Overview

overview

10

Static

static

3

06618db79b...0a.dll

windows7-x64

10

06618db79b...0a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06618db79b292fe5270cdf536e70181a66533021d5fba89cf6cee8151e28830a.dll

  • Size

    940KB

  • MD5

    4c744bdf154706d67cce0294ea1c301c

  • SHA1

    177a8dd5df4aba873b8c29d2d2f52d7188204de0

  • SHA256

    06618db79b292fe5270cdf536e70181a66533021d5fba89cf6cee8151e28830a

  • SHA512

    76481e9906d7c8225a77e6d87622c9f79fe5bd3f44f22a04487747a15f2966f0cab259a94f7ed9cd08f05203bccff6d4001e143a6420910a8c96c879bb30e61a

  • SSDEEP

    12288:wPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:wtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\06618db79b292fe5270cdf536e70181a66533021d5fba89cf6cee8151e28830a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2348
  • C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe
    1⤵
      PID:2860
    • C:\Users\Admin\AppData\Local\3mauGn\unregmp2.exe
      C:\Users\Admin\AppData\Local\3mauGn\unregmp2.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2852
    • C:\Windows\system32\DisplaySwitch.exe
      C:\Windows\system32\DisplaySwitch.exe
      1⤵
        PID:2596
      • C:\Users\Admin\AppData\Local\FIpX9AKz\DisplaySwitch.exe
        C:\Users\Admin\AppData\Local\FIpX9AKz\DisplaySwitch.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1864
      • C:\Windows\system32\osk.exe
        C:\Windows\system32\osk.exe
        1⤵
          PID:1252
        • C:\Users\Admin\AppData\Local\RYYFA\osk.exe
          C:\Users\Admin\AppData\Local\RYYFA\osk.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2632

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3mauGn\slc.dll
          Filesize

          944KB

          MD5

          8f41fd1216d4879321844b5b0a2b1767

          SHA1

          d806aacfebd85f9b4880db25be3bc129a8226275

          SHA256

          d69aee7e6d603f8d3cd904a92078caa89d6feafdaa4629c60685e97ae37b162d

          SHA512

          c8d4b823887d183f194113315346432471c37388242065ae88cfb56578d95fe5396b8655812582b8ebc7f1e17638d506c7af1dd178f9db6e1b56d7a12c580018

          Download Submit

        • C:\Users\Admin\AppData\Local\FIpX9AKz\slc.dll
          Filesize

          944KB

          MD5

          bb3cd97af2ba2b2ecf1183936dfb0981

          SHA1

          dce566f4c97413a886e4dab662c550233ede0f5c

          SHA256

          1c86a13685ddd7edcc6b867d1931f8a28063150b6ce8a3103b101559b0e0b0db

          SHA512

          8948bb721a98e859b0fb4543cc3601732fe882472f275ed5cab1dc2ed49f8b208c73df4d1abd5da2f8d5a9dd68f10476112488a369080dc723bf929a97489b5f

          Download Submit

        • C:\Users\Admin\AppData\Local\RYYFA\dwmapi.dll
          Filesize

          944KB

          MD5

          e2478c4633aa037f15e751d8d53610c0

          SHA1

          53fdc8fef8f7293456a6928b6a2e225c6411a5f9

          SHA256

          853fd2a689b82b92bf098efd5c96c9c236cd1e7821b7b4dfbf6c90cd24a7def4

          SHA512

          64c694919088a717fc64286be3a33ddc575f20a2d0ccbc766588b67904060cf3a1c27af2b6e9e4e48e38f2a58d2ddfc9f43a7baa342392ca2d8b01e79a6ab02b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          c7bb59675a4bcf17baf4e8415035270c

          SHA1

          652ca9936931aa1793a49ac2f934ea75cc8c7555

          SHA256

          8ec8df53d8ebb1d409e9ddea6392ddc34d1bed05e2f927365ca7d77e9c1e1059

          SHA512

          b93b5e43a987721c735b0d79e9f8120d7c17c5d3b3ade3994db7a34ccfe38c4e172334fbde11d444309d5933d54f5d2554400e8d6ead42c7062ed631b961783b

          Download Submit

        • \Users\Admin\AppData\Local\3mauGn\unregmp2.exe
          Filesize

          316KB

          MD5

          64b328d52dfc8cda123093e3f6e4c37c

          SHA1

          f68f45b21b911906f3aa982e64504e662a92e5ab

          SHA256

          7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

          SHA512

          e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

          Download Submit

        • \Users\Admin\AppData\Local\FIpX9AKz\DisplaySwitch.exe
          Filesize

          517KB

          MD5

          b795e6138e29a37508285fc31e92bd78

          SHA1

          d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

          SHA256

          01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

          SHA512

          8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

          Download Submit

        • \Users\Admin\AppData\Local\RYYFA\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • memory/1196-26-0x0000000077B90000-0x0000000077B92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-3-0x00000000777F6000-0x00000000777F7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-16-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-15-0x0000000002D00000-0x0000000002D07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-25-0x0000000077B60000-0x0000000077B62000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-35-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-36-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-45-0x00000000777F6000-0x00000000777F7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1196-4-0x0000000002D20000-0x0000000002D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1864-74-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2348-44-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2348-2-0x0000000000330000-0x0000000000337000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2348-0-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2632-90-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2852-58-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2852-54-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2852-53-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download