Overview

overview

10

Static

static

3

75744da9a6...7d.dll

windows7-x64

10

75744da9a6...7d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 03:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75744da9a671242b908e36a14db2b512b454f506e6eee9e77da3bec1e7225f7d.dll

  • Size

    664KB

  • MD5

    5f6c31f53f65a1fdb86734c3f9ee7840

  • SHA1

    a8c5aeb8b426258e84fb7b4bd181f85db18405ae

  • SHA256

    75744da9a671242b908e36a14db2b512b454f506e6eee9e77da3bec1e7225f7d

  • SHA512

    a1713364329e883b9a62409ce721ce7fbc929814e196c8eb18a3bf121cf2eea83d875869d1c8702ef7f9888e4f11659201132554d0101ecf6d0d89592025d242

  • SSDEEP

    6144:y34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTg:yIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\75744da9a671242b908e36a14db2b512b454f506e6eee9e77da3bec1e7225f7d.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2384
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    1⤵
      PID:2840
    • C:\Users\Admin\AppData\Local\uwmA\unregmp2.exe
      C:\Users\Admin\AppData\Local\uwmA\unregmp2.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2624
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:1984
      • C:\Users\Admin\AppData\Local\h8G8\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\h8G8\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2332
      • C:\Windows\system32\perfmon.exe
        C:\Windows\system32\perfmon.exe
        1⤵
          PID:1476
        • C:\Users\Admin\AppData\Local\0KqLVHBH\perfmon.exe
          C:\Users\Admin\AppData\Local\0KqLVHBH\perfmon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1804

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0KqLVHBH\Secur32.dll
          Filesize

          668KB

          MD5

          6ee6432c2a9a0727a8dee618e4b79c58

          SHA1

          52eb879b159345421c1e69113fb7c2c5741ad2db

          SHA256

          e1fb2894c534949a2b941849e15d3ee4fe5b0203bb2d5936e9628d2f6a01fbf8

          SHA512

          65de6ff18bfbc34139071aeb5dfdfb532e970e5a49914ab42ca74296ba9594591b09a156f522c70351d371d32653c6823c3c4f2d9f80d572e1c0e173a3deea93

          Download Submit

        • C:\Users\Admin\AppData\Local\h8G8\FVEWIZ.dll
          Filesize

          668KB

          MD5

          4faafac550bb4d2c2bf05ea94f273a3b

          SHA1

          dbe267d4c7aad28a91350708c3fb3ec013a72611

          SHA256

          3dbfb3ff0d3e57a6a3616644106625e3c9ccf903b7ae2d52baa4e3ac27a73674

          SHA512

          f8c3da74c2ae8fbe767d788c7e2f3d0265d076b46c8e04647ac197eb14be43380db77c35c2d673d6d166d90e73d0bb039b095d130540a342cd8b5db880878656

          Download Submit

        • C:\Users\Admin\AppData\Local\uwmA\VERSION.dll
          Filesize

          668KB

          MD5

          95ef7b7235925abe6876738c649900ad

          SHA1

          04629bc5b1a6d4d436506664b92e41bef3158efd

          SHA256

          351c84be50d9e9ffb030c24a7d6cb2cc6923ed25ece536c3f11f2e0f1a97883f

          SHA512

          20bade1b45867527ccb1430826feae9eb305dae2984770b2667672f32a3093ce70b5e37c576f3c60247f6a057fbecfb57e788f12bdcd3b31edfc46a864c8bf5b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          998B

          MD5

          b655f1db02cba43057bc83702dcf5dac

          SHA1

          3b7f747800936e2a816834529e04085a1d47d6ba

          SHA256

          09d6e79a4ce109452a0d1bde4c4964190a053a865a1f2d62fa34c9879741c7f3

          SHA512

          6ce2b036decd5b527dc06475ffdb0431c0f13fb81539e978c4ecc2b527a9464b20d75a74f05bae875e3d96e60c28a3788b136881977fa26c23a1774e01452cfe

          Download Submit

        • \Users\Admin\AppData\Local\0KqLVHBH\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit

        • \Users\Admin\AppData\Local\h8G8\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit

        • \Users\Admin\AppData\Local\uwmA\unregmp2.exe
          Filesize

          316KB

          MD5

          64b328d52dfc8cda123093e3f6e4c37c

          SHA1

          f68f45b21b911906f3aa982e64504e662a92e5ab

          SHA256

          7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

          SHA512

          e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

          Download Submit

        • memory/1196-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-3-0x0000000076E66000-0x0000000076E67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-22-0x0000000002A40000-0x0000000002A47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-24-0x00000000771D0000-0x00000000771D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-25-0x0000000077200000-0x0000000077202000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-35-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-4-0x0000000002A60000-0x0000000002A61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-44-0x0000000076E66000-0x0000000076E67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1196-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1804-90-0x000007FEF6210000-0x000007FEF62B7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2332-69-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2332-70-0x000007FEF6210000-0x000007FEF62B7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2332-74-0x000007FEF6210000-0x000007FEF62B7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2384-43-0x000007FEF6780000-0x000007FEF6826000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2384-1-0x000007FEF6780000-0x000007FEF6826000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2384-0-0x0000000001CF0000-0x0000000001CF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2624-57-0x000007FEF6830000-0x000007FEF68D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2624-53-0x000007FEF6830000-0x000007FEF68D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2624-52-0x0000000000310000-0x0000000000317000-memory.dmp

          Filesize

          28KB

          Download