Overview

overview

10

Static

static

3

95142dd124...60.dll

windows7-x64

10

95142dd124...60.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95142dd124e732388684d79e589c18a00fe55eda2af3cd055c3bd5cc6feb2760.dll

  • Size

    944KB

  • MD5

    e1fd15726c61a16219286f808457b005

  • SHA1

    118a7309e85d4594e91bd5fb791dce4e84ff1e9c

  • SHA256

    95142dd124e732388684d79e589c18a00fe55eda2af3cd055c3bd5cc6feb2760

  • SHA512

    075b89e73badb35bbe48f78e910ba5cb270548cbccb40491647b4ffd5b232883eb528c0a53f57d031e392bb77a336b8e1bba20f8b03c4efd87b7c668a9a7fe72

  • SSDEEP

    12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\95142dd124e732388684d79e589c18a00fe55eda2af3cd055c3bd5cc6feb2760.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1576
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    1⤵
      PID:2884
    • C:\Users\Admin\AppData\Local\Gtk\sigverif.exe
      C:\Users\Admin\AppData\Local\Gtk\sigverif.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2664
    • C:\Windows\system32\irftp.exe
      C:\Windows\system32\irftp.exe
      1⤵
        PID:2924
      • C:\Users\Admin\AppData\Local\fUH1\irftp.exe
        C:\Users\Admin\AppData\Local\fUH1\irftp.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1604
      • C:\Windows\system32\Utilman.exe
        C:\Windows\system32\Utilman.exe
        1⤵
          PID:1976
        • C:\Users\Admin\AppData\Local\DY4Rw\Utilman.exe
          C:\Users\Admin\AppData\Local\DY4Rw\Utilman.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2572

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DY4Rw\DUI70.dll
          Filesize

          1.1MB

          MD5

          546229ba07a26273505d96f781d25d6c

          SHA1

          4aa4bd1b3543bd814e9d2ae50a3105d568f6067a

          SHA256

          d79b77dda2a58aa3603b7a1b1a4ede9e89b84f88be0cb7deaf608df000d4d6f1

          SHA512

          d402835cf446aa430115260332203ba5eafb332586b4285ae4e1ca71c20263bd13bdda423d2cbe27119b3aa7775dda573b2313f2022b92503ac08cfdc3cfee90

          Download Submit

        • C:\Users\Admin\AppData\Local\Gtk\VERSION.dll
          Filesize

          948KB

          MD5

          b345255f8d153d0422a1e35442749407

          SHA1

          29782c561e10a042183de10a557b454b8e54121f

          SHA256

          b4c7e82501abb27feefd4c79c1b4bf64c21953aa85073e471d8064d7e29fb474

          SHA512

          9ee161c8f4494263c847d8c015a18643e972711985e40cd59bdc98045343362a3e7d6681164fb0a120972fe0a35d56e352ee96c0d9bbe47129c068d99a2b3d51

          Download Submit

        • C:\Users\Admin\AppData\Local\fUH1\WINMM.dll
          Filesize

          952KB

          MD5

          bab409c1bda4bde53b2c4bc2930eac36

          SHA1

          c0bc3d4f6734352c51beadb27a972f15c4c02ffb

          SHA256

          a9792bc5a295682092c14adbce66f3d6680ae1a78187bcf5ebd4257d5b905274

          SHA512

          f12091e84a326a7404549dd5c3284ff894718c683dc258986f6d8c5dd92e74300957d5b13066ec03d6ffbef2b12e08cc26c0b040ebe239166ce5527569767381

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Frhyegfvspmw.lnk
          Filesize

          1KB

          MD5

          1572d189c3866b21a35705369950aa22

          SHA1

          7c226babe4e45fa54b1b7e7e3b1303e3e89de213

          SHA256

          875f8d6f75439443b59b3ae41cbe8f1944779ab861410514692ffca61f2d39d5

          SHA512

          f3313417b1fcd0d3e1022e87b3667479c6b93669f9182bfeb73be245cdf276109cdd92382aaceb6906507811c4100028fa33a1f2abea405ed7fc7afe2ac62e2a

          Download Submit

        • \Users\Admin\AppData\Local\DY4Rw\Utilman.exe
          Filesize

          1.3MB

          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

          Download Submit

        • \Users\Admin\AppData\Local\Gtk\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit

        • \Users\Admin\AppData\Local\fUH1\irftp.exe
          Filesize

          192KB

          MD5

          0cae1fb725c56d260bfd6feba7ae9a75

          SHA1

          102ac676a1de3ec3d56401f8efd518c31c8b0b80

          SHA256

          312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

          SHA512

          db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

          Download Submit

        • memory/1220-13-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-14-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-3-0x0000000077696000-0x0000000077697000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-24-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-12-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-11-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-10-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-9-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-7-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-26-0x0000000077A30000-0x0000000077A32000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1220-25-0x0000000077A00000-0x0000000077A02000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1220-35-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-37-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-4-0x0000000002B00000-0x0000000002B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-45-0x0000000077696000-0x0000000077697000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1220-23-0x0000000002610000-0x0000000002617000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1220-15-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-6-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1220-8-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1576-44-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1576-2-0x0000000000320000-0x0000000000327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1576-0-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1604-70-0x0000000000530000-0x0000000000537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1604-71-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/1604-75-0x0000000140000000-0x00000001400EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2572-87-0x0000000140000000-0x0000000140120000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2572-91-0x0000000140000000-0x0000000140120000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2664-58-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2664-54-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2664-53-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download