Overview

overview

10

Static

static

3

c5ebee5492...7e.dll

windows7-x64

10

c5ebee5492...7e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e.dll

  • Size

    672KB

  • MD5

    d7b6390737e5cbc33070d66723208014

  • SHA1

    d8706c8648e39289dabead6db0f9d5094048bcd7

  • SHA256

    c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e

  • SHA512

    b168072d2f1c92383f9336484b3cf1595eeba37602718b0a295d1fbacc6255967bacd9fff2090e48570086a104b8f94bf637c2a32ab84a87feef0ede9fa6fa0c

  • SSDEEP

    6144:K34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:KIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1760
  • C:\Windows\system32\mspaint.exe
    C:\Windows\system32\mspaint.exe
    1⤵
      PID:2732
    • C:\Users\Admin\AppData\Local\UxCI\mspaint.exe
      C:\Users\Admin\AppData\Local\UxCI\mspaint.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2872
    • C:\Windows\system32\vmicsvc.exe
      C:\Windows\system32\vmicsvc.exe
      1⤵
        PID:2552
      • C:\Users\Admin\AppData\Local\4tvx\vmicsvc.exe
        C:\Users\Admin\AppData\Local\4tvx\vmicsvc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2536
      • C:\Windows\system32\rrinstaller.exe
        C:\Windows\system32\rrinstaller.exe
        1⤵
          PID:1840
        • C:\Users\Admin\AppData\Local\T2b\rrinstaller.exe
          C:\Users\Admin\AppData\Local\T2b\rrinstaller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2416

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4tvx\ACTIVEDS.dll
          Filesize

          676KB

          MD5

          03ba5f48fbe46aabf8e5552fa2c3d0f9

          SHA1

          11ee93181c6d3b1b3b6f521c809d2cebc58787f2

          SHA256

          c6f98fa593f6820241da84047b508b3de5e7433860d742eecc89681dc23655c1

          SHA512

          3f8ea032afc37d4bd7202f76a0c2deca0e9f7ec533f2d443a5a3b582f846cc85301de530e44da1f465dc90917f8cd810804643932c724106a6c22900628583f5

          Download Submit

        • C:\Users\Admin\AppData\Local\T2b\MFPlat.DLL
          Filesize

          680KB

          MD5

          7d6e8c51c0c58c63406a4c7331600406

          SHA1

          1a4979a5bf3eaaf62de869ba8763dd017ad51818

          SHA256

          4ff53b80d4de457e156e1b65e90872931e4b83ad9538eb5334befa99d6d352e9

          SHA512

          cb97a538b2706cf25e52139afce281099726caac8dc29967f7c461b8a33f104f3a1a819b6ef19b53740e1383513c9760aa97c9198e4f9965d160a98171fc8fad

          Download Submit

        • C:\Users\Admin\AppData\Local\UxCI\WINMM.dll
          Filesize

          680KB

          MD5

          0c9b805360939a62b2cc880ed29946d1

          SHA1

          c522f42ad51b3ba421556835f8bf9f3f7dab8c3d

          SHA256

          40d32ace0c32ab113703661ebadff54eb120d025a642b69801adbb648972b692

          SHA512

          32185c4381594366035366b281b3ca2e7215712e2bd7b24e15b1f7a8f7428126ddbac52368cf051a66b90a0a90d34fde69765f799f58857d6676a64ae1397670

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          d47d08d8eecf32e4a775f7871727265a

          SHA1

          14e139039c7f333369b8908de856144109d9c884

          SHA256

          039e8cdf2db162fcd10902740eb75cc6c9972f5445baa44ce656420190dbf794

          SHA512

          9785c068ead3b99a95a2ac74cf945d314d591f859e6a474f40cf4a93d6193bc24d78b3e34ba3e5799b8b3650c9734aa5ba6ac8792de1c42f2a8a4beaf0ce33e2

          Download Submit

        • \Users\Admin\AppData\Local\4tvx\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • \Users\Admin\AppData\Local\T2b\rrinstaller.exe
          Filesize

          54KB

          MD5

          0d3a73b0b30252680b383532f1758649

          SHA1

          9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

          SHA256

          fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

          SHA512

          a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

          Download Submit

        • \Users\Admin\AppData\Local\UxCI\mspaint.exe
          Filesize

          6.4MB

          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit

        • memory/1320-25-0x0000000077850000-0x0000000077852000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1320-45-0x00000000774E6000-0x00000000774E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1320-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-24-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-26-0x0000000077880000-0x0000000077882000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1320-3-0x00000000774E6000-0x00000000774E7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1320-37-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-35-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-4-0x0000000002610000-0x0000000002611000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1320-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-23-0x00000000025F0000-0x00000000025F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1320-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1320-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1760-44-0x000007FEFAFF0000-0x000007FEFB098000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1760-0-0x000007FEFAFF0000-0x000007FEFB098000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1760-2-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2416-92-0x000007FEFAFF0000-0x000007FEFB09A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2416-96-0x000007FEFAFF0000-0x000007FEFB09A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2536-75-0x000007FEFB1A0000-0x000007FEFB249000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2536-77-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2536-80-0x000007FEFB1A0000-0x000007FEFB249000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2872-63-0x000007FEFB1A0000-0x000007FEFB24A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2872-55-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2872-53-0x000007FEFB1A0000-0x000007FEFB24A000-memory.dmp

          Filesize

          680KB

          Download