Overview

overview

10

Static

static

3

875b2e19f2...c7.dll

windows7-x64

10

875b2e19f2...c7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    875b2e19f2f6be613a643c4e600e1b822157499ad3b4c62cdf4aeae1666fecc7.dll

  • Size

    688KB

  • MD5

    5d441694a83f37144335ccf6cf3ef79b

  • SHA1

    089139f16273ec4b133c70e0d8d92348667778b6

  • SHA256

    875b2e19f2f6be613a643c4e600e1b822157499ad3b4c62cdf4aeae1666fecc7

  • SHA512

    eaabc984daa73b210ffcb1a78f4812b5186d6be9f9e7e19899b98fea0f5f3fb8653d507325020b08215cdcbd7b7cf05f66a8aa78a975a1e6117f62c60446f3f5

  • SSDEEP

    12288:Gfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:odAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\875b2e19f2f6be613a643c4e600e1b822157499ad3b4c62cdf4aeae1666fecc7.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1124
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    1⤵
      PID:4848
    • C:\Users\Admin\AppData\Local\IFUQ1mJ\bdechangepin.exe
      C:\Users\Admin\AppData\Local\IFUQ1mJ\bdechangepin.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1772
    • C:\Windows\system32\msra.exe
      C:\Windows\system32\msra.exe
      1⤵
        PID:1120
      • C:\Users\Admin\AppData\Local\lsP\msra.exe
        C:\Users\Admin\AppData\Local\lsP\msra.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4008
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:3424
        • C:\Users\Admin\AppData\Local\NCEK5sc\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\NCEK5sc\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2540

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IFUQ1mJ\DUI70.dll
          Filesize

          968KB

          MD5

          cbf8fe6d89d4e71036c3db80d51d65fe

          SHA1

          9762cb28bb7791b4811af99ccf720906fa25efa4

          SHA256

          13474a7dde0df4d4a53079be58b3ba3418df1a72716bd236d3a0bb1b1e72e42b

          SHA512

          3436cda983c0865011c1e5f8fb7a3400010f947ad93e701597bd80a44179bbe8d76d6fa5cf493ab9a60ad461dab59e6b33f7a2bf183af222b59def289d5bf9f1

          Download Submit

        • C:\Users\Admin\AppData\Local\IFUQ1mJ\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\NCEK5sc\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\NCEK5sc\FVEWIZ.dll
          Filesize

          692KB

          MD5

          42f67c0a0ab128466836462310a2637e

          SHA1

          415297d71c57f3d7e24909ae5f5783d2532935af

          SHA256

          d6776891f6038f00ddd5d2b1671306ee9374f8c97ef737a2ce50e45afad3b1e7

          SHA512

          b8573670045f9b70d225b1c2f4d754627fc1214be5b5c7a4ab0c5c8e943377f0a8d56291586c226dcaba06c08048c53b089315c383b3c33fe3ee20fc25a42096

          Download Submit

        • C:\Users\Admin\AppData\Local\lsP\NDFAPI.DLL
          Filesize

          692KB

          MD5

          8430393e538e955a567883f957ae6d14

          SHA1

          74bf2ce981fb17303599068636765fae84ca29d2

          SHA256

          8a413f2dbac1a37410924b35f644ca20b04108a929641d232769ff069f432fe3

          SHA512

          6d523ec7fd7cd3b76c91857884abb72aea650513e52581d995b16ac531c188ce6fdb283810b2a17391133e9eceecbb949a9ff5b91636ddd07c45324524fe0eb3

          Download Submit

        • C:\Users\Admin\AppData\Local\lsP\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          1KB

          MD5

          7a22723f2d920260d3d41e510de624b0

          SHA1

          1617a8c75df3c8f47e068b103cc07b4679d71338

          SHA256

          6fad77dc0a4cf03611441933946ee7e455bdf19cea1ffeccc92c9cdb49a3aea2

          SHA512

          ff57593ced6b2ed1376489c360c634d3dab17eab53992c5a0a543034e5623c2963543bf941d980a5d88af137f81bd2e7ba5d7476d41234fbede43fbeaf36be1a

          Download Submit

        • memory/1124-2-0x0000014274220000-0x0000014274227000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1124-0-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1124-38-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1772-50-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/1772-45-0x0000021BDFCE0000-0x0000021BDFCE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1772-46-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2540-81-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3340-25-0x00007FFAA8300000-0x00007FFAA8310000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3340-11-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-6-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-3-0x0000000003100000-0x0000000003101000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3340-35-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-7-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-8-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-9-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-10-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-5-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-24-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-26-0x00007FFAA82F0000-0x00007FFAA8300000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3340-14-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-13-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-12-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3340-23-0x00000000030E0000-0x00000000030E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3340-22-0x00007FFAA6ADA000-0x00007FFAA6ADB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4008-66-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/4008-63-0x000001879BE40000-0x000001879BE47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4008-61-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download