Overview

overview

10

Static

static

3

b61075259d...bN.dll

windows7-x64

10

b61075259d...bN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-10-2024 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4abN.dll

  • Size

    864KB

  • MD5

    2c03fc6b7234c76ff6dbe5abd2825560

  • SHA1

    407a3f86da295159b9cab2c43b255a25455ee14b

  • SHA256

    b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4ab

  • SHA512

    3807cc45b91e613805cb2b7763ec31fd96d961896112460c2196bce36a5207a8f567b41c97cc72bc5fd51461fc62cfc77a4f55f8062f41b45f0f8e4065e93acb

  • SSDEEP

    12288:2kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:2kbHkWfzZ5adwLNGeStHntqN7v

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b61075259d3efd383b0287631ba2d610e6b80fa363f99f43f7016622393ee4abN.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3100
  • C:\Windows\system32\wbengine.exe
    C:\Windows\system32\wbengine.exe
    1⤵
      PID:944
    • C:\Users\Admin\AppData\Local\tXa\wbengine.exe
      C:\Users\Admin\AppData\Local\tXa\wbengine.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:544
    • C:\Windows\system32\BitLockerWizard.exe
      C:\Windows\system32\BitLockerWizard.exe
      1⤵
        PID:3288
      • C:\Users\Admin\AppData\Local\A0WY\BitLockerWizard.exe
        C:\Users\Admin\AppData\Local\A0WY\BitLockerWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4520
      • C:\Windows\system32\dxgiadaptercache.exe
        C:\Windows\system32\dxgiadaptercache.exe
        1⤵
          PID:2624
        • C:\Users\Admin\AppData\Local\DDUOTssbr\dxgiadaptercache.exe
          C:\Users\Admin\AppData\Local\DDUOTssbr\dxgiadaptercache.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4448

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\A0WY\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\A0WY\FVEWIZ.dll
          Filesize

          868KB

          MD5

          a1694e7fe2799c0774c34f4cb5619375

          SHA1

          f5669462380771cb6a4582950d69c855f2ce7479

          SHA256

          b6f31361c6957cb534c3b07918e1268b2ba60d2f43ed9f325adf9e96f7398d56

          SHA512

          20422b873f93abd5746e0023bcdd8a5c41e559ec48d795eb7532460e59d047476f3587929ea5b2711026796b39cc2ab2072dae7fa4f1d01a94cd49dccce0bfbd

          Download Submit

        • C:\Users\Admin\AppData\Local\DDUOTssbr\dxgi.dll
          Filesize

          868KB

          MD5

          11d78805c81796c41b1279185908ec24

          SHA1

          01d1f877819e1d3e5b6468220fefc5624386543d

          SHA256

          5d6054d1e6392a4f721fa3481398a0757071899af2b2b9cf6b53dda8303f8d4d

          SHA512

          aa8e5279277ae66f95dbbdd8cff9ddfb4a2fe8507729bc5a860255e3c8d09a511dc6fd79b84d4029a450a0e7af18c536ebac337d5d5255ed7b5e07f5d75f9adc

          Download Submit

        • C:\Users\Admin\AppData\Local\DDUOTssbr\dxgiadaptercache.exe
          Filesize

          230KB

          MD5

          e62f89130b7253f7780a862ed9aff294

          SHA1

          b031e64a36e93f95f2061be5b0383069efac2070

          SHA256

          4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

          SHA512

          05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

          Download Submit

        • C:\Users\Admin\AppData\Local\tXa\XmlLite.dll
          Filesize

          868KB

          MD5

          31ef2428cd4b1d8974a0220dd33dadce

          SHA1

          605db3d11fe7d71fb7cddc2d5e75c9645b20c6e2

          SHA256

          ee4b79732c460a9e250b5568f742d6552e27b1bf7504ba12d45b362e0935125a

          SHA512

          9c4b0bbb7743d23f148c14416dc8ca59d68c1727c823eba939f4fbd4309eaa9a2df67520b651ff6ca051cfa69ff19a1ef176778fd71d38c488192f78bf25f3d1

          Download Submit

        • C:\Users\Admin\AppData\Local\tXa\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk
          Filesize

          1KB

          MD5

          6519197ad12ce2746f35e61621a0a453

          SHA1

          760804430cf60f460125ad66d2f9bdfc5b03ce33

          SHA256

          5ca3aadeb18fe8fd3e60cee61e9b4c7b8493ab037be2fe6dcca2662fc122e766

          SHA512

          8e76e525ea91c1a4b9f1c90f4d2d859826597e3763161c4b7c407b5c2d832794805c770e80b0d03e57674c7615e8a7e7a66a8f95eb0409a36ef78587c02a8581

          Download Submit

        • memory/544-55-0x00007FFD9E380000-0x00007FFD9E459000-memory.dmp

          Filesize

          868KB

          Download

        • memory/544-51-0x00007FFD9E380000-0x00007FFD9E459000-memory.dmp

          Filesize

          868KB

          Download

        • memory/544-50-0x00000292DFBA0000-0x00000292DFBA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3100-43-0x00007FFDAE900000-0x00007FFDAE9D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3100-1-0x00007FFDAE900000-0x00007FFDAE9D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3100-0-0x0000023424AC0000-0x0000023424AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-29-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-19-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-15-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-12-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-10-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-9-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-8-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-7-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-6-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-14-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-13-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-11-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-20-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-17-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-21-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-30-0x00007FFDBCE40000-0x00007FFDBCE50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-40-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-31-0x00007FFDBCE30000-0x00007FFDBCE40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-28-0x0000000007840000-0x0000000007847000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-18-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/3464-5-0x00007FFDBC29A000-0x00007FFDBC29B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-3-0x0000000007860000-0x0000000007861000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-16-0x0000000140000000-0x00000001400D8000-memory.dmp

          Filesize

          864KB

          Download

        • memory/4448-83-0x0000021AEEEC0000-0x0000021AEEEC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4448-88-0x00007FFD9E380000-0x00007FFD9E459000-memory.dmp

          Filesize

          868KB

          Download

        • memory/4520-71-0x00007FFD9E380000-0x00007FFD9E459000-memory.dmp

          Filesize

          868KB

          Download

        • memory/4520-66-0x000001B685920000-0x000001B685927000-memory.dmp

          Filesize

          28KB

          Download