Overview

overview

10

Static

static

3

164ec74b8c...17.dll

windows7-x64

10

164ec74b8c...17.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    164ec74b8cd92223749f1f843b8518c3e337360376a5edcda388525029bb3117.dll

  • Size

    676KB

  • MD5

    1bf1ac0d053766f0b3f1463c6896953c

  • SHA1

    73aafbff8a7ea3dabe84d5047add7442e52d43b0

  • SHA256

    164ec74b8cd92223749f1f843b8518c3e337360376a5edcda388525029bb3117

  • SHA512

    d292fd9143a267c4dbde98fe9f014cee96686579d8fb8ff692b7dfa420cac3085dd361fb06f81476cfb72ff72a5e53e9f15195dc4ceeeff57e9188b1ac5343d4

  • SSDEEP

    6144:u34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:uIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\164ec74b8cd92223749f1f843b8518c3e337360376a5edcda388525029bb3117.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:720
  • C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    1⤵
      PID:3576
    • C:\Users\Admin\AppData\Local\xnJ3E\wermgr.exe
      C:\Users\Admin\AppData\Local\xnJ3E\wermgr.exe
      1⤵
      • Executes dropped EXE
      PID:2516
    • C:\Windows\system32\dccw.exe
      C:\Windows\system32\dccw.exe
      1⤵
        PID:3828
      • C:\Users\Admin\AppData\Local\4N6lgGMih\dccw.exe
        C:\Users\Admin\AppData\Local\4N6lgGMih\dccw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3492
      • C:\Windows\system32\cmstp.exe
        C:\Windows\system32\cmstp.exe
        1⤵
          PID:3752
        • C:\Users\Admin\AppData\Local\BhQ\cmstp.exe
          C:\Users\Admin\AppData\Local\BhQ\cmstp.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1260
        • C:\Windows\system32\WFS.exe
          C:\Windows\system32\WFS.exe
          1⤵
            PID:1108
          • C:\Users\Admin\AppData\Local\V0LahMy7\WFS.exe
            C:\Users\Admin\AppData\Local\V0LahMy7\WFS.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:5088

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\4N6lgGMih\dccw.exe
            Filesize

            101KB

            MD5

            cb9374911bf5237179785c739a322c0f

            SHA1

            3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

            SHA256

            f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

            SHA512

            9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

            Download Submit

          • C:\Users\Admin\AppData\Local\4N6lgGMih\dxva2.dll
            Filesize

            680KB

            MD5

            3bea5bb501c6be8489c2d16778dbcd14

            SHA1

            a237f8daeb882573cfee62f6670e625d76afa4ad

            SHA256

            a6af4bf2eeabef414382c82e8657b9fc32bd01d6aa696f5e34015cd229892cc6

            SHA512

            e2c653e13f79106a6cb8f782e10bbd8d7c51911a2762f4ac0d26ea40d64f0ba4affbe77ce691f24e1fa4e35b8435b9ef1682f8b9e9134808a16001d78cec58cb

            Download Submit

          • C:\Users\Admin\AppData\Local\BhQ\VERSION.dll
            Filesize

            680KB

            MD5

            fa8d8a1efb0b152896fa09901484472c

            SHA1

            c3fff50bf7eb17e19cfe3054a03ab4556077d3fd

            SHA256

            3ab1a4bdb459a887c5a7a5cc53396ce106e50607f0d24ab65dd11bcff44517cc

            SHA512

            465c1f6bd8762de4a3fd83c3e7fe9b6d5178fb710eacbc1a448951a7c638b8380354e7be38eae91bb0896a306ad1db449a6ecc7c26cd286b034529c1b6f8b60e

            Download Submit

          • C:\Users\Admin\AppData\Local\BhQ\cmstp.exe
            Filesize

            96KB

            MD5

            4cc43fe4d397ff79fa69f397e016df52

            SHA1

            8fd6cf81ad40c9b123cd75611860a8b95c72869c

            SHA256

            f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

            SHA512

            851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

            Download Submit

          • C:\Users\Admin\AppData\Local\V0LahMy7\WFS.exe
            Filesize

            944KB

            MD5

            3cbc8d0f65e3db6c76c119ed7c2ffd85

            SHA1

            e74f794d86196e3bbb852522479946cceeed7e01

            SHA256

            e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4

            SHA512

            26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

            Download Submit

          • C:\Users\Admin\AppData\Local\V0LahMy7\WINMM.dll
            Filesize

            684KB

            MD5

            def39abf9abe9c52140165216643689b

            SHA1

            5594c0e04a5627cbaf01db489c0914a85a9258d6

            SHA256

            3c31a344f439683db3786d87faf83346f5fb47368647a8f6f1ea503111abd032

            SHA512

            ccb154368db829ac223996d5b50dad4d1940d94878d39839650c88e1564b9a4a78834c3b97038b7582f2b3b004821c9dd85da61a2e53565c1f3158c5cc74b2a2

            Download Submit

          • C:\Users\Admin\AppData\Local\xnJ3E\wermgr.exe
            Filesize

            223KB

            MD5

            f7991343cf02ed92cb59f394e8b89f1f

            SHA1

            573ad9af63a6a0ab9b209ece518fd582b54cfef5

            SHA256

            1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc

            SHA512

            fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk
            Filesize

            1KB

            MD5

            6a88f3f6c564b48c0bccd80931eaf20c

            SHA1

            50e2d1a478c558955112ff46606f5d16df0cb1b2

            SHA256

            6b7367fa5765960d930c98a88c9046eb27627ff1abf5dee90653005d6d2dbc35

            SHA512

            00d8759083a68632fa4577b72d54b092e626fd281db7fd9ea69222d1c1d8f2456eafc3cc27bbd28aec00ae624ca07ba5ebb0e268d759dd5e0686ae9b3c71c715

            Download Submit

          • memory/720-40-0x00007FFCB54D0000-0x00007FFCB5579000-memory.dmp

            Filesize

            676KB

            Download

          • memory/720-0-0x00007FFCB54D0000-0x00007FFCB5579000-memory.dmp

            Filesize

            676KB

            Download

          • memory/720-2-0x0000026837530000-0x0000026837537000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1260-76-0x00007FFCA5090000-0x00007FFCA513A000-memory.dmp

            Filesize

            680KB

            Download

          • memory/1260-73-0x000001909CD00000-0x000001909CD07000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3492-60-0x00007FFCA5090000-0x00007FFCA513A000-memory.dmp

            Filesize

            680KB

            Download

          • memory/3492-55-0x00007FFCA5090000-0x00007FFCA513A000-memory.dmp

            Filesize

            680KB

            Download

          • memory/3492-57-0x000001E35DD50000-0x000001E35DD57000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3500-14-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-12-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-5-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-3-0x0000000007D50000-0x0000000007D51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3500-11-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-38-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-7-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-18-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-15-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-9-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-10-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-6-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-13-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-26-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-27-0x00007FFCC3840000-0x00007FFCC3850000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3500-28-0x00007FFCC3830000-0x00007FFCC3840000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3500-16-0x00007FFCC23EA000-0x00007FFCC23EB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3500-25-0x0000000007D30000-0x0000000007D37000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3500-17-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/3500-8-0x0000000140000000-0x00000001400A9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/5088-91-0x00007FFCA4F10000-0x00007FFCA4FBB000-memory.dmp

            Filesize

            684KB

            Download

          • memory/5088-87-0x00007FFCA4F10000-0x00007FFCA4FBB000-memory.dmp

            Filesize

            684KB

            Download