Overview

overview

10

Static

static

3

75f422efd2...16.dll

windows7-x64

10

75f422efd2...16.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75f422efd262f9ac592bce3923b002004354138d2c5517bcacc87d5c24cbda16.dll

  • Size

    700KB

  • MD5

    558bbcc95d7c303c8344a2926d04d498

  • SHA1

    b1bb749b3f56ba22aba58421acc3f30d81eeda14

  • SHA256

    75f422efd262f9ac592bce3923b002004354138d2c5517bcacc87d5c24cbda16

  • SHA512

    9055ee1a2e5508eb6e500773ba037bd82a94a8a39584ea865bd1b87f55e7b9ab90626245a1ecd44cdfc5ad974fd618e55f35f0d4433b5359b8aa6326472ed90d

  • SSDEEP

    6144:c34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTL:cIKp/UWCZdCDh2IZDwAFRpR6Aub

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\75f422efd262f9ac592bce3923b002004354138d2c5517bcacc87d5c24cbda16.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4880
  • C:\Windows\system32\SndVol.exe
    C:\Windows\system32\SndVol.exe
    1⤵
      PID:4520
    • C:\Users\Admin\AppData\Local\QnEGTpFW\SndVol.exe
      C:\Users\Admin\AppData\Local\QnEGTpFW\SndVol.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1812
    • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
      C:\Windows\system32\ApplySettingsTemplateCatalog.exe
      1⤵
        PID:1420
      • C:\Users\Admin\AppData\Local\2Nqp\ApplySettingsTemplateCatalog.exe
        C:\Users\Admin\AppData\Local\2Nqp\ApplySettingsTemplateCatalog.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2764
      • C:\Windows\system32\perfmon.exe
        C:\Windows\system32\perfmon.exe
        1⤵
          PID:3780
        • C:\Users\Admin\AppData\Local\Mthr\perfmon.exe
          C:\Users\Admin\AppData\Local\Mthr\perfmon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3608

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2Nqp\ACTIVEDS.dll
          Filesize

          704KB

          MD5

          23e9c9745c60ccfd3f9dab66eb880828

          SHA1

          5c4c480f2bc3d1c43acaa30a0967291142e8aa02

          SHA256

          d356aa9ca9d6e41f5eb990ac5d3c7da55509c053fa401c43d97617490502f9bf

          SHA512

          22e5a4f93ff107628e1440644a3b33812a0ed25759375282b02d2f4742c675e16875cf41a550f4ff6b6f9f8586b223ead28ed98bc20b703acc7220b5876324d6

          Download Submit

        • C:\Users\Admin\AppData\Local\2Nqp\ApplySettingsTemplateCatalog.exe
          Filesize

          1.1MB

          MD5

          13af41b1c1c53c7360cd582a82ec2093

          SHA1

          7425f893d1245e351483ab4a20a5f59d114df4e1

          SHA256

          a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

          SHA512

          c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

          Download Submit

        • C:\Users\Admin\AppData\Local\Mthr\credui.dll
          Filesize

          704KB

          MD5

          443e24bc83827ab5359fd09b4033cb28

          SHA1

          d581f88f13735ec60c9b8613af8e06c68cbf5d2f

          SHA256

          b35f5902ef3f01ef050b40708abf6b74624373b30db47c2922b010a0961acd28

          SHA512

          09204638789d91557e22e25e453ee3755492122c738741c93f1797e2af9b15b557b203eb855ce224c93dc23cf08f07732418ee3bd7bbf1346d5d59b19324e8bb

          Download Submit

        • C:\Users\Admin\AppData\Local\Mthr\perfmon.exe
          Filesize

          177KB

          MD5

          d38aa59c3bea5456bd6f95c73ad3c964

          SHA1

          40170eab389a6ba35e949f9c92962646a302d9ef

          SHA256

          5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

          SHA512

          59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

          Download Submit

        • C:\Users\Admin\AppData\Local\QnEGTpFW\SndVol.exe
          Filesize

          269KB

          MD5

          c5d939ac3f9d885c8355884199e36433

          SHA1

          b8f277549c23953e8683746e225e7af1c193ad70

          SHA256

          68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

          SHA512

          8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

          Download Submit

        • C:\Users\Admin\AppData\Local\QnEGTpFW\dwmapi.dll
          Filesize

          704KB

          MD5

          951535c9a3f8856d347acb842e8fed59

          SHA1

          a1ae1e23e98113aacbb64230433b95c1e0393350

          SHA256

          cb8ebbcf6bfa2a085f29e30027c382cd69df5525d0a2ad59686bf49d2a4e7a7d

          SHA512

          5bdc9fdf927f7d510f0a0873e701071419f43035afbe94ec6dde9779d9bf1de3cddd74d096387aec68e3f538ea9ab2032f7ce63769386cfd77fa71979fa88d24

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk
          Filesize

          1KB

          MD5

          bc6f438f84f224820605a9434b6d1558

          SHA1

          6098824da8dafaaedce0b7d78d75ce2598e61713

          SHA256

          380f5c026a1881db8faea53c323a1649acfb18d3f516fdfcfa9d5fa19608088a

          SHA512

          1f8b026c76adf2201faeeb081db17ef3693f9c434bceb16ae496cd75bef2d039713b849430320d34d060faf39489bc3a78ac1e49d99e8b6fbea6fc5fdef739e1

          Download Submit

        • memory/1812-51-0x00007FFCC8760000-0x00007FFCC8810000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1812-47-0x00007FFCC8760000-0x00007FFCC8810000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1812-49-0x0000023BF9180000-0x0000023BF9187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2764-67-0x00007FFCC8760000-0x00007FFCC8810000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2764-64-0x0000023087AA0000-0x0000023087AA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3440-15-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-37-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-13-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-12-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-11-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-10-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-9-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-8-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-7-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-6-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-4-0x00000000071A0000-0x00000000071A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-27-0x00007FFCE62A0000-0x00007FFCE62B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-28-0x00007FFCE6290000-0x00007FFCE62A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3440-26-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-3-0x00007FFCE448A000-0x00007FFCE448B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3440-17-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-18-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-25-0x0000000007180000-0x0000000007187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3440-16-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3440-14-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3608-82-0x00007FFCC8760000-0x00007FFCC8810000-memory.dmp

          Filesize

          704KB

          Download

        • memory/4880-2-0x00000000016A0000-0x00000000016A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4880-40-0x00007FFCD7550000-0x00007FFCD75FF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4880-0-0x00007FFCD7550000-0x00007FFCD75FF000-memory.dmp

          Filesize

          700KB

          Download