Overview

overview

10

Static

static

3

349a48524a...88.dll

windows7-x64

10

349a48524a...88.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/10/2024, 07:17

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    349a48524a21cc6f8d8aed8caaa9fa006a558a7551506d831a29ce61ae7ee088.dll

  • Size

    952KB

  • MD5

    e9caaf99ddd15f21e80be6ad6ba0061a

  • SHA1

    216eebcaf321981fb3d87b6c49baa53e35ce405e

  • SHA256

    349a48524a21cc6f8d8aed8caaa9fa006a558a7551506d831a29ce61ae7ee088

  • SHA512

    cbe0c6597f954722d2d85e599c55a96334d7c650beb9df375e7a1fb55eb92d1697611ec33d536645c41b856d392c9e5f0a0a4296180bae03ea2376514666d5e7

  • SSDEEP

    6144:x34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:xIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\349a48524a21cc6f8d8aed8caaa9fa006a558a7551506d831a29ce61ae7ee088.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1360
  • C:\Windows\system32\RecoveryDrive.exe
    C:\Windows\system32\RecoveryDrive.exe
    1⤵
      PID:4036
    • C:\Users\Admin\AppData\Local\ierQY0tyM\RecoveryDrive.exe
      C:\Users\Admin\AppData\Local\ierQY0tyM\RecoveryDrive.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3276
    • C:\Windows\system32\SystemPropertiesProtection.exe
      C:\Windows\system32\SystemPropertiesProtection.exe
      1⤵
        PID:3432
      • C:\Users\Admin\AppData\Local\Me7T\SystemPropertiesProtection.exe
        C:\Users\Admin\AppData\Local\Me7T\SystemPropertiesProtection.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3116
      • C:\Windows\system32\DeviceEnroller.exe
        C:\Windows\system32\DeviceEnroller.exe
        1⤵
          PID:2924
        • C:\Users\Admin\AppData\Local\vDi86PsB\DeviceEnroller.exe
          C:\Users\Admin\AppData\Local\vDi86PsB\DeviceEnroller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3492

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Me7T\SYSDM.CPL
          Filesize

          956KB

          MD5

          7598b2b02f67a51597c407a353e1d256

          SHA1

          f92ef7efd5364d3bee832caffdded45821fa8880

          SHA256

          a6b3d653ba01d07c6d61d56133e31793ca8f8abb4b9c275bde55f7d9dcb1da3f

          SHA512

          ad58127667e783d67eebcf48857335be2c16b14663109e76bc480fc0ef4037ac269c07738f5935344f9f0406f7b1749d46289a3b87450e41084ef0713a98218b

          Download Submit

        • C:\Users\Admin\AppData\Local\Me7T\SystemPropertiesProtection.exe
          Filesize

          82KB

          MD5

          26640d2d4fa912fc9a354ef6cfe500ff

          SHA1

          a343fd82659ce2d8de3beb587088867cf2ab8857

          SHA256

          a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

          SHA512

          26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

          Download Submit

        • C:\Users\Admin\AppData\Local\ierQY0tyM\ReAgent.dll
          Filesize

          956KB

          MD5

          7fd93ac48667c27715f2b3bb200801d0

          SHA1

          2f8ca08474c97089d6a2c373d07c71c6c57b31f9

          SHA256

          7b92745f60a2cf542aead6b02d73dd228c20248295b655dc0e5165803b3295a7

          SHA512

          787e7b941a429297fbadef3c8d43dcc67cdad3dbf590a080cbf13a14ceb0422adee957822b6b362d02c0568585d12a235229bc906882090dc2ed1426e6df23b6

          Download Submit

        • C:\Users\Admin\AppData\Local\ierQY0tyM\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\vDi86PsB\DeviceEnroller.exe
          Filesize

          448KB

          MD5

          946d9474533f58d2613078fd14ca7473

          SHA1

          c2620ac9522fa3702a6a03299b930d6044aa5e49

          SHA256

          cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

          SHA512

          3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

          Download Submit

        • C:\Users\Admin\AppData\Local\vDi86PsB\XmlLite.dll
          Filesize

          956KB

          MD5

          52fb17f712b4f7a435732987b1f184f0

          SHA1

          0f8548cd01271c17f715327dcf9f68412a0ca85d

          SHA256

          751caae7f4fcfd93da39ec1c58c443dd8570a529c5455254660fb68d1283ed0d

          SHA512

          484b63873db0cd23514a6f96c43c04c6e06da44924b3e2f1e3c1e37a59bb397cddf4e670d12c18487b91a8c508c534d73c982e6bf468c958cc1dc748ceba2ec6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk
          Filesize

          999B

          MD5

          884083d509a78e0013d3652e1fed92af

          SHA1

          b7da130403addae6e70f4666dc04eba43a71516f

          SHA256

          0dbd8b8af195bf8112bf32dd8ca467902e9dfc502f8b0b58abd32ee7ec6e554e

          SHA512

          f4e6c3ebb90c053c6d5cc159beb733ee558b6a535f135972c7b53f1be66f96f0d57fc37c1b90f642b2af6f6f5e6cce4d4578509babb08eeec7ce3d06210c3844

          Download Submit

        • memory/1360-1-0x00007FFDAC4F0000-0x00007FFDAC5DE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1360-40-0x00007FFDAC4F0000-0x00007FFDAC5DE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1360-2-0x0000023842E70000-0x0000023842E77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3116-63-0x00007FFD9E260000-0x00007FFD9E34F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3116-65-0x0000024669DF0000-0x0000024669DF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3116-68-0x00007FFD9E260000-0x00007FFD9E34F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3276-52-0x00007FFD9E1A0000-0x00007FFD9E28F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3276-47-0x0000027EF9D60000-0x0000027EF9D67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3276-48-0x00007FFD9E1A0000-0x00007FFD9E28F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3492-83-0x00007FFD9E260000-0x00007FFD9E34F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3528-28-0x00007FFDBBB30000-0x00007FFDBBB40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-15-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-8-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-7-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-6-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-10-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-11-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-12-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-13-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-9-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-26-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-27-0x00007FFDBBB40000-0x00007FFDBBB50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-37-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-17-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-18-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-25-0x0000000000730000-0x0000000000737000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3528-16-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-14-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3528-3-0x00007FFDBA31A000-0x00007FFDBA31B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-4-0x00000000024B0000-0x00000000024B1000-memory.dmp

          Filesize

          4KB

          Download