Overview

overview

10

Static

static

3

915e01432b...1c.dll

windows7-x64

10

915e01432b...1c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    915e01432b35339df657eb6eee139103d98a0a8b37a91fd3851e01781a7b041c.dll

  • Size

    676KB

  • MD5

    4158ed3f73bf010337896f8458e8fde9

  • SHA1

    26329d87c00bcad276e278003d19995a5425053f

  • SHA256

    915e01432b35339df657eb6eee139103d98a0a8b37a91fd3851e01781a7b041c

  • SHA512

    7099602f413fa9dbb91ef2dc3208b106a264bba1e96e466ca32cb0772faf90f3358f82eebd5f5fc4b1675bc472bee9baedd68aa2c735fd87800f97da9f703800

  • SSDEEP

    6144:j34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:jIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\915e01432b35339df657eb6eee139103d98a0a8b37a91fd3851e01781a7b041c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2592
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    1⤵
      PID:4772
    • C:\Users\Admin\AppData\Local\hW2FO\unregmp2.exe
      C:\Users\Admin\AppData\Local\hW2FO\unregmp2.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1812
    • C:\Windows\system32\CameraSettingsUIHost.exe
      C:\Windows\system32\CameraSettingsUIHost.exe
      1⤵
        PID:2512
      • C:\Users\Admin\AppData\Local\dLgr\CameraSettingsUIHost.exe
        C:\Users\Admin\AppData\Local\dLgr\CameraSettingsUIHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4220
      • C:\Windows\system32\SystemPropertiesPerformance.exe
        C:\Windows\system32\SystemPropertiesPerformance.exe
        1⤵
          PID:1608
        • C:\Users\Admin\AppData\Local\2d4dgJ\SystemPropertiesPerformance.exe
          C:\Users\Admin\AppData\Local\2d4dgJ\SystemPropertiesPerformance.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:412

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2d4dgJ\SYSDM.CPL
          Filesize

          680KB

          MD5

          3dd2be91983c2038036e3e1f7b714fdf

          SHA1

          b68873f7bbb017e96ccc3e9aba9125a93011ac1a

          SHA256

          c4e455fd0ab972f5f1009d9fe55513351ea805350f739a0e01e7be7b68fd32b5

          SHA512

          7ec05b0a7364613ff121bb5e0db6b56ca66a42a8b298d6dd20d3c68479ef74bde8a7e5a8dde4c6150cdf9790255583e324d5bae6859fa0a89fce74ceae6a16cb

          Download Submit

        • C:\Users\Admin\AppData\Local\2d4dgJ\SystemPropertiesPerformance.exe
          Filesize

          82KB

          MD5

          e4fbf7cab8669c7c9cef92205d2f2ffc

          SHA1

          adbfa782b7998720fa85678cc85863b961975e28

          SHA256

          b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

          SHA512

          c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

          Download Submit

        • C:\Users\Admin\AppData\Local\dLgr\CameraSettingsUIHost.exe
          Filesize

          31KB

          MD5

          9e98636523a653c7a648f37be229cf69

          SHA1

          bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

          SHA256

          3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

          SHA512

          41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

          Download Submit

        • C:\Users\Admin\AppData\Local\dLgr\DUI70.dll
          Filesize

          956KB

          MD5

          d067b58fde720cddd02b546478207bca

          SHA1

          7ff018c1bcc039aa44e45d30155592a8d0aeca80

          SHA256

          69e315fb8d45311693f5a91b9b9d3c2c0eb9629255896a203754e2a7219ebe02

          SHA512

          a4bb94b22c45a34278f2095f5f45dfcae7d7b54230e1c67b3da616c6fa7ea20e5bde15f744e82a4c7d5fb6390a326adedc21a06bdce2c912b1852eaf4090aafe

          Download Submit

        • C:\Users\Admin\AppData\Local\hW2FO\VERSION.dll
          Filesize

          680KB

          MD5

          31be6b48c77f201ea987eafcc35ffbc7

          SHA1

          859c5bb945def507b5dd5093ce69522ad7ee7224

          SHA256

          e3791b7974f82a3bdf8e8cc3b5ab69395756c64e6f5d51473082d7c1f020e1b9

          SHA512

          cc708fd86a9b3a6e3ea8702fcedacea77ece2aecd68289bcf511d3bee950bd32558cbf8247ef8dd988c4977b6b0057a6ee601672dd06803402dc9ed2c369366b

          Download Submit

        • C:\Users\Admin\AppData\Local\hW2FO\unregmp2.exe
          Filesize

          259KB

          MD5

          a6fc8ce566dec7c5873cb9d02d7b874e

          SHA1

          a30040967f75df85a1e3927bdce159b102011a61

          SHA256

          21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

          SHA512

          f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk
          Filesize

          1KB

          MD5

          455aac5c6ab5d864b0ccc62f4b32a8d5

          SHA1

          f0cda1ea42efc88576f6cce5f60dc5297c66a03c

          SHA256

          52302c48250d0ce40617dffff650734ce252bf4c77515dbf32c486248991e77a

          SHA512

          3a15ae3473ecdd88a3e040f5e368b5413b0841632483ae40e2e3677cc9b927fac5794d20b49afa301a2b111b44d5df58855cb9864ce59a155555a759dee061ad

          Download Submit

        • memory/412-81-0x00007FF825C00000-0x00007FF825CAA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1812-50-0x00007FF825C00000-0x00007FF825CAA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1812-46-0x00007FF825C00000-0x00007FF825CAA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1812-45-0x0000027BEBD70000-0x0000027BEBD77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2592-0-0x00007FF8268D0000-0x00007FF826979000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2592-38-0x00007FF8268D0000-0x00007FF826979000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2592-2-0x000001E867BA0000-0x000001E867BA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3408-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-35-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-25-0x00007FF834A20000-0x00007FF834A30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3408-26-0x00007FF834A10000-0x00007FF834A20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3408-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-24-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-23-0x00000000007A0000-0x00000000007A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3408-3-0x0000000002450000-0x0000000002451000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-5-0x00007FF8341CA000-0x00007FF8341CB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3408-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4220-66-0x00007FF825BC0000-0x00007FF825CAF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/4220-61-0x00007FF825BC0000-0x00007FF825CAF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/4220-63-0x000001DA7A7E0000-0x000001DA7A7E7000-memory.dmp

          Filesize

          28KB

          Download