Overview

overview

10

Static

static

3

ff4144c8cc...8e.dll

windows7-x64

10

ff4144c8cc...8e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff4144c8cc33129e3e51eb87174bb82e62597373df4f0a70832d3a598b473b8e.dll

  • Size

    668KB

  • MD5

    68716a010cc7093f10b36d0c886ae030

  • SHA1

    75ffb8693bcbf4cafa0fba09a5302f2e0f2c1df6

  • SHA256

    ff4144c8cc33129e3e51eb87174bb82e62597373df4f0a70832d3a598b473b8e

  • SHA512

    b33b8fcd34e3a96097d428944e886d25dbe43638e098d45dbe1d883d144ff3398a7877b6d3915a19298294c2b3b1029faca642ebf41223ad63e6d0fea827c406

  • SSDEEP

    6144:834xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:8IKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff4144c8cc33129e3e51eb87174bb82e62597373df4f0a70832d3a598b473b8e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3580
  • C:\Windows\system32\DeviceEnroller.exe
    C:\Windows\system32\DeviceEnroller.exe
    1⤵
      PID:3864
    • C:\Users\Admin\AppData\Local\YVtFez\DeviceEnroller.exe
      C:\Users\Admin\AppData\Local\YVtFez\DeviceEnroller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1648
    • C:\Windows\system32\msconfig.exe
      C:\Windows\system32\msconfig.exe
      1⤵
        PID:4776
      • C:\Users\Admin\AppData\Local\zou4It\msconfig.exe
        C:\Users\Admin\AppData\Local\zou4It\msconfig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4688
      • C:\Windows\system32\tabcal.exe
        C:\Windows\system32\tabcal.exe
        1⤵
          PID:3612
        • C:\Users\Admin\AppData\Local\ZLdWZO\tabcal.exe
          C:\Users\Admin\AppData\Local\ZLdWZO\tabcal.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3476

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\YVtFez\DeviceEnroller.exe
          Filesize

          448KB

          MD5

          946d9474533f58d2613078fd14ca7473

          SHA1

          c2620ac9522fa3702a6a03299b930d6044aa5e49

          SHA256

          cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

          SHA512

          3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

          Download Submit

        • C:\Users\Admin\AppData\Local\YVtFez\XmlLite.dll
          Filesize

          672KB

          MD5

          d0f2ca9c98a3d852bc14cbd6c1bee2a3

          SHA1

          a1b4726613fb6a1a5b3aa5f4d750582a8699da0c

          SHA256

          b9c038c46d0198f15b374d20759916083b44896d8af6846b82c094326d0b457d

          SHA512

          d1e6c6d046f7329c5f17ea58de68cf60629d5df1e889ac00d05292e9ebb1e6df80db78479c19c8657852ef92d05b1b37eb91894721b2d91bcde870740cb856ae

          Download Submit

        • C:\Users\Admin\AppData\Local\ZLdWZO\HID.DLL
          Filesize

          672KB

          MD5

          0366b7e85b50907335e8188644501268

          SHA1

          13aada52e7613424a683a0aed2b6194dbb31fd39

          SHA256

          0d88b21ff5722302e38e354e238a895b83f7a930572da6e15c939c1a67f025d9

          SHA512

          8d8aabbfadeef91b93ec661d0aee02aeab4cdda5d573c21e9c760520ef66708f542004b9caa0f40deb4e1f1c89d18dcf0d4647faebab991155e1acc3b7dd978c

          Download Submit

        • C:\Users\Admin\AppData\Local\ZLdWZO\tabcal.exe
          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          Download Submit

        • C:\Users\Admin\AppData\Local\zou4It\MFC42u.dll
          Filesize

          696KB

          MD5

          57eb57feb27cd21b7e45cb751ec05561

          SHA1

          88e69fd9fc5862361054ce4f335366e6c4b38e39

          SHA256

          98ad9cbfeff7b7a39d1638d7bb4a5cb7c65d72a904457ffb9eb42f873eb8fccd

          SHA512

          b7d331ee1c139b2350b5c74c9104517063d6bb1488c40721898653e696201c2a73126165de8e3cc5bbd12348e59e24e61767369db4f1707fbc64113a61cd27f7

          Download Submit

        • C:\Users\Admin\AppData\Local\zou4It\msconfig.exe
          Filesize

          193KB

          MD5

          39009536cafe30c6ef2501fe46c9df5e

          SHA1

          6ff7b4d30f31186de899665c704a105227704b72

          SHA256

          93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

          SHA512

          95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk
          Filesize

          1KB

          MD5

          5b1a7f77f5c988f7b110d21aaa5ea1c4

          SHA1

          d0723a5f153e41d80f9815f24b9137d5990e04df

          SHA256

          3f4c6d0017cd3b18e8742ee90f807da7d388c0bd41fa250c7cdfe78234405b2e

          SHA512

          9f58a95ed169c9edaf201ac8129e8509aed69a3a562046afff070135a2dba99bd67b6c8880638fed30d92044e31a8f73ec8ba1a032ab2426de0940797a5b5bcf

          Download Submit

        • memory/1648-49-0x00007FFEF7170000-0x00007FFEF7218000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1648-46-0x000001C94DCC0000-0x000001C94DCC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1648-44-0x00007FFEF7170000-0x00007FFEF7218000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3456-25-0x00007FFF06A50000-0x00007FFF06A60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3456-24-0x00007FFF06A60000-0x00007FFF06A70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3456-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-34-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-5-0x00007FFF05A7A000-0x00007FFF05A7B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-23-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-3-0x0000000007BE0000-0x0000000007BE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-22-0x0000000007BC0000-0x0000000007BC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3456-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3456-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3476-80-0x00007FFEF7170000-0x00007FFEF7218000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3580-0-0x00007FFEF7D10000-0x00007FFEF7DB7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3580-37-0x00007FFEF7D10000-0x00007FFEF7DB7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3580-2-0x000001A8BD190000-0x000001A8BD197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4688-61-0x00007FFEF7170000-0x00007FFEF721E000-memory.dmp

          Filesize

          696KB

          Download

        • memory/4688-60-0x000001E28C0A0000-0x000001E28C0A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4688-65-0x00007FFEF7170000-0x00007FFEF721E000-memory.dmp

          Filesize

          696KB

          Download