Overview

overview

10

Static

static

3

97b25d2ee6...21.dll

windows7-x64

10

97b25d2ee6...21.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97b25d2ee63b52b28c0a7f77f87b4163e106f28f831b765099c641297be1d121.dll

  • Size

    676KB

  • MD5

    a419f6c38aab1882f8e8971dc1f52e13

  • SHA1

    2e28d486ce97a07d3c3a4bf0e1ee7882d2739b42

  • SHA256

    97b25d2ee63b52b28c0a7f77f87b4163e106f28f831b765099c641297be1d121

  • SHA512

    7fd998afc56ff1e09cc2109fb0198f7727378ea07b35162970f900ea49b17825772e1e2492ce4788d1bae7769e11fc6b0273d7db8be6908c88e162457e23ac94

  • SSDEEP

    6144:M34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:MIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\97b25d2ee63b52b28c0a7f77f87b4163e106f28f831b765099c641297be1d121.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3840
  • C:\Windows\system32\msconfig.exe
    C:\Windows\system32\msconfig.exe
    1⤵
      PID:4772
    • C:\Users\Admin\AppData\Local\8oB1\msconfig.exe
      C:\Users\Admin\AppData\Local\8oB1\msconfig.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3752
    • C:\Windows\system32\unregmp2.exe
      C:\Windows\system32\unregmp2.exe
      1⤵
        PID:2804
      • C:\Users\Admin\AppData\Local\RVKE1u\unregmp2.exe
        C:\Users\Admin\AppData\Local\RVKE1u\unregmp2.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:548
      • C:\Windows\system32\tabcal.exe
        C:\Windows\system32\tabcal.exe
        1⤵
          PID:4880
        • C:\Users\Admin\AppData\Local\BljQA\tabcal.exe
          C:\Users\Admin\AppData\Local\BljQA\tabcal.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:512

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\8oB1\VERSION.dll
          Filesize

          680KB

          MD5

          6f94e5198e40a951f2afaf47f67d4301

          SHA1

          6e435adab82cc1d514b23e668d6b6afc5f435c76

          SHA256

          f19cd331f23a3ae32ad75ba29b70b774c5ef5649718e57977fc88baff8683c90

          SHA512

          07a5faa7cc71cc9bbd5e834b4edb7341b5911f7fdee4bd3af3d492eb2476095ef3ffaf44a2de5fe5fb15a6e88185c293b5c64bfe8377e40e11d0c5865371dea3

          Download Submit

        • C:\Users\Admin\AppData\Local\8oB1\msconfig.exe
          Filesize

          193KB

          MD5

          39009536cafe30c6ef2501fe46c9df5e

          SHA1

          6ff7b4d30f31186de899665c704a105227704b72

          SHA256

          93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

          SHA512

          95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

          Download Submit

        • C:\Users\Admin\AppData\Local\BljQA\HID.DLL
          Filesize

          680KB

          MD5

          24fec7f85262798186258d208721e3da

          SHA1

          a793dadf68e34b7d15840d6799d9a09560df2034

          SHA256

          1efadd07d78532e21134d643bd01a16f9cfdef7ce18a85735d7c3c38adb1bed2

          SHA512

          23d264176727b1f831114ff81efcd8dbf78e16dcac292d8b53b48ac0d8b03294146c8b6e78d5245bb5f463309ef7aa96db97ed97f80861dc1ca04ff9e261158b

          Download Submit

        • C:\Users\Admin\AppData\Local\BljQA\tabcal.exe
          Filesize

          84KB

          MD5

          40f4014416ff0cbf92a9509f67a69754

          SHA1

          1798ff7324724a32c810e2075b11c09b41e4fede

          SHA256

          f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

          SHA512

          646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

          Download Submit

        • C:\Users\Admin\AppData\Local\RVKE1u\VERSION.dll
          Filesize

          680KB

          MD5

          1457de0ed7443695262b3ff1e849db18

          SHA1

          6fcb779dc314ce5b5256c051c4548bd5f26e276e

          SHA256

          ceea1ec11d1f0a38ec94acc32857af35ae81cffddb9e37d72511eb0f5d1c2b24

          SHA512

          0e77d7d1422424fcbec7fa274c8ae26cba1e73e6a7bf5ccfdca2ea9adf3603a0b3688129327de90c640c331c872248776e5f6bb5ad16e587960aea0bdd3046b5

          Download Submit

        • C:\Users\Admin\AppData\Local\RVKE1u\unregmp2.exe
          Filesize

          259KB

          MD5

          a6fc8ce566dec7c5873cb9d02d7b874e

          SHA1

          a30040967f75df85a1e3927bdce159b102011a61

          SHA256

          21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

          SHA512

          f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          726B

          MD5

          e1d75885180e8227e2e9a634daa42a04

          SHA1

          275a23a20bcb6c9dff7a986db5b4631fc15f3113

          SHA256

          534c0badbe3465dc96bfc9a548ad59ee041fc740357df92f79f4896d1e021160

          SHA512

          a6c5bc5e4734b7915b6bbcfcdf525625d34a6fc7f92b600445e8b0f916fa5c19bdf7ea2860673b4bd7786004eafa06359896ef50d465b923fdcbf198715974b0

          Download Submit

        • memory/512-83-0x00007FFC73890000-0x00007FFC7393A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/548-68-0x00007FFC73890000-0x00007FFC7393A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/548-65-0x00000190F4F70000-0x00000190F4F77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3448-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-18-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-5-0x00007FFC8FBDA000-0x00007FFC8FBDB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-3-0x0000000002E50000-0x0000000002E51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-37-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-26-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3448-25-0x0000000002D20000-0x0000000002D27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3448-27-0x00007FFC90F40000-0x00007FFC90F50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3448-28-0x00007FFC90F30000-0x00007FFC90F40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3752-52-0x00007FFC73890000-0x00007FFC7393A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3752-48-0x00007FFC73890000-0x00007FFC7393A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3752-47-0x0000027A37860000-0x0000027A37867000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3840-40-0x00007FFC837A0000-0x00007FFC83849000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3840-0-0x00007FFC837A0000-0x00007FFC83849000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3840-2-0x000001B54F300000-0x000001B54F307000-memory.dmp

          Filesize

          28KB

          Download