Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
16-09-2024 08:51
General
-
Target
Trojan.Win64.Dridex.ASFS.dll
-
Size
968KB
-
MD5
2f6f37b1fbcaef784678f6c7c28b0000
-
SHA1
a95e2e1be2d3ff1981431b0410d085c26f3cee23
-
SHA256
3f3ad389e9541bbce7ff09e031de4105c89ad468be01b7ef7310f189e2b98642
-
SHA512
00a7e7919324f165262a70fcdd581b68ce7ff8a7ced313b6f8ba8511f20caf2c002a8bdc803a21d5263fde986691112649653ecf6a4fe27bdaab9248cf16e197
-
SSDEEP
12288:LfJV6EzPTIzQF9mVz5wYacR/8HiFeQBsjgyvunuAoA2U3PxyWhD:LhVXu8mZ5racR/xFejmnuAD2U3Prh
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Dridex payload 10 IoCs
Detects Dridex x64 core DLL in memory.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan.Win64.Dridex.ASFS.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:81⤵
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe1⤵
-
C:\Users\Admin\AppData\Local\XV8f\printfilterpipelinesvc.exeC:\Users\Admin\AppData\Local\XV8f\printfilterpipelinesvc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\bdeunlock.exeC:\Windows\system32\bdeunlock.exe1⤵
-
C:\Users\Admin\AppData\Local\qCu\bdeunlock.exeC:\Users\Admin\AppData\Local\qCu\bdeunlock.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\BitLockerWizard.exeC:\Windows\system32\BitLockerWizard.exe1⤵
-
C:\Users\Admin\AppData\Local\2vQjgIgjI\BitLockerWizard.exeC:\Users\Admin\AppData\Local\2vQjgIgjI\BitLockerWizard.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD56d30c96f29f64b34bc98e4c81d9b0ee8
SHA14a3adc355f02b9c69bdbe391bfb01469dee15cf0
SHA2567758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74
SHA51225471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8
-
Filesize
972KB
MD5968e1cbf33c6bece42520cf0d272c775
SHA1aa612fdb4b8be49231940ddc41164457a0695db6
SHA256b7e9fe607bd39649c1097b47e958f870b85c52fdb81cff9cc47dd85efb5cbdd3
SHA512cb9d0d3853504461233dc7f47ae7867d8be623d57a69eff8a847ca204f725497b0aa4eda15c061c1f4dfd1bda3f4ff03dc39f9c4e1669d2704936baae5d7b35f
-
Filesize
972KB
MD5d829586c5e6ecaac74db7e808ca4ee85
SHA1ba41f7489e26f338baa1e532253dd30999f84b73
SHA25649cf6bb24241c65f1d2dc8360774214d788821bf44376504ff4fa326836980ed
SHA512e26bdf1e486f76dbeeb71fea31908b82b9b0f6133ac32a01e6c04b92bca609f1fd693cb63a4f94b733264c0c2504cdc7b73e82d7ed141618f8a0e064f8b6634e
-
Filesize
813KB
MD5331a40eabaa5870e316b401bd81c4861
SHA1ddff65771ca30142172c0d91d5bfff4eb1b12b73
SHA256105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88
SHA51229992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8
-
Filesize
1.2MB
MD5f423793e495851b924ecf856b2e53804
SHA1f02b5487b6b035bd927e5c2347d0813b3a3216f7
SHA256cbf8f918f7745bd4ccb0f8d6ee5ec577c43a3dbd7675cbd0b4c7ee8cdfac2adf
SHA512cb85cbc54d1846ff3fba77a7d83e305ca1bc43746562ee5ac1737d34f115ddaca021c1f3fff6cbf089fa2d352b88e2b68b96a9b72c5af6ff172430730c1edad2
-
Filesize
279KB
MD5fef5d67150c249db3c1f4b30a2a5a22e
SHA141ca037b0229be9338da4d78244b4f0ea5a3d5f3
SHA256dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603
SHA5124ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7
-
Filesize
1KB
MD53b5480aa913d54602bdf9a2a50c43ca9
SHA1909bcc88e6d9b375050cadf5a0f6040d312dfcd9
SHA2560619f9966c475405f5471286618e8e49668c455b19b67044baa6f356773c45fc
SHA51275571becb9ec55a5adf8ebf8d664a798212c331237a65d2183f2c9a5a419b79a1876ece9528149bb205e9cea26a28a0a05ad8833674856696dec559a618d8b1a
-
Filesize
972KB
-
Filesize
972KB
-
Filesize
28KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
28KB
-
Filesize
64KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
4KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
64KB
-
Filesize
968KB
-
Filesize
28KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
968KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
972KB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
28KB