Overview

overview

10

Static

static

3

943d4fc5d1...3a.dll

windows7-x64

10

943d4fc5d1...3a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    943d4fc5d133c77195cc6890a2242901bc15b2d4ee602b95920606549966af3a.dll

  • Size

    676KB

  • MD5

    8872f507e943dddfbc1a37950c801fd6

  • SHA1

    8fcec7153c1819828a6d17899029eab9e313f888

  • SHA256

    943d4fc5d133c77195cc6890a2242901bc15b2d4ee602b95920606549966af3a

  • SHA512

    3956325e9805bced8d537d4e06241b2db14446e3abb2ed085882454b5fb27f02110db5e1743e68efa4c082be2970b08b572e9690c8b06a171a0e94fc4fc7cb85

  • SSDEEP

    6144:p34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:pIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\943d4fc5d133c77195cc6890a2242901bc15b2d4ee602b95920606549966af3a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1244
  • C:\Windows\system32\DmNotificationBroker.exe
    C:\Windows\system32\DmNotificationBroker.exe
    1⤵
      PID:2956
    • C:\Users\Admin\AppData\Local\sgTcI6h3R\DmNotificationBroker.exe
      C:\Users\Admin\AppData\Local\sgTcI6h3R\DmNotificationBroker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3684
    • C:\Windows\system32\EaseOfAccessDialog.exe
      C:\Windows\system32\EaseOfAccessDialog.exe
      1⤵
        PID:4892
      • C:\Users\Admin\AppData\Local\NjbeVLJ\EaseOfAccessDialog.exe
        C:\Users\Admin\AppData\Local\NjbeVLJ\EaseOfAccessDialog.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3176
      • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        1⤵
          PID:1564
        • C:\Users\Admin\AppData\Local\hS2RfyCR\SystemPropertiesDataExecutionPrevention.exe
          C:\Users\Admin\AppData\Local\hS2RfyCR\SystemPropertiesDataExecutionPrevention.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1184

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\NjbeVLJ\DUser.dll
          Filesize

          684KB

          MD5

          53395692bedf9764777ce5c8448cfc9b

          SHA1

          024a199225bfcd28fb04bd62c294081ef61f7d88

          SHA256

          930446e5fd983899c7405f9a31d1b2971cadf2f21d3989727604116bdd52c7ce

          SHA512

          c8b4a44308f6b2aacfceaa013f623dc6ded640604e9d2e4a9d497e57b73d22c77123cffd546a205dfbc8fa63ee30cb47fab7ff07192b685ed9932b7e1d30a731

          Download Submit

        • C:\Users\Admin\AppData\Local\NjbeVLJ\EaseOfAccessDialog.exe
          Filesize

          123KB

          MD5

          e75ee992c1041341f709a517c8723c87

          SHA1

          471021260055eac0021f0abffa2d0ba77a2f380e

          SHA256

          0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

          SHA512

          48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

          Download Submit

        • C:\Users\Admin\AppData\Local\hS2RfyCR\SYSDM.CPL
          Filesize

          680KB

          MD5

          6ae542268424b4a1cdefee809aca72ba

          SHA1

          025282ad34ada05541f0ceefabd5fa7012203f19

          SHA256

          a76e48cb7bba0d978ae4fd560352f6da0ca52099909a486ef6b6caa42c594f71

          SHA512

          6e39364137c01573309043a915f594d74926a958ec83e0cdc85c5d3947105573729c8402c69fd06e763ee8d9f864782148abc7c9e93ec34530853ccb7fbad8b2

          Download Submit

        • C:\Users\Admin\AppData\Local\hS2RfyCR\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          82KB

          MD5

          de58532954c2704f2b2309ffc320651d

          SHA1

          0a9fc98f4d47dccb0b231edf9a63309314f68e3b

          SHA256

          1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

          SHA512

          d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

          Download Submit

        • C:\Users\Admin\AppData\Local\sgTcI6h3R\DUI70.dll
          Filesize

          956KB

          MD5

          c170df5eb612870a765b3cd326ff8441

          SHA1

          40fec0e9c2019e5ee54e620b0425e3c4bb853db2

          SHA256

          c518380f3a422dfcda0535410496ce57cc1783665b711d062c6e217eaaae7c7b

          SHA512

          59921f1df930150bcfd27cffc8d5fc9c387af09c776236537104ba48d1e4e477dd4fcefc0afa6a91a89ea999a75532c57823ddc688d920d843fcd64efc98ef55

          Download Submit

        • C:\Users\Admin\AppData\Local\sgTcI6h3R\DmNotificationBroker.exe
          Filesize

          32KB

          MD5

          f0bdc20540d314a2aad951c7e2c88420

          SHA1

          4ab344595a4a81ab5f31ed96d72f217b4cee790b

          SHA256

          f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

          SHA512

          cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          fd60ef40a5b003630c3588b26134004d

          SHA1

          902d8ff04bcd4dcb6416c40ab2733a873f811a93

          SHA256

          2d5ff6a751c42fb1903de4416c89e02cca8989d9a40a2c5cb722cb5279d559dc

          SHA512

          05cffa4eca8df26398f9b244ea94f9eedeed9814561f47aa08a12daaadfd09bc8a1342dbe405006c0a91ac191339f459a880459a4a3bb586cba67f884ff89cd2

          Download Submit

        • memory/1184-83-0x00007FF92F2A0000-0x00007FF92F34A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1184-79-0x00007FF92F2A0000-0x00007FF92F34A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1244-1-0x00007FF93EE30000-0x00007FF93EED9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1244-2-0x000002C03AE20000-0x000002C03AE27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1244-40-0x00007FF93EE30000-0x00007FF93EED9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3176-64-0x00007FF92F0F0000-0x00007FF92F19B000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3176-63-0x000001E57C2B0000-0x000001E57C2B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3176-68-0x00007FF92F0F0000-0x00007FF92F19B000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3436-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-28-0x00007FF94D9D0000-0x00007FF94D9E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-25-0x00000000007D0000-0x00000000007D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-5-0x00007FF94BECA000-0x00007FF94BECB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-3-0x00000000025B0000-0x00000000025B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3436-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-26-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-37-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-27-0x00007FF94D9E0000-0x00007FF94D9F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3436-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-18-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3436-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3684-52-0x00007FF92F200000-0x00007FF92F2EF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3684-47-0x00007FF92F200000-0x00007FF92F2EF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/3684-49-0x0000018033FB0000-0x0000018033FB7000-memory.dmp

          Filesize

          28KB

          Download