Overview

overview

10

Static

static

3

3cc4b7ea1a...e8.dll

windows7-x64

10

3cc4b7ea1a...e8.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-08-2024 21:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3cc4b7ea1abe6edba734f9be8de5a30d2486816545a6bbb6886b7138921bfde8.dll

  • Size

    1.7MB

  • MD5

    fe0231fafe84b0cc6597d9a92d2fb425

  • SHA1

    dd78e81942b70120c0549ef8c8f6bb86e672cbd3

  • SHA256

    3cc4b7ea1abe6edba734f9be8de5a30d2486816545a6bbb6886b7138921bfde8

  • SHA512

    761c15381e5fd2836f8b53f2ccc70f16066e06fb6c279fbfd039df17749a14fbbb9200f5014330574a5375253c46d5ab5219133393aee480839f925ecc877452

  • SSDEEP

    12288:VVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:MfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3cc4b7ea1abe6edba734f9be8de5a30d2486816545a6bbb6886b7138921bfde8.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4976
  • C:\Windows\system32\usocoreworker.exe
    C:\Windows\system32\usocoreworker.exe
    1⤵
      PID:2540
    • C:\Users\Admin\AppData\Local\bYy\usocoreworker.exe
      C:\Users\Admin\AppData\Local\bYy\usocoreworker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4748
    • C:\Windows\system32\sethc.exe
      C:\Windows\system32\sethc.exe
      1⤵
        PID:4472
      • C:\Users\Admin\AppData\Local\byPxeBY\sethc.exe
        C:\Users\Admin\AppData\Local\byPxeBY\sethc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5056
      • C:\Windows\system32\ie4ushowIE.exe
        C:\Windows\system32\ie4ushowIE.exe
        1⤵
          PID:4140
        • C:\Users\Admin\AppData\Local\KFJi1\ie4ushowIE.exe
          C:\Users\Admin\AppData\Local\KFJi1\ie4ushowIE.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1504

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\KFJi1\VERSION.dll
          Filesize

          1.7MB

          MD5

          75bc6d835802022b9ba8e95ca646a93b

          SHA1

          615eab66a53414c30a1c011f2a0bb39c2e8263a5

          SHA256

          bd6c8bf0420a330c4a431cd2c6eade56636043172599e6e02de5231599a74695

          SHA512

          014e95789f2e94cfc94dab1c45e5c7e28bcce1db4d2b8f8a5fb41c4fe5a84eb91123f54c3c8d1b1e48338700ea48cd5cb62949db3c5ad20f64351d464494e409

          Download Submit

        • C:\Users\Admin\AppData\Local\KFJi1\ie4ushowIE.exe
          Filesize

          76KB

          MD5

          9de952f476abab0cd62bfd81e20a3deb

          SHA1

          109cc4467b78dad4b12a3225020ea590bccee3e6

          SHA256

          e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

          SHA512

          3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

          Download Submit

        • C:\Users\Admin\AppData\Local\bYy\XmlLite.dll
          Filesize

          1.7MB

          MD5

          d04e33d0ff3c02d31c26e3de15212c83

          SHA1

          ab1d3c6a71ecf660b642a4c9049a0b6f20ebc9da

          SHA256

          ed0da393e08ca2ed3de25d475b0cf918db240ff197124052b9df71d0865aeac9

          SHA512

          91e8acfe15e24830fd38836e2686bb8269fd9488de1a0bf3cda93dfbd922147183bccafad5995351f3ce738871ac89db02c4f48ebb98203af2b4ed096091787b

          Download Submit

        • C:\Users\Admin\AppData\Local\bYy\usocoreworker.exe
          Filesize

          1.3MB

          MD5

          2c5efb321aa64af37dedc6383ce3198e

          SHA1

          a06d7020dd43a57047a62bfb443091cd9de946ba

          SHA256

          0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

          SHA512

          5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

          Download Submit

        • C:\Users\Admin\AppData\Local\byPxeBY\WTSAPI32.dll
          Filesize

          1.7MB

          MD5

          d1dfaffb9c7373d5db4b4099719db597

          SHA1

          c4a8efc110be346317aa5c89af7ebc1a67ecdc9a

          SHA256

          623ca597d8fda34fb29534a7eba6bbd7bd742b67f64c1d9df9b58f2f68591fac

          SHA512

          7ad62cf45bf2800f1defab365d7087fa68dea7aa7b9109834fe4d11fdd4dc34ab6ff6bf46bf4a035b429448b8083ff7ed8c294d4e555da8c4788a9e4bbdee5ca

          Download Submit

        • C:\Users\Admin\AppData\Local\byPxeBY\sethc.exe
          Filesize

          104KB

          MD5

          8ba3a9702a3f1799431cad6a290223a6

          SHA1

          9c7dc9b6830297c8f759d1f46c8b36664e26c031

          SHA256

          615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

          SHA512

          680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Sfbjsepzltomqmf.lnk
          Filesize

          1KB

          MD5

          e0e45a8e3b4884c7fdab34b74fd4bf4d

          SHA1

          2a82bc5e60ff20aeebc0651902e0bdb55c7b7319

          SHA256

          70ee084a15cae51afe40484cb90cfe2f49c575246d7ac83b596c43b16618c08c

          SHA512

          267beb052138064d84dbb6f8035166da3f37106ef455d173e1965a4bec30293741195dfca69c9ea5ca852aa7b4e38f7eb10faf27fa3379f48a5735a325857237

          Download Submit

        • memory/1504-101-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1504-95-0x00000141BA9B0000-0x00000141BA9B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3492-20-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-16-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-31-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-30-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-29-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-50-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-5-0x0000000008670000-0x0000000008671000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3492-4-0x00007FFA32B7A000-0x00007FFA32B7B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3492-8-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-53-0x0000000008650000-0x0000000008657000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3492-28-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-27-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-26-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-39-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-21-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-22-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-19-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-18-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-17-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-48-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-15-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-14-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-13-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-12-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-11-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-10-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-32-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-25-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-24-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-23-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-7-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3492-54-0x00007FFA33280000-0x00007FFA33290000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4748-61-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/4748-66-0x000001FAAB7D0000-0x000001FAAB7D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4748-67-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/4976-9-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/4976-3-0x0000026DE3EF0000-0x0000026DE3EF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4976-1-0x0000000140000000-0x00000001401AC000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/5056-83-0x000002054E460000-0x000002054E467000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5056-84-0x0000000140000000-0x00000001401AD000-memory.dmp

          Filesize

          1.7MB

          Download