Overview

overview

10

Static

static

3

5a9312f37f...ab.dll

windows7-x64

10

5a9312f37f...ab.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a9312f37fc4f6e40e1cf12c15df2a7d84199ac4d594831db9f6ca1c4a6cbfab.dll

  • Size

    668KB

  • MD5

    f640bf21877302ba5a105a1cc52c4aef

  • SHA1

    7f84c86e274bed6a64be7123cb15f4e1fc477ff6

  • SHA256

    5a9312f37fc4f6e40e1cf12c15df2a7d84199ac4d594831db9f6ca1c4a6cbfab

  • SHA512

    d0f670cd9a926c674bfb926b6d080ecc8e0b3d6f2350567cb0d8ff56a15c53b461064026f5b9604afbab6035b4aed7786c66d3ef529fa789708910c1d6acc3fd

  • SSDEEP

    6144:f34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT9:fIKp/UWCZdCDh2IZDwAFRpR6Auz1

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a9312f37fc4f6e40e1cf12c15df2a7d84199ac4d594831db9f6ca1c4a6cbfab.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2872
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:2364
    • C:\Users\Admin\AppData\Local\C36CH9N\raserver.exe
      C:\Users\Admin\AppData\Local\C36CH9N\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2640
    • C:\Windows\system32\irftp.exe
      C:\Windows\system32\irftp.exe
      1⤵
        PID:2432
      • C:\Users\Admin\AppData\Local\u3D7Ss5J\irftp.exe
        C:\Users\Admin\AppData\Local\u3D7Ss5J\irftp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2716
      • C:\Windows\system32\dialer.exe
        C:\Windows\system32\dialer.exe
        1⤵
          PID:2924
        • C:\Users\Admin\AppData\Local\mTKVV7w9V\dialer.exe
          C:\Users\Admin\AppData\Local\mTKVV7w9V\dialer.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1356

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\C36CH9N\WTSAPI32.dll
          Filesize

          672KB

          MD5

          1e44c14f2284324a90b1edfb112ef9e2

          SHA1

          e0956e4f1085f52e1963a45f70aa7a5844dee156

          SHA256

          9ad0ad4adbb2644bed5483bba7cd7cda4782b6fa243b9f38918adad0148b808d

          SHA512

          cb9f686940f29728638ef4c60d44251038a2b6589c5cb40db9b3ce5ceb9c58e9b84d9e66e242fc632f489d6909a610fc981e1178d1a92830b51be170181d5198

          Download Submit

        • C:\Users\Admin\AppData\Local\mTKVV7w9V\TAPI32.dll
          Filesize

          676KB

          MD5

          10f5f800e19d2919f99fec3120c2198d

          SHA1

          932d282c7c8cc62e7988251f2856ef8c0a1d1b9b

          SHA256

          117c9d2fb29c353944e8b75e836d96c408a29ee981e255b73b0e0d3ebd5dcb60

          SHA512

          bf05243628d10d1aa0e4fd4865df505f1443b84171460d6ee9daa91089fcecf1cadd6765b7744a11cc452e33081e6b4c8c03617e1b3ba9e5f074f5610784348f

          Download Submit

        • C:\Users\Admin\AppData\Local\mTKVV7w9V\dialer.exe
          Filesize

          34KB

          MD5

          46523e17ee0f6837746924eda7e9bac9

          SHA1

          d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

          SHA256

          23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

          SHA512

          c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

          Download Submit

        • C:\Users\Admin\AppData\Local\u3D7Ss5J\MFC42u.dll
          Filesize

          696KB

          MD5

          a6fcc1b663d01bb5d30b755df8ca7252

          SHA1

          3b1976c87e0fcbed27a9766f03602867329a8f71

          SHA256

          60ec262fa341126af6b06c64874e1777a80ca594d3c05e9d5592f365423941de

          SHA512

          4d6ddd6be51da07de1b5d5d3a8ff4740cb478871930a99a79f945aefe28a244058dc81759ebe6f9bfd55ac835785f2524ee1dfe8d8e301f5f2586994946435d1

          Download Submit

        • C:\Users\Admin\AppData\Local\u3D7Ss5J\irftp.exe
          Filesize

          192KB

          MD5

          0cae1fb725c56d260bfd6feba7ae9a75

          SHA1

          102ac676a1de3ec3d56401f8efd518c31c8b0b80

          SHA256

          312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

          SHA512

          db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          e2f5c8e808f63cc76235e4188845a949

          SHA1

          d3fd177264bac3e9dd4f3ba01866976a8dcd5e92

          SHA256

          1f36ff7f9a0791080007363431ae0b20ad39d2eca6aa6333f95910bf4dfeecd3

          SHA512

          7b12cd4bb7625058dea168d0efa1456786c26bff5615e83b2110036d49ed0820227258a8176dc7ee8d4a73602e5a0d893dfbf4bc152e60b1849ff8c4857c940b

          Download Submit

        • \Users\Admin\AppData\Local\C36CH9N\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • memory/1204-26-0x00000000773D0000-0x00000000773D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-45-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-25-0x00000000773A0000-0x00000000773A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-3-0x0000000077136000-0x0000000077137000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-36-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-23-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1204-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1356-87-0x000007FEF6100000-0x000007FEF61A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1356-91-0x000007FEF6100000-0x000007FEF61A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2640-58-0x000007FEF69E0000-0x000007FEF6A88000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2640-53-0x000007FEF69E0000-0x000007FEF6A88000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2640-55-0x0000000000320000-0x0000000000327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-72-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2716-70-0x000007FEF6100000-0x000007FEF61AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2716-75-0x000007FEF6100000-0x000007FEF61AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2872-44-0x000007FEF6930000-0x000007FEF69D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2872-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2872-0-0x000007FEF6930000-0x000007FEF69D7000-memory.dmp

          Filesize

          668KB

          Download