Overview

overview

10

Static

static

3

8b32751a64...86.dll

windows7-x64

10

8b32751a64...86.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 00:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8b32751a6432113ee710babcc5315a8aabf4b5a3647bf15aa345a6e3dd63f086.dll

  • Size

    944KB

  • MD5

    342cec4e287b2f1285f18c63c01fc5e4

  • SHA1

    ba8832830889724887ef7ee003f2a3eed503e4b7

  • SHA256

    8b32751a6432113ee710babcc5315a8aabf4b5a3647bf15aa345a6e3dd63f086

  • SHA512

    517db6bf9b425716f80afac7f2e6d897c2fecf84adfad35cec156809bcfb634ce4700b17f7d3810b5e9b10bbd784665097d62afa1e81f625b8827ea5e81cdec2

  • SSDEEP

    6144:s34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTg:sIKp/UWCZdCDh2IZDwAFRpR6Auk6kK

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8b32751a6432113ee710babcc5315a8aabf4b5a3647bf15aa345a6e3dd63f086.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:5088
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    1⤵
      PID:1420
    • C:\Users\Admin\AppData\Local\iDXFUGPP\wermgr.exe
      C:\Users\Admin\AppData\Local\iDXFUGPP\wermgr.exe
      1⤵
      • Executes dropped EXE
      PID:4460
    • C:\Windows\system32\ie4uinit.exe
      C:\Windows\system32\ie4uinit.exe
      1⤵
        PID:1136
      • C:\Users\Admin\AppData\Local\a6l8AIA\ie4uinit.exe
        C:\Users\Admin\AppData\Local\a6l8AIA\ie4uinit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1768
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:4068
        • C:\Users\Admin\AppData\Local\rcEQt2X\psr.exe
          C:\Users\Admin\AppData\Local\rcEQt2X\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1004
        • C:\Windows\system32\systemreset.exe
          C:\Windows\system32\systemreset.exe
          1⤵
            PID:3656
          • C:\Users\Admin\AppData\Local\c9plyKAQP\systemreset.exe
            C:\Users\Admin\AppData\Local\c9plyKAQP\systemreset.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1840

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\a6l8AIA\VERSION.dll
            Filesize

            948KB

            MD5

            4aa836fdecbac61911857a48cca63cbe

            SHA1

            19fb4561fadb54e06561b6715f24087640ce5f66

            SHA256

            4892accf0cc691197cba5cd98c0ae48900bc0a3f67a0b33a40a79f2f1d285fbd

            SHA512

            e786b1929b9595fa33dbb2dff71accf7903f85a0ab8ed90eee24816b4cc1d6f9af666fc7ad958b0eef37936f296d47587cd27f1d0d08b7922eae454156283fa5

            Download Submit

          • C:\Users\Admin\AppData\Local\a6l8AIA\ie4uinit.exe
            Filesize

            262KB

            MD5

            a2f0104edd80ca2c24c24356d5eacc4f

            SHA1

            8269b9fd9231f04ed47419bd565c69dc677fab56

            SHA256

            5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

            SHA512

            e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

            Download Submit

          • C:\Users\Admin\AppData\Local\c9plyKAQP\ReAgent.dll
            Filesize

            948KB

            MD5

            4342db7f6b7328a816d4aa82c371e272

            SHA1

            cb7992c1a776cf0e8a31e9c887adbc606a4ba039

            SHA256

            695ce141cab63df938d575cb62d13828398439fbba46c5803ae422ef49f9549a

            SHA512

            81d8eb1e2fabff2d3d1d691f9b5ac94b230cec673252c053360811070d794de9fb9e5d0972a70b13aa6e41d9123b31ea990f2793d212a7ec6b10d70738aa9566

            Download Submit

          • C:\Users\Admin\AppData\Local\c9plyKAQP\systemreset.exe
            Filesize

            508KB

            MD5

            325ff647506adb89514defdd1c372194

            SHA1

            84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

            SHA256

            ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

            SHA512

            8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

            Download Submit

          • C:\Users\Admin\AppData\Local\iDXFUGPP\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\rcEQt2X\XmlLite.dll
            Filesize

            948KB

            MD5

            4487e481ea2d483a2beca6a3cc2a6790

            SHA1

            b54d5a756c60fa4bd957946d0a40430e1e185908

            SHA256

            4b694bdc737ff9b14a7b91911286b593f363dfe2e3bf1073e0460969037ed97c

            SHA512

            4f6bd21df3497b64abee0b1e5ee7265a8b9c5245304f108c9ef0efdb1b21d692f0560399efe0a8087ecc78697def3c5d07b1f81a9979d6a742dffb63cdfe259b

            Download Submit

          • C:\Users\Admin\AppData\Local\rcEQt2X\psr.exe
            Filesize

            232KB

            MD5

            ad53ead5379985081b7c3f1f357e545a

            SHA1

            6f5aa32c1d15fbf073558fadafd046d97b60184e

            SHA256

            4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

            SHA512

            433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk
            Filesize

            1KB

            MD5

            d476e5b1ef5ebb97012ba6d14dbb1eb0

            SHA1

            06ea23a52d9c6a7108b1d8380c8402ede554a900

            SHA256

            3a89c30473f2e431e1c7c38b6a650a1d565ddcbafdfd63f9c6ea85ca72720a0a

            SHA512

            89a0a874bdd871a4d2f417da12d736935812db354a64ce69532b61be8727baf4af9906bb0d257fe1bf9aeb223152cf689cc7562ecaba9116657202febc32cbf7

            Download Submit

          • memory/1004-70-0x000001A9A5570000-0x000001A9A5577000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1004-71-0x00007FF82C1F0000-0x00007FF82C2DD000-memory.dmp

            Filesize

            948KB

            Download

          • memory/1004-75-0x00007FF82C1F0000-0x00007FF82C2DD000-memory.dmp

            Filesize

            948KB

            Download

          • memory/1768-59-0x00007FF82C830000-0x00007FF82C91D000-memory.dmp

            Filesize

            948KB

            Download

          • memory/1768-54-0x00007FF82C830000-0x00007FF82C91D000-memory.dmp

            Filesize

            948KB

            Download

          • memory/1768-56-0x00000226C3B70000-0x00000226C3B77000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1840-90-0x00007FF82C1F0000-0x00007FF82C2DD000-memory.dmp

            Filesize

            948KB

            Download

          • memory/3416-12-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-10-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-25-0x00007FF849F00000-0x00007FF849F10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3416-26-0x00007FF849EF0000-0x00007FF849F00000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3416-36-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-11-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-5-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-6-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-7-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-8-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-9-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-3-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-13-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-14-0x00007FF84978A000-0x00007FF84978B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-15-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-24-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-16-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-23-0x0000000000770000-0x0000000000777000-memory.dmp

            Filesize

            28KB

            Download

          • memory/5088-2-0x0000015381460000-0x0000015381467000-memory.dmp

            Filesize

            28KB

            Download

          • memory/5088-38-0x00007FF83B5B0000-0x00007FF83B69C000-memory.dmp

            Filesize

            944KB

            Download

          • memory/5088-1-0x00007FF83B5B0000-0x00007FF83B69C000-memory.dmp

            Filesize

            944KB

            Download