Overview

overview

10

Static

static

3

c5ebee5492...7e.dll

windows7-x64

10

c5ebee5492...7e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e.dll

  • Size

    672KB

  • MD5

    d7b6390737e5cbc33070d66723208014

  • SHA1

    d8706c8648e39289dabead6db0f9d5094048bcd7

  • SHA256

    c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e

  • SHA512

    b168072d2f1c92383f9336484b3cf1595eeba37602718b0a295d1fbacc6255967bacd9fff2090e48570086a104b8f94bf637c2a32ab84a87feef0ede9fa6fa0c

  • SSDEEP

    6144:K34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:KIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5ebee5492b4fa991c1d37e5fee02d92ec9afbe2a7e3397829ad7b57f13ea07e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4904
  • C:\Windows\system32\SystemPropertiesComputerName.exe
    C:\Windows\system32\SystemPropertiesComputerName.exe
    1⤵
      PID:4500
    • C:\Users\Admin\AppData\Local\j6MS\SystemPropertiesComputerName.exe
      C:\Users\Admin\AppData\Local\j6MS\SystemPropertiesComputerName.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3256
    • C:\Windows\system32\msinfo32.exe
      C:\Windows\system32\msinfo32.exe
      1⤵
        PID:4232
      • C:\Users\Admin\AppData\Local\VRu3U9\msinfo32.exe
        C:\Users\Admin\AppData\Local\VRu3U9\msinfo32.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:768
      • C:\Windows\system32\usocoreworker.exe
        C:\Windows\system32\usocoreworker.exe
        1⤵
          PID:2060
        • C:\Users\Admin\AppData\Local\Frp5\usocoreworker.exe
          C:\Users\Admin\AppData\Local\Frp5\usocoreworker.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3132

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Frp5\XmlLite.dll
          Filesize

          676KB

          MD5

          4a3157892b81dca32b3588035a03b295

          SHA1

          52b0bd02ea7908946e9154d77a72a41a61609139

          SHA256

          a117793885accfb3b2c8770769dfcc0e1f9d815840ab4b50a8df50257639ba07

          SHA512

          937f11cf1aebd4eaa2f31f7852167b088f33dbb86fb859caec99aba31757bd7257caaf1d1ab2ab1a9fe413e9ff55299dbe80b89d82433ff9e5ce5b5ab043edb4

          Download Submit

        • C:\Users\Admin\AppData\Local\Frp5\usocoreworker.exe
          Filesize

          1.3MB

          MD5

          2c5efb321aa64af37dedc6383ce3198e

          SHA1

          a06d7020dd43a57047a62bfb443091cd9de946ba

          SHA256

          0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

          SHA512

          5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

          Download Submit

        • C:\Users\Admin\AppData\Local\VRu3U9\MFC42u.dll
          Filesize

          700KB

          MD5

          41e2797acb853b119b834064569fc84d

          SHA1

          c730947602fcdeb0327eeb4b6036ce85822348c0

          SHA256

          003882976126b7c3030afd836437fd4bb3f87414d53c0382e2ce0769be131ce9

          SHA512

          72a65cb7d6935a593a585e59bcc53d5f2576b55897894861ad109887a47985414a780cdf4f6cd4edfd5341eb6a94b1222cd8f54f8286e8bb1e65372a988ae092

          Download Submit

        • C:\Users\Admin\AppData\Local\VRu3U9\msinfo32.exe
          Filesize

          376KB

          MD5

          0aed91da63713bf9f881b03a604a1c9d

          SHA1

          b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

          SHA256

          5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

          SHA512

          04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

          Download Submit

        • C:\Users\Admin\AppData\Local\j6MS\SYSDM.CPL
          Filesize

          676KB

          MD5

          2a851f9a9ca4585f61d58931f0d8ee20

          SHA1

          70caaf4c4d6f9a3e106bb9b976b412614a3724ea

          SHA256

          d3208462a14b74376eb5622915c45fdf4c30fe378e5c10b84bc517c25b0aa7e2

          SHA512

          83b24e4cc827f970573d744a438f31a14e0daa3d06a64bf1b292e59330aa09e40e30bb7f35cdbf7c35cd94d804c07d5c92371b1a011ef6732528133dc04e8e9a

          Download Submit

        • C:\Users\Admin\AppData\Local\j6MS\SystemPropertiesComputerName.exe
          Filesize

          82KB

          MD5

          6711765f323289f5008a6a2a04b6f264

          SHA1

          d8116fdf73608b4b254ad83c74f2232584d24144

          SHA256

          bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

          SHA512

          438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          3bc1f6c40d1d6b85a4e3431346c7e933

          SHA1

          0f915cd9749beef3685b97c1939f2f396de2000b

          SHA256

          517a4f6a273bdb08cc9fbf46f28e9063bbd6600512c7e4620b439bf0495274fd

          SHA512

          7ae56cec91588d8e28e5fec45bc640c4c7e70b0d50fd8b7ea25d5f923c4d5470accc3e59ff51465257898a94f380befe5ca24054918262c1dbe80c9ce74862f9

          Download Submit

        • memory/768-66-0x00007FFB5B980000-0x00007FFB5BA2F000-memory.dmp

          Filesize

          700KB

          Download

        • memory/768-63-0x0000025E9ADD0000-0x0000025E9ADD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/768-61-0x00007FFB5B980000-0x00007FFB5BA2F000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3132-81-0x00007FFB5B980000-0x00007FFB5BA29000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3256-50-0x00007FFB5B980000-0x00007FFB5BA29000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3256-46-0x00007FFB5B980000-0x00007FFB5BA29000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3256-45-0x000002B786320000-0x000002B786327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3544-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-26-0x00007FFB7A990000-0x00007FFB7A9A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3544-25-0x00007FFB7A9A0000-0x00007FFB7A9B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3544-24-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-35-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-4-0x0000000007670000-0x0000000007671000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3544-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-3-0x00007FFB7911A000-0x00007FFB7911B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3544-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-23-0x00000000072C0000-0x00000000072C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3544-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3544-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4904-1-0x00007FFB6BAC0000-0x00007FFB6BB68000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4904-38-0x00007FFB6BAC0000-0x00007FFB6BB68000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4904-0-0x0000028E54B60000-0x0000028E54B67000-memory.dmp

          Filesize

          28KB

          Download