Overview

overview

10

Static

static

3

935df89b2b...fd.dll

windows7-x64

10

935df89b2b...fd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 07:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    935df89b2b9b8b96959f35ffdf9e2bde46b01560f21c729b00cb4d13e0ff02fd.dll

  • Size

    952KB

  • MD5

    97a982e24ffe6987e49fd0cb330a17ec

  • SHA1

    404d71db7a082078c62ee0811513d80a083f0c39

  • SHA256

    935df89b2b9b8b96959f35ffdf9e2bde46b01560f21c729b00cb4d13e0ff02fd

  • SHA512

    11fb5562e1f5c5a19fd7ad769be5c786d5abc69105c1dea3d8854aff57e525c9a95bf78c798c43d1665256f128fb714ed25380a970a7c6bba21d2f8709489f31

  • SSDEEP

    6144:534xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:5IKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\935df89b2b9b8b96959f35ffdf9e2bde46b01560f21c729b00cb4d13e0ff02fd.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2568
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    1⤵
      PID:2700
    • C:\Users\Admin\AppData\Local\Uo5cA\rdpclip.exe
      C:\Users\Admin\AppData\Local\Uo5cA\rdpclip.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2640
    • C:\Windows\system32\ComputerDefaults.exe
      C:\Windows\system32\ComputerDefaults.exe
      1⤵
        PID:2376
      • C:\Users\Admin\AppData\Local\wqa\ComputerDefaults.exe
        C:\Users\Admin\AppData\Local\wqa\ComputerDefaults.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2208
      • C:\Windows\system32\raserver.exe
        C:\Windows\system32\raserver.exe
        1⤵
          PID:1900
        • C:\Users\Admin\AppData\Local\WJ99z3\raserver.exe
          C:\Users\Admin\AppData\Local\WJ99z3\raserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1984

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Uo5cA\WINSTA.dll
          Filesize

          960KB

          MD5

          af9163157a88578547806254108f3261

          SHA1

          935037af0eedd61ad598e8cfa446af90affb2dd3

          SHA256

          61b03321dde4c38fe050ea05715915b4d570693ed5c71c7dec39411a8d52efa0

          SHA512

          65c451ebcc3d35146a55aaed44a52342c7d89d444fd1bbbba7e5bf40abd8be11c99fe79c778766d332c012e2937ef320c4bc785dd66bbc2f6292093c6d7f03a2

          Download Submit

        • C:\Users\Admin\AppData\Local\WJ99z3\WTSAPI32.dll
          Filesize

          956KB

          MD5

          1a6e933e6c1ac67ce81809692cd61715

          SHA1

          a6782c7ad7a00d63d2eba10fadb62b43667f4c0a

          SHA256

          1b417316288bda8ebb60f80169149e7a2835c9c1d96b5d77ca7648c91cc30296

          SHA512

          bca4751a3de52dd4ba6f284764574a200224ca6a2490972a645941e715b98f08456b63c8c92ef5d4255f3edb90598c557bc5e4ecd9611bebcbaf8492d15649c8

          Download Submit

        • C:\Users\Admin\AppData\Local\wqa\appwiz.cpl
          Filesize

          956KB

          MD5

          98bdb39582de405d825063d643fabfb2

          SHA1

          192989f894ef08e3a18f5a1d9a0c33184f6cd6a9

          SHA256

          5fa1b78f3881c50556d85bb5f6258f67683972a8035736fea3d61a87fbc29152

          SHA512

          0c5085cc4b75eb129dded848ae4f4e1c5fa59f4f02cb598c9077749e9bb24b8ce21947a7246785829fd98a670a363961c1b5e8e556e089aea16cd3531e1b6d0f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          1e423b09fcd0309cc1e309eb940413fc

          SHA1

          39972b56007c082e7a88748f80a13f824a746bdc

          SHA256

          a48c3fe8e018c92da893572f766c7f6685c801aef78caa04d367a9e8b2ad0db1

          SHA512

          392c6dd68c9b7a9947a8447e247367fa3c24b4f819babd51ce76a197f766401d183e1431bf4a5971a620811ccdb7521c1b678d5f60c2b035afc64261a2976491

          Download Submit

        • \Users\Admin\AppData\Local\Uo5cA\rdpclip.exe
          Filesize

          206KB

          MD5

          25d284eb2f12254c001afe9a82575a81

          SHA1

          cf131801fdd5ec92278f9e0ae62050e31c6670a5

          SHA256

          837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

          SHA512

          7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

          Download Submit

        • \Users\Admin\AppData\Local\WJ99z3\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • \Users\Admin\AppData\Local\wqa\ComputerDefaults.exe
          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

          Download Submit

        • memory/1188-25-0x0000000002D00000-0x0000000002D07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-39-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-15-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-14-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-13-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-12-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-11-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-10-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-9-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-8-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-26-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-3-0x0000000077276000-0x0000000077277000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-27-0x00000000775E0000-0x00000000775E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-28-0x0000000077610000-0x0000000077612000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-38-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-16-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-4-0x0000000002D20000-0x0000000002D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-47-0x0000000077276000-0x0000000077277000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-17-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-18-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-6-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1188-7-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1984-93-0x000007FEF6D70000-0x000007FEF6E5F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2208-72-0x000007FEF6D70000-0x000007FEF6E5F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2208-74-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2208-77-0x000007FEF6D70000-0x000007FEF6E5F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2568-46-0x000007FEF6D70000-0x000007FEF6E5E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2568-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2568-1-0x000007FEF6D70000-0x000007FEF6E5E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2640-60-0x000007FEF7390000-0x000007FEF7480000-memory.dmp

          Filesize

          960KB

          Download

        • memory/2640-57-0x000007FEF7390000-0x000007FEF7480000-memory.dmp

          Filesize

          960KB

          Download

        • memory/2640-55-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download