Overview

overview

10

Static

static

3

b996bd4a19...82.dll

windows7-x64

10

b996bd4a19...82.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2024 17:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082.dll

  • Size

    1.4MB

  • MD5

    ae929a0749157b4e066875db351711ef

  • SHA1

    8aa55d7d9b43225ce5f67b31332f56c35459520d

  • SHA256

    b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082

  • SHA512

    3b5b6c85574e6bb6620cfc78c07b18101df0ef2e4e9d8f8f1affa83c0b8cfc4557a86338bed9467ddabcb6c7b98ebfd972cd1d0031ae927436629fabb8e39c34

  • SSDEEP

    12288:nkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:nkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b996bd4a19e143f16d6497f87abf72874f0afba80cf5374d24b0a3522556b082.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:804
  • C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
    1⤵
      PID:4956
    • C:\Users\Admin\AppData\Local\ivvO9hni\cttune.exe
      C:\Users\Admin\AppData\Local\ivvO9hni\cttune.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2848
    • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
      C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
      1⤵
        PID:4360
      • C:\Users\Admin\AppData\Local\YwOUpXSqp\PasswordOnWakeSettingFlyout.exe
        C:\Users\Admin\AppData\Local\YwOUpXSqp\PasswordOnWakeSettingFlyout.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1360
      • C:\Windows\system32\bdechangepin.exe
        C:\Windows\system32\bdechangepin.exe
        1⤵
          PID:1420
        • C:\Users\Admin\AppData\Local\8XU\bdechangepin.exe
          C:\Users\Admin\AppData\Local\8XU\bdechangepin.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4528

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8XU\DUI70.dll
          Filesize

          1.7MB

          MD5

          167690d0ef5698a447b79f249aa9b6c3

          SHA1

          e4a3fa2b38e43efa7806eecbc0db6776c45b84be

          SHA256

          9e3e184b9d1615edb0ddd102cf21ce9beaf6ad9eb3c8498f46ce0c2d85575cf7

          SHA512

          6a400b670c9ba60bc31aa71e4444058fd28ebd9a18705899be4e3e1838e80df6edc9cde5709554d5f73c1290a3b532f97603990649e4286bb211a9be9bf3e808

          Download Submit

        • C:\Users\Admin\AppData\Local\8XU\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\YwOUpXSqp\PasswordOnWakeSettingFlyout.exe
          Filesize

          44KB

          MD5

          591a98c65f624c52882c2b238d6cd4c4

          SHA1

          c960d08c19d777069cf265dcc281807fbd8502d7

          SHA256

          5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

          SHA512

          1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

          Download Submit

        • C:\Users\Admin\AppData\Local\YwOUpXSqp\UxTheme.dll
          Filesize

          1.4MB

          MD5

          e4db84261ad4de3ecdfb075933ef2351

          SHA1

          18d528e684becfd7724edd569a3c64cd1e374516

          SHA256

          35a0a89ee622f11ce2591d1b3a7cabf89dc2478f7736c15e4d71f593cbd61291

          SHA512

          56e2a1a0021c6670c7aafd230315eaa4c95b5ce8fa8e9fc9104fe05e561142745e281f788b8fd3f88b5846d739fe0d3a26f159b65b8d1ee40e98160dcd2114f7

          Download Submit

        • C:\Users\Admin\AppData\Local\ivvO9hni\UxTheme.dll
          Filesize

          1.4MB

          MD5

          e7ae579820936d534cd09048cfa6e53e

          SHA1

          de92e3a081dd57bf11f5840a6e13e08d920ae548

          SHA256

          7b2e1bc25193c34d32b7d06310eb58ced7a4ad9406b9222b9de59bc3d35fd26e

          SHA512

          f0a7eb976d176312b5ebab13da64489057b76bb4d5256975d1e2b68bab757e34170d8f2b2b03e66ea8b6121671b4973afd530cdcda2b4880adf5e1f3683156cd

          Download Submit

        • C:\Users\Admin\AppData\Local\ivvO9hni\cttune.exe
          Filesize

          90KB

          MD5

          fa924465a33833f41c1a39f6221ba460

          SHA1

          801d505d81e49d2b4ffa316245ca69ff58c523c3

          SHA256

          de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da

          SHA512

          eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          6936c113122be182ac558e7cc8df18af

          SHA1

          45023e4bf64968210744ddf5397c367135527dda

          SHA256

          7864f340f333c8f211d8020db4f7354a1fb8ea70d7daa93840edf00551eeacd5

          SHA512

          b98c31494f50b5793d76e4e1be26226ff29ab62790f26d3e052a33b9b60658eb5f93dd4584f3760d04184c71878c7da84e7f6e42c7722c1998be189e9c7bb72f

          Download Submit

        • memory/804-2-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/804-41-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/804-0-0x000001D8BA500000-0x000001D8BA507000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1360-66-0x0000024BC7FF0000-0x0000024BC7FF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1360-69-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2848-53-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2848-48-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2848-50-0x0000025EE55C0000-0x0000025EE55C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3536-15-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-12-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-6-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-16-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-5-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-29-0x00007FF8743B0000-0x00007FF8743C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3536-38-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-8-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-11-0x00007FF87350A000-0x00007FF87350B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3536-10-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-9-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-7-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-13-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-17-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-26-0x00000000075D0000-0x00000000075D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3536-27-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-28-0x00007FF8743C0000-0x00007FF8743D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3536-18-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-14-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3536-3-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4528-84-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/4528-80-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

          Download