Overview

overview

10

Static

static

3

9f42706b6c...12.dll

windows7-x64

10

9f42706b6c...12.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f42706b6c266edd5c6ffd4ee56117063224bc6afea8cfb85d0646029585cd12.dll

  • Size

    676KB

  • MD5

    792dfd2b5224a44183e40fe97050f5c2

  • SHA1

    990c995f30ecfca83fdaa9c347c125c52c610d2a

  • SHA256

    9f42706b6c266edd5c6ffd4ee56117063224bc6afea8cfb85d0646029585cd12

  • SHA512

    1bcc2d01951747d7d6a56b3553888d1828a5523bb60fc1e92dae175274e43505d70b7678c410a87546300893e736a16515592d50da1dc3cedf6b8d6e22bc991e

  • SSDEEP

    6144:r34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:rIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f42706b6c266edd5c6ffd4ee56117063224bc6afea8cfb85d0646029585cd12.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4560
  • C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe
    1⤵
      PID:4896
    • C:\Users\Admin\AppData\Local\6QRHHtZYD\BitLockerWizard.exe
      C:\Users\Admin\AppData\Local\6QRHHtZYD\BitLockerWizard.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1176
    • C:\Windows\system32\ProximityUxHost.exe
      C:\Windows\system32\ProximityUxHost.exe
      1⤵
        PID:5116
      • C:\Users\Admin\AppData\Local\HpUb\ProximityUxHost.exe
        C:\Users\Admin\AppData\Local\HpUb\ProximityUxHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2596
      • C:\Windows\system32\DeviceEnroller.exe
        C:\Windows\system32\DeviceEnroller.exe
        1⤵
          PID:2244
        • C:\Users\Admin\AppData\Local\OCoNlcC\DeviceEnroller.exe
          C:\Users\Admin\AppData\Local\OCoNlcC\DeviceEnroller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3984

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6QRHHtZYD\BitLockerWizard.exe
          Filesize

          100KB

          MD5

          6d30c96f29f64b34bc98e4c81d9b0ee8

          SHA1

          4a3adc355f02b9c69bdbe391bfb01469dee15cf0

          SHA256

          7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

          SHA512

          25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

          Download Submit

        • C:\Users\Admin\AppData\Local\6QRHHtZYD\FVEWIZ.dll
          Filesize

          680KB

          MD5

          692e08965e111b18d571a4d9509fe303

          SHA1

          307d41d05cb4513c97ed17429c545a33327e57d3

          SHA256

          560d7a8c0da08e7dd5c967ec28886a595c673b1377760e5668b70865062f3ea8

          SHA512

          3b05e451905db117b085308dacb17a78fe7d444067da0cb6c258422d5409a8959a6ee61d03b80fd9cd033b1eb6d0e2736b1fecaac68c4734aa261acbbe02c44e

          Download Submit

        • C:\Users\Admin\AppData\Local\HpUb\DUI70.dll
          Filesize

          956KB

          MD5

          81e8019fa211e3d08a29fc9c3690efbf

          SHA1

          21449956143e8d73cff60235b44e11173cfce7f0

          SHA256

          9875119fcf23bf2f707570228b57af8b7ec6f8bfe12d7921ad184280daf37bd3

          SHA512

          5f58320f95c99450764f5764f44d26bcb468a0d1fcb9520a7d3e9cbd4b4ba77b9cc27ced627e867225abd0188ab4e101a4c5cff391abc11b227c73b62278221a

          Download Submit

        • C:\Users\Admin\AppData\Local\HpUb\ProximityUxHost.exe
          Filesize

          263KB

          MD5

          9ea326415b83d77295c70a35feb75577

          SHA1

          f8fc6a4f7f97b242f35066f61d305e278155b8a8

          SHA256

          192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f

          SHA512

          2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

          Download Submit

        • C:\Users\Admin\AppData\Local\OCoNlcC\DeviceEnroller.exe
          Filesize

          448KB

          MD5

          946d9474533f58d2613078fd14ca7473

          SHA1

          c2620ac9522fa3702a6a03299b930d6044aa5e49

          SHA256

          cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

          SHA512

          3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

          Download Submit

        • C:\Users\Admin\AppData\Local\OCoNlcC\XmlLite.dll
          Filesize

          680KB

          MD5

          67160fc8da765a85c239b6300bad34b8

          SHA1

          5a8bf1555973571465405cb8ac994f578dfecf16

          SHA256

          f6f4ca50bbdf8d613a1dac9ac7d772acaff262752ecb6576fb26933b278e914d

          SHA512

          268a235a8f6b4ec897cb538b37546908f7db44a12c92d329b0ee5c16220ee2fd392a799ec5d5fa8526dbbe0401ab0c7b5be97afd5e438021c1c6de6409e7447c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          787B

          MD5

          c5f99de2bc61d790270a79dbd2697b60

          SHA1

          b297341f23f784c5f0a9519e3d6f8ca93036a0d1

          SHA256

          de51eac8c64c925dac901527f05bb3916f9eebea6bf9dc2a77de9c567d2e6464

          SHA512

          c5c77da376a57aec746589bd233aed55e56ad8c6574c03181d03f212fcd2b308be98311d055dc266ae7b8763beb7b46e2e846b109e6fe60fc12ab469ab97f8f1

          Download Submit

        • memory/1176-52-0x00007FF81E6C0000-0x00007FF81E76A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1176-47-0x0000028361900000-0x0000028361907000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1176-48-0x00007FF81E6C0000-0x00007FF81E76A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2596-65-0x0000016F9C0A0000-0x0000016F9C0A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2596-63-0x00007FF81E680000-0x00007FF81E76F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/2596-68-0x00007FF81E680000-0x00007FF81E76F000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3460-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-5-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-3-0x0000000008600000-0x0000000008601000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-25-0x00000000084A0000-0x00000000084A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-28-0x00007FF83CE50000-0x00007FF83CE60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-37-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-27-0x00007FF83CE60000-0x00007FF83CE70000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-26-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-6-0x00007FF83BA0A000-0x00007FF83BA0B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-18-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3460-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3984-83-0x00007FF81E6C0000-0x00007FF81E76A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/4560-2-0x0000022224C20000-0x0000022224C27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4560-40-0x00007FF82E6E0000-0x00007FF82E789000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4560-1-0x00007FF82E6E0000-0x00007FF82E789000-memory.dmp

          Filesize

          676KB

          Download