Overview

overview

10

Static

static

3

aa1b8808ff...f7.dll

windows7-x64

10

aa1b8808ff...f7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa1b8808ff9218215966c40200f6c4364ccfeeac09577d53e4070ac340c921f7.dll

  • Size

    668KB

  • MD5

    98dc96aa9c3710d257132e09fb20d7be

  • SHA1

    d88827076938c59663be2404e1d3b225b39b677c

  • SHA256

    aa1b8808ff9218215966c40200f6c4364ccfeeac09577d53e4070ac340c921f7

  • SHA512

    57c1b0de9117d953848428b8e77e0a08d66f04472f337d028138476ec7b57ac7cf28121d8ee47a3c430cdf13fc0865fd11eeb6050db3e80d83453dd8eb3ddce0

  • SSDEEP

    6144:434xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:4IKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa1b8808ff9218215966c40200f6c4364ccfeeac09577d53e4070ac340c921f7.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1444
  • C:\Windows\system32\upfc.exe
    C:\Windows\system32\upfc.exe
    1⤵
      PID:764
    • C:\Users\Admin\AppData\Local\MvIRh6O\upfc.exe
      C:\Users\Admin\AppData\Local\MvIRh6O\upfc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2504
    • C:\Windows\system32\sppsvc.exe
      C:\Windows\system32\sppsvc.exe
      1⤵
        PID:4736
      • C:\Users\Admin\AppData\Local\0je\sppsvc.exe
        C:\Users\Admin\AppData\Local\0je\sppsvc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3856
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        1⤵
          PID:1240
        • C:\Users\Admin\AppData\Local\wtMjvVqqj\SndVol.exe
          C:\Users\Admin\AppData\Local\wtMjvVqqj\SndVol.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2644

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0je\XmlLite.dll
          Filesize

          672KB

          MD5

          9b5c4bcf41b3a99a59d5bad8c0f4dd50

          SHA1

          419f87a70a56aba8938c86c5bc909057c82f238a

          SHA256

          c7ca6abd488f4fad9f92659614b91588c1cec53acc3cc498c1f1ed397d92b062

          SHA512

          27e73c9ee0f581c0f8b147cad4c5a064a981d23d4ea6c1c080ae4a963fe43bf635f31e30c8ab5cf590c9f9da91e3645929918c9021bba006e73f3514f3903dee

          Download Submit

        • C:\Users\Admin\AppData\Local\0je\sppsvc.exe
          Filesize

          4.4MB

          MD5

          ec6cef0a81f167668e18fa32f1606fce

          SHA1

          6d56837a388ae5573a38a439cee16e6dde5b4de8

          SHA256

          82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

          SHA512

          f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

          Download Submit

        • C:\Users\Admin\AppData\Local\MvIRh6O\XmlLite.dll
          Filesize

          672KB

          MD5

          29ba49305b4d732dd2d485d9bdc63bce

          SHA1

          d351d34254e49216b5f1e5d1413ecc2a118b0458

          SHA256

          8194dd8bc992ba8722229d2f590f20c3d062c5bf11c7eb1e50db6e50e05c70be

          SHA512

          5d1b4ae664a9f8b8e7f8c7e285a944d9811d9d19f1b25abb43a05f86736d45e841214143147b53d0bd96b8f2e7830e0dea47e91c836b9aee73ff3eada72b5dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\MvIRh6O\upfc.exe
          Filesize

          118KB

          MD5

          299ea296575ccb9d2c1a779062535d5c

          SHA1

          2497169c13b0ba46a6be8a1fe493b250094079b7

          SHA256

          ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

          SHA512

          02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

          Download Submit

        • C:\Users\Admin\AppData\Local\wtMjvVqqj\SndVol.exe
          Filesize

          269KB

          MD5

          c5d939ac3f9d885c8355884199e36433

          SHA1

          b8f277549c23953e8683746e225e7af1c193ad70

          SHA256

          68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

          SHA512

          8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

          Download Submit

        • C:\Users\Admin\AppData\Local\wtMjvVqqj\dwmapi.dll
          Filesize

          672KB

          MD5

          a091482f96ad3cd0abc486356280fec0

          SHA1

          41c79290d89a8a5c7be06122fe0f887ee6117073

          SHA256

          d1c5d0b17da1e60f1ba29291439bc199621a00dbe798039b014c06d392c760b3

          SHA512

          eee97e34fc7b175386cc13eebe83573b858c298b22460cbdeec6db51d0aa297efe989241a43e2cdb2e8560278f1bd44e20e23af553aa3ac5789bb6f1a7f07ec2

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          ff2718e982455de55e369005ed6ad09c

          SHA1

          05dfd31952b3e3e7a080f1a449b2e726582ecfc6

          SHA256

          eb1666fdb010c7dd4756f5f22e61b259b8f71c86d06269dae5b99cd668098437

          SHA512

          aef19144ee37551ded3a7dcf32a5444007d26fab69c831c3de09695ca049acd1112fcb131d7cca93628b0bc073d905f6c07115d3a51d1aae0d8abc29353b62fc

          Download Submit

        • memory/1444-1-0x00007FFD91430000-0x00007FFD914D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1444-0-0x0000022EFFC30000-0x0000022EFFC37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1444-38-0x00007FFD91430000-0x00007FFD914D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2504-50-0x00007FFD82BA0000-0x00007FFD82C48000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2504-47-0x000001EFC9F90000-0x000001EFC9F97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2504-45-0x00007FFD82BA0000-0x00007FFD82C48000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2644-81-0x00007FFD82BA0000-0x00007FFD82C48000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-26-0x00007FFDA03D0000-0x00007FFDA03E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-25-0x00007FFDA03E0000-0x00007FFDA03F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-23-0x0000000001160000-0x0000000001167000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-3-0x00000000034E0000-0x00000000034E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-4-0x00007FFD9F9DA000-0x00007FFD9F9DB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3856-66-0x00007FFD82BA0000-0x00007FFD82C48000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3856-63-0x0000018A4C430000-0x0000018A4C437000-memory.dmp

          Filesize

          28KB

          Download