Overview

overview

10

Static

static

3

0d164485fd...06.dll

windows7-x64

10

0d164485fd...06.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d164485fdd6b55434645eaf01fe91ba530450d5c7e1783f355a236b82988d06.dll

  • Size

    676KB

  • MD5

    e30eba0e3eff7fbe220428e0f92d3bc5

  • SHA1

    41eef42dffcc4dc1c5877cbbeb57d23a3653f8d8

  • SHA256

    0d164485fdd6b55434645eaf01fe91ba530450d5c7e1783f355a236b82988d06

  • SHA512

    68e3d5beb81e94b252fba94c2419fc0dd5bb25289ee1f4839205a49323a8592612bdfebec2065391d74b08f8f2887dccf5b5d7276f800a441de2b66f38e34a5b

  • SSDEEP

    6144:h34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:hIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d164485fdd6b55434645eaf01fe91ba530450d5c7e1783f355a236b82988d06.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:316
  • C:\Windows\system32\MoUsoCoreWorker.exe
    C:\Windows\system32\MoUsoCoreWorker.exe
    1⤵
      PID:3112
    • C:\Users\Admin\AppData\Local\vRMzwq\MoUsoCoreWorker.exe
      C:\Users\Admin\AppData\Local\vRMzwq\MoUsoCoreWorker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1032
    • C:\Windows\system32\MusNotifyIcon.exe
      C:\Windows\system32\MusNotifyIcon.exe
      1⤵
        PID:2424
      • C:\Users\Admin\AppData\Local\ePUhJpHI\MusNotifyIcon.exe
        C:\Users\Admin\AppData\Local\ePUhJpHI\MusNotifyIcon.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2476
      • C:\Windows\system32\rdpinit.exe
        C:\Windows\system32\rdpinit.exe
        1⤵
          PID:1996
        • C:\Users\Admin\AppData\Local\1mCB\rdpinit.exe
          C:\Users\Admin\AppData\Local\1mCB\rdpinit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2360

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1mCB\WTSAPI32.dll
          Filesize

          680KB

          MD5

          0e9a7dcb036728af0091921990a23103

          SHA1

          83bf1a8f528d3aa4a934078c57aea16e0def6104

          SHA256

          bd32b8e0a8635165efa66d415b10322d357f01cb9bf5c67f0e3c30e43af24792

          SHA512

          c4cc4f6d1aeb46bad7cede2ace5f4b62a61e971722e1125ba59bcdd42c1c1c9c8f2a3ad56cbf78d6dce8d16674e81a1478fc6ec74e2f73661f728da07c806e13

          Download Submit

        • C:\Users\Admin\AppData\Local\1mCB\rdpinit.exe
          Filesize

          343KB

          MD5

          b0ecd76d99c5f5134aeb52460add6f80

          SHA1

          51462078092c9d6b7fa2b9544ffe0a49eb258106

          SHA256

          51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

          SHA512

          16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

          Download Submit

        • C:\Users\Admin\AppData\Local\ePUhJpHI\MusNotifyIcon.exe
          Filesize

          629KB

          MD5

          c54b1a69a21e03b83ebb0aeb3758b6f7

          SHA1

          b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

          SHA256

          ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

          SHA512

          2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

          Download Submit

        • C:\Users\Admin\AppData\Local\ePUhJpHI\XmlLite.dll
          Filesize

          680KB

          MD5

          0230b805ae9e780272b57a1f21cab314

          SHA1

          424b2d5eb5104d358023286a799998d1cc2683a3

          SHA256

          9d6c7398b0f0fdcdfb0da795e7749865db9ca59ce9bfd2cb103a5c3c780bb67a

          SHA512

          cca927402ef654151a92e493b224955a0bb0042fb0a4e0d4b6762395d8c7be6aa0b534e00855321b888f21693afddc7cba083a2692f01d549a20040015516b97

          Download Submit

        • C:\Users\Admin\AppData\Local\vRMzwq\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\vRMzwq\XmlLite.dll
          Filesize

          680KB

          MD5

          78457671cbefda118e6d29fee5be8f43

          SHA1

          265c68c3925a459b6ad08557a591a24dbe8d35ed

          SHA256

          1d57fac149291d0e8505cd9f3ba30fbb5a353b286b6f0dd65088df0bdf649c91

          SHA512

          ab4d3d722c2fd1c3702e368325d0d177baa406979d559dbb24d440c051fbeb01d04a776c104b441f3af7479d2e6753b8fa98d4a587e87559f7f02943f62e39d6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk
          Filesize

          1KB

          MD5

          fad071586be74c8cb9af34733b45c559

          SHA1

          556ff7ba5daf3ddd684502ef7e92983b6864d85d

          SHA256

          8a3c509ce5c604c70688da75dc81fe71b1817ec5506e5e782586fe55da01fb77

          SHA512

          9e539929f74fe4fee2727dca7ca24df776ae47983bba54b0c1857c9b55bafb0d6a04f3706c9e467052deca88ea4d3ffa94406294ef96c267b874e3316cbd681d

          Download Submit

        • memory/316-1-0x00007FFFE6070000-0x00007FFFE6119000-memory.dmp

          Filesize

          676KB

          Download

        • memory/316-39-0x00007FFFE6070000-0x00007FFFE6119000-memory.dmp

          Filesize

          676KB

          Download

        • memory/316-0-0x0000022A040E0000-0x0000022A040E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1032-51-0x00007FFFD7890000-0x00007FFFD793A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1032-48-0x000001FF559E0000-0x000001FF559E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1032-46-0x00007FFFD7890000-0x00007FFFD793A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2360-82-0x00007FFFD7890000-0x00007FFFD793A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2476-67-0x00007FFFD7890000-0x00007FFFD793A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2476-62-0x0000020E62600000-0x0000020E62607000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-26-0x00007FFFF4EA0000-0x00007FFFF4EB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-27-0x00007FFFF4E90000-0x00007FFFF4EA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-36-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-25-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-24-0x0000000003810000-0x0000000003817000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3464-5-0x00007FFFF303A000-0x00007FFFF303B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-3-0x0000000007B80000-0x0000000007B81000-memory.dmp

          Filesize

          4KB

          Download