Overview

overview

10

Static

static

3

ff69e56f8e...ef.dll

windows7-x64

10

ff69e56f8e...ef.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/11/2024, 02:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ff69e56f8ee29f346c9495468b07dc2d2eb486642a1cfcc54d31d7a813bd95ef.dll

  • Size

    672KB

  • MD5

    584c0aedb20485c2e84e74c629507bca

  • SHA1

    68adc01881c74a7e747c02fcc8b3bf6a992595c7

  • SHA256

    ff69e56f8ee29f346c9495468b07dc2d2eb486642a1cfcc54d31d7a813bd95ef

  • SHA512

    f0de47f3fe7cac1ec434e5e29d33c6ace9e3ee64102acd2f5c05860d782f6c74f34b740ad21615fff80054c9bfa2333492a9c9ed51f182dc3f72805901945e4e

  • SSDEEP

    6144:t34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:tIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff69e56f8ee29f346c9495468b07dc2d2eb486642a1cfcc54d31d7a813bd95ef.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2688
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:744
    • C:\Users\Admin\AppData\Local\62NNOfmr\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\62NNOfmr\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:964
    • C:\Windows\system32\msconfig.exe
      C:\Windows\system32\msconfig.exe
      1⤵
        PID:2348
      • C:\Users\Admin\AppData\Local\ZdAT\msconfig.exe
        C:\Users\Admin\AppData\Local\ZdAT\msconfig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1636
      • C:\Windows\system32\FXSCOVER.exe
        C:\Windows\system32\FXSCOVER.exe
        1⤵
          PID:2432
        • C:\Users\Admin\AppData\Local\CexBzETA\FXSCOVER.exe
          C:\Users\Admin\AppData\Local\CexBzETA\FXSCOVER.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:364

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\62NNOfmr\SYSDM.CPL
                Filesize

                676KB

                MD5

                4aae161ecd80053e20603eb54c5e6f28

                SHA1

                0ae69144044a5a46fc40645ec91643a31d914f90

                SHA256

                1e7cbe6d3dc77f958afaf8e8008d3ef7e10c2820cde2c7bfd2099e57c3425734

                SHA512

                25e6c146257ed189b3adf355e0fc53ae5968d16f27c0a97d1c7b00b7711857a2bdb0b432df8575b3502ff221d9a2fe45eb1fe5de8b4d1a264bcfdfef5a11e88f

                Download Submit

              • C:\Users\Admin\AppData\Local\62NNOfmr\SystemPropertiesRemote.exe
                Filesize

                82KB

                MD5

                cdce1ee7f316f249a3c20cc7a0197da9

                SHA1

                dadb23af07827758005ec0235ac1573ffcea0da6

                SHA256

                7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

                SHA512

                f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

                Download Submit

              • C:\Users\Admin\AppData\Local\CexBzETA\FXSCOVER.exe
                Filesize

                242KB

                MD5

                5769f78d00f22f76a4193dc720d0b2bd

                SHA1

                d62b6cab057e88737cba43fe9b0c6d11a28b53e8

                SHA256

                40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31

                SHA512

                b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

                Download Submit

              • C:\Users\Admin\AppData\Local\CexBzETA\MFC42u.dll
                Filesize

                700KB

                MD5

                d5221ce9452ad142c8e3f05bd82be921

                SHA1

                e4d716c3f9e8900e043f353571636bcdbb5f47ec

                SHA256

                632a51f3b73b5eb010ada4cc4569c6b976f5b4c011ce916006611e266ad1f246

                SHA512

                d27b50a26fa260e321c0c7e80385fbd244ca318e974f7874b519071273c31d9dc95124226c6e26ee9f71176be2ab87f1a03e2ccd5975cb856a7893733e9b679a

                Download Submit

              • C:\Users\Admin\AppData\Local\ZdAT\VERSION.dll
                Filesize

                676KB

                MD5

                12097512e8fbf55287cf45727781b344

                SHA1

                c195652bee0837df3ba7041b0195349ce9af237c

                SHA256

                ef592109aa4329083cace264978cc42e1f19e644b81d0108726df5c306d5b2fa

                SHA512

                697a9ae0b020264d3448ebd37092baf058e1a708111e5c39966cd9049d51eadcf2dc0f5c66db3676fcd1432f580176093d875a8063185b4a1ba3403fb378e775

                Download Submit

              • C:\Users\Admin\AppData\Local\ZdAT\msconfig.exe
                Filesize

                193KB

                MD5

                39009536cafe30c6ef2501fe46c9df5e

                SHA1

                6ff7b4d30f31186de899665c704a105227704b72

                SHA256

                93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

                SHA512

                95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk
                Filesize

                1KB

                MD5

                60828e397e83ac7aaf73e36ec7b1625e

                SHA1

                f1b091d04cf9b393d79b757b17dd5721ac6e8d0c

                SHA256

                f72ab50d018cf3de6202af2328b198af24ef12556d1a3d2beae82a6b89c29265

                SHA512

                05cf8cf4c2f8abbe9e1164fdad8c0f3b77e2a8a135fd2194c42edfd689bbf5ad4caaf8829ce4e2f7ad316ee2c94d01a91253d1a48ae8b2fe16b45183a2f0506e

                Download Submit

              • memory/364-82-0x00007FFDE1EC0000-0x00007FFDE1F6F000-memory.dmp

                Filesize

                700KB

                Download

              • memory/364-78-0x00007FFDE1EC0000-0x00007FFDE1F6F000-memory.dmp

                Filesize

                700KB

                Download

              • memory/964-46-0x000001A800E30000-0x000001A800E37000-memory.dmp

                Filesize

                28KB

                Download

              • memory/964-47-0x00007FFDE1EC0000-0x00007FFDE1F69000-memory.dmp

                Filesize

                676KB

                Download

              • memory/964-51-0x00007FFDE1EC0000-0x00007FFDE1F69000-memory.dmp

                Filesize

                676KB

                Download

              • memory/1636-62-0x00000215DD3D0000-0x00000215DD3D7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1636-67-0x00007FFDE1EC0000-0x00007FFDE1F69000-memory.dmp

                Filesize

                676KB

                Download

              • memory/2688-1-0x00007FFDF12F0000-0x00007FFDF1398000-memory.dmp

                Filesize

                672KB

                Download

              • memory/2688-39-0x00007FFDF12F0000-0x00007FFDF1398000-memory.dmp

                Filesize

                672KB

                Download

              • memory/2688-2-0x000002568EDC0000-0x000002568EDC7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3380-27-0x00007FFDFF630000-0x00007FFDFF640000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3380-25-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-7-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-6-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-10-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-11-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-12-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-13-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-14-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-8-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-36-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-26-0x00007FFDFF640000-0x00007FFDFF650000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3380-16-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-17-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-24-0x0000000000370000-0x0000000000377000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3380-15-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-9-0x0000000140000000-0x00000001400A8000-memory.dmp

                Filesize

                672KB

                Download

              • memory/3380-3-0x0000000000990000-0x0000000000991000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3380-5-0x00007FFDFDA5A000-0x00007FFDFDA5B000-memory.dmp

                Filesize

                4KB

                Download