Overview

overview

10

Static

static

3

9c8c8ac477...f3.dll

windows7-x64

10

9c8c8ac477...f3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9c8c8ac4777f6e405e3c0d2bb0e1bed5d1b2f76d20e1ade9e7c67b9e09df97f3.dll

  • Size

    676KB

  • MD5

    354125f74bf6ead1524646a2a042e721

  • SHA1

    52f947c20843fa442f94cdcb49650369d27a96de

  • SHA256

    9c8c8ac4777f6e405e3c0d2bb0e1bed5d1b2f76d20e1ade9e7c67b9e09df97f3

  • SHA512

    36590d7ad1b0b747c644383879ce43c795b4a432b0ae9ea65c0fc045c06af802f0f71c2fc631e1a4519251135488e0c05fa21a289d26724528147b7ff7792af9

  • SSDEEP

    6144:t34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:tIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c8c8ac4777f6e405e3c0d2bb0e1bed5d1b2f76d20e1ade9e7c67b9e09df97f3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3060
  • C:\Windows\system32\omadmclient.exe
    C:\Windows\system32\omadmclient.exe
    1⤵
      PID:4856
    • C:\Users\Admin\AppData\Local\nw4\omadmclient.exe
      C:\Users\Admin\AppData\Local\nw4\omadmclient.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1100
    • C:\Windows\system32\DmNotificationBroker.exe
      C:\Windows\system32\DmNotificationBroker.exe
      1⤵
        PID:2736
      • C:\Users\Admin\AppData\Local\H4NVUKU\DmNotificationBroker.exe
        C:\Users\Admin\AppData\Local\H4NVUKU\DmNotificationBroker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4092
      • C:\Windows\system32\MusNotifyIcon.exe
        C:\Windows\system32\MusNotifyIcon.exe
        1⤵
          PID:4636
        • C:\Users\Admin\AppData\Local\U9XDk5p\MusNotifyIcon.exe
          C:\Users\Admin\AppData\Local\U9XDk5p\MusNotifyIcon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:500

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\H4NVUKU\DUI70.dll
          Filesize

          956KB

          MD5

          908b39c1891af47f33bc18ed2cbe9f25

          SHA1

          796b67629b5c274085cb88315606a35c3a54ca04

          SHA256

          36fa5869dcee9c4acef895d626900e13c761790c546b7816e81e7416d23a0317

          SHA512

          9930ba7520d4d2a21040708b65eb0e33111df5df7d4056571a16a8450ce105f03a825005dfd0b0beb8efafd2e247fe2fc65382b2aa3409d9a11ee5dedc8c39a5

          Download Submit

        • C:\Users\Admin\AppData\Local\H4NVUKU\DmNotificationBroker.exe
          Filesize

          32KB

          MD5

          f0bdc20540d314a2aad951c7e2c88420

          SHA1

          4ab344595a4a81ab5f31ed96d72f217b4cee790b

          SHA256

          f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

          SHA512

          cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

          Download Submit

        • C:\Users\Admin\AppData\Local\U9XDk5p\MusNotifyIcon.exe
          Filesize

          629KB

          MD5

          c54b1a69a21e03b83ebb0aeb3758b6f7

          SHA1

          b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

          SHA256

          ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

          SHA512

          2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

          Download Submit

        • C:\Users\Admin\AppData\Local\U9XDk5p\XmlLite.dll
          Filesize

          680KB

          MD5

          482159ec597e9be2beddc5bc97497f81

          SHA1

          6d78a33890d58d86d0b759a0ccb054a543de3673

          SHA256

          d13fa27cdb5c6b9884b71a3a083e7a6d27b28eb3f183c126947f6777d1c221d4

          SHA512

          5a22511f8f9a2b3b8436c2f66690cdc93221bea4ed9f5416caaaaeb56e7ef8d57dae9b1ae56bc38b63b46d875432e3ec93590e3977d77fc2bda2e3966d30dabb

          Download Submit

        • C:\Users\Admin\AppData\Local\nw4\XmlLite.dll
          Filesize

          680KB

          MD5

          1cd3aa345fa3fef64746b4d59adc36b3

          SHA1

          c917328564f1e024bf34f21a6bcd6c68790f0449

          SHA256

          5a84d1c85872d23dd6ed12649c12daa10da844d783ba009faa868dbc59705286

          SHA512

          6059f152e4c4c9bb470e9d12fe6381c03e71a3a22f20c8bc0ee121ced481e96b393aa04d5a116dda4c0610905779f5a2fb00b9bcada37dcef1f423a1be430d30

          Download Submit

        • C:\Users\Admin\AppData\Local\nw4\omadmclient.exe
          Filesize

          425KB

          MD5

          8992b5b28a996eb83761dafb24959ab4

          SHA1

          697ecb33b8ff5b0e73ef29ce471153b368b1b729

          SHA256

          e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

          SHA512

          4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          1KB

          MD5

          2d44d0457a27b6c5d6a9e01d3b5d28e8

          SHA1

          070ea1fd1fec9bd27bcea62577f8053ac889c081

          SHA256

          55c25aaa250ecd6ceb7a3d7c75c44167672c90c7094761e3d338070c8a03aed8

          SHA512

          66c9eefb281d8c239b27e2d9a77aa156c30ae3e593d36867e5ea6ea6a0af46d25acd4f4d8e9d9f44f1899067dd5bb5a46c103d0e4bd5461067583e64ade1c4dd

          Download Submit

        • memory/500-83-0x00007FFE6D730000-0x00007FFE6D7DA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1100-52-0x00007FFE6D730000-0x00007FFE6D7DA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1100-49-0x000001D9D9FC0000-0x000001D9D9FC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1100-47-0x00007FFE6D730000-0x00007FFE6D7DA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3060-0-0x00007FFE7D840000-0x00007FFE7D8E9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3060-40-0x00007FFE7D840000-0x00007FFE7D8E9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3060-2-0x000002457CDC0000-0x000002457CDC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3380-26-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-3-0x0000000008140000-0x0000000008141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3380-37-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-16-0x00007FFE8A9CA000-0x00007FFE8A9CB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3380-28-0x00007FFE8BC10000-0x00007FFE8BC20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3380-27-0x00007FFE8BC20000-0x00007FFE8BC30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3380-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-5-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3380-25-0x0000000008120000-0x0000000008127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3380-18-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4092-68-0x00007FFE6D6F0000-0x00007FFE6D7DF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/4092-64-0x00007FFE6D6F0000-0x00007FFE6D7DF000-memory.dmp

          Filesize

          956KB

          Download

        • memory/4092-63-0x000001DDE3860000-0x000001DDE3867000-memory.dmp

          Filesize

          28KB

          Download