Overview

overview

10

Static

static

3

4ac846154d...49.dll

windows7-x64

10

4ac846154d...49.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2024 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ac846154d1f91c30a373dc364d880d7f36b0d1f23edbf8e854b38b804db7549.dll

  • Size

    700KB

  • MD5

    bfbcb9e4b4723629dda33d1406a87d3a

  • SHA1

    d342007297faf30e3cd1a703b31287e735470858

  • SHA256

    4ac846154d1f91c30a373dc364d880d7f36b0d1f23edbf8e854b38b804db7549

  • SHA512

    d0679c2dead14ccc998bf6ae31c79e3e4570a345401374a099e2feb3252eb1a2a2159b559a0963523f39e4080d6ecf672d2c397c12cdce7d1a142c7eb81afd41

  • SSDEEP

    12288:dEwgKnIhABTW0HcD5a1PKxdZhC+k+V9Hgeb/tf/B9P632vHAA:dEwXnOAx5HcDM1Sxd3ChCHg2/P9yGo

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ac846154d1f91c30a373dc364d880d7f36b0d1f23edbf8e854b38b804db7549.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1952
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:3008
    • C:\Users\Admin\AppData\Local\JMUIVK0\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\JMUIVK0\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3368
    • C:\Windows\system32\upfc.exe
      C:\Windows\system32\upfc.exe
      1⤵
        PID:1256
      • C:\Users\Admin\AppData\Local\WtBU2yjf\upfc.exe
        C:\Users\Admin\AppData\Local\WtBU2yjf\upfc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2228
      • C:\Windows\system32\bdeunlock.exe
        C:\Windows\system32\bdeunlock.exe
        1⤵
          PID:4608
        • C:\Users\Admin\AppData\Local\crYpAGNEX\bdeunlock.exe
          C:\Users\Admin\AppData\Local\crYpAGNEX\bdeunlock.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5052

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\JMUIVK0\SYSDM.CPL
          Filesize

          704KB

          MD5

          ab0b6d4004fd45b3e7ad85514478d267

          SHA1

          bdb39e869a662f6d39f6c1a493fd7e8e5478c7a7

          SHA256

          81abcde1c46e8fb7ba97fa0fc7167ba4a8e2f316e9096e851424d21fa99c817f

          SHA512

          03d7c5c3405acf24db564ff645df40b4abcf47a7d350b842dd42ed19ec1d1a1719955df78ffd06130844ee5662feecd68c79ba21c8fbbde90446ecce435b2f38

          Download Submit

        • C:\Users\Admin\AppData\Local\JMUIVK0\SystemPropertiesRemote.exe
          Filesize

          82KB

          MD5

          cdce1ee7f316f249a3c20cc7a0197da9

          SHA1

          dadb23af07827758005ec0235ac1573ffcea0da6

          SHA256

          7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

          SHA512

          f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

          Download Submit

        • C:\Users\Admin\AppData\Local\WtBU2yjf\XmlLite.dll
          Filesize

          704KB

          MD5

          0e915ef7e21e121b581f38e02e64ffb4

          SHA1

          12f993b42d0d261004ec07aad1002ca8b404a0c6

          SHA256

          a4c2ae7f42991b2fedf210779e1edea8332f21f48194a9f586586423212689e2

          SHA512

          4a5f027190c865facc38840f2442bbc0497cb225a7782b05a32b97291d5a77d70bdc921a84488868d5e91e7745e19c7bf7051566e1131d194870b9e1d9e9a077

          Download Submit

        • C:\Users\Admin\AppData\Local\WtBU2yjf\upfc.exe
          Filesize

          118KB

          MD5

          299ea296575ccb9d2c1a779062535d5c

          SHA1

          2497169c13b0ba46a6be8a1fe493b250094079b7

          SHA256

          ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

          SHA512

          02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

          Download Submit

        • C:\Users\Admin\AppData\Local\crYpAGNEX\DUser.dll
          Filesize

          708KB

          MD5

          c8ae83819532b97d84ceda8ac307bf27

          SHA1

          fb148f0752ae552060e84fcab9a83f3265922942

          SHA256

          de1e18d588756901f3077b0fccacdc747938a6e5da7227f8077c4c8bd4f18230

          SHA512

          70d671d24fe8e94f6e88ea26b31051a40744d2a56bc2849101958f7947be8886ad6fce6a4aec323ad44a30a4e56ea0ca53aa36b3eb8ca28e135edfd418888ef9

          Download Submit

        • C:\Users\Admin\AppData\Local\crYpAGNEX\bdeunlock.exe
          Filesize

          279KB

          MD5

          fef5d67150c249db3c1f4b30a2a5a22e

          SHA1

          41ca037b0229be9338da4d78244b4f0ea5a3d5f3

          SHA256

          dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

          SHA512

          4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          262a6b9e50423cae4fda7ba51c6ef8bc

          SHA1

          065aba634c66f8360031ea8adc4ad9fcfe1a8012

          SHA256

          99d40cfa67a4d9d070f044d2dafdf0814ac15383d839d45cc9509e6ba613d3a9

          SHA512

          6c166be9e612d7338f19fa3feeb5717b513de77bc798a575587cc148b584ae6556539284711be410d86a3c85fb0d2fc1f64fe799697126a5a7236009e656c6b5

          Download Submit

        • memory/1952-0-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1952-38-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1952-2-0x000001FAF08C0000-0x000001FAF08C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2228-66-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2228-61-0x0000019957FB0000-0x0000019957FB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3368-50-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3368-46-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3368-45-0x0000023619360000-0x0000023619367000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-26-0x00007FFF7F350000-0x00007FFF7F360000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-24-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-6-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-35-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-8-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-9-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-10-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-11-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-12-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-7-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-25-0x00007FFF7F360000-0x00007FFF7F370000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-13-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-23-0x0000000000700000-0x0000000000707000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-15-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-14-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3444-3-0x0000000002860000-0x0000000002861000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-5-0x00007FFF7E63A000-0x00007FFF7E63B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5052-81-0x0000000140000000-0x00000001400B1000-memory.dmp

          Filesize

          708KB

          Download

        • memory/5052-77-0x0000000140000000-0x00000001400B1000-memory.dmp

          Filesize

          708KB

          Download