Overview

overview

10

Static

static

3

c3ec167bc2...56.dll

windows7-x64

10

c3ec167bc2...56.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-10-2024 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3ec167bc24e86e10581efc8f52840c6af30a72fe312924da4bc3f115ed55756.dll

  • Size

    664KB

  • MD5

    72dbe7ff8cb3b1c782692f3cc9615602

  • SHA1

    7b97c3abc1e53da0d174f5f49bac65b2e005f13b

  • SHA256

    c3ec167bc24e86e10581efc8f52840c6af30a72fe312924da4bc3f115ed55756

  • SHA512

    cb5f4ef030942e8136626b9a225ef2b2d243dad900b2b196289335c592c537d5289382d25491c3e89bd0546a126ebdda8b6c0eee7dacd713ae155f62e8b0ea72

  • SSDEEP

    6144:P34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:PIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3ec167bc24e86e10581efc8f52840c6af30a72fe312924da4bc3f115ed55756.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1172
  • C:\Windows\system32\UI0Detect.exe
    C:\Windows\system32\UI0Detect.exe
    1⤵
      PID:2584
    • C:\Users\Admin\AppData\Local\YJfChbEdr\UI0Detect.exe
      C:\Users\Admin\AppData\Local\YJfChbEdr\UI0Detect.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2976
    • C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      1⤵
        PID:2716
      • C:\Users\Admin\AppData\Local\KxklG\dialer.exe
        C:\Users\Admin\AppData\Local\KxklG\dialer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2260
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:1100
        • C:\Users\Admin\AppData\Local\ONqYRRGWC\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\ONqYRRGWC\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1520

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KxklG\TAPI32.dll
          Filesize

          672KB

          MD5

          d6e0e0b9a8a5cf22c4b590f20f519080

          SHA1

          df302e7c08a4b3fa2a7999b6af1131aafe2235f0

          SHA256

          2eac103ace89444b474ffe78b1719dbfb1acaf7d7de5a33f0eb0f082827e8dea

          SHA512

          3902f27ed46d77fcfcac6368fec81d9d4e6174a18b763ca0164c15fc16c73c11775cd9d9a90c5d55f95b5e5757b217bfd4cc73a14255c9654f50486674667a44

          Download Submit

        • C:\Users\Admin\AppData\Local\ONqYRRGWC\SYSDM.CPL
          Filesize

          668KB

          MD5

          bf8b04015929aeb8606849e6cba3abcc

          SHA1

          8f2f40e4ff5d0c0fa91f77ace464372691610980

          SHA256

          7816ef8ad4f50585cea332991af52d55655cf6039a8c1f3f6052829b8cc9214a

          SHA512

          6b96a63d31cd42b7188f96a60080a1dc339b60aad4d502dbae58542519fa8d24915ef4667432f935ed3553414ed89b7ee9b81233da90fe028b0c080288e2b74f

          Download Submit

        • C:\Users\Admin\AppData\Local\YJfChbEdr\VERSION.dll
          Filesize

          668KB

          MD5

          57def19490ff36af59e1b1cde2a1c0c1

          SHA1

          c577230148a2dbaa54d9bc16c0af803381274cbd

          SHA256

          78cabbab9a85a6692546920cef0561ad39df000adaf5fba13672355d94729f66

          SHA512

          6f37882c4cba5ee79c6a1d8b5a0e4aedfe2b33e484a266f37838251cd7530c8ae3410fdb6c2caf220ef035edf56416e530bc3d148678449cd611bdd9a684421b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk
          Filesize

          837B

          MD5

          f28d14eaab9f5268d85d42bb27ffcc12

          SHA1

          974e25114f5b3387faf3f9f44fe27872aa11d173

          SHA256

          cec48d14d9b97376fb064314c7f259524e753655764f0334090e5d8f1302e779

          SHA512

          61bdb92734e52e133f2486f2a04044c3e55c49068eec9009a85fa03222d0f4f195c29df5bb6f71d7d5314fb4c65e96ca9b1b555ddb850fef3993afd4238b79e2

          Download Submit

        • \Users\Admin\AppData\Local\KxklG\dialer.exe
          Filesize

          34KB

          MD5

          46523e17ee0f6837746924eda7e9bac9

          SHA1

          d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

          SHA256

          23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

          SHA512

          c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

          Download Submit

        • \Users\Admin\AppData\Local\ONqYRRGWC\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • \Users\Admin\AppData\Local\YJfChbEdr\UI0Detect.exe
          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit

        • memory/1172-43-0x000007FEF6AE0000-0x000007FEF6B86000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1172-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1172-0-0x000007FEF6AE0000-0x000007FEF6B86000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-22-0x0000000002D60000-0x0000000002D67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-25-0x0000000077610000-0x0000000077612000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-24-0x00000000775E0000-0x00000000775E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-35-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-44-0x0000000077276000-0x0000000077277000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-3-0x0000000077276000-0x0000000077277000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-4-0x0000000002D80000-0x0000000002D81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1192-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1520-86-0x000007FEF6330000-0x000007FEF63D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1520-90-0x000007FEF6330000-0x000007FEF63D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2260-69-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2260-70-0x000007FEF6330000-0x000007FEF63D8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2260-74-0x000007FEF6330000-0x000007FEF63D8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2976-55-0x000007FEF6B90000-0x000007FEF6C37000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2976-53-0x000007FEF6B90000-0x000007FEF6C37000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2976-52-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download