Overview

overview

10

Static

static

3

ff4144c8cc...8e.dll

windows7-x64

10

ff4144c8cc...8e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff4144c8cc33129e3e51eb87174bb82e62597373df4f0a70832d3a598b473b8e.dll

  • Size

    668KB

  • MD5

    68716a010cc7093f10b36d0c886ae030

  • SHA1

    75ffb8693bcbf4cafa0fba09a5302f2e0f2c1df6

  • SHA256

    ff4144c8cc33129e3e51eb87174bb82e62597373df4f0a70832d3a598b473b8e

  • SHA512

    b33b8fcd34e3a96097d428944e886d25dbe43638e098d45dbe1d883d144ff3398a7877b6d3915a19298294c2b3b1029faca642ebf41223ad63e6d0fea827c406

  • SSDEEP

    6144:834xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:8IKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff4144c8cc33129e3e51eb87174bb82e62597373df4f0a70832d3a598b473b8e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1668
  • C:\Windows\system32\fvenotify.exe
    C:\Windows\system32\fvenotify.exe
    1⤵
      PID:2800
    • C:\Users\Admin\AppData\Local\eqD\fvenotify.exe
      C:\Users\Admin\AppData\Local\eqD\fvenotify.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2772
    • C:\Windows\system32\cmstp.exe
      C:\Windows\system32\cmstp.exe
      1⤵
        PID:2656
      • C:\Users\Admin\AppData\Local\BFIsLnG\cmstp.exe
        C:\Users\Admin\AppData\Local\BFIsLnG\cmstp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2688
      • C:\Windows\system32\rdpclip.exe
        C:\Windows\system32\rdpclip.exe
        1⤵
          PID:2600
        • C:\Users\Admin\AppData\Local\iGf\rdpclip.exe
          C:\Users\Admin\AppData\Local\iGf\rdpclip.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2964

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\BFIsLnG\VERSION.dll
          Filesize

          672KB

          MD5

          b5d1520730acf018621ccf33a923c601

          SHA1

          bc31ced4d9fb441e4fc6c022733f7e798d0878f0

          SHA256

          3c6ccc9cf1d3890bc32633c0e401d51aada0e7472028f6baeb41b3880979237e

          SHA512

          f94f0bbf8ea4c376a689013f304185214ab4d0ffb5da7ca17d936b7c0e33eeaa97b3093beabda8a2a327f4af2f466263691ce6c455b25dc5165a9f99a982e128

          Download Submit

        • C:\Users\Admin\AppData\Local\eqD\slc.dll
          Filesize

          672KB

          MD5

          4248deccb0fc84e7a78b8b68428fd563

          SHA1

          73a7288c1ea0e9f806e75022ac194c709d51e7c7

          SHA256

          28b1a52e25587a0de9564063acf27b02247dcfec55b6e056f5aa90efb0dd2401

          SHA512

          32467920b7b548c408fde2fe75397e83d752144a9fc0cff8cf1baf1e5a77ceddda57ea8792e9ed95d53b2704616a35b21d0fcdb1735856598d2e9f19d94e4fa8

          Download Submit

        • C:\Users\Admin\AppData\Local\iGf\WINSTA.dll
          Filesize

          676KB

          MD5

          1881c2f0223011a8ddf80026954de7fd

          SHA1

          1bdf4bbef85a7a7dc2c22e16a3e44a83dd1d2e97

          SHA256

          b7ee6355016d3787d93d07eda75d647838ea0b7590e0edfb6f12523fd1f102ca

          SHA512

          07c62f9b4421795e2f9735f7624e3a93de4e6fbf25d24e18bb5b0ac6061b3c185d8811e5c9fe09c5b244f9ce2f27cd8bbc6718e4f5e9259e9d0f158fd6279eba

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk
          Filesize

          1KB

          MD5

          f9b36387b8ae5c463b0e088f90142e20

          SHA1

          23e497c82546e983be73ab80dc2674add8747a84

          SHA256

          9e012c28c560aeeea3887d9fc0959313cd326d0c9056d199ee0008239d5339fb

          SHA512

          d2b60f9056edc72158d247081aa2bd23cae134e0624c28b8249e35d97eac290a8afc43512cd59b39ce5ed6ccd8ffbccaa6de437a2cc4a156d56d40ce207d0c0c

          Download Submit

        • \Users\Admin\AppData\Local\BFIsLnG\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit

        • \Users\Admin\AppData\Local\eqD\fvenotify.exe
          Filesize

          117KB

          MD5

          e61d644998e07c02f0999388808ac109

          SHA1

          183130ad81ff4c7997582a484e759bf7769592d6

          SHA256

          15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

          SHA512

          310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

          Download Submit

        • \Users\Admin\AppData\Local\iGf\rdpclip.exe
          Filesize

          206KB

          MD5

          25d284eb2f12254c001afe9a82575a81

          SHA1

          cf131801fdd5ec92278f9e0ae62050e31c6670a5

          SHA256

          837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

          SHA512

          7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

          Download Submit

        • memory/1176-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-3-0x0000000076C66000-0x0000000076C67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1176-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-23-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-25-0x0000000077000000-0x0000000077002000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1176-24-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1176-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-34-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-4-0x00000000024A0000-0x00000000024A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1176-44-0x0000000076C66000-0x0000000076C67000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1176-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1176-22-0x0000000002480000-0x0000000002487000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1668-43-0x000007FEF64F0000-0x000007FEF6597000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1668-0-0x000007FEF64F0000-0x000007FEF6597000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1668-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2688-69-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2688-70-0x000007FEF5D20000-0x000007FEF5DC8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2688-74-0x000007FEF5D20000-0x000007FEF5DC8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2772-57-0x000007FEF65A0000-0x000007FEF6648000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2772-53-0x000007FEF65A0000-0x000007FEF6648000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2772-52-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2964-86-0x000007FEF5D20000-0x000007FEF5DC9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2964-90-0x000007FEF5D20000-0x000007FEF5DC9000-memory.dmp

          Filesize

          676KB

          Download