Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2024 20:26

General

  • Target
    6b64203a5d0b4968785bb42b23396818.dll
  • Size
    1000KB
  • MD5
    6b64203a5d0b4968785bb42b23396818
  • SHA1
    fd6d2a08195cfb8423b80901b97f949b566b5240
  • SHA256
    53c3c9f049896f4cd87cdf67f1cef8a68f76d5b47bb7e20b6b6ffb09e4746a9e
  • SHA512
    ddc86408f244d17fe749bfb0d09e5b524e9d33b9df77b5ce287527de919bb555d7c9ab4d0732da1f30434b687606f98d70c00b166271b8b8095b2db65f815a8e
  • SSDEEP
    24576:cQcu8pzbIPLMzjw09TI/OrRd0E1ORe39JaCHSG9:cxuW0PL4wOxNP2TG

Malware Config

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Shellcode 1 IoCs

    Detects Dridex payload shellcode injected into the Explorer process.

  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b64203a5d0b4968785bb42b23396818.dll,#1
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2872
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2836
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2964
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1372
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    PID:396
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2228
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2512
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2616
  • C:\Windows\explorer.exe
    explorer.exe
    • Modifies Installed Components in the registry
    • Modifies registry class
    PID:1932

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/396-40-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/396-35-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/396-34-0x0000000004010000-0x0000000004011000-memory.dmp (Filesize 4KB)
  • memory/1240-4-0x00000000773A6000-0x00000000773A7000-memory.dmp (Filesize 4KB)
  • memory/1240-5-0x0000000002A10000-0x0000000002A11000-memory.dmp (Filesize 4KB)
  • memory/1240-9-0x00000000029D0000-0x00000000029D1000-memory.dmp (Filesize 4KB)
  • memory/1372-26-0x0000000003F50000-0x0000000003F51000-memory.dmp (Filesize 4KB)
  • memory/1372-32-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/1372-27-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2228-42-0x0000000003F70000-0x0000000003F71000-memory.dmp (Filesize 4KB)
  • memory/2228-43-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2228-48-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2512-56-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2512-51-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2512-50-0x0000000002230000-0x0000000002231000-memory.dmp (Filesize 4KB)
  • memory/2616-64-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2616-59-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2616-58-0x00000000040F0000-0x00000000040F1000-memory.dmp (Filesize 4KB)
  • memory/2836-12-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2836-10-0x0000000003EB0000-0x0000000003EB1000-memory.dmp (Filesize 4KB)
  • memory/2836-17-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2872-0-0x0000000140000000-0x0000000140101000-memory.dmp (Filesize 1.0MB)
  • memory/2872-1-0x0000000000110000-0x0000000000117000-memory.dmp (Filesize 28KB)
  • memory/2872-8-0x0000000140000000-0x0000000140101000-memory.dmp (Filesize 1.0MB)
  • memory/2964-20-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)
  • memory/2964-18-0x00000000040F0000-0x00000000040F1000-memory.dmp (Filesize 4KB)
  • memory/2964-24-0x0000000077340000-0x000000007745F000-memory.dmp (Filesize 1.1MB)