Overview

overview

10

Static

static

3

875b2e19f2...c7.dll

windows7-x64

10

875b2e19f2...c7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    875b2e19f2f6be613a643c4e600e1b822157499ad3b4c62cdf4aeae1666fecc7.dll

  • Size

    688KB

  • MD5

    5d441694a83f37144335ccf6cf3ef79b

  • SHA1

    089139f16273ec4b133c70e0d8d92348667778b6

  • SHA256

    875b2e19f2f6be613a643c4e600e1b822157499ad3b4c62cdf4aeae1666fecc7

  • SHA512

    eaabc984daa73b210ffcb1a78f4812b5186d6be9f9e7e19899b98fea0f5f3fb8653d507325020b08215cdcbd7b7cf05f66a8aa78a975a1e6117f62c60446f3f5

  • SSDEEP

    12288:Gfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:odAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\875b2e19f2f6be613a643c4e600e1b822157499ad3b4c62cdf4aeae1666fecc7.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2380
  • C:\Windows\system32\vmicsvc.exe
    C:\Windows\system32\vmicsvc.exe
    1⤵
      PID:2720
    • C:\Users\Admin\AppData\Local\0TjMUacA\vmicsvc.exe
      C:\Users\Admin\AppData\Local\0TjMUacA\vmicsvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2928
    • C:\Windows\system32\SystemPropertiesAdvanced.exe
      C:\Windows\system32\SystemPropertiesAdvanced.exe
      1⤵
        PID:2708
      • C:\Users\Admin\AppData\Local\5r7q6lu\SystemPropertiesAdvanced.exe
        C:\Users\Admin\AppData\Local\5r7q6lu\SystemPropertiesAdvanced.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3052
      • C:\Windows\system32\recdisc.exe
        C:\Windows\system32\recdisc.exe
        1⤵
          PID:676
        • C:\Users\Admin\AppData\Local\1f1rbU9Bi\recdisc.exe
          C:\Users\Admin\AppData\Local\1f1rbU9Bi\recdisc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1520

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0TjMUacA\ACTIVEDS.dll
          Filesize

          692KB

          MD5

          b771f5ef2b8dd8fc435346657595739d

          SHA1

          fd7fa23c1ca82cc1c65ed40a3f3ce7b629375a30

          SHA256

          4da7ce7c6e6fb12feeab75592daf63ce9b7fdabb8d78e83e1441265e6f48fbca

          SHA512

          ac35c974beca9f307bb160c26357bd9bb1c30b165466d8a8dd42fc40e32d42e6bfaf527641131e1d6a80cb65770d7f08272cee7dd040aceda34a1188475b75f9

          Download Submit

        • C:\Users\Admin\AppData\Local\1f1rbU9Bi\ReAgent.dll
          Filesize

          692KB

          MD5

          959195006d77f630911950d7f12140ac

          SHA1

          d52867f4fdfa2d94d62545202cd4718cc38100ad

          SHA256

          8f54a4516bf43e042b93ef476e8b16d5b0c3a8dcc1671fe91bf9707e1a472226

          SHA512

          6b82aa291e441e45b5134b4134d434a46e7f8a1ec506c1ef39794e95af628c1f60d88892505e566d083dea7364ff50f525976246a371e55e08d29990bf7c2d62

          Download Submit

        • C:\Users\Admin\AppData\Local\5r7q6lu\SYSDM.CPL
          Filesize

          692KB

          MD5

          f272f1332b44a193ad9fc753647c3a81

          SHA1

          6f33b71b4e2ed9e4cb1e3773ad8ca4a6d9906004

          SHA256

          dec79b15b6ed5cc97f30f249482d83c0ddba602f423d2fac41eb0abdf6edf0e2

          SHA512

          4f822e4f8753a39695d2d4171dee8798300ea8dd7d6887e444ea2787ae04be5eeec3072191af9c862f2dce0e03af7f4462fd07adf50efbd9508360676248af26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          66f54bd2e356eeca6780bc1937b084df

          SHA1

          29a707dd93ba12f4a27d5011d623a86e701fffca

          SHA256

          a1c9e74a82624bacfec1dd2d7cbf6b0abd8f9bc1367ce26c2006620319729ffd

          SHA512

          e34968a29ebccf9ac6691bb94b5db9d444bc50f40ad0f455b4fb9819f5b7f8bd4dac4f53f77d1545ab70b1391b4d7350a03ded75b8f36406d40a0f6945dce93f

          Download Submit

        • \Users\Admin\AppData\Local\0TjMUacA\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • \Users\Admin\AppData\Local\1f1rbU9Bi\recdisc.exe
          Filesize

          232KB

          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit

        • \Users\Admin\AppData\Local\5r7q6lu\SystemPropertiesAdvanced.exe
          Filesize

          80KB

          MD5

          25dc1e599591871c074a68708206e734

          SHA1

          27a9dffa92d979d39c07d889fada536c062dac77

          SHA256

          a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

          SHA512

          f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

          Download Submit

        • memory/1224-25-0x0000000077670000-0x0000000077672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1224-23-0x0000000002DC0000-0x0000000002DC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1224-24-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-15-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-13-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-12-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-11-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-9-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-7-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-6-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-26-0x00000000776A0000-0x00000000776A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1224-35-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-36-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-8-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-45-0x0000000077406000-0x0000000077407000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1224-14-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-10-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1224-3-0x0000000077406000-0x0000000077407000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1224-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1520-91-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2380-44-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2380-0-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2380-1-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2928-58-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2928-54-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2928-53-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3052-70-0x0000000000320000-0x0000000000327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3052-75-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download