Overview

overview

10

Static

static

3

8909d1a1de...e4.dll

windows7-x64

10

8909d1a1de...e4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8909d1a1de17240d899afa4c15648c5bf0e154309522dc76c90e1a81ce6650e4.dll

  • Size

    672KB

  • MD5

    9b61cec907b4a11cfcbcfb77ddbc0061

  • SHA1

    07065621f6777a6bcebf18a4df586d27fc97eef5

  • SHA256

    8909d1a1de17240d899afa4c15648c5bf0e154309522dc76c90e1a81ce6650e4

  • SHA512

    ffaa9b194a8634aaef20d215a4f805499cbc675335988f81e31dbb3aba2157b3760a7240a80703ea036ba54b0e5aca17d4ef6582a9645b30b6774f874772fc7a

  • SSDEEP

    6144:s34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:sIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8909d1a1de17240d899afa4c15648c5bf0e154309522dc76c90e1a81ce6650e4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1228
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
      PID:4916
    • C:\Users\Admin\AppData\Local\a78\tcmsetup.exe
      C:\Users\Admin\AppData\Local\a78\tcmsetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3864
    • C:\Windows\system32\usocoreworker.exe
      C:\Windows\system32\usocoreworker.exe
      1⤵
        PID:4688
      • C:\Users\Admin\AppData\Local\fINFtJ\usocoreworker.exe
        C:\Users\Admin\AppData\Local\fINFtJ\usocoreworker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3124
      • C:\Windows\system32\CloudNotifications.exe
        C:\Windows\system32\CloudNotifications.exe
        1⤵
          PID:1008
        • C:\Users\Admin\AppData\Local\RacA5psP\CloudNotifications.exe
          C:\Users\Admin\AppData\Local\RacA5psP\CloudNotifications.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3724

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\RacA5psP\CloudNotifications.exe
          Filesize

          59KB

          MD5

          b50dca49bc77046b6f480db6444c3d06

          SHA1

          cc9b38240b0335b1763badcceac37aa9ce547f9e

          SHA256

          96e7e1a3f0f4f6fc6bda3527ab8a739d6dfcab8e534aa7a02b023daebb3c0775

          SHA512

          2a0504ca336e86b92b2f5eff1c458ebd9df36c496331a7247ef0bb8b82eabd86ade7559ddb47ca4169e8365a97e80e5f1d3c1fc330364dea2450608bd692b1d3

          Download Submit

        • C:\Users\Admin\AppData\Local\RacA5psP\UxTheme.dll
          Filesize

          676KB

          MD5

          9b30c85610463b021ee6e8c514dae858

          SHA1

          1be6c99085c041fef6f4b6f72e124f96a09ea5f8

          SHA256

          2272ede099a1efaa00f40010ac22e1ae16f26d299488f95b17c7990c727d6488

          SHA512

          6e018a0ee80a41acaf730e36441772f3aae4ef1e7107de50da5539d700b5b5b2df39eaae5362f3914b94bc5c6afc314a4e4d55b1a2b81341b743108d2cf25b52

          Download Submit

        • C:\Users\Admin\AppData\Local\a78\TAPI32.dll
          Filesize

          680KB

          MD5

          d2747087e617cf1d0a7ec4847c6fa842

          SHA1

          5acf25d41deb48c36ef5ff4e706a752f700a6465

          SHA256

          46989fa94bcfca4ef14ef2033510ccf90b64c74471ba882bc104386379ff68eb

          SHA512

          26bfcc9ae84249be2816e2b36f89fe52819fc215067fee19af31f67fea7b85d6bd4fd00a7be374ec6fd3a13bcd48390052d4825289f6202390ab384386108bf2

          Download Submit

        • C:\Users\Admin\AppData\Local\a78\tcmsetup.exe
          Filesize

          16KB

          MD5

          58f3b915b9ae7d63431772c2616b0945

          SHA1

          6346e837da3b0f551becb7cac6d160e3063696e9

          SHA256

          e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

          SHA512

          7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

          Download Submit

        • C:\Users\Admin\AppData\Local\fINFtJ\XmlLite.dll
          Filesize

          676KB

          MD5

          5f4e038b412a3e5f0465e8fc66ce0c09

          SHA1

          4c8c115e5cd50fa54e99dcbe4acc3c30625761ff

          SHA256

          8236880d4e81f348c51cc62d8a246d99945d95d0064debecf060fdb89e3de8a8

          SHA512

          63f98a012fb88d182179493700dc4b5e83039efd5ac19be06d30b046e2af0a04c0118cad2c6248237e54b77f221b3c8bb1335fa3130a3e28ae8432465dedae2c

          Download Submit

        • C:\Users\Admin\AppData\Local\fINFtJ\usocoreworker.exe
          Filesize

          1.3MB

          MD5

          2c5efb321aa64af37dedc6383ce3198e

          SHA1

          a06d7020dd43a57047a62bfb443091cd9de946ba

          SHA256

          0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

          SHA512

          5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          5672974294e5e4714305fddd22287111

          SHA1

          e37a6ad47bb0f5ebd7445b48a9f0a9e34df6020d

          SHA256

          1cde5cab513b7c0a23b5baf1ec18059a9f9378a74b76d503ff53419020d49713

          SHA512

          def2449830a0d90617ed96289d9c3fc79d68eec0c186490eead8a2acba1564de4ee27dc79b4f0b9651524c64299d5265da1e73ae2ba2da62c10830083dce901f

          Download Submit

        • memory/1228-2-0x00000263EC3C0000-0x00000263EC3C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1228-39-0x00007FF93EE30000-0x00007FF93EED8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1228-0-0x00007FF93EE30000-0x00007FF93EED8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3124-62-0x0000023E172F0000-0x0000023E172F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3124-63-0x00007FF93E190000-0x00007FF93E239000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3124-67-0x00007FF93E190000-0x00007FF93E239000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-15-0x00007FF94BECA000-0x00007FF94BECB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-3-0x0000000008010000-0x0000000008011000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-27-0x00007FF94D9D0000-0x00007FF94D9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-26-0x00007FF94D9E0000-0x00007FF94D9F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-5-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-18-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3436-16-0x0000000007FF0000-0x0000000007FF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3724-82-0x00007FF93E190000-0x00007FF93E239000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3864-51-0x00007FF93E190000-0x00007FF93E23A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3864-47-0x00007FF93E190000-0x00007FF93E23A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3864-46-0x000002637DE60000-0x000002637DE67000-memory.dmp

          Filesize

          28KB

          Download