Overview

overview

10

Static

static

3

384e3ceb6e...01.dll

windows7-x64

10

384e3ceb6e...01.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    384e3ceb6e99ca5fd18c7acad5e19854eb15dfeee39eddef8635d2b65be15901.dll

  • Size

    684KB

  • MD5

    25f805609c924aa76767968ad908ffcb

  • SHA1

    191c36a856126af5946e9de9cea3a7cca9d8a961

  • SHA256

    384e3ceb6e99ca5fd18c7acad5e19854eb15dfeee39eddef8635d2b65be15901

  • SHA512

    334526e7f8b539fc079c1a8fc2b75ad0639f9149eb55651cbda11a2f7be30f9f1de8fe7882aca33d5f906c3a38b8fb17b68ad3b5282c1fa4339fb0f97656328d

  • SSDEEP

    12288:/fndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:3dAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\384e3ceb6e99ca5fd18c7acad5e19854eb15dfeee39eddef8635d2b65be15901.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4068
  • C:\Windows\system32\mspaint.exe
    C:\Windows\system32\mspaint.exe
    1⤵
      PID:3548
    • C:\Users\Admin\AppData\Local\9gVcg\mspaint.exe
      C:\Users\Admin\AppData\Local\9gVcg\mspaint.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4960
    • C:\Windows\system32\LicensingUI.exe
      C:\Windows\system32\LicensingUI.exe
      1⤵
        PID:4028
      • C:\Users\Admin\AppData\Local\jnw3qeiw\LicensingUI.exe
        C:\Users\Admin\AppData\Local\jnw3qeiw\LicensingUI.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2784
      • C:\Windows\system32\tabcal.exe
        C:\Windows\system32\tabcal.exe
        1⤵
          PID:3872
        • C:\Users\Admin\AppData\Local\DTV\tabcal.exe
          C:\Users\Admin\AppData\Local\DTV\tabcal.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4148

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9gVcg\MFC42u.dll
          Filesize

          712KB

          MD5

          c6c32b906dd4c78eb9e47c7826ee49c8

          SHA1

          5ba01a2b1d5899d191a53379fdd1558a01c7f403

          SHA256

          b761ce56d1c21445d1ce06bbc0d5ba84de81dc5f713cc3b2f7c8acec79190074

          SHA512

          edfe206a2c4f2d696c2a9a08f6633acd8aa6dd052bbdd8e09a3d8524b7aea9e5967a6fd284dad99aecc4b3ced0dfa1566b2f17377a7b4485bf8a6e438f016cd8

          Download Submit

        • C:\Users\Admin\AppData\Local\9gVcg\mspaint.exe
          Filesize

          965KB

          MD5

          f221a4ccafec690101c59f726c95b646

          SHA1

          2098e4b62eaab213cbee73ba40fe4f1b8901a782

          SHA256

          94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

          SHA512

          8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

          Download Submit

        • C:\Users\Admin\AppData\Local\DTV\HID.DLL
          Filesize

          688KB

          MD5

          a39748296665792f12e48c9f2a5f5829

          SHA1

          412dc463cdaf416d02e32cf34fa4d1a1cc367fab

          SHA256

          a458a39b59dd1fc6a0bacd3294aa820fe32daab4629a0b3a7a2e831563bcb2a3

          SHA512

          eb99e606785fcf236dbdd5b1b62067f327ae6cec1517f975fff2bd2e11c385859cbfb8b05c19fae53c3b67473145b886d0cd4d0529a0265e3212e62b8c201d59

          Download Submit

        • C:\Users\Admin\AppData\Local\DTV\tabcal.exe
          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          Download Submit

        • C:\Users\Admin\AppData\Local\jnw3qeiw\DUI70.dll
          Filesize

          964KB

          MD5

          9ce5743c0b6032ff5761dfe92b4280bc

          SHA1

          2ff09343f3ebf2015fbcf2f38cb21fa90198e001

          SHA256

          928356bd67c137032c42316d6b40c1796a2a1dc9fda53d9a63776245c4449767

          SHA512

          ab300e9dbe43834a67ee80dbe1c7563799850a9dd8e96bc9b471ebec4d66b691cc84811a09c3fa3e2d3b96871afbfbac3cf2d7688a03d9de714b790832e52291

          Download Submit

        • C:\Users\Admin\AppData\Local\jnw3qeiw\LicensingUI.exe
          Filesize

          142KB

          MD5

          8b4abc637473c79a003d30bb9c7a05e5

          SHA1

          d1cab953c16d4fdec2b53262f56ac14a914558ca

          SHA256

          0e9eb89aa0df9bb84a8f11b0bb3e9d89905355de34c91508968b4cb78bc3f6c5

          SHA512

          5a40c846c5b3a53ae09114709239d8238c322a7d3758b20ed3fc8e097fc1409f62b4990557c1192e894eabfa89741a9d88bd5175850d039b97dfdf380d1c6eeb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          8d95c653534b2ae30015215d7fd38281

          SHA1

          a02a03ab5c08e1471745dab2ec721b535f44d2c5

          SHA256

          3f82e2bd4ad71b193b0eaa619db0fe9af9bd53c7e39ec074e3987bcb68389fc3

          SHA512

          0625580fec59b598e7a8bc42cd07efd0ee6d70f0cdca12c85684a461602bc3f2e0db70dc917eda9379367006a918c631ed66d8cd1e5a2491350b9394d595347f

          Download Submit

        • memory/2784-62-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/2784-57-0x000001DA9E2C0000-0x000001DA9E2C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2784-58-0x0000000140000000-0x00000001400F1000-memory.dmp

          Filesize

          964KB

          Download

        • memory/3520-34-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-6-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-5-0x00007FFE2E8FA000-0x00007FFE2E8FB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-3-0x00000000029E0000-0x00000000029E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-23-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-24-0x00007FFE2ED20000-0x00007FFE2ED30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-22-0x00000000029C0000-0x00000000029C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3520-25-0x00007FFE2ED10000-0x00007FFE2ED20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4068-1-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/4068-37-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/4068-2-0x000001B39EDF0000-0x000001B39EDF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4148-73-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/4148-77-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/4960-48-0x0000000140000000-0x00000001400B2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/4960-45-0x0000021BE5CE0000-0x0000021BE5CE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4960-46-0x0000000140000000-0x00000001400B2000-memory.dmp

          Filesize

          712KB

          Download