Overview

overview

10

Static

static

3

349a48524a...88.dll

windows7-x64

10

349a48524a...88.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    349a48524a21cc6f8d8aed8caaa9fa006a558a7551506d831a29ce61ae7ee088.dll

  • Size

    952KB

  • MD5

    e9caaf99ddd15f21e80be6ad6ba0061a

  • SHA1

    216eebcaf321981fb3d87b6c49baa53e35ce405e

  • SHA256

    349a48524a21cc6f8d8aed8caaa9fa006a558a7551506d831a29ce61ae7ee088

  • SHA512

    cbe0c6597f954722d2d85e599c55a96334d7c650beb9df375e7a1fb55eb92d1697611ec33d536645c41b856d392c9e5f0a0a4296180bae03ea2376514666d5e7

  • SSDEEP

    6144:x34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:xIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\349a48524a21cc6f8d8aed8caaa9fa006a558a7551506d831a29ce61ae7ee088.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2808
  • C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe
    1⤵
      PID:1420
    • C:\Users\Admin\AppData\Local\Z9J4k2Uc\cmstp.exe
      C:\Users\Admin\AppData\Local\Z9J4k2Uc\cmstp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2648
    • C:\Windows\system32\SoundRecorder.exe
      C:\Windows\system32\SoundRecorder.exe
      1⤵
        PID:2072
      • C:\Users\Admin\AppData\Local\P9KcB\SoundRecorder.exe
        C:\Users\Admin\AppData\Local\P9KcB\SoundRecorder.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2852
      • C:\Windows\system32\p2phost.exe
        C:\Windows\system32\p2phost.exe
        1⤵
          PID:2952
        • C:\Users\Admin\AppData\Local\rQbwe\p2phost.exe
          C:\Users\Admin\AppData\Local\rQbwe\p2phost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2512

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\P9KcB\WINMM.dll
          Filesize

          960KB

          MD5

          ca9e83034e20a0fa93717bcc7f40146b

          SHA1

          0782d78e88e0f9b98fda5f205e8a87f85a2fac1d

          SHA256

          fdafbbb5633437ea4acd6125961f64a5cc47e6ce058f782e151857f204a553ed

          SHA512

          f28e48388dab95873d77cadde4e818d16216f82f29d82feee005fb18eab9130946cb197ba2eed77c75f79f85ea1c984d4c2c038bf1819db40fbb965fe67bcc49

          Download Submit

        • C:\Users\Admin\AppData\Local\Z9J4k2Uc\VERSION.dll
          Filesize

          956KB

          MD5

          277a45bdf56b62cfb4d1811d132abcac

          SHA1

          a1563bec5846a68c48839a9c8072eb01e8175d34

          SHA256

          561be4a292c2a283cbb8c7f39f02c5b6bd156b60d7ec4847e01dc23f75095b0f

          SHA512

          8aaf4657e2429a6fb524757fc4c44f19abb2513b9a864d5c3ef9fa72cb73ea1dbb55644bbb456a92558348c020268adad40e121e9e65b30971ecd2d36d73c020

          Download Submit

        • C:\Users\Admin\AppData\Local\rQbwe\P2P.dll
          Filesize

          956KB

          MD5

          638eafc9fc34af999c3df461fa5f0aae

          SHA1

          5e18680a88d3ca0486e7446726dace7b25f3f040

          SHA256

          6a0fa3e0c0b1a9ba67bf8f95d5faa4e618b936b0f0587764d8b788ba4664ee5c

          SHA512

          b6f779de01501f1ed95d9a9637e01e63406c8edd66d36092784da4f8e66899a52b7bd90fc6220736baa49242b5cf003992a4ffff5e54d051cddb2185957e4180

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          5d0593a690ab4dfc97ef03bc77cdc5c8

          SHA1

          fb3c01c154374f675f852f715ea57ae4f349e8eb

          SHA256

          6004b8a2127db1f5f35d36a4509710e132fc136e49bc2b93d74b95a419b19d11

          SHA512

          f68c44fbadd4468408ecdd87e39eb5a3181b81a693bb4932ba32f2c3ccb4073dab39c9a8b856604c98eb483e20e3e1c486b569d23007c59a6da7055de8c4459d

          Download Submit

        • \Users\Admin\AppData\Local\P9KcB\SoundRecorder.exe
          Filesize

          139KB

          MD5

          47f0f526ad4982806c54b845b3289de1

          SHA1

          8420ea488a2e187fe1b7fcfb53040d10d5497236

          SHA256

          e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

          SHA512

          4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

          Download Submit

        • \Users\Admin\AppData\Local\Z9J4k2Uc\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit

        • \Users\Admin\AppData\Local\rQbwe\p2phost.exe
          Filesize

          172KB

          MD5

          0dbd420477352b278dfdc24f4672b79c

          SHA1

          df446f25be33ac60371557717073249a64e04bb2

          SHA256

          1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

          SHA512

          84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

          Download Submit

        • memory/1212-16-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-47-0x0000000077A86000-0x0000000077A87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-17-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-3-0x0000000077A86000-0x0000000077A87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-15-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-26-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-14-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-28-0x0000000077D20000-0x0000000077D22000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-27-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-13-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-12-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-10-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-9-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-8-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-37-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-38-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-4-0x0000000002B90000-0x0000000002B91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-19-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-11-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-7-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-6-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1212-25-0x0000000002970000-0x0000000002977000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2512-93-0x000007FEFB6F0000-0x000007FEFB7DF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2512-89-0x000007FEFB6F0000-0x000007FEFB7DF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2648-55-0x000007FEFB820000-0x000007FEFB90F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2648-60-0x000007FEFB820000-0x000007FEFB90F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2648-57-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2808-46-0x000007FEFB730000-0x000007FEFB81E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2808-0-0x000007FEFB730000-0x000007FEFB81E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2808-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2852-73-0x000007FEFB6F0000-0x000007FEFB7E0000-memory.dmp

          Filesize

          960KB

          Download

        • memory/2852-72-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2852-77-0x000007FEFB6F0000-0x000007FEFB7E0000-memory.dmp

          Filesize

          960KB

          Download