Overview

overview

10

Static

static

3

94a90a4eb2...12.dll

windows7-x64

10

94a90a4eb2...12.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94a90a4eb25abcbbac0c023c3736473b5a29df02f1a702ca86d037b5ca244312.dll

  • Size

    664KB

  • MD5

    ce92fb27287b8d8da3b53825faebe282

  • SHA1

    b0b3a97dcfecb6a25ad52cfca9a9f8708eaa3a76

  • SHA256

    94a90a4eb25abcbbac0c023c3736473b5a29df02f1a702ca86d037b5ca244312

  • SHA512

    27f0d045d02c93cc1ebc5e5ab22716fa48d02d00f02445b3e215c980e01ef1d688cbbd732924113fdb691ec076fefa0ee8f5124b4164544168397b6129a8f215

  • SSDEEP

    6144:S34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:SIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\94a90a4eb25abcbbac0c023c3736473b5a29df02f1a702ca86d037b5ca244312.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:768
  • C:\Windows\system32\dwm.exe
    C:\Windows\system32\dwm.exe
    1⤵
      PID:4864
    • C:\Users\Admin\AppData\Local\XkIu\dwm.exe
      C:\Users\Admin\AppData\Local\XkIu\dwm.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4812
    • C:\Windows\system32\SystemPropertiesProtection.exe
      C:\Windows\system32\SystemPropertiesProtection.exe
      1⤵
        PID:748
      • C:\Users\Admin\AppData\Local\ahZb\SystemPropertiesProtection.exe
        C:\Users\Admin\AppData\Local\ahZb\SystemPropertiesProtection.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2212
      • C:\Windows\system32\CustomShellHost.exe
        C:\Windows\system32\CustomShellHost.exe
        1⤵
          PID:452
        • C:\Users\Admin\AppData\Local\iDF78A\CustomShellHost.exe
          C:\Users\Admin\AppData\Local\iDF78A\CustomShellHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4848

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\XkIu\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\XkIu\dxgi.dll
          Filesize

          668KB

          MD5

          8939ed43dfa7315274772f171010e849

          SHA1

          b86fe16a0028d7f41896ba94a363143cba23ccb1

          SHA256

          80895cb9961fc8a6f374bb7382f05c758e9f5ca233ac32864fe4235f1b271afd

          SHA512

          9007c7b07328a6037d982f8c09408c543f29e6d0c6a6cea166850ecd778d5d8259d9cd55b955d1e40469d195243c537321b0e488801aaf9d88840575c4bf874d

          Download Submit

        • C:\Users\Admin\AppData\Local\ahZb\SYSDM.CPL
          Filesize

          668KB

          MD5

          a8ea455f6fb4af64e1da0eb0d1e539ee

          SHA1

          b2c59685ba38abd0e56b42c5b7a7a0b0e0575600

          SHA256

          df73c43a8d8f2499de2d4704a811b526d9b66fc6fd682ec50611a2d8cdd2f9e4

          SHA512

          65b63063df8ad867ee37f61d6bcb6824da5dba3e76f5c57f4ade3931f00979f78e07eabbe4d20b753f248a307a7e1119f530f372f33eb90646dc9664074cc9df

          Download Submit

        • C:\Users\Admin\AppData\Local\ahZb\SystemPropertiesProtection.exe
          Filesize

          82KB

          MD5

          26640d2d4fa912fc9a354ef6cfe500ff

          SHA1

          a343fd82659ce2d8de3beb587088867cf2ab8857

          SHA256

          a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

          SHA512

          26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

          Download Submit

        • C:\Users\Admin\AppData\Local\iDF78A\CustomShellHost.exe
          Filesize

          835KB

          MD5

          70400e78b71bc8efdd063570428ae531

          SHA1

          cd86ecd008914fdd0389ac2dc00fe92d87746096

          SHA256

          91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

          SHA512

          53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

          Download Submit

        • C:\Users\Admin\AppData\Local\iDF78A\WTSAPI32.dll
          Filesize

          668KB

          MD5

          65ed848bdc9dd7e9d02b58cd906545a9

          SHA1

          71b216cebfc01a34e85a48d9db5577f80a023efe

          SHA256

          878e13ef0e4a0cfdd8fe4d3672b0de521e7143abe580ccd12ad8d687c49cfe31

          SHA512

          c95b0925f0fd5eae81f79bc8ed23dfbf9dec98744a87147f8c20f2dc31bb9022ac5b056fe45b85e3a889f09cb31af7ec11e9f64bbcd19a66a270651668749f04

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          1KB

          MD5

          6dae35660fa60ea9d75f2ec387be9f6a

          SHA1

          7068db6768af6b09a679430f94f8b9dee543d3f1

          SHA256

          905bff3b913311ad6a5904c3e4b853e90eb1fbcd6f84027637d2280f79ba93d7

          SHA512

          0ac1b96de1851946d8b3238151f54dedfe3dc0c7f25d9e66448ea6b0750278d31e6ed71cbfe36d5dfd92c114b127e71aef7c82d3c8d9007fcc3b73b583efddb6

          Download Submit

        • memory/768-2-0x0000020CA42B0000-0x0000020CA42B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/768-0-0x00007FFD7C940000-0x00007FFD7C9E6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/768-37-0x00007FFD7C940000-0x00007FFD7C9E6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2212-64-0x00007FFD6DE50000-0x00007FFD6DEF7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2212-59-0x00000169CA390000-0x00000169CA397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3476-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-24-0x00007FFD8B840000-0x00007FFD8B850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3476-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-25-0x00007FFD8B830000-0x00007FFD8B840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3476-5-0x00007FFD89DEA000-0x00007FFD89DEB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3476-3-0x00000000024D0000-0x00000000024D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3476-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3476-22-0x0000000000A20000-0x0000000000A27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3476-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/4812-50-0x00007FFD6DE50000-0x00007FFD6DEF7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4812-48-0x00007FFD6DE50000-0x00007FFD6DEF7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4812-47-0x000001C50CA10000-0x000001C50CA17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4848-79-0x00007FFD6DE50000-0x00007FFD6DEF7000-memory.dmp

          Filesize

          668KB

          Download