Overview

overview

10

Static

static

3

43508d520d...92.dll

windows7-x64

10

43508d520d...92.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 05:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43508d520d7e2071ccd08862888e65cb9ae724268835584aec28c355f22f1d92.dll

  • Size

    948KB

  • MD5

    c3da5425420b0f94aa1a58c38ef6d14d

  • SHA1

    891965f46beafca8d84b87e9aa815d8d7b8171fd

  • SHA256

    43508d520d7e2071ccd08862888e65cb9ae724268835584aec28c355f22f1d92

  • SHA512

    1ebc2ca75e6354edd72ef76991569565199267a472756077166deed6fa6b22e46d5df3546910c78b4b80b54e0e98f6eb5142e254feffae2026f46773ac687dee

  • SSDEEP

    6144:D34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:DIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\43508d520d7e2071ccd08862888e65cb9ae724268835584aec28c355f22f1d92.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2596
  • C:\Windows\system32\OptionalFeatures.exe
    C:\Windows\system32\OptionalFeatures.exe
    1⤵
      PID:2916
    • C:\Users\Admin\AppData\Local\bnZI4cI\OptionalFeatures.exe
      C:\Users\Admin\AppData\Local\bnZI4cI\OptionalFeatures.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2672
    • C:\Windows\system32\msconfig.exe
      C:\Windows\system32\msconfig.exe
      1⤵
        PID:2900
      • C:\Users\Admin\AppData\Local\fxCYMs\msconfig.exe
        C:\Users\Admin\AppData\Local\fxCYMs\msconfig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3032
      • C:\Windows\system32\cttune.exe
        C:\Windows\system32\cttune.exe
        1⤵
          PID:1932
        • C:\Users\Admin\AppData\Local\2i4Sf5\cttune.exe
          C:\Users\Admin\AppData\Local\2i4Sf5\cttune.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:608

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2i4Sf5\UxTheme.dll
          Filesize

          952KB

          MD5

          51b218e2e427efce71755b395f67f088

          SHA1

          b8a2656b92d1cde887a425d040f47f2dfd0ed71e

          SHA256

          aac3f57d7947643783ae1765a1b3b497a8096fa5276caccd42f6501887b0997f

          SHA512

          486603068e84bc2ef381f401d721bfff899bc11b56aa144a25a2928c2eb30fcf0997a7f936b104a43bf321810bcc32cee3e7322406740d6a888c405695531c19

          Download Submit

        • C:\Users\Admin\AppData\Local\bnZI4cI\OptionalFeatures.exe
          Filesize

          95KB

          MD5

          eae7af6084667c8f05412ddf096167fc

          SHA1

          0dbe8aba001447030e48e8ad5466fd23481e6140

          SHA256

          01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

          SHA512

          172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

          Download Submit

        • C:\Users\Admin\AppData\Local\bnZI4cI\appwiz.cpl
          Filesize

          952KB

          MD5

          a4008ea96b0bb08e18a0f436bcade2ea

          SHA1

          33025e654fbe6406bbf36593ea285577c5612497

          SHA256

          abd3caf990775eccb76aed94dcef10dbb869d38dd47c0a409860fdcc0049f135

          SHA512

          d1ec51bded978407291da9abd018cfc8a2fca3d403f02a4bf8b01e478aed016404f5ffdf4d019419cfd10be6adf6ca0e0e7aac2675bd8837b629d1a476b65f77

          Download Submit

        • C:\Users\Admin\AppData\Local\fxCYMs\VERSION.dll
          Filesize

          952KB

          MD5

          fa85d76f24e574e31092be31025ec09c

          SHA1

          502652249f07907e32f06b5d7aff3771df1134ef

          SHA256

          992ac224a49d722015c6408e7aaf82a4520bd44e4981a2d4c489be2593a08047

          SHA512

          bd2374b44889b0fa74aef5378d6d292ecf38f6b9656185c02d132619904e0953c53c891959bca63507c10c9501c55a1f1829d543c333c8c8d92087772d672917

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          b7c1a6cc532505784367af71a6fc2f58

          SHA1

          7caedc7f759c12b5d7f642cbdd8eba6f65ad553b

          SHA256

          5001bbf2182bcf738ae22246aa19b6bcedf3234aac4a18aec94498b817bf4d1c

          SHA512

          228c41ba00226c0670dae46c3d8ce0eeeaf0cbef13b7fb29b3db85f7be5d9920dcfc3144e253f8fb8f9c2a798238f6e18b2ad5e00caf10a0b8b709534ca3a09c

          Download Submit

        • \Users\Admin\AppData\Local\2i4Sf5\cttune.exe
          Filesize

          314KB

          MD5

          7116848fd23e6195fcbbccdf83ce9af4

          SHA1

          35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

          SHA256

          39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

          SHA512

          e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

          Download Submit

        • \Users\Admin\AppData\Local\fxCYMs\msconfig.exe
          Filesize

          293KB

          MD5

          e19d102baf266f34592f7c742fbfa886

          SHA1

          c9c9c45b7e97bb7a180064d0a1962429f015686d

          SHA256

          f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

          SHA512

          1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

          Download Submit

        • memory/608-92-0x000007FEF7230000-0x000007FEF731E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/608-88-0x000007FEF7230000-0x000007FEF731E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1284-27-0x00000000770C0000-0x00000000770C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1284-15-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-13-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-12-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-25-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-11-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-10-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-9-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-8-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-3-0x0000000076D26000-0x0000000076D27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-26-0x0000000077090000-0x0000000077092000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1284-36-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-37-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-4-0x0000000002060000-0x0000000002061000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-46-0x0000000076D26000-0x0000000076D27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-14-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-16-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-6-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-7-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-17-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1284-24-0x0000000002040000-0x0000000002047000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2596-45-0x000007FEF7270000-0x000007FEF735D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2596-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2596-1-0x000007FEF7270000-0x000007FEF735D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2672-59-0x000007FEF7360000-0x000007FEF744E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2672-54-0x000007FEF7360000-0x000007FEF744E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2672-56-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3032-71-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3032-72-0x000007FEF65F0000-0x000007FEF66DE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3032-76-0x000007FEF65F0000-0x000007FEF66DE000-memory.dmp

          Filesize

          952KB

          Download