Overview

overview

10

Static

static

3

96245ac3af...c9.dll

windows7-x64

10

96245ac3af...c9.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96245ac3afbbd284ab0a250ef29178ad97dbaa475fe1f7231636c29bdbd1a6c9.dll

  • Size

    672KB

  • MD5

    f4ad23ec7d76d48355a204d4cca86bb9

  • SHA1

    21cc90073ea6b2e99f535272e4ec2127c6dfd4c3

  • SHA256

    96245ac3afbbd284ab0a250ef29178ad97dbaa475fe1f7231636c29bdbd1a6c9

  • SHA512

    bdf9ff9cea9d581d4f81524e720985ff82f52ed10267410c43cbeeae018afb2b5b0708d7666393df02284e08736060e124beba414de4a5648a91f6c952f3ab7a

  • SSDEEP

    6144:U34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:UIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\96245ac3afbbd284ab0a250ef29178ad97dbaa475fe1f7231636c29bdbd1a6c9.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2324
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    1⤵
      PID:2312
    • C:\Users\Admin\AppData\Local\GFpHvA2\rdpinit.exe
      C:\Users\Admin\AppData\Local\GFpHvA2\rdpinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1732
    • C:\Windows\system32\vmicsvc.exe
      C:\Windows\system32\vmicsvc.exe
      1⤵
        PID:2848
      • C:\Users\Admin\AppData\Local\0TAA\vmicsvc.exe
        C:\Users\Admin\AppData\Local\0TAA\vmicsvc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:880
      • C:\Windows\system32\rekeywiz.exe
        C:\Windows\system32\rekeywiz.exe
        1⤵
          PID:2532
        • C:\Users\Admin\AppData\Local\dbS\rekeywiz.exe
          C:\Users\Admin\AppData\Local\dbS\rekeywiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2336

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0TAA\ACTIVEDS.dll
          Filesize

          676KB

          MD5

          e0d5e06927bfab53305c1541666bd9c2

          SHA1

          2b592b57e22549d9127d760e78a4a2bef57f5f56

          SHA256

          c195dce5c2b67248680798d35b98fc6eb5811409a06fb29fa09f347a9bfef588

          SHA512

          6037a58b3119ae34e3f09889b1a9e5a438ddfc3980ea320a1f468b0f15a66c84f2a8e56a65d96873635b1f8ae3c465a4484552b9751d917a07ad2acf4900d835

          Download Submit

        • C:\Users\Admin\AppData\Local\dbS\rekeywiz.exe
          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit

        • C:\Users\Admin\AppData\Local\dbS\slc.dll
          Filesize

          676KB

          MD5

          f7fb63ce79e8b39900d8f00a21c1937c

          SHA1

          f9941710af8c122c75da08e9daa57bf4bb16d208

          SHA256

          c0bd1dd7604fd1200cc9f21e4bbb77364f15e84ff6c371f71248da7a0bd9f706

          SHA512

          b3274557b3ce549ecf3f6edf6f2b612d703a39b9d5fc7926817ce7a4a0278ce1792a77a4c5a8fb3fd65763337e0961d62552d2aa7320092419d178d9c28cc98b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          38041e2838f8248e5737dc23248f2c8d

          SHA1

          1edae4d8a42760681c16677ac2299e6ccefb64cc

          SHA256

          083007119f8faa79efb9a4e2ee6127872cd2f349d7185818034ac381b252f754

          SHA512

          a1ecb154023320122f0766049200572ccd59dce042ad7cd9b96c671acad1da8e22c18dc95c3b5643e262339c63b34342b7d07a1500959a22da2bae5031e5446d

          Download Submit

        • \Users\Admin\AppData\Local\0TAA\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • \Users\Admin\AppData\Local\GFpHvA2\rdpinit.exe
          Filesize

          174KB

          MD5

          664e12e0ea009cc98c2b578ff4983c62

          SHA1

          27b302c0108851ac6cc37e56590dd9074b09c3c9

          SHA256

          00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

          SHA512

          f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

          Download Submit

        • \Users\Admin\AppData\Local\GFpHvA2\slc.dll
          Filesize

          676KB

          MD5

          b73705883ae6516186b2525952e1f4d8

          SHA1

          320a71b5358f1fa82bf9bf3d1c24e3883e9f3ef7

          SHA256

          35dca974867f8bcdf5b5ce87e1c0f16e7066201da965d3071f68b150576fb1ec

          SHA512

          a8d2a998f51cbd4e1703050e4f1ab3b11e5270b7650e62f652efd15e592bbf26ac64d750919bd26cadfe6d52db8ead9d89514715d7141e677bed85a8e0fed21f

          Download Submit

        • memory/880-75-0x000007FEFB230000-0x000007FEFB2D9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/880-70-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1252-25-0x0000000077790000-0x0000000077792000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1252-45-0x0000000077526000-0x0000000077527000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-15-0x0000000002E60000-0x0000000002E67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1252-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-24-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-26-0x00000000777C0000-0x00000000777C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1252-3-0x0000000077526000-0x0000000077527000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-35-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-4-0x0000000002E80000-0x0000000002E81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1732-58-0x000007FEFB230000-0x000007FEFB2D9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1732-53-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1732-54-0x000007FEFB230000-0x000007FEFB2D9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2324-44-0x000007FEFB0B0000-0x000007FEFB158000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2324-0-0x000007FEFB0B0000-0x000007FEFB158000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2324-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2336-87-0x000007FEFB0B0000-0x000007FEFB159000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2336-91-0x000007FEFB0B0000-0x000007FEFB159000-memory.dmp

          Filesize

          676KB

          Download