Overview

overview

10

Static

static

3

8909d1a1de...e4.dll

windows7-x64

10

8909d1a1de...e4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8909d1a1de17240d899afa4c15648c5bf0e154309522dc76c90e1a81ce6650e4.dll

  • Size

    672KB

  • MD5

    9b61cec907b4a11cfcbcfb77ddbc0061

  • SHA1

    07065621f6777a6bcebf18a4df586d27fc97eef5

  • SHA256

    8909d1a1de17240d899afa4c15648c5bf0e154309522dc76c90e1a81ce6650e4

  • SHA512

    ffaa9b194a8634aaef20d215a4f805499cbc675335988f81e31dbb3aba2157b3760a7240a80703ea036ba54b0e5aca17d4ef6582a9645b30b6774f874772fc7a

  • SSDEEP

    6144:s34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:sIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8909d1a1de17240d899afa4c15648c5bf0e154309522dc76c90e1a81ce6650e4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1520
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
      PID:2860
    • C:\Users\Admin\AppData\Local\TpzrapKZ4\tcmsetup.exe
      C:\Users\Admin\AppData\Local\TpzrapKZ4\tcmsetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2984
    • C:\Windows\system32\rstrui.exe
      C:\Windows\system32\rstrui.exe
      1⤵
        PID:1104
      • C:\Users\Admin\AppData\Local\d12H7fKp\rstrui.exe
        C:\Users\Admin\AppData\Local\d12H7fKp\rstrui.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3044
      • C:\Windows\system32\wbengine.exe
        C:\Windows\system32\wbengine.exe
        1⤵
          PID:2676
        • C:\Users\Admin\AppData\Local\K8g\wbengine.exe
          C:\Users\Admin\AppData\Local\K8g\wbengine.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2092

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\K8g\XmlLite.dll
          Filesize

          676KB

          MD5

          df8289990590a1d13b2378c348659bbb

          SHA1

          8e8a7a7277da137570e49ca965c5fc5fa3ac5f8e

          SHA256

          55912adeadd61d6e193ccd36b421722d38e238f2a8731f34fe042aaa3785c42f

          SHA512

          f514257d17c9509298af5b38329a09fe3d172d9a8836d123ef9768f36b791f1da25fd7316cdd396eb059251e7a1670a6a34cc0d29f93f2eb280983014afc950c

          Download Submit

        • C:\Users\Admin\AppData\Local\TpzrapKZ4\TAPI32.dll
          Filesize

          680KB

          MD5

          d4d0bc4f8717305ae3758513fb4fc51f

          SHA1

          0d0bac2ceedbd3786bb4c2bdb9b6afe5ddd8bfb3

          SHA256

          a179bcac4c8f05a54b71d6d441216a2adc8c100c68306ecb59438ddfdd0017f9

          SHA512

          8563d32849e8ff31244d371aed8464fe6ccbcb3c3a0a46be4ba528f450bc2e61058ab6dec9a3e764ae50dba6ef12a6def47b096fe36a5692431a6fc00a567a6b

          Download Submit

        • C:\Users\Admin\AppData\Local\d12H7fKp\SPP.dll
          Filesize

          676KB

          MD5

          60a8c451ade8d1c6f099b1969d4e57ec

          SHA1

          3a96e4c56d286c971ffa2f75e0708707d3c5395a

          SHA256

          b604b3147a112617feefba08f235e68b754a6ad70a3b2e3de8d1188a7afb8278

          SHA512

          2dd4421355a1a136dca8d02d7ad5d8a87e17f0cce1afc680e8ab7309507b11557f8087b696faea4e4c9d18e06a42a8df7423bbebbf2746f192b8e2ca5d19f1b9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1KB

          MD5

          f9da002a759c3f1ab46a0cc11683896f

          SHA1

          7ae8ced7065fa39adf8c4cb4692fb676014691a6

          SHA256

          3f93b5457585c7035fb4739a99bfc57e9780bd5a71f963e4f5f198256ca55fb5

          SHA512

          2b472b441403a59dbdf72d248a7005e80733168ad998993d9ccaaaf14534d1338ede1eae6220f45767033fa92e0baf1e6c939ba00f8f6c4ff357013bef7cc40d

          Download Submit

        • \Users\Admin\AppData\Local\K8g\wbengine.exe
          Filesize

          1.4MB

          MD5

          78f4e7f5c56cb9716238eb57da4b6a75

          SHA1

          98b0b9db6ec5961dbb274eff433a8bc21f7e557b

          SHA256

          46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

          SHA512

          1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

          Download Submit

        • \Users\Admin\AppData\Local\TpzrapKZ4\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit

        • \Users\Admin\AppData\Local\d12H7fKp\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit

        • memory/1284-27-0x0000000077790000-0x0000000077792000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1284-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-18-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-3-0x00000000774F6000-0x00000000774F7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-26-0x0000000077760000-0x0000000077762000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1284-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-37-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-4-0x00000000025A0000-0x00000000025A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-46-0x00000000774F6000-0x00000000774F7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1284-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-17-0x0000000002010000-0x0000000002017000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1284-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1284-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1520-45-0x000007FEF79C0000-0x000007FEF7A68000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1520-0-0x000007FEF79C0000-0x000007FEF7A68000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1520-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2092-92-0x000007FEF7940000-0x000007FEF79E9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2984-59-0x000007FEF7A70000-0x000007FEF7B1A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2984-54-0x000007FEF7A70000-0x000007FEF7B1A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2984-56-0x0000000000200000-0x0000000000207000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3044-71-0x000007FEF7940000-0x000007FEF79E9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3044-73-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3044-76-0x000007FEF7940000-0x000007FEF79E9000-memory.dmp

          Filesize

          676KB

          Download