Overview

overview

10

Static

static

3

a130c1024a...24.dll

windows7-x64

10

a130c1024a...24.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a130c1024af7fcf7867614670b20c294d55f5b579a62b2dc630f5cf067863d24.dll

  • Size

    680KB

  • MD5

    f6fd2fc4f63d0ba67c61851cef213a49

  • SHA1

    fe874064329ea907423131cf7a64d0f3b6461d2d

  • SHA256

    a130c1024af7fcf7867614670b20c294d55f5b579a62b2dc630f5cf067863d24

  • SHA512

    3e85f9fc2ea96bd35a36ffcdba6f7c54665666e6cb2eabdf6d5f2bc01dbc6e7b3c64f92e2e3ef626e5fac743527eebdb3698840bf6e0bafa3eeab04a922aa4b1

  • SSDEEP

    6144:e34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:eIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a130c1024af7fcf7867614670b20c294d55f5b579a62b2dc630f5cf067863d24.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4464
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    1⤵
      PID:2892
    • C:\Users\Admin\AppData\Local\iRoo\perfmon.exe
      C:\Users\Admin\AppData\Local\iRoo\perfmon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2240
    • C:\Windows\system32\mblctr.exe
      C:\Windows\system32\mblctr.exe
      1⤵
        PID:1168
      • C:\Users\Admin\AppData\Local\gi6z3\mblctr.exe
        C:\Users\Admin\AppData\Local\gi6z3\mblctr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1756
      • C:\Windows\system32\Dxpserver.exe
        C:\Windows\system32\Dxpserver.exe
        1⤵
          PID:1248
        • C:\Users\Admin\AppData\Local\okHnSz1f\Dxpserver.exe
          C:\Users\Admin\AppData\Local\okHnSz1f\Dxpserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4084

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\gi6z3\dwmapi.dll
          Filesize

          684KB

          MD5

          199c7df975c2b52ae14cbbd515c6ef47

          SHA1

          9f609ae162c6408cffe52012c97d6bfca5fbe436

          SHA256

          8b2a80c17c1c0f91ba35bb3ec5d396060b11e9facb97c5caabf50ebf5df66ff1

          SHA512

          e1fabf493e974aeeb944f9cf42a28e638fbb150b94a21206a5f2065e5ef0a221bba3d3eb665ef59d56e974e1a9f5c71e7555d15eeffd4fb9c77eb3956743c05f

          Download Submit

        • C:\Users\Admin\AppData\Local\gi6z3\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit

        • C:\Users\Admin\AppData\Local\iRoo\credui.dll
          Filesize

          684KB

          MD5

          26c79a34689829632d53270900e30485

          SHA1

          226442cafd7ff967b01e907e1c9d2b05e5a05dfe

          SHA256

          14ea1be5a566b35aee916299bac8282af4b311bca9655cf97d6bdf93e13b5986

          SHA512

          7a635f35295b637a12f8690fb3220fb081262f70b5e529a48783c077716775309745b0bd2e6abc2efb9e727809dae21b351a0caa56f98f2c493f8ac7ba151638

          Download Submit

        • C:\Users\Admin\AppData\Local\iRoo\perfmon.exe
          Filesize

          177KB

          MD5

          d38aa59c3bea5456bd6f95c73ad3c964

          SHA1

          40170eab389a6ba35e949f9c92962646a302d9ef

          SHA256

          5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

          SHA512

          59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

          Download Submit

        • C:\Users\Admin\AppData\Local\okHnSz1f\Dxpserver.exe
          Filesize

          310KB

          MD5

          6344f1a7d50da5732c960e243c672165

          SHA1

          b6d0236f79d4f988640a8445a5647aff5b5410f7

          SHA256

          b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f

          SHA512

          73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

          Download Submit

        • C:\Users\Admin\AppData\Local\okHnSz1f\dwmapi.dll
          Filesize

          684KB

          MD5

          14dddae0cec2f91f38be498b8b137595

          SHA1

          4b39c591f6e7d0a89b6842b4df4b06599a75df5d

          SHA256

          c5ebd868ad93ea4110287618984a997e79861cb8b5f65d672789ea545de19307

          SHA512

          353728a2d4160b631c04880a2fd83a667256b37c45f3b6b54f82cd4ae035e9808217eb88729024e9e079f8157fe1847fac8e3c339046d4f3d63f968eb4456f0f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          d3ab1aa6b698161b55c795e1e730b243

          SHA1

          31856d3f26c6b346a73f97f2a2054127da10a36b

          SHA256

          e99799e1ed470109837fa326d625b96e786d4f08d6894236d02facd15b31aacf

          SHA512

          272e78d7dabe22418ba42c0e8415dd8f5689ed71ec8d1f09310d0c43d2fb1c659d6a7c320d3a8106452f43b96c73f77f50d61c0784dfff03bccd2549b70c762b

          Download Submit

        • memory/1756-63-0x000001871BB10000-0x000001871BB17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1756-65-0x00007FF9E8440000-0x00007FF9E84EB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1756-68-0x00007FF9E8440000-0x00007FF9E84EB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2240-52-0x00007FF9E84A0000-0x00007FF9E854B000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2240-49-0x00000260C69F0000-0x00000260C69F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2240-47-0x00007FF9E84A0000-0x00007FF9E854B000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3460-26-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-14-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-11-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-10-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-9-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-8-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-7-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-5-0x00007FFA063FA000-0x00007FFA063FB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-3-0x00000000081C0000-0x00000000081C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-6-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-13-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-12-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-15-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-16-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-18-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-27-0x00007FFA06680000-0x00007FFA06690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-37-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-28-0x00007FFA06670000-0x00007FFA06680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-17-0x0000000140000000-0x00000001400AA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3460-25-0x0000000007FB0000-0x0000000007FB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4084-83-0x00007FF9E8440000-0x00007FF9E84EB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/4464-0-0x00000218676C0000-0x00000218676C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4464-40-0x00007FF9F81B0000-0x00007FF9F825A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/4464-1-0x00007FF9F81B0000-0x00007FF9F825A000-memory.dmp

          Filesize

          680KB

          Download