Overview

overview

10

Static

static

3

69c4557456...8a.dll

windows7-x64

10

69c4557456...8a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a.dll

  • Size

    672KB

  • MD5

    9b616d2c751b6b29a1c2a529a49daba4

  • SHA1

    46341d4ab5707193e9e53ffc140a42a61b6629a4

  • SHA256

    69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a

  • SHA512

    ac1e27da3fc0d5541382425232677e832896c6d3b8fa089db4799bad3a0383a1eb1e737f9b1f34213d30bdd842e1ef335599d4ff07c2b40f8f490e035c858f05

  • SSDEEP

    6144:I34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:IIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\69c455745647cfb7a255bb03b8a4279b64be1e542bc8c540c180b2884b8d858a.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4416
  • C:\Windows\system32\mstsc.exe
    C:\Windows\system32\mstsc.exe
    1⤵
      PID:4964
    • C:\Users\Admin\AppData\Local\WKh\mstsc.exe
      C:\Users\Admin\AppData\Local\WKh\mstsc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1660
    • C:\Windows\system32\mstsc.exe
      C:\Windows\system32\mstsc.exe
      1⤵
        PID:3308
      • C:\Users\Admin\AppData\Local\vmDG\mstsc.exe
        C:\Users\Admin\AppData\Local\vmDG\mstsc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:928
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        1⤵
          PID:2596
        • C:\Users\Admin\AppData\Local\czXK\SndVol.exe
          C:\Users\Admin\AppData\Local\czXK\SndVol.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:540

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\WKh\WINMM.dll
          Filesize

          680KB

          MD5

          d53480d18124e857bb5b62d871551ccb

          SHA1

          0f23433c213e904ed3cd5607479ae67cc4e4e762

          SHA256

          b93b82b4443703f7bbb60c2ce9fd5ec80cfedd81bdf9b6ea4f70e51ba33cd947

          SHA512

          9b957570e5f839cd3b8d2fc701122bef106b485ca99647120d5d31c73e539093ee743fb6a8c72659577e3f9c30f5f313d94b7f06760f68c3825dc7ac5c578f8b

          Download Submit

        • C:\Users\Admin\AppData\Local\WKh\mstsc.exe
          Filesize

          1.5MB

          MD5

          3a26640414cee37ff5b36154b1a0b261

          SHA1

          e0c28b5fdf53a202a7543b67bbc97214bad490ed

          SHA256

          1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

          SHA512

          76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

          Download Submit

        • C:\Users\Admin\AppData\Local\czXK\SndVol.exe
          Filesize

          269KB

          MD5

          c5d939ac3f9d885c8355884199e36433

          SHA1

          b8f277549c23953e8683746e225e7af1c193ad70

          SHA256

          68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

          SHA512

          8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

          Download Submit

        • C:\Users\Admin\AppData\Local\czXK\dwmapi.dll
          Filesize

          676KB

          MD5

          1b3426f11c815f6e9f1b74f1c5c06dbb

          SHA1

          d0920805c99c741fdfcd90410ac397488d8201f0

          SHA256

          f0c94d075ba1473fc694d438ba73e27cb65e684f2cdc1830a1ad828d7b416de7

          SHA512

          6b52bf448ff90c508626938931d8d1d6f541ba7c37720794f2f5ec0bb58cb923b6b7eabae525e27aecbabd253dd796be2bae0704bce1ade5955db7b898eda1c5

          Download Submit

        • C:\Users\Admin\AppData\Local\vmDG\WINMM.dll
          Filesize

          680KB

          MD5

          4b96de7e315d872bfdb6bbcbbd6e9982

          SHA1

          749ac209ea0bbb8470b94d0a315e127baafd1669

          SHA256

          af3e3b85a6d5b336fc19e7f35184adc86862f27f024d5cb58c459f42ca975e69

          SHA512

          7a4e63a51ca55c4ad254cf91dfacd049392ddf82ff093f6e15edd0eadfef99f5a892b739986fe79fd9f8d7e34718bef632123de0c1f51199c88489899717ad26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          acdc213b2de5585ddac6e4f34c4bd4af

          SHA1

          b878827b5a7236135f7cca5bad0d96fe59854b2b

          SHA256

          89986f497059274d4dc1753b6f55c12b3e179e8e95897378a6f05133a380a0b1

          SHA512

          bef619ef1463281107e4d184a325b5caa5e92575f20e42788be86a19d1382d812fb8b2f571f0191d9520ddf2e96949aaed1d0a47f7aed26f6e4f76923e452e93

          Download Submit

        • memory/540-81-0x00007FFB2A820000-0x00007FFB2A8C9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/540-77-0x00007FFB2A820000-0x00007FFB2A8C9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/928-66-0x00007FFB2A820000-0x00007FFB2A8CA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1660-51-0x00007FFB2A820000-0x00007FFB2A8CA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1660-47-0x00007FFB2A820000-0x00007FFB2A8CA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1660-46-0x0000019218090000-0x0000019218097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-26-0x00007FFB47E00000-0x00007FFB47E10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-4-0x00007FFB4754A000-0x00007FFB4754B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-27-0x00007FFB47DF0000-0x00007FFB47E00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-3-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-24-0x0000000001080000-0x0000000001087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3520-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4416-0-0x00007FFB39B40000-0x00007FFB39BE8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4416-39-0x00007FFB39B40000-0x00007FFB39BE8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4416-2-0x0000000002A40000-0x0000000002A47000-memory.dmp

          Filesize

          28KB

          Download