Overview

overview

10

Static

static

3

3b4f8af931...c4.dll

windows7-x64

10

3b4f8af931...c4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b4f8af9318b4a4541fb0b94db0ce8483a65c828b755274f16a97bcaa377e4c4.dll

  • Size

    672KB

  • MD5

    aaf31301e741243c6ad5399aa9e4f757

  • SHA1

    c2529446c4fc65d54f634e7ac23777f78cb8757a

  • SHA256

    3b4f8af9318b4a4541fb0b94db0ce8483a65c828b755274f16a97bcaa377e4c4

  • SHA512

    327571c02220df11a30d34f81138f7d8e0302986f63036201e2aebe264616a5005204e4a285a45b6291d805d6e7a69b49872a09f5ad19b5d468fcbd7c3edd83d

  • SSDEEP

    6144:V34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTU:VIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b4f8af9318b4a4541fb0b94db0ce8483a65c828b755274f16a97bcaa377e4c4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4112
  • C:\Windows\system32\msinfo32.exe
    C:\Windows\system32\msinfo32.exe
    1⤵
      PID:1608
    • C:\Users\Admin\AppData\Local\Y1Vds\msinfo32.exe
      C:\Users\Admin\AppData\Local\Y1Vds\msinfo32.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4368
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      1⤵
        PID:4620
      • C:\Users\Admin\AppData\Local\LTaHoGgNu\wermgr.exe
        C:\Users\Admin\AppData\Local\LTaHoGgNu\wermgr.exe
        1⤵
        • Executes dropped EXE
        PID:4084
      • C:\Windows\system32\shrpubw.exe
        C:\Windows\system32\shrpubw.exe
        1⤵
          PID:4372
        • C:\Users\Admin\AppData\Local\9RR\shrpubw.exe
          C:\Users\Admin\AppData\Local\9RR\shrpubw.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2472
        • C:\Windows\system32\eudcedit.exe
          C:\Windows\system32\eudcedit.exe
          1⤵
            PID:612
          • C:\Users\Admin\AppData\Local\mZIadL5\eudcedit.exe
            C:\Users\Admin\AppData\Local\mZIadL5\eudcedit.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:4792

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\9RR\MFC42u.dll
            Filesize

            700KB

            MD5

            22b29660e0ceeaab8038177c0dfd3043

            SHA1

            6e95bdadfe80ef1934de9d0bf93a9576412e2b0d

            SHA256

            d0457e969fefd0c18e424294da4eb2f09dd0b4d1ba8316ee300b817821ca12c8

            SHA512

            0956b0606b6c8c294a90f32f28b1f7f9bb1450fbfd610c1ccbe36824e722320dec30e9afbe1b9e42a85774981699a55f40666b4ca8989338a86a6786698ffd11

            Download Submit

          • C:\Users\Admin\AppData\Local\9RR\shrpubw.exe
            Filesize

            59KB

            MD5

            9910d5c62428ec5f92b04abf9428eec9

            SHA1

            05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

            SHA256

            6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

            SHA512

            01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

            Download Submit

          • C:\Users\Admin\AppData\Local\LTaHoGgNu\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Local\Y1Vds\MFC42u.dll
            Filesize

            700KB

            MD5

            5c8009a90db0d8ba2c3286b1f9bd6168

            SHA1

            5847191ca23400db517965a615ef76eb8419dc3e

            SHA256

            73800f14385494825c51099b364d4caca6b57c9c9992e25a7242c546d73fcc1e

            SHA512

            1879ec60f0e6d1097934ebe9e8644da3896ec7983b9b4ab974655d548b66e1cb525fe113fabfd996e4c8a9c01c010870a37af5e41a8d5fd6674d62e55f971dd0

            Download Submit

          • C:\Users\Admin\AppData\Local\Y1Vds\msinfo32.exe
            Filesize

            376KB

            MD5

            0aed91da63713bf9f881b03a604a1c9d

            SHA1

            b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

            SHA256

            5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

            SHA512

            04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

            Download Submit

          • C:\Users\Admin\AppData\Local\mZIadL5\MFC42u.dll
            Filesize

            700KB

            MD5

            dba0777c469e764e6cf724e6758f0fd8

            SHA1

            1f876f894dbc2910c43c3029b408ad12523ff5ab

            SHA256

            9f82672fbb992c674d87cdaead3cb261420b43fae9d898d62a28ec6a22ea8d1b

            SHA512

            1d66d5af368e4263dc357dd887f494a02c58fd10b6eb8b9ebad58316b116f17c376271f7b1e2ded0208a7a37765c03cea43568eafd4bbfc1dd12bb7a9e7220f2

            Download Submit

          • C:\Users\Admin\AppData\Local\mZIadL5\eudcedit.exe
            Filesize

            365KB

            MD5

            a9de6557179d371938fbe52511b551ce

            SHA1

            def460b4028788ded82dc55c36cb0df28599fd5f

            SHA256

            83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

            SHA512

            5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
            Filesize

            1KB

            MD5

            a8b31e0e27eca6b9bcea23d900131ca5

            SHA1

            eb0dddf5ec8db7ba3e61ea71119363643d6b9fb6

            SHA256

            2643e2cb68d760f3c3af91ca2791dde95b8ec6f82c27f179e271e448d5daea2b

            SHA512

            1a5731b6df2ab625506d8b19638aba088f1562956e1cfaf526e1c07c1842a12d260a540fd46b2161f7cd2facf8212c689c914683a50ad998528290746de2bf1b

            Download Submit

          • memory/2472-75-0x00007FFB265C0000-0x00007FFB2666F000-memory.dmp

            Filesize

            700KB

            Download

          • memory/2472-70-0x000001C562700000-0x000001C562707000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3496-36-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-16-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-14-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-13-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-11-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-10-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-9-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-8-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-7-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-6-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-5-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-3-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3496-26-0x00007FFB43E80000-0x00007FFB43E90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-12-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-24-0x0000000002F90000-0x0000000002F97000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3496-23-0x00007FFB435AA000-0x00007FFB435AB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3496-25-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/3496-27-0x00007FFB43E70000-0x00007FFB43E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3496-15-0x0000000140000000-0x00000001400A8000-memory.dmp

            Filesize

            672KB

            Download

          • memory/4112-2-0x000001D194EF0000-0x000001D194EF7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4112-39-0x00007FFB35AE0000-0x00007FFB35B88000-memory.dmp

            Filesize

            672KB

            Download

          • memory/4112-1-0x00007FFB35AE0000-0x00007FFB35B88000-memory.dmp

            Filesize

            672KB

            Download

          • memory/4368-51-0x00007FFB265C0000-0x00007FFB2666F000-memory.dmp

            Filesize

            700KB

            Download

          • memory/4368-47-0x00007FFB265C0000-0x00007FFB2666F000-memory.dmp

            Filesize

            700KB

            Download

          • memory/4368-46-0x000002B7905C0000-0x000002B7905C7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4792-89-0x00007FFB265C0000-0x00007FFB2666F000-memory.dmp

            Filesize

            700KB

            Download