Overview

overview

10

Static

static

3

3d547a32ba...96.dll

windows7-x64

10

3d547a32ba...96.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d547a32ba5e9558dae5877fbf177d8f1ad64ffbe75b9dd479d1a4271e9bf596.dll

  • Size

    672KB

  • MD5

    7184ef15375279757405bee2a9a39f9c

  • SHA1

    e205028e3ce6cbb7aab6700a37e3bd0b318626ca

  • SHA256

    3d547a32ba5e9558dae5877fbf177d8f1ad64ffbe75b9dd479d1a4271e9bf596

  • SHA512

    b780417f016aaaac4efff3783b8f9c1e5ef74e1d04147a52b96d539cfb72e4496789ef2f820693ed5fd567f11b8c3d41d3f6a9744bbc22056e865212d7ba3ac6

  • SSDEEP

    6144:t34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTR:tIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3d547a32ba5e9558dae5877fbf177d8f1ad64ffbe75b9dd479d1a4271e9bf596.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3560
  • C:\Windows\system32\MDMAppInstaller.exe
    C:\Windows\system32\MDMAppInstaller.exe
    1⤵
      PID:1840
    • C:\Users\Admin\AppData\Local\WiCN7U\MDMAppInstaller.exe
      C:\Users\Admin\AppData\Local\WiCN7U\MDMAppInstaller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2952
    • C:\Windows\system32\dccw.exe
      C:\Windows\system32\dccw.exe
      1⤵
        PID:1664
      • C:\Users\Admin\AppData\Local\WeZXo\dccw.exe
        C:\Users\Admin\AppData\Local\WeZXo\dccw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1300
      • C:\Windows\system32\WindowsActionDialog.exe
        C:\Windows\system32\WindowsActionDialog.exe
        1⤵
          PID:4420
        • C:\Users\Admin\AppData\Local\ryGe5nmPe\WindowsActionDialog.exe
          C:\Users\Admin\AppData\Local\ryGe5nmPe\WindowsActionDialog.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3136

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WeZXo\dccw.exe
          Filesize

          101KB

          MD5

          cb9374911bf5237179785c739a322c0f

          SHA1

          3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

          SHA256

          f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

          SHA512

          9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

          Download Submit

        • C:\Users\Admin\AppData\Local\WeZXo\mscms.dll
          Filesize

          680KB

          MD5

          0659437a48a5ef9370746b622ed0235a

          SHA1

          9b62dc872f901a85088ae7f2bdc2e369d9e19eca

          SHA256

          c9f3100f88a5f887232f199de060278eaeeff01dc6356f2e5f661f661ed6c47e

          SHA512

          bce506af215ee1d716426d778f03f2f8b133bf4fc253de7409925672677646f68866e23c77de9220d6e1b1906d53071ea07a48b2d065ef9fef58d791a8604b07

          Download Submit

        • C:\Users\Admin\AppData\Local\WiCN7U\MDMAppInstaller.exe
          Filesize

          151KB

          MD5

          30e978cc6830b04f1e7ed285cccaa746

          SHA1

          e915147c17e113c676c635e2102bbff90fb7aa52

          SHA256

          dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

          SHA512

          331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

          Download Submit

        • C:\Users\Admin\AppData\Local\WiCN7U\WTSAPI32.dll
          Filesize

          676KB

          MD5

          352b3b00a97eabc2ddffe5492de15d4e

          SHA1

          f723920696f68a4a5435b8fb753384fb31769b01

          SHA256

          6c1e9e3cdfe72f568f966a24ee89c0b05f2562ba128c3166826f07cc2397dc9f

          SHA512

          31921ac529fcab929fd8a73a163e37ed54c980809f7301990daa5ca8ecad106d7fa22a567674a4c72235486adb539d289a30175888199af12b99273eafc596e4

          Download Submit

        • C:\Users\Admin\AppData\Local\ryGe5nmPe\DUI70.dll
          Filesize

          952KB

          MD5

          2bc168c941f4a3731149795ed084afd4

          SHA1

          87e9931339644b9cfe93e94b70ea3bc50dc685dc

          SHA256

          af12f6897bb2ad27b51327eacdf0c98c88ecc8f63e5330b6184a46ff7982d0b8

          SHA512

          f8e354189518b905c7714bbe2c2381458830af1765ae14c331c911992455cd19e58437491436ea071f38ed2ce72f70e664cc15ef2d4c307f29dcbb17965fb566

          Download Submit

        • C:\Users\Admin\AppData\Local\ryGe5nmPe\WindowsActionDialog.exe
          Filesize

          61KB

          MD5

          73c523b6556f2dc7eefc662338d66f8d

          SHA1

          1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

          SHA256

          0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

          SHA512

          69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          7aa6aba8ecad7faf3d75651f6dd862f6

          SHA1

          7cb35830fdfb790a961c26d09dbab726f746a56e

          SHA256

          b4c11ba44493262ac38c88aa95ee5b09541c49de484de5795185779c371a08fb

          SHA512

          045268557ce67a3dbbca0d28984fbe7f5bbe07048667705baee027676565fe268179390e4291d99a02855e54357a66950689173f55b9522b7b008714726d6929

          Download Submit

        • memory/1300-64-0x0000026D14F40000-0x0000026D14F47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1300-62-0x00007FF878490000-0x00007FF87853A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1300-67-0x00007FF878490000-0x00007FF87853A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2952-51-0x00007FF878490000-0x00007FF878539000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2952-46-0x00007FF878490000-0x00007FF878539000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2952-48-0x0000016483020000-0x0000016483027000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3136-78-0x00007FF878450000-0x00007FF87853E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3136-82-0x00007FF878450000-0x00007FF87853E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/3560-39-0x00007FF8884F0000-0x00007FF888598000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3560-1-0x00007FF8884F0000-0x00007FF888598000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3560-2-0x000001F4510F0000-0x000001F4510F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3628-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-3-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3628-5-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-26-0x00007FF896D20000-0x00007FF896D30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3628-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-27-0x00007FF896D10000-0x00007FF896D20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3628-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-17-0x00007FF89669A000-0x00007FF89669B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3628-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3628-19-0x0000000002BC0000-0x0000000002BC7000-memory.dmp

          Filesize

          28KB

          Download