Overview

overview

10

Static

static

3

3b4f8af931...c4.dll

windows7-x64

10

3b4f8af931...c4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-11-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b4f8af9318b4a4541fb0b94db0ce8483a65c828b755274f16a97bcaa377e4c4.dll

  • Size

    672KB

  • MD5

    aaf31301e741243c6ad5399aa9e4f757

  • SHA1

    c2529446c4fc65d54f634e7ac23777f78cb8757a

  • SHA256

    3b4f8af9318b4a4541fb0b94db0ce8483a65c828b755274f16a97bcaa377e4c4

  • SHA512

    327571c02220df11a30d34f81138f7d8e0302986f63036201e2aebe264616a5005204e4a285a45b6291d805d6e7a69b49872a09f5ad19b5d468fcbd7c3edd83d

  • SSDEEP

    6144:V34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTU:VIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b4f8af9318b4a4541fb0b94db0ce8483a65c828b755274f16a97bcaa377e4c4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2408
  • C:\Windows\system32\notepad.exe
    C:\Windows\system32\notepad.exe
    1⤵
      PID:2780
    • C:\Users\Admin\AppData\Local\uvF\notepad.exe
      C:\Users\Admin\AppData\Local\uvF\notepad.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2536
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:2524
      • C:\Users\Admin\AppData\Local\R82NicA\Dxpserver.exe
        C:\Users\Admin\AppData\Local\R82NicA\Dxpserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2172
      • C:\Windows\system32\mstsc.exe
        C:\Windows\system32\mstsc.exe
        1⤵
          PID:640
        • C:\Users\Admin\AppData\Local\jhatf\mstsc.exe
          C:\Users\Admin\AppData\Local\jhatf\mstsc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2968

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\R82NicA\XmlLite.dll
          Filesize

          676KB

          MD5

          ee5d8acbf4dbe9792be2cd9cf4396eeb

          SHA1

          147f7940d44a1b3ac7bd9a396fb691207ffd4b3e

          SHA256

          79fce1991043212a3a4650fbc19faac5550f2b3b665bf14f8c07372f4bccfdf0

          SHA512

          7f4e6d8315e31024549cc2af0248e2c943ba5fb913d0e2cab585e15d3801397dd03829f4093c487f0d18d5bf3a34e9510af148e81aeabe747d9df5e3ce0b934b

          Download Submit

        • C:\Users\Admin\AppData\Local\uvF\VERSION.dll
          Filesize

          676KB

          MD5

          700171c3d157eae51220c335ca05278c

          SHA1

          10efc691aac07f4b48d2206adde68a68f2308e0b

          SHA256

          9dd4465c1c38c911805a37a49bde07689c9a8ebe4fbbaa7169dfa4e810b0391b

          SHA512

          c9b86db592481fee001903532918b8cec4cfad637a47fc85fb5c357b777c881302aab59e97f6f0a3a2241062143c4b65922d3c2277b8c95ea55255e34a0263fc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          dc1de726a87c681e4248b4773e63a471

          SHA1

          c3c047b115e4894e6c3c11fe4d8629b1d4ce5820

          SHA256

          5bc6ed745063fdd81f99564c0abda58fd5571d7711375cbe803c47e774251b0e

          SHA512

          9c664c043ba7055a544c12f354363087907a57a5b489b9460ba5e74584e3b04b8851139719d28011192da9cadc7c77e5169b800b6a56d509dd28c8350eae4f60

          Download Submit

        • \Users\Admin\AppData\Local\R82NicA\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\jhatf\Secur32.dll
          Filesize

          676KB

          MD5

          d20fc9ad940117f1fae0d3c919905b56

          SHA1

          7db4a7ca1264d91b4a27a6da03446c8b83c2e5f5

          SHA256

          7ac1a10e035b7ccbc32672bdb28dca2a8f7a6f7243681809bc6d1926b1a18d59

          SHA512

          2c941e96d7d5e782147c2478c7ff78b43815cec7767a4500cb975af4c8b10d9f3878c2ca3806c040408407cd29859394580df9c5fa56a0933d4bd9cb1a7e962d

          Download Submit

        • \Users\Admin\AppData\Local\jhatf\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit

        • \Users\Admin\AppData\Local\uvF\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit

        • memory/1252-27-0x00000000770F0000-0x00000000770F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1252-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-3-0x0000000076E56000-0x0000000076E57000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-26-0x00000000770C0000-0x00000000770C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1252-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-37-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-4-0x0000000002D70000-0x0000000002D71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-46-0x0000000076E56000-0x0000000076E57000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1252-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-24-0x0000000002990000-0x0000000002997000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1252-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1252-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2172-71-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2172-72-0x000007FEF6090000-0x000007FEF6139000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2172-76-0x000007FEF6090000-0x000007FEF6139000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2408-45-0x000007FEF65E0000-0x000007FEF6688000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2408-0-0x000007FEF65E0000-0x000007FEF6688000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2408-2-0x0000000000320000-0x0000000000327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2536-59-0x000007FEF6690000-0x000007FEF6739000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2536-55-0x000007FEF6690000-0x000007FEF6739000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2536-54-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2968-92-0x000007FEF6090000-0x000007FEF6139000-memory.dmp

          Filesize

          676KB

          Download