Overview

overview

10

Static

static

3

f9244033cd...55.dll

windows7-x64

10

f9244033cd...55.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9244033cd6a59c0de137c0211e98b0adef2afc54a56cae909aad14bdfe62e55.dll

  • Size

    672KB

  • MD5

    63e9a975848446456adbf6d5a552286f

  • SHA1

    0d51906d785e8c0388f98c298edeb8a3a68c4294

  • SHA256

    f9244033cd6a59c0de137c0211e98b0adef2afc54a56cae909aad14bdfe62e55

  • SHA512

    958abf84bcd4b357feaf51a6d4655a13574aa808de22d6d753bc552f64bbfdbba38a65eec2a8e8d2680fd7e5bfd5c2267e5b74a27ae0b3927860ef3f47b264ba

  • SSDEEP

    6144:O34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:OIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9244033cd6a59c0de137c0211e98b0adef2afc54a56cae909aad14bdfe62e55.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2376
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    1⤵
      PID:2788
    • C:\Users\Admin\AppData\Local\0lXsh2Y\TpmInit.exe
      C:\Users\Admin\AppData\Local\0lXsh2Y\TpmInit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2916
    • C:\Windows\system32\javaws.exe
      C:\Windows\system32\javaws.exe
      1⤵
        PID:2648
      • C:\Users\Admin\AppData\Local\YYNE9ZYIB\javaws.exe
        C:\Users\Admin\AppData\Local\YYNE9ZYIB\javaws.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2684
      • C:\Windows\system32\icardagt.exe
        C:\Windows\system32\icardagt.exe
        1⤵
          PID:1480
        • C:\Users\Admin\AppData\Local\B51UpP\icardagt.exe
          C:\Users\Admin\AppData\Local\B51UpP\icardagt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1144

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0lXsh2Y\ACTIVEDS.dll
          Filesize

          676KB

          MD5

          39920add12c50d9318a6a2abd20379c6

          SHA1

          bb7c7d0b7bd525fad9285b784b676e871d292d24

          SHA256

          e46044db1a9c9e747f2498d0cc2b0885bc2d47836dd215e82e50326108452f07

          SHA512

          057f71e73ed45fdfdaba8c55ade274cad7c2e939d2480a6e19c3c395a05305442c5e5b012d876d9d9fb5dad5ad7aab227952d3cdb01d6759afbd4f18d468977b

          Download Submit

        • C:\Users\Admin\AppData\Local\B51UpP\UxTheme.dll
          Filesize

          676KB

          MD5

          17d2d0d407a8a12811d7980c16427c77

          SHA1

          bc95801e0d7a9e5d73c121e4477f7a605cfce172

          SHA256

          b71c9824a71c01cdd6e089dd0aa855a7c612e87a680a2c641aa695a2dabc3ee0

          SHA512

          b72d0705b881108d701e614ebcaba24eb0a8ed1bd39927336f98ac0875ab6e517c191c0d1a3358b2f23f1a5a88a101dd5b2793d4eb6735db0492ae7f9f07f2d9

          Download Submit

        • C:\Users\Admin\AppData\Local\YYNE9ZYIB\VERSION.dll
          Filesize

          676KB

          MD5

          a5155475e855568aadd1eef270856e4a

          SHA1

          1690b2951674b7dd697556a9d2ab88b94ce29f04

          SHA256

          65733758e71562ffcbc1e0bebcf9b63f5e7febe269ce5a64b39146781eaf5245

          SHA512

          cc6014d6979ed64ef3d18f4d0e84b6e47af6152585e1fc7280476eece8fb3ffc2bdea132d25e608c72d8b073bcc0f13e6bab0b2a66ca58a589ba23ca0714f791

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          1KB

          MD5

          91cd10b3b81a29c7158989b996362501

          SHA1

          d3540b0162df8925b71fa82fd9ef56620b70c1e8

          SHA256

          462388f690d45cd261708223cc0c3bced3b1ef78d112c0904e20c27ce7808db7

          SHA512

          60ba0a21be2038b47f15a5c7569ce3db195e96f05b4d41804c2491109fc526c8e0621dfef83049670f0646a3233c6489a2af5cc5fece5f8ba920d718e26da997

          Download Submit

        • \Users\Admin\AppData\Local\0lXsh2Y\TpmInit.exe
          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit

        • \Users\Admin\AppData\Local\B51UpP\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit

        • \Users\Admin\AppData\Local\YYNE9ZYIB\javaws.exe
          Filesize

          312KB

          MD5

          f94bc1a70c942621c4279236df284e04

          SHA1

          8f46d89c7db415a7f48ccd638963028f63df4e4f

          SHA256

          be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

          SHA512

          60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

          Download Submit

        • memory/1144-91-0x000007FEF6AE0000-0x000007FEF6B89000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1200-25-0x0000000077AA0000-0x0000000077AA2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-24-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-26-0x0000000077AD0000-0x0000000077AD2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-3-0x0000000077836000-0x0000000077837000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-35-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-37-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-45-0x0000000077836000-0x0000000077837000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-23-0x0000000002F00000-0x0000000002F07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1200-4-0x0000000002F80000-0x0000000002F81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2376-44-0x000007FEF7050000-0x000007FEF70F8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2376-0-0x000007FEF7050000-0x000007FEF70F8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2376-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2684-70-0x000007FEF6AE0000-0x000007FEF6B89000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2684-72-0x0000000000690000-0x0000000000697000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2684-75-0x000007FEF6AE0000-0x000007FEF6B89000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2916-58-0x000007FEF7100000-0x000007FEF71A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2916-54-0x000007FEF7100000-0x000007FEF71A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2916-53-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download