Overview

overview

10

Static

static

3

f4a8f6ec84...6b.dll

windows7-x64

10

f4a8f6ec84...6b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 00:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b.dll

  • Size

    1.4MB

  • MD5

    16bb8e25d3d2f866cbf6826bb90fd325

  • SHA1

    ce86cea88918e556a9d0d2061c332da8e7513623

  • SHA256

    f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b

  • SHA512

    53321d6e37c9be3be9970ec3a69d84c049e022d071e47a03b922149b453493f531eb4f2afbaee0110d2ba4b87414c653015dd7f85d31fb41848063891b6bee72

  • SSDEEP

    12288:TkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:TkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:744
  • C:\Windows\system32\GamePanel.exe
    C:\Windows\system32\GamePanel.exe
    1⤵
      PID:4580
    • C:\Users\Admin\AppData\Local\136AXmgin\GamePanel.exe
      C:\Users\Admin\AppData\Local\136AXmgin\GamePanel.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2844
    • C:\Windows\system32\LockScreenContentServer.exe
      C:\Windows\system32\LockScreenContentServer.exe
      1⤵
        PID:4420
      • C:\Users\Admin\AppData\Local\pYO0\LockScreenContentServer.exe
        C:\Users\Admin\AppData\Local\pYO0\LockScreenContentServer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2304
      • C:\Windows\system32\phoneactivate.exe
        C:\Windows\system32\phoneactivate.exe
        1⤵
          PID:1760
        • C:\Users\Admin\AppData\Local\KLJBz\phoneactivate.exe
          C:\Users\Admin\AppData\Local\KLJBz\phoneactivate.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:632

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\136AXmgin\GamePanel.exe
          Filesize

          1.2MB

          MD5

          266f6a62c16f6a889218800762b137be

          SHA1

          31b9bd85a37bf0cbb38a1c30147b83671458fa72

          SHA256

          71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

          SHA512

          b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

          Download Submit

        • C:\Users\Admin\AppData\Local\136AXmgin\dwmapi.dll
          Filesize

          1.4MB

          MD5

          9391d234bb4274b2c0414314a8859435

          SHA1

          c7c44beb9505684f4aa7dae1117f0ff69271a03e

          SHA256

          b0ab5fd782895700f124a98171eee6f8f8ab5f8cc521e11150604c59f724abd6

          SHA512

          223be985c16bec3b03dc51d7f5e166a0fec003b8fe92a25cbdfcfc2b8a26e584ee3ec3b5543d5bbda209ef8030515c75f1791caa225a0a88840afa620cc7e296

          Download Submit

        • C:\Users\Admin\AppData\Local\KLJBz\SLC.dll
          Filesize

          1.4MB

          MD5

          720c29480b3aed150eca83543a19d247

          SHA1

          a5b1074a260d44629b55c6508c1f0d396016139f

          SHA256

          84f4bc85660d4a037d9f6ef505c20094118227f1961628df6c168177131ed88c

          SHA512

          aedb451d1b310a20338486664cae1090ef6bebc3227a34918a06c077217141fb46d737fc3b519c737469dc7f6c2d8ffdd6f3c014ae5dd0138a6e941b217789bb

          Download Submit

        • C:\Users\Admin\AppData\Local\KLJBz\phoneactivate.exe
          Filesize

          107KB

          MD5

          32c31f06e0b68f349f68afdd08e45f3d

          SHA1

          e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c

          SHA256

          cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017

          SHA512

          fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

          Download Submit

        • C:\Users\Admin\AppData\Local\pYO0\DUI70.dll
          Filesize

          1.7MB

          MD5

          8429224785bdf1f04940cf12bdbdd011

          SHA1

          95c3c51c9ef75baea0be4994ae4b58d75c115a31

          SHA256

          ea6edce782447b73fb0dfac48647c874043d0a389ad318950c75755cb6b7c153

          SHA512

          4f0eb4b82b83073faabf17e40cbc09f798ad709ff65294b4b58cc047a6dd5d62fccc5c68b07af8e659911ba3c5074224c8245feb18202915c0161fdf07429165

          Download Submit

        • C:\Users\Admin\AppData\Local\pYO0\LockScreenContentServer.exe
          Filesize

          47KB

          MD5

          a0b7513c98cf46ca2cea3a567fec137c

          SHA1

          2307fc8e3fc620ea3c2fdc6248ad4658479ba995

          SHA256

          cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

          SHA512

          3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk
          Filesize

          1KB

          MD5

          97fac52aed2427138fc23b66d70a1ee1

          SHA1

          1a5adc5953c07845cc0b7bb33413b9ff068db64f

          SHA256

          5fb1e29f94942233e60e83549c563cb770d1db475e26240e15cf4b352a9cb01f

          SHA512

          05df578c69ca4b9fbbb10967d00f7a0b4790086d6040c91109ce9d2de11e47ece4bcee49651d75855b30f578f634517092bbeab110cc2f63aff5b3b14beaaea8

          Download Submit

        • memory/632-83-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/744-41-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/744-0-0x000001DB26AA0000-0x000001DB26AA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/744-2-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2304-68-0x0000000140000000-0x00000001401AE000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2304-65-0x0000000140000000-0x00000001401AE000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2844-53-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2844-48-0x0000000140000000-0x0000000140169000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2844-50-0x00000298D8920000-0x00000298D8927000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3472-38-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-15-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-10-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-6-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-12-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-9-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-13-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-14-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-16-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-11-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-17-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-26-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-27-0x00007FF8EDC80000-0x00007FF8EDC90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3472-28-0x00007FF8EDC70000-0x00007FF8EDC80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3472-29-0x00000000005F0000-0x00000000005F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3472-18-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-7-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-8-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3472-5-0x00007FF8EDBEA000-0x00007FF8EDBEB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3472-3-0x00000000006A0000-0x00000000006A1000-memory.dmp

          Filesize

          4KB

          Download