Overview

overview

10

Static

static

3

0fe4a1f561...b4.dll

windows7-x64

10

0fe4a1f561...b4.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2024 20:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fe4a1f561c62db783b0319724978bd87d6cd1cb2160c21cee7d6332e6376cb4.dll

  • Size

    936KB

  • MD5

    e3131866f91556ad080fe2a779aa1b17

  • SHA1

    df96ad3471403e2b98e66b15851280ea51e13291

  • SHA256

    0fe4a1f561c62db783b0319724978bd87d6cd1cb2160c21cee7d6332e6376cb4

  • SHA512

    288e9f5ce7ea185db87f0034cc39409c7d9fbbe334e6b71da5569d02d207103a343513985e15286771b841faaccb4bb5f4224bd0419d24d7967f65d71eb93d89

  • SSDEEP

    12288:DPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:DtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fe4a1f561c62db783b0319724978bd87d6cd1cb2160c21cee7d6332e6376cb4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2136
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    1⤵
      PID:2688
    • C:\Users\Admin\AppData\Local\ns5t\sethc.exe
      C:\Users\Admin\AppData\Local\ns5t\sethc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2708
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:2732
      • C:\Users\Admin\AppData\Local\LLphxbdZl\Dxpserver.exe
        C:\Users\Admin\AppData\Local\LLphxbdZl\Dxpserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2440
      • C:\Windows\system32\sdclt.exe
        C:\Windows\system32\sdclt.exe
        1⤵
          PID:2568
        • C:\Users\Admin\AppData\Local\QwlWAr\sdclt.exe
          C:\Users\Admin\AppData\Local\QwlWAr\sdclt.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2664

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\LLphxbdZl\dwmapi.dll
          Filesize

          940KB

          MD5

          998e0bcf9d0a88c9a5e6e6a838e7af2a

          SHA1

          a3fad940f7c2b2a910061273894acbc631c83437

          SHA256

          3cfcedf4bff970c789d87c482aa8aad34f08d0ef79836297f1b2ea5c1dec36c2

          SHA512

          dff582ba09e9a657c272fe39e3dcb416d4f7c3bc2a75c929e5b888f8a27904aa3d3eb2c5ddb621c14c40b4eb2aac0a17ca3fcb708977e22fed0a44e2bb1c503c

          Download Submit

        • C:\Users\Admin\AppData\Local\QwlWAr\sdclt.exe
          Filesize

          1.2MB

          MD5

          cdebd55ffbda3889aa2a8ce52b9dc097

          SHA1

          4b3cbfff5e57fa0cb058e93e445e3851063646cf

          SHA256

          61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

          SHA512

          2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

          Download Submit

        • C:\Users\Admin\AppData\Local\QwlWAr\slc.dll
          Filesize

          940KB

          MD5

          61431dcbfb10700fcd58625449ecc4aa

          SHA1

          79a5c455c79c2be62b52930f468637fe1727875b

          SHA256

          dad962ab8cd3020bf143b3b0456f46ed9eafbd153957da18b62f9a6121f5f5b5

          SHA512

          2e229cdd20858602be165de98623fd92a697d4c4c8c9e0b0039e4706b74037203639ce6ef2fa885a703cfd51df0e7dd9c8848d5e03a917955762662acb726e77

          Download Submit

        • C:\Users\Admin\AppData\Local\ns5t\OLEACC.dll
          Filesize

          940KB

          MD5

          0f6175acfb2b37901cd41feccc9cd57b

          SHA1

          baeaa81be2ea4ccae8f4fe66141008afe2005ba7

          SHA256

          df52d7ec686605562bf9b407edddabf20e145d54c334e4736b812a6dd35aaf01

          SHA512

          78b593adf97519ae777b72706a565f780b0f8a9b2254659d30c9f5691d5a8c67e54c0e2605e10863860755ceaf9d83dca4dc6563dc1651a13d4fc5a58f729f6f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk
          Filesize

          1KB

          MD5

          a88a47b9d9a44ac0ea7583397153238d

          SHA1

          5274a515ffe0c2952a31ac373959bcf3bb050458

          SHA256

          b32c951020fe7f20f4382de87536043ceae470d3243bd8ddd54e87b4daa7e4c0

          SHA512

          66bfd2f6e02474ed313270d750fea7f1698c833e0cf0ceeded7aa75a3efa1a0cf425a1badc60738b16ae369277b19fa14f53b5746c24c8c2d0e7e9b24ac9c44b

          Download Submit

        • \Users\Admin\AppData\Local\LLphxbdZl\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\ns5t\sethc.exe
          Filesize

          272KB

          MD5

          3bcb70da9b5a2011e01e35ed29a3f3f3

          SHA1

          9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

          SHA256

          dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

          SHA512

          69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

          Download Submit

        • memory/1216-22-0x0000000002990000-0x0000000002997000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1216-44-0x0000000077666000-0x0000000077667000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-11-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-25-0x0000000077A00000-0x0000000077A02000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-24-0x00000000779D0000-0x00000000779D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-23-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-12-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-10-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-9-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-3-0x0000000077666000-0x0000000077667000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-35-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-34-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-4-0x00000000029B0000-0x00000000029B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-14-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-13-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-7-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-6-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1216-8-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2136-43-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2136-0-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/2136-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2440-69-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2440-74-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2664-90-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2708-57-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2708-53-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2708-52-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download