Overview

overview

10

Static

static

3

138cd54735...77.dll

windows7-x64

10

138cd54735...77.dll

windows10-2004-x64

10

Resubmissions

27-01-2025 03:53

250127-efybhsyrh1 10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2025 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277.dll

  • Size

    984KB

  • MD5

    89f99b617454ae1d26f9c5614f19fd30

  • SHA1

    43194372fae7b50a95e00580ce5d64134e4c1b7d

  • SHA256

    138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277

  • SHA512

    fb0445aba4301466b7c5d8dea9afbf87e0ab5d0bbbcee924d22af97700370f0dd13a80691ab322ffabbbb16e287df160344f5f7a54b1834be2b0fda0089470a3

  • SSDEEP

    24576:yWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ijg:1nuVMK6vx2RsIKNrj

Score
10/10
dridexbotnetdefense_evasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    defense_evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\138cd54735f5ce4b638c5bb68c9e0bf5776cf81d776e46592ef10a9bc58b0277.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2248
  • C:\Windows\system32\SoundRecorder.exe
    C:\Windows\system32\SoundRecorder.exe
    1⤵
      PID:2684
    • C:\Users\Admin\AppData\Local\8MP\SoundRecorder.exe
      C:\Users\Admin\AppData\Local\8MP\SoundRecorder.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2884
    • C:\Windows\system32\psr.exe
      C:\Windows\system32\psr.exe
      1⤵
        PID:356
      • C:\Users\Admin\AppData\Local\ORR9Sss\psr.exe
        C:\Users\Admin\AppData\Local\ORR9Sss\psr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2844
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:2104
        • C:\Users\Admin\AppData\Local\H7GRIfdfe\psr.exe
          C:\Users\Admin\AppData\Local\H7GRIfdfe\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1260
        • C:\Windows\system32\tcmsetup.exe
          C:\Windows\system32\tcmsetup.exe
          1⤵
            PID:2808
          • C:\Users\Admin\AppData\Local\y1g\tcmsetup.exe
            C:\Users\Admin\AppData\Local\y1g\tcmsetup.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1992
          • C:\Windows\system32\msdtc.exe
            C:\Windows\system32\msdtc.exe
            1⤵
              PID:1664
            • C:\Users\Admin\AppData\Local\fuF\msdtc.exe
              C:\Users\Admin\AppData\Local\fuF\msdtc.exe
              1⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks whether UAC is enabled
              PID:1968

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\8MP\SoundRecorder.exe
              Filesize

              139KB

              MD5

              47f0f526ad4982806c54b845b3289de1

              SHA1

              8420ea488a2e187fe1b7fcfb53040d10d5497236

              SHA256

              e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

              SHA512

              4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

              Download Submit

            • C:\Users\Admin\AppData\Local\8MP\UxTheme.dll
              Filesize

              988KB

              MD5

              64837c7135c3eb41c67dc3e47ff0a541

              SHA1

              b49dd9c011a7bd9d6858150e5b8ba5b31ea20374

              SHA256

              d7027a7079593cf3bf4e162d584995d16e5c458b66f962cf5f5150a9c09f91bf

              SHA512

              5715eccc0508c677391add34945b3777112dd630bea604eab53f6a39fd882803887fb5debcf1676c2924a5574ffa4959b1a6d009ee15d2a7641a283983ba2055

              Download Submit

            • C:\Users\Admin\AppData\Local\H7GRIfdfe\OLEACC.dll
              Filesize

              984KB

              MD5

              cc6ea3b2d508f87e8d8139278faea128

              SHA1

              b691155a31dbc23c1d310d8a3f2f6036ea3d481d

              SHA256

              471d7b29c560ac06453cd68c9104fd7d210cb6c0cc94e113d4b8b160ba9377dc

              SHA512

              6e7e530fef7ad35b8c5872f9f51c43768dc276a98b1c978fdd186bcf43e1bbb046c87a1999959e4d7b25e3b386c45c0d002076d9e780a8423a9c82c376bb9eac

              Download Submit

            • C:\Users\Admin\AppData\Local\ORR9Sss\OLEACC.dll
              Filesize

              984KB

              MD5

              1d5cf8dd803e90453e00716d207a0744

              SHA1

              b2cefd9e5b4e1bdd15715fd44519bb9e0184d139

              SHA256

              12df4cc60861b8aaa20e810e0e483b8936ed0a4a3b81424a460159ee192dbbe7

              SHA512

              19541988f832f3728c0c268181df3223327b0a849dfdd8590cfe4b7e7645300127b93681b50bbf8f204fa05b838aba727860149feba791d8a58b7a23170d0f01

              Download Submit

            • C:\Users\Admin\AppData\Local\fuF\VERSION.dll
              Filesize

              984KB

              MD5

              7a2573f4e46057e1516604f25b274417

              SHA1

              6d2d83ac5c6877dbd075b39a7cc72a1ebf351406

              SHA256

              123d8847e141086dfeb187dded6ea94029903c6df186d04ff0d2c58db4a3a523

              SHA512

              b1e1584e62a15e3bf8215bd992a31ee20ea99be67c17060af37d1dad0184e51260f07124da6b57a735d895535b8387ae815d4e817ab51d97639dd705c1963bd5

              Download Submit

            • C:\Users\Admin\AppData\Local\y1g\TAPI32.dll
              Filesize

              992KB

              MD5

              e994f8e7d08989ccbc5f069d3ab4e746

              SHA1

              33a415fd6cea7944d813a84332a1c59b6122816c

              SHA256

              e3ee66e72282c4d40801c01bbb183ca674ad933fb5d4c7d9d3e0b3274b29d77d

              SHA512

              1b246e1d562bd4b6667cdf31a77daa8ca63be977787bdd42ab743290c8ea38de0883eb1dea1cbb2feac2463d3837b40ef03858cdb83256aef12fa4b7afa54bd3

              Download Submit

            • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk
              Filesize

              1KB

              MD5

              c945a3b97b59288c3b212ac796fc24bb

              SHA1

              821898e175b5cf8e8dec3fdf54ca622401143a10

              SHA256

              d9c9ecea8b184c191463a259e16c4881de6ddab74f999a7473907768a47bfc36

              SHA512

              7604cdb6fcf4390107505280c9c26597a35f575a0b12d47e950b44bff60b7c6bbdc1267c8e00fa3e903588363e512ea4efbd45fafe0281aa45a0b1d898a00aaf

              Download Submit

            • \Users\Admin\AppData\Local\ORR9Sss\psr.exe
              Filesize

              715KB

              MD5

              a80527109d75cba125d940b007eea151

              SHA1

              facf32a9ede6abfaa09368bfdfcfec8554107272

              SHA256

              68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

              SHA512

              77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

              Download Submit

            • \Users\Admin\AppData\Local\fuF\msdtc.exe
              Filesize

              138KB

              MD5

              de0ece52236cfa3ed2dbfc03f28253a8

              SHA1

              84bbd2495c1809fcd19b535d41114e4fb101466c

              SHA256

              2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

              SHA512

              69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

              Download Submit

            • \Users\Admin\AppData\Local\y1g\tcmsetup.exe
              Filesize

              15KB

              MD5

              0b08315da0da7f9f472fbab510bfe7b8

              SHA1

              33ba48fd980216becc532466a5ff8476bec0b31c

              SHA256

              e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

              SHA512

              c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

              Download Submit

            • memory/1216-14-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-16-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-5-0x0000000002580000-0x0000000002581000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1216-13-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-12-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-7-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-10-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-9-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-34-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-48-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-25-0x00000000778E0000-0x00000000778E2000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1216-23-0x0000000002560000-0x0000000002567000-memory.dmp

              Filesize

              28KB

              Download

            • memory/1216-37-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-131-0x0000000077576000-0x0000000077577000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1216-8-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-22-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1216-24-0x0000000077781000-0x0000000077782000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1216-4-0x0000000077576000-0x0000000077577000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1216-15-0x0000000140000000-0x00000001400F6000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1260-87-0x000007FEF6610000-0x000007FEF6706000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1968-114-0x000007FEF6260000-0x000007FEF6356000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1968-119-0x000007FEF6260000-0x000007FEF6356000-memory.dmp

              Filesize

              984KB

              Download

            • memory/1992-102-0x000007FEF6610000-0x000007FEF6708000-memory.dmp

              Filesize

              992KB

              Download

            • memory/1992-97-0x000007FEF6610000-0x000007FEF6708000-memory.dmp

              Filesize

              992KB

              Download

            • memory/2248-0-0x000007FEF6610000-0x000007FEF6706000-memory.dmp

              Filesize

              984KB

              Download

            • memory/2248-3-0x0000000000190000-0x0000000000197000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2248-11-0x000007FEF6610000-0x000007FEF6706000-memory.dmp

              Filesize

              984KB

              Download

            • memory/2844-73-0x0000000000110000-0x0000000000117000-memory.dmp

              Filesize

              28KB

              Download

            • memory/2844-74-0x000007FEF6610000-0x000007FEF6706000-memory.dmp

              Filesize

              984KB

              Download

            • memory/2884-58-0x000007FEF6E40000-0x000007FEF6F37000-memory.dmp

              Filesize

              988KB

              Download

            • memory/2884-53-0x000007FEF6E40000-0x000007FEF6F37000-memory.dmp

              Filesize

              988KB

              Download

            • memory/2884-52-0x0000000000180000-0x0000000000187000-memory.dmp

              Filesize

              28KB

              Download