Overview

overview

10

Static

static

3

384e3ceb6e...01.dll

windows7-x64

10

384e3ceb6e...01.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    384e3ceb6e99ca5fd18c7acad5e19854eb15dfeee39eddef8635d2b65be15901.dll

  • Size

    684KB

  • MD5

    25f805609c924aa76767968ad908ffcb

  • SHA1

    191c36a856126af5946e9de9cea3a7cca9d8a961

  • SHA256

    384e3ceb6e99ca5fd18c7acad5e19854eb15dfeee39eddef8635d2b65be15901

  • SHA512

    334526e7f8b539fc079c1a8fc2b75ad0639f9149eb55651cbda11a2f7be30f9f1de8fe7882aca33d5f906c3a38b8fb17b68ad3b5282c1fa4339fb0f97656328d

  • SSDEEP

    12288:/fndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:3dAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\384e3ceb6e99ca5fd18c7acad5e19854eb15dfeee39eddef8635d2b65be15901.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2920
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    1⤵
      PID:2476
    • C:\Users\Admin\AppData\Local\9ifeJFfRM\SystemPropertiesDataExecutionPrevention.exe
      C:\Users\Admin\AppData\Local\9ifeJFfRM\SystemPropertiesDataExecutionPrevention.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2524
    • C:\Windows\system32\ddodiag.exe
      C:\Windows\system32\ddodiag.exe
      1⤵
        PID:536
      • C:\Users\Admin\AppData\Local\tNM43eAJ\ddodiag.exe
        C:\Users\Admin\AppData\Local\tNM43eAJ\ddodiag.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:988
      • C:\Windows\system32\ComputerDefaults.exe
        C:\Windows\system32\ComputerDefaults.exe
        1⤵
          PID:2696
        • C:\Users\Admin\AppData\Local\1qMGNo4d\ComputerDefaults.exe
          C:\Users\Admin\AppData\Local\1qMGNo4d\ComputerDefaults.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2804

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1qMGNo4d\appwiz.cpl
          Filesize

          688KB

          MD5

          cb006cafb4827a641852e3f66753fbc1

          SHA1

          2024dbfc88964fa6bcc1a4ca199fbe88f8b9a448

          SHA256

          aa1fd26147db5df7fd82aae3821f49900377eb58976328cd284555c95f91d97e

          SHA512

          79653378871337abc78108474cbbcd3cc0d6e0b4bb925f3343ce3beaafcc0f27aeeb29570e870a0566c269df6277316e72cb72a0ae190f7063d25dcf60e70dd7

          Download Submit

        • C:\Users\Admin\AppData\Local\9ifeJFfRM\SYSDM.CPL
          Filesize

          688KB

          MD5

          58fb4754135a95e1e196f1e2330beedc

          SHA1

          67e8bec6ab685dd7ee7d25980e7ca6eae2943bf3

          SHA256

          7764b0011c58d8d90b0c7c6d38389efa7e3c1ddc7a519ed82c4b6a5614ef7b28

          SHA512

          bceb5b20bc13912f90caf1447ef317d1cb1b58c6cfb6f421cedaf8db1b0e0d775c5f03c17fb348032ceb2c673e7aaad054b6b91f83e02fa8ff4ae6ad740836b7

          Download Submit

        • C:\Users\Admin\AppData\Local\tNM43eAJ\XmlLite.dll
          Filesize

          688KB

          MD5

          f294069db8a6a012570f86037969aab4

          SHA1

          59992a4254b6584ec64a423e69d26846afef4f7f

          SHA256

          b33cc5afd62dd89472504d8d8097b20a470ef006b917b83750ea2e0002165565

          SHA512

          17ee8cc36168ba5e3edade0255f3936c4ad4ac59be09ac2976c4a187588e445bee8b8939910d329c5f0e244e8541ae05b3f13cddbb0f5169dc6aa722225aa61c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          658372f5c129615c266ea649c9275ec4

          SHA1

          45ffd2fd8031bbf9e78bd50175c3414ed5df62c3

          SHA256

          7bb110017f7a17dcec17a5d8c283a897920e425b89b9cfe535b971d0d8290156

          SHA512

          474c5e4f465ec4b931489c21926b4dae55517c92f2d9ad10f22ff51050a2c7057fc63b26aa6b2baef2b16674545fe928c5e7805cda00d76f465123719b5a33eb

          Download Submit

        • \Users\Admin\AppData\Local\1qMGNo4d\ComputerDefaults.exe
          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

          Download Submit

        • \Users\Admin\AppData\Local\9ifeJFfRM\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          80KB

          MD5

          e43ff7785fac643093b3b16a9300e133

          SHA1

          a30688e84c0b0a22669148fe87680b34fcca2fba

          SHA256

          c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

          SHA512

          61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

          Download Submit

        • \Users\Admin\AppData\Local\tNM43eAJ\ddodiag.exe
          Filesize

          42KB

          MD5

          509f9513ca16ba2f2047f5227a05d1a8

          SHA1

          fe8d63259cb9afa17da7b7b8ede4e75081071b1a

          SHA256

          ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

          SHA512

          ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

          Download Submit

        • memory/988-74-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/988-69-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1176-24-0x0000000077E30000-0x0000000077E32000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1176-8-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-23-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-11-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-10-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-9-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-25-0x0000000077E60000-0x0000000077E62000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1176-3-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1176-34-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-35-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-4-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1176-44-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1176-13-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-14-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-6-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-12-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-7-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1176-22-0x0000000002ED0000-0x0000000002ED7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2524-57-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2524-53-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2524-52-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2804-90-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2920-43-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2920-2-0x0000000001D80000-0x0000000001D87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2920-0-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download