Overview

overview

10

Static

static

3

b5a92b20ca...dd.dll

windows7-x64

10

b5a92b20ca...dd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/11/2024, 16:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b5a92b20ca55f3df694fbdb63f6d5bd6d7ce96581d341d282223bd33bc0753dd.dll

  • Size

    680KB

  • MD5

    5b9fde8a7db8bc2c53fccd4187db1c8c

  • SHA1

    fcac82c487ba59787aa3e3be98aedd6e2198fc1e

  • SHA256

    b5a92b20ca55f3df694fbdb63f6d5bd6d7ce96581d341d282223bd33bc0753dd

  • SHA512

    88ee1dc23bc6ab839334667e2f82ecfced7b5ac488c1e9f6109f6e1f0d5b245fdaaccbfabb5faa5b67ad91d8780f018daee28dad9ea389ab8defaed4d24f323b

  • SSDEEP

    6144:z34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT7:zIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5a92b20ca55f3df694fbdb63f6d5bd6d7ce96581d341d282223bd33bc0753dd.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3244
  • C:\Windows\system32\MDMAppInstaller.exe
    C:\Windows\system32\MDMAppInstaller.exe
    1⤵
      PID:5024
    • C:\Users\Admin\AppData\Local\LO89CG4ag\MDMAppInstaller.exe
      C:\Users\Admin\AppData\Local\LO89CG4ag\MDMAppInstaller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3472
    • C:\Windows\system32\rdpclip.exe
      C:\Windows\system32\rdpclip.exe
      1⤵
        PID:904
      • C:\Users\Admin\AppData\Local\aD1T\rdpclip.exe
        C:\Users\Admin\AppData\Local\aD1T\rdpclip.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3180
      • C:\Windows\system32\OptionalFeatures.exe
        C:\Windows\system32\OptionalFeatures.exe
        1⤵
          PID:4904
        • C:\Users\Admin\AppData\Local\3KnfQAj\OptionalFeatures.exe
          C:\Users\Admin\AppData\Local\3KnfQAj\OptionalFeatures.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3692

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\3KnfQAj\OptionalFeatures.exe
                Filesize

                110KB

                MD5

                d6cd8bef71458804dbc33b88ace56372

                SHA1

                a18b58445be2492c5d37abad69b5aa0d29416a60

                SHA256

                fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

                SHA512

                1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

                Download Submit

              • C:\Users\Admin\AppData\Local\3KnfQAj\appwiz.cpl
                Filesize

                684KB

                MD5

                1ac9640875fe58a668d44a9eb5e5753a

                SHA1

                5fcfb496b11964bdb21d6b184a1f8c876dfeb46b

                SHA256

                2272ee6cbabcd0fd4bf499e0039aeca4b7c5fd4b383bf7e4dfe31b69c383a3d9

                SHA512

                68825e0d6ae19b4124260a50ae4ae66f9a5d452557313cf6425e5d47561c193d1e0b317194b345409989af0c5d502c6608fbc69e81274a522ef53d79fa47e602

                Download Submit

              • C:\Users\Admin\AppData\Local\LO89CG4ag\MDMAppInstaller.exe
                Filesize

                151KB

                MD5

                30e978cc6830b04f1e7ed285cccaa746

                SHA1

                e915147c17e113c676c635e2102bbff90fb7aa52

                SHA256

                dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

                SHA512

                331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

                Download Submit

              • C:\Users\Admin\AppData\Local\LO89CG4ag\WTSAPI32.dll
                Filesize

                684KB

                MD5

                ad56cc31878df0ee101705991a2e68f2

                SHA1

                058e602c7ee599229236236da0977f6414cd4ffb

                SHA256

                bd7ca369fd8c4503a257a95569ee0cedfd5bd16cc194d1795b6043690b152b65

                SHA512

                f5b56aca1b9ae5d9a9b451b6e0e4006023cdfe56673c6b92cb20ccc7a4fa3bc23fc64fca9e74b0c3f46eb5a4db5e38a44835c44d98b54c3e750c3e87666af77e

                Download Submit

              • C:\Users\Admin\AppData\Local\aD1T\WTSAPI32.dll
                Filesize

                684KB

                MD5

                fc33f422d18b5cb071e1297c5378019c

                SHA1

                5bd2b3c1d1a431901281b350728c9485be097557

                SHA256

                f21660a0349d3ab4adc16369dc6e1d3d043fd0c601e177af9931b24008574b03

                SHA512

                16ccfef7070f9e5f6cd056093ca05a0223f7b9d96fc05749c65d67e3141b43567a4423be881bfddae9c899c736c60c0acc99c7d80a3089d1d7d43b9ece463256

                Download Submit

              • C:\Users\Admin\AppData\Local\aD1T\rdpclip.exe
                Filesize

                446KB

                MD5

                a52402d6bd4e20a519a2eeec53332752

                SHA1

                129f2b6409395ef877b9ca39dd819a2703946a73

                SHA256

                9d5be181d9309dea98039d2ce619afe745fc8a9a1b1c05cf860b3620b5203308

                SHA512

                632dda67066cff2b940f27e3f409e164684994a02bda57d74e958c462b9a0963e922be4a487c06126cecc9ef34d34913ef8315524bf8422f83c0c135b8af924e

                Download Submit

              • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
                Filesize

                1KB

                MD5

                48f149af37a8edf336ad93731a5aeaad

                SHA1

                b241e11340d92a6931633c83d4e62c574b9f53ca

                SHA256

                6c814b39cc427521e62620d8efa4062a6623dfa056c70b11c4117c1a49426c81

                SHA512

                923cefd54d31b5c67bafe149e381a69c69d66ff4adef78622363aa615792f7722fd2ff6e1cbfe6bb650f1052aa3ec2ea2cc0561e4eac9bfb0872431fa1e46635

                Download Submit

              • memory/3180-63-0x00000156D6E50000-0x00000156D6E57000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3180-68-0x00007FFB430A0000-0x00007FFB4314B000-memory.dmp

                Filesize

                684KB

                Download

              • memory/3244-40-0x00007FFB525A0000-0x00007FFB5264A000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3244-2-0x00007FFB525A0000-0x00007FFB5264A000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3244-0-0x0000013AD3EA0000-0x0000013AD3EA7000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3472-52-0x00007FFB430A0000-0x00007FFB4314B000-memory.dmp

                Filesize

                684KB

                Download

              • memory/3472-48-0x00007FFB430A0000-0x00007FFB4314B000-memory.dmp

                Filesize

                684KB

                Download

              • memory/3472-47-0x000001E3C0E90000-0x000001E3C0E97000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3524-28-0x00007FFB60E50000-0x00007FFB60E60000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3524-27-0x00007FFB60E60000-0x00007FFB60E70000-memory.dmp

                Filesize

                64KB

                Download

              • memory/3524-11-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-10-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-9-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-8-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-6-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-13-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-14-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-15-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-26-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-12-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-37-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-17-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-18-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-25-0x0000000007400000-0x0000000007407000-memory.dmp

                Filesize

                28KB

                Download

              • memory/3524-16-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-7-0x0000000140000000-0x00000001400AA000-memory.dmp

                Filesize

                680KB

                Download

              • memory/3524-3-0x00007FFB5F6FA000-0x00007FFB5F6FB000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3524-4-0x00000000073F0000-0x00000000073F1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3692-83-0x00007FFB430A0000-0x00007FFB4314B000-memory.dmp

                Filesize

                684KB

                Download