Overview

overview

10

Static

static

3

f4a8f6ec84...6b.dll

windows7-x64

10

f4a8f6ec84...6b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2024 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b.dll

  • Size

    1.4MB

  • MD5

    16bb8e25d3d2f866cbf6826bb90fd325

  • SHA1

    ce86cea88918e556a9d0d2061c332da8e7513623

  • SHA256

    f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b

  • SHA512

    53321d6e37c9be3be9970ec3a69d84c049e022d071e47a03b922149b453493f531eb4f2afbaee0110d2ba4b87414c653015dd7f85d31fb41848063891b6bee72

  • SSDEEP

    12288:TkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:TkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4a8f6ec846b2fbe5edf0dc402093eceb69b87819e58953cada2d3c410c1476b.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2668
  • C:\Windows\system32\UI0Detect.exe
    C:\Windows\system32\UI0Detect.exe
    1⤵
      PID:3036
    • C:\Users\Admin\AppData\Local\7PHIvA2Bi\UI0Detect.exe
      C:\Users\Admin\AppData\Local\7PHIvA2Bi\UI0Detect.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:568
    • C:\Windows\system32\mmc.exe
      C:\Windows\system32\mmc.exe
      1⤵
        PID:1036
      • C:\Users\Admin\AppData\Local\CBZp2jQ\mmc.exe
        C:\Users\Admin\AppData\Local\CBZp2jQ\mmc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2736
      • C:\Windows\system32\sdclt.exe
        C:\Windows\system32\sdclt.exe
        1⤵
          PID:2240
        • C:\Users\Admin\AppData\Local\pdMW1xMN\sdclt.exe
          C:\Users\Admin\AppData\Local\pdMW1xMN\sdclt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2860
        • C:\Windows\system32\unregmp2.exe
          C:\Windows\system32\unregmp2.exe
          1⤵
            PID:1620
          • C:\Users\Admin\AppData\Local\DKFq\unregmp2.exe
            C:\Users\Admin\AppData\Local\DKFq\unregmp2.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2628

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\7PHIvA2Bi\UI0Detect.exe
            Filesize

            40KB

            MD5

            3cbdec8d06b9968aba702eba076364a1

            SHA1

            6e0fcaccadbdb5e3293aa3523ec1006d92191c58

            SHA256

            b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

            SHA512

            a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

            Download Submit

          • C:\Users\Admin\AppData\Local\7PHIvA2Bi\WTSAPI32.dll
            Filesize

            1.4MB

            MD5

            26302e980181a74008260690160204ed

            SHA1

            00de96341cdf00c4670b1c8b4671be30c5d54839

            SHA256

            6a1122c81a4c776f859da04451e89c81b900cd638a9b0c9e4b305eea00cff3f5

            SHA512

            e5c0e029a3426576e66f5096a4651e36f933b23498a771147494dd1bc89dae422cedfdb77d8394aa8d497c93d7d2b321ea4e05876ff39e722c48e7f70b4c7f95

            Download Submit

          • C:\Users\Admin\AppData\Local\CBZp2jQ\MFC42u.dll
            Filesize

            1.4MB

            MD5

            331de46e9a6007b2329459bb9c324531

            SHA1

            14f23bfed5c52cc01e664967f740a1a586568e59

            SHA256

            b3dd96829422058d3f5c01afa563f544fe025feb656d4f9d7e56f96c0ca8cb8f

            SHA512

            00c5e1f0ab5d4ff50bae3e81afeee5f7b62fb75b92cae5e30dc86cb1ac08dd12ef9c273a037abb010b82ad9b33f55f2b738fe687b672bdec819f31487696f983

            Download Submit

          • C:\Users\Admin\AppData\Local\DKFq\slc.dll
            Filesize

            1.4MB

            MD5

            61bc6c3bc16be35ce4b3605c01f1b4f0

            SHA1

            8064ed9f87f597330dc1c9a888aab59f3087160e

            SHA256

            7ee9421131807a09b0e244f286fff9dd906c2d18e280530daba413341153ab9d

            SHA512

            50b959fef2691f9a39756c22996d6bd44c8066250262dbd6a9e76bf60b5520b1950a670d204eb404308d790cbd39e5388ffe81be0b47e14aa6cc6f9d7c63f25f

            Download Submit

          • C:\Users\Admin\AppData\Local\DKFq\unregmp2.exe
            Filesize

            316KB

            MD5

            64b328d52dfc8cda123093e3f6e4c37c

            SHA1

            f68f45b21b911906f3aa982e64504e662a92e5ab

            SHA256

            7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

            SHA512

            e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
            Filesize

            1KB

            MD5

            dc7a6f0e009e777cb2816b6de00f23ab

            SHA1

            b25c33483b264526574e6b38bcf24fbbef2b159c

            SHA256

            5289e256b7accd0ab13915c18cb1e46e8bd997394bc21a9370132ac0f52a0f71

            SHA512

            6b893b03e8a06ac33aeabe4e9f4ea0901b080098da9b372703aa1224ed9def27f09db0f355c6fe8b6c4bb10bf8363592c05566243ab4b5d59f12a465b6485bdb

            Download Submit

          • \Users\Admin\AppData\Local\CBZp2jQ\mmc.exe
            Filesize

            2.0MB

            MD5

            9fea051a9585f2a303d55745b4bf63aa

            SHA1

            f5dc12d658402900a2b01af2f018d113619b96b8

            SHA256

            b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

            SHA512

            beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

            Download Submit

          • \Users\Admin\AppData\Local\pdMW1xMN\UxTheme.dll
            Filesize

            1.4MB

            MD5

            b6b115424b8b01cf8a635e1c17f0ea65

            SHA1

            bc657e4d444e1dd91fa84edb24888a57ba763f13

            SHA256

            d71a562cc41e7c3352035e1fbb6e426901f0ee7323ba8b7b293374059bbe73a0

            SHA512

            32d9cec9fb80263ec0dff172a7a7c24151ce6b6192e08c894ece3111a89395ca357ef95f9ba64575a65627d2d556224e4c08f373d36b69452f18a5fed4c4d5a0

            Download Submit

          • \Users\Admin\AppData\Local\pdMW1xMN\sdclt.exe
            Filesize

            1.2MB

            MD5

            cdebd55ffbda3889aa2a8ce52b9dc097

            SHA1

            4b3cbfff5e57fa0cb058e93e445e3851063646cf

            SHA256

            61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

            SHA512

            2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

            Download Submit

          • memory/568-56-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/568-61-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/568-58-0x0000000000210000-0x0000000000217000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1252-12-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-17-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-26-0x0000000002AE0000-0x0000000002AE7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1252-27-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-18-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-16-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-15-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-29-0x0000000077D70000-0x0000000077D72000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1252-28-0x0000000077D40000-0x0000000077D42000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1252-38-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-39-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-8-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-48-0x00000000779D6000-0x00000000779D7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1252-10-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-11-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-9-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-7-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-13-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-14-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-6-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/1252-3-0x00000000779D6000-0x00000000779D7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1252-4-0x0000000002B00000-0x0000000002B01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2628-106-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2668-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2668-47-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2668-0-0x0000000140000000-0x0000000140168000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2736-76-0x0000000140000000-0x000000014016F000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2736-73-0x0000000000090000-0x0000000000097000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2736-74-0x0000000140000000-0x000000014016F000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2860-90-0x0000000140000000-0x0000000140169000-memory.dmp

            Filesize

            1.4MB

            Download