Overview

overview

10

Static

static

3

d616010470...27.dll

windows7-x64

10

d616010470...27.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d616010470e5a7f7633e4f505709437b4d672312c57ab1724f3339bbc5acc727.dll

  • Size

    664KB

  • MD5

    192f752bbdcb5e33312abe8fd40eb318

  • SHA1

    efaccfee37c0fa32a1b45b156ad4e65a33bab91e

  • SHA256

    d616010470e5a7f7633e4f505709437b4d672312c57ab1724f3339bbc5acc727

  • SHA512

    0ed59a18735e566cc458b3c3dd27d07fa62d1ec55f67ea3e9f8779ac0ce7373da046ed4dc7b4420d33ec6e810b317f56317b8ba4861825221a2b4ed54cfc9f0e

  • SSDEEP

    6144:W34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:WIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d616010470e5a7f7633e4f505709437b4d672312c57ab1724f3339bbc5acc727.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2508
  • C:\Windows\system32\quickassist.exe
    C:\Windows\system32\quickassist.exe
    1⤵
      PID:1928
    • C:\Users\Admin\AppData\Local\CRMVG9\quickassist.exe
      C:\Users\Admin\AppData\Local\CRMVG9\quickassist.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2308
    • C:\Windows\system32\SystemPropertiesPerformance.exe
      C:\Windows\system32\SystemPropertiesPerformance.exe
      1⤵
        PID:1840
      • C:\Users\Admin\AppData\Local\8sxUk0\SystemPropertiesPerformance.exe
        C:\Users\Admin\AppData\Local\8sxUk0\SystemPropertiesPerformance.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1364
      • C:\Windows\system32\CustomShellHost.exe
        C:\Windows\system32\CustomShellHost.exe
        1⤵
          PID:1872
        • C:\Users\Admin\AppData\Local\ymQn7\CustomShellHost.exe
          C:\Users\Admin\AppData\Local\ymQn7\CustomShellHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1568

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8sxUk0\SYSDM.CPL
          Filesize

          668KB

          MD5

          5ff12cc40d005f3c35f536df50e88374

          SHA1

          31533555517f78fbc812d42113ee9a9f6650c7c0

          SHA256

          5cf790e6a7054e1d4c434b64a0b2f9e1b260539bfc0476f2979ad08d54f5ead1

          SHA512

          19a4546cbf956517fade8dd01d2de0e74b323e373198951fe7450ce6360fe7ac95de2eb8a5bd5f29e4ffe52f9675c25aab448702c16ad866846e35d4e53a5b4a

          Download Submit

        • C:\Users\Admin\AppData\Local\8sxUk0\SystemPropertiesPerformance.exe
          Filesize

          82KB

          MD5

          e4fbf7cab8669c7c9cef92205d2f2ffc

          SHA1

          adbfa782b7998720fa85678cc85863b961975e28

          SHA256

          b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

          SHA512

          c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

          Download Submit

        • C:\Users\Admin\AppData\Local\CRMVG9\UxTheme.dll
          Filesize

          668KB

          MD5

          cf781471e004751825576fd4d6d5a85f

          SHA1

          795d4eb8e6c900db73bbd6cc7906e7172f49380c

          SHA256

          e55fdf4c4b5cf1f2ce7c77a7be47ab5e88408b86982944ae1cb8f29e9c3a33b3

          SHA512

          b076a3a2daff193d048088774bfef7f3504fb79b23c63e684d42d72367bd44a494aeb3f119520e18546cc8c233699c6124161239b509572080eb9d5c04ce4cae

          Download Submit

        • C:\Users\Admin\AppData\Local\CRMVG9\quickassist.exe
          Filesize

          665KB

          MD5

          d1216f9b9a64fd943539cc2b0ddfa439

          SHA1

          6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

          SHA256

          c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

          SHA512

          c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

          Download Submit

        • C:\Users\Admin\AppData\Local\ymQn7\CustomShellHost.exe
          Filesize

          835KB

          MD5

          70400e78b71bc8efdd063570428ae531

          SHA1

          cd86ecd008914fdd0389ac2dc00fe92d87746096

          SHA256

          91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

          SHA512

          53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

          Download Submit

        • C:\Users\Admin\AppData\Local\ymQn7\WTSAPI32.dll
          Filesize

          668KB

          MD5

          563cad7fee33742226155bf432ceede3

          SHA1

          562bfba1e756e7cd71bca79ebe5dd5f6978d2e8e

          SHA256

          5b89c86a45fda420afe85b17f5a56288a7d913a192b1afe57efeb2db9fd0cd5c

          SHA512

          c077326f0c4a186f4eec395fc218e4ba8fba6871bff0045167334aeb2616123f8a64e8d589eaf4fa595b1a2e6fb8ba5d73b9fa21df2e3bca1e5a2fa60913dc87

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          1557840b6b2a4009d47fbee5fc3d1778

          SHA1

          dcb8a3804dba9496986c352f92e8c5c03fcbf584

          SHA256

          c04e6e92c3208bd7421a3d4c0f2e79646ee00407c88cd281e8405a7595b5619d

          SHA512

          0bcd4e739c0e06a0f1ae5f1c018c9c49cfcf1bc7d6e88dc7b5c6ba4166629fe2a6c860642ce3a311e6c9501b2772cc60872e08edafe6e4d33a108cc1f5b583a4

          Download Submit

        • memory/1364-65-0x00007FFC1C630000-0x00007FFC1C6D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1364-60-0x0000023C299D0000-0x0000023C299D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1568-80-0x00007FFC1C630000-0x00007FFC1C6D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2308-46-0x000002B8524A0000-0x000002B8524A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2308-49-0x00007FFC1C630000-0x00007FFC1C6D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2308-44-0x00007FFC1C630000-0x00007FFC1C6D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2508-37-0x00007FFC1D2F0000-0x00007FFC1D396000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2508-2-0x0000000000930000-0x0000000000937000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2508-1-0x00007FFC1D2F0000-0x00007FFC1D396000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-24-0x00007FFC2B380000-0x00007FFC2B390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3588-25-0x00007FFC2B370000-0x00007FFC2B380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3588-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-22-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3588-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3588-3-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3588-5-0x00007FFC2A7CA000-0x00007FFC2A7CB000-memory.dmp

          Filesize

          4KB

          Download