Overview

overview

10

Static

static

3

afba02c33a...1c.dll

windows7-x64

10

afba02c33a...1c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 01:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afba02c33a5c421b7cb7fc7ff9f99d8160a785cb259a688fb75e8c7fdce9931c.dll

  • Size

    944KB

  • MD5

    01c459593f35851fbb479c78490572e5

  • SHA1

    3e1d026171828708e4d6cb4063e7207abae41353

  • SHA256

    afba02c33a5c421b7cb7fc7ff9f99d8160a785cb259a688fb75e8c7fdce9931c

  • SHA512

    1ae6329f54eec7984a23dae1d400bc73d9e36fcc73489c17a4f0b2650cf1b846c2a95fab49bdb9f3b4e52ef4ff84a359f2d20523169c548aacf67724b2402bb1

  • SSDEEP

    6144:634xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTK:6IKp/UWCZdCDh2IZDwAFRpR6AuoK

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\afba02c33a5c421b7cb7fc7ff9f99d8160a785cb259a688fb75e8c7fdce9931c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:516
  • C:\Windows\system32\BitLockerWizardElev.exe
    C:\Windows\system32\BitLockerWizardElev.exe
    1⤵
      PID:4092
    • C:\Users\Admin\AppData\Local\99BhBd\BitLockerWizardElev.exe
      C:\Users\Admin\AppData\Local\99BhBd\BitLockerWizardElev.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4976
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      1⤵
        PID:4160
      • C:\Users\Admin\AppData\Local\2zTqFQV\wermgr.exe
        C:\Users\Admin\AppData\Local\2zTqFQV\wermgr.exe
        1⤵
        • Executes dropped EXE
        PID:4140
      • C:\Windows\system32\cttune.exe
        C:\Windows\system32\cttune.exe
        1⤵
          PID:4284
        • C:\Users\Admin\AppData\Local\uWw\cttune.exe
          C:\Users\Admin\AppData\Local\uWw\cttune.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2284
        • C:\Windows\system32\printfilterpipelinesvc.exe
          C:\Windows\system32\printfilterpipelinesvc.exe
          1⤵
            PID:3808
          • C:\Users\Admin\AppData\Local\VbOelx\printfilterpipelinesvc.exe
            C:\Users\Admin\AppData\Local\VbOelx\printfilterpipelinesvc.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:3612

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\2zTqFQV\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\99BhBd\BitLockerWizardElev.exe
            Filesize

            100KB

            MD5

            8ac5a3a20cf18ae2308c64fd707eeb81

            SHA1

            31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

            SHA256

            803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

            SHA512

            85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

            Download Submit

          • C:\Users\Admin\AppData\Local\99BhBd\FVEWIZ.dll
            Filesize

            948KB

            MD5

            b45ae9c4f171ecf1f89d305705d236f1

            SHA1

            1e9fc018a7091deb51da16c17fb1c358283c438d

            SHA256

            977eafbed1afcc865422701068bf25bf8fc11e29a9be3f52636ae3905dc91630

            SHA512

            59b0ac44a1dfc1793c7f046df5d83ff71d885ddceca45c44ae6eac87bc01b0286b8e457e4209feda4bcb54c5d7fac0545ca74675042d1a21118f89ebeca12951

            Download Submit

          • C:\Users\Admin\AppData\Local\VbOelx\XmlLite.dll
            Filesize

            948KB

            MD5

            a0fbbf15264c438c7dbb05c0beb8d64f

            SHA1

            785cfa906f7122e6c7b82593b53869a5d3fa1289

            SHA256

            1ec6197310d8eb64c526d2a7f64cacad865cea5ad05dc6b8b7933d9b99c62412

            SHA512

            b07f093d2af79b7874ffe582a1765cfe0b860626b1b021ab5c6745580ed38542ec4e9f60c91b0856c8909e2cbb56d7e15d7cfd5ee188640b9acd2d95f2c7a3a3

            Download Submit

          • C:\Users\Admin\AppData\Local\VbOelx\printfilterpipelinesvc.exe
            Filesize

            813KB

            MD5

            331a40eabaa5870e316b401bd81c4861

            SHA1

            ddff65771ca30142172c0d91d5bfff4eb1b12b73

            SHA256

            105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

            SHA512

            29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

            Download Submit

          • C:\Users\Admin\AppData\Local\uWw\OLEACC.dll
            Filesize

            948KB

            MD5

            93fcebf687dffe52b5258c3e7b02fdc2

            SHA1

            146d370b13acebe27a1ae5e2323dc38ed9341b7d

            SHA256

            8439dc556944f1264cb68010f83964bcbb58267f8565f044b2e773601bb28ea8

            SHA512

            7827b9604938995decdbb8b1f8dd54b23994687fde4bf82fb8a62d26fb016ca5a3d854e4103fecd5eb3b3a8f0c6f3626bd095009e11b9408513d84407ed7598d

            Download Submit

          • C:\Users\Admin\AppData\Local\uWw\cttune.exe
            Filesize

            90KB

            MD5

            fa924465a33833f41c1a39f6221ba460

            SHA1

            801d505d81e49d2b4ffa316245ca69ff58c523c3

            SHA256

            de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da

            SHA512

            eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk
            Filesize

            1KB

            MD5

            55216c02280169abc4911ef291736e59

            SHA1

            d0c3191fd9388d8fe2aee2ffde0abbd9d1b0cb31

            SHA256

            6d7198e7be9e9e0c7c55619e5dc4bd4cb1706742bdb635175637e28b57b8e5a1

            SHA512

            60d1bec6f43891e5ec5ec527b63abfcbc0cbfd3fd4d3c4a5630124901b7bfb2f278822190d6b7fb3e6c9eef3ce4cb881c74197ebe21698569eda6c3f990ac6e4

            Download Submit

          • memory/516-2-0x00007FF83B5B0000-0x00007FF83B69C000-memory.dmp

            Filesize

            944KB

            Download

          • memory/516-0-0x000001A1720E0000-0x000001A1720E7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/516-38-0x00007FF83B5B0000-0x00007FF83B69C000-memory.dmp

            Filesize

            944KB

            Download

          • memory/2284-73-0x00007FF82B860000-0x00007FF82B94D000-memory.dmp

            Filesize

            948KB

            Download

          • memory/3416-5-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-15-0x00000000083B0000-0x00000000083B7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3416-8-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-6-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-10-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-11-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-3-0x00000000083D0000-0x00000000083D1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-35-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-12-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-13-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-24-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-7-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-14-0x00007FF84978A000-0x00007FF84978B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3416-17-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-25-0x00007FF849F00000-0x00007FF849F10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3416-26-0x00007FF849EF0000-0x00007FF849F00000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3416-9-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3416-16-0x0000000140000000-0x00000001400EC000-memory.dmp

            Filesize

            944KB

            Download

          • memory/3612-88-0x00007FF82B860000-0x00007FF82B94D000-memory.dmp

            Filesize

            948KB

            Download

          • memory/4976-50-0x00007FF82B860000-0x00007FF82B94D000-memory.dmp

            Filesize

            948KB

            Download

          • memory/4976-46-0x00007FF82B860000-0x00007FF82B94D000-memory.dmp

            Filesize

            948KB

            Download

          • memory/4976-45-0x00000224BDB00000-0x00000224BDB07000-memory.dmp

            Filesize

            28KB

            Download