Overview

overview

10

Static

static

3

763faa1110...3d.dll

windows7-x64

10

763faa1110...3d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    763faa1110a1eb2a98349030a58923a87b9df454427bc6272ba0921280a3ea3d.dll

  • Size

    668KB

  • MD5

    a54ee66f23a531967e634c34d652250a

  • SHA1

    4ffc272ecba8c3d7822c33e0e20ca079b2564d2c

  • SHA256

    763faa1110a1eb2a98349030a58923a87b9df454427bc6272ba0921280a3ea3d

  • SHA512

    2e168ae652c2cab389ead5403ed020d5abc4c66667b902c93c532aade88115746d70f1237fd83c69fafb4858aadf1596cba80fe058efb8c6f2684eb86a2dae19

  • SSDEEP

    6144:m34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:mIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\763faa1110a1eb2a98349030a58923a87b9df454427bc6272ba0921280a3ea3d.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4224
  • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
    1⤵
      PID:2408
    • C:\Users\Admin\AppData\Local\6kMRI1T9\SystemPropertiesDataExecutionPrevention.exe
      C:\Users\Admin\AppData\Local\6kMRI1T9\SystemPropertiesDataExecutionPrevention.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3988
    • C:\Windows\system32\LockScreenContentServer.exe
      C:\Windows\system32\LockScreenContentServer.exe
      1⤵
        PID:1648
      • C:\Users\Admin\AppData\Local\aEsvIp1\LockScreenContentServer.exe
        C:\Users\Admin\AppData\Local\aEsvIp1\LockScreenContentServer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2016
      • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
        C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
        1⤵
          PID:1680
        • C:\Users\Admin\AppData\Local\QLpjun8J\PasswordOnWakeSettingFlyout.exe
          C:\Users\Admin\AppData\Local\QLpjun8J\PasswordOnWakeSettingFlyout.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2908

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6kMRI1T9\SYSDM.CPL
          Filesize

          672KB

          MD5

          aae65bc8588284eb3d839f600ab07447

          SHA1

          10e9c9b474be0822ba3aa98f0236bc9c9bc87d70

          SHA256

          8624710d4e79b706e6217ceb96d225f38d5a26bc748c62766f23036c7a6e49f0

          SHA512

          da84e38b0e38addbd563de3657c218e1f04806b0e726d79fb543fc95eba809db9bbc29f8df8ac96013439a8e57a9cea2ad0d7dcef9792c780c172243a9dd0ce7

          Download Submit

        • C:\Users\Admin\AppData\Local\6kMRI1T9\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          82KB

          MD5

          de58532954c2704f2b2309ffc320651d

          SHA1

          0a9fc98f4d47dccb0b231edf9a63309314f68e3b

          SHA256

          1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

          SHA512

          d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

          Download Submit

        • C:\Users\Admin\AppData\Local\QLpjun8J\DUI70.dll
          Filesize

          948KB

          MD5

          79f0bf2b17de0cd742642a957ab83a6c

          SHA1

          62d6af0fdea53c38ce84673e9de835903a38f9c8

          SHA256

          20b83c8087420ad195c532ba251c5a54abe6ec814aaef1c8cff91c515e7213fe

          SHA512

          3df0c0b7ba0982b754ca0602f71111ce3430964f54abcc415d1b94f316ed4abdddbbd221ddcf86befad4f48cb6bf158eb40f78663a648294b236280ee917b19b

          Download Submit

        • C:\Users\Admin\AppData\Local\QLpjun8J\PasswordOnWakeSettingFlyout.exe
          Filesize

          44KB

          MD5

          591a98c65f624c52882c2b238d6cd4c4

          SHA1

          c960d08c19d777069cf265dcc281807fbd8502d7

          SHA256

          5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

          SHA512

          1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

          Download Submit

        • C:\Users\Admin\AppData\Local\aEsvIp1\LockScreenContentServer.exe
          Filesize

          47KB

          MD5

          a0b7513c98cf46ca2cea3a567fec137c

          SHA1

          2307fc8e3fc620ea3c2fdc6248ad4658479ba995

          SHA256

          cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

          SHA512

          3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

          Download Submit

        • C:\Users\Admin\AppData\Local\aEsvIp1\dwmapi.dll
          Filesize

          672KB

          MD5

          43aa0c5dbf8ffd1b72c62121c18ebeb6

          SHA1

          5abb6bb8368fd571ac59f284220cd0f5a2279b0b

          SHA256

          ba4607d6f66093d50ea1c326d981079e29c93fc256c41fb327bcc8329acfa232

          SHA512

          9ee1e830550fd2823ae908d3ae3a8db261a9fd99f9fc58c66b21d0b130651713b3dfb21fbeb2222987486689261c3c2adb1e7ac1c76751836e76c8cdabfe6e7a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          267466cfa8f563bed8f6d45f48cbf5dc

          SHA1

          8c8599096453e96dac6b7005dbf67ce15f322032

          SHA256

          cdc8495fb9fac1516c3bf3d14eda410090f2200b266bc4d8eca075d92eed8231

          SHA512

          c75875ee9f65cab3d74c1868eb1451c03a724410b32643a547ce92b1e3c3cadc317bbbad87164f8b8d60d47a88e2818bc362d1fc350471aa31cdf7fdad5c0588

          Download Submit

        • memory/2016-66-0x00007FFC27440000-0x00007FFC274E8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2016-62-0x00007FFC27440000-0x00007FFC274E8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2016-61-0x000002BDEF820000-0x000002BDEF827000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2908-81-0x00007FFC27650000-0x00007FFC2773D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2908-77-0x00007FFC27650000-0x00007FFC2773D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/3432-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-25-0x00007FFC45EC0000-0x00007FFC45ED0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-26-0x00007FFC45EB0000-0x00007FFC45EC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-3-0x0000000006B60000-0x0000000006B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-5-0x00007FFC4493A000-0x00007FFC4493B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3432-23-0x0000000006B40000-0x0000000006B47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3988-50-0x00007FFC27690000-0x00007FFC27738000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3988-46-0x00007FFC27690000-0x00007FFC27738000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3988-45-0x000001D61DE50000-0x000001D61DE57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4224-0-0x000001AD05BB0000-0x000001AD05BB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4224-38-0x00007FFC37690000-0x00007FFC37737000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4224-1-0x00007FFC37690000-0x00007FFC37737000-memory.dmp

          Filesize

          668KB

          Download