Download Submit

        • C:\Users\Admin\AppData\Local\u10HeuBte\VERSION.dll
          Filesize

          672KB

          MD5

          c80ef317f509ec5877f52992d653a45b

          SHA1

          93d7d72a535b384da8ee77123298763bf22b7da2

          SHA256

          d903f2edaa2387bf49b141c8a52c2bb3cab5799ed04e758afb8a2604277a8cf1

          SHA512

          4878c789c69bd170ab56f88b5bf0fe99686399c97f677f23d9bc15812ee5f7dd80c48a60789cb1b62f873bc5b975fb5e9d2633e08d6e5499bcdb64b9e2bbd247

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          1010B

          MD5

          5dc25528b36cf0589cf5c49dad354019

          SHA1

          2f6d89eb0d51fe290f10b09a786bb201dd637a84

          SHA256

          80e6390f22098bab46c4e0ecac2a2be26d9af8561c95b5a5345105cbbca777ea

          SHA512

          ff6150c628d0d28abf7df1af03b61f365281e84ada5cef0adbcb7e53bb7662aa12c0254285f2b8c0c8ff9d4211fc656b8dcdf7863602d014ee2f55feffae70d3

          Download Submit

        • \Users\Admin\AppData\Local\pGHO\msdtc.exe
          Filesize

          138KB

          MD5

          de0ece52236cfa3ed2dbfc03f28253a8

          SHA1

          84bbd2495c1809fcd19b535d41114e4fb101466c

          SHA256

          2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

          SHA512

          69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

          Download Submit

        • \Users\Admin\AppData\Local\pvcBC\mblctr.exe
          Filesize

          935KB

          MD5

          fa4c36b574bf387d9582ed2c54a347a8

          SHA1

          149077715ee56c668567e3a9cb9842284f4fe678

          SHA256

          b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

          SHA512

          1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

          Download Submit

        • \Users\Admin\AppData\Local\u10HeuBte\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit

        • memory/1200-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-45-0x0000000076C36000-0x0000000076C37000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-26-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-25-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-3-0x0000000076C36000-0x0000000076C37000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-36-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-4-0x0000000002A50000-0x0000000002A51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-23-0x0000000002A30000-0x0000000002A37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1200-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1200-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2064-70-0x000007FEF5B90000-0x000007FEF5C38000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2064-74-0x000007FEF5B90000-0x000007FEF5C38000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2500-86-0x000007FEF6190000-0x000007FEF6238000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2500-90-0x000007FEF6190000-0x000007FEF6238000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2600-44-0x000007FEF6BE0000-0x000007FEF6C87000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2600-1-0x000007FEF6BE0000-0x000007FEF6C87000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2600-0-0x0000000000420000-0x0000000000427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2676-58-0x000007FEF6C90000-0x000007FEF6D38000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2676-53-0x000007FEF6C90000-0x000007FEF6D38000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2676-55-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download