Overview

overview

10

Static

static

3

b7145f389f...4c.dll

windows7-x64

10

b7145f389f...4c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7145f389fc79052d20e54ce49b5b51194dccd385e08850eb11dc068d6ba6e4c.dll

  • Size

    940KB

  • MD5

    6767a3a501338fa1e0d20387797baa25

  • SHA1

    3b3b1b8514899ce981e091b1f10c5981e2276e39

  • SHA256

    b7145f389fc79052d20e54ce49b5b51194dccd385e08850eb11dc068d6ba6e4c

  • SHA512

    8571d5e0b210cac49012909d6e326b5bfd47718f115d63c23f540ff79a9d32f7bb1ada10d5b65248d99a7789eadbd4db823fe40dfffbbdc4af6c67affe431118

  • SSDEEP

    12288:YPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:YtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b7145f389fc79052d20e54ce49b5b51194dccd385e08850eb11dc068d6ba6e4c.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2728
  • C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe
    1⤵
      PID:1152
    • C:\Users\Admin\AppData\Local\TLJBeMXs\cmstp.exe
      C:\Users\Admin\AppData\Local\TLJBeMXs\cmstp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:1376
    • C:\Windows\system32\DisplaySwitch.exe
      C:\Windows\system32\DisplaySwitch.exe
      1⤵
        PID:1964
      • C:\Users\Admin\AppData\Local\S7zHf6\DisplaySwitch.exe
        C:\Users\Admin\AppData\Local\S7zHf6\DisplaySwitch.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1972
      • C:\Windows\system32\dvdupgrd.exe
        C:\Windows\system32\dvdupgrd.exe
        1⤵
          PID:2100
        • C:\Users\Admin\AppData\Local\66ir1KNSw\dvdupgrd.exe
          C:\Users\Admin\AppData\Local\66ir1KNSw\dvdupgrd.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1304

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\66ir1KNSw\VERSION.dll
          Filesize

          944KB

          MD5

          059d4713fbd28e2405e744d533b8a22a

          SHA1

          0e978fd33ade0e3c0a4e5db429b829b53768a3d8

          SHA256

          c2102a1ed19441cc60ce3503de21c998c58191dfa8e48efe0cf87a9541f2b43c

          SHA512

          ace990522884806489814598799e231fee76aa089ba5205b3a210e549ecae0feb504995a62006380bc61be2d0d8cdb49ccafa364f2840fbfc434843ade3a98e5

          Download Submit

        • C:\Users\Admin\AppData\Local\S7zHf6\slc.dll
          Filesize

          944KB

          MD5

          6790b10e99d9d2e6a522464998d5cbc6

          SHA1

          e343d665024cee0d2c1a4510cc4a274d6f06b827

          SHA256

          2346fc4844435925cd653bead0d01704321843868528a4b458663270a0d55727

          SHA512

          bcc9a35c232f2acd8948a7bc05c487ff5b40ceab558755d86331574a7f7b36d3aa3de6c5a4fe79aa50275e9a265af1a0b6628e94cde0cf3e2226cadbb3f1b990

          Download Submit

        • C:\Users\Admin\AppData\Local\TLJBeMXs\VERSION.dll
          Filesize

          944KB

          MD5

          3e3b91602bee6813223f4e2111fe97f2

          SHA1

          7335ab28cc778e59b43d31f33e6826d0264b875b

          SHA256

          7f5120a5a1d5aaa7aa6cf8d6c64371e683b9a72f17aab03409fa9b181b18a620

          SHA512

          69cec60e0deb63dd18950d11a0650c848c4b8493f68b226d67dad1f9ba29f67640ab2ff6b301fbf71a32ca0b1ac7cc4e29feec7332d8b4b1361769682463f70c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          0187065aecf30ecf1b16c48733a30e1a

          SHA1

          eb8491fe0034742d802210bf40024bacf45f93df

          SHA256

          81248f8d9e7f7db6ca17ea176b9a415f1e93b2d2f5f1a9945015c75f3914ce3b

          SHA512

          9b1bd6bda928d7e9179df31f7a623e69a86216be624f23a53f377530f545e47cdfc6e4a3f91ee367fe3976f87caa1aa7be54cb248200ace69114679c237b5ed0

          Download Submit

        • \Users\Admin\AppData\Local\66ir1KNSw\dvdupgrd.exe
          Filesize

          25KB

          MD5

          75a9b4172eac01d9648c6d2133af952f

          SHA1

          63c7e1af762d2b584e9cc841e8b0100f2a482b81

          SHA256

          18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

          SHA512

          5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

          Download Submit

        • \Users\Admin\AppData\Local\S7zHf6\DisplaySwitch.exe
          Filesize

          517KB

          MD5

          b795e6138e29a37508285fc31e92bd78

          SHA1

          d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

          SHA256

          01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

          SHA512

          8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

          Download Submit

        • \Users\Admin\AppData\Local\TLJBeMXs\cmstp.exe
          Filesize

          90KB

          MD5

          74c6da5522f420c394ae34b2d3d677e3

          SHA1

          ba135738ef1fb2f4c2c6c610be2c4e855a526668

          SHA256

          51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

          SHA512

          bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

          Download Submit

        • memory/1192-26-0x0000000076F20000-0x0000000076F22000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-3-0x0000000076B86000-0x0000000076B87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-23-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-25-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-37-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-36-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-45-0x0000000076B86000-0x0000000076B87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-15-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1192-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1304-91-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1376-58-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1376-54-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1376-53-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1972-72-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1972-75-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2728-44-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2728-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2728-0-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download