Analysis
-
max time kernel
150s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-10-2024 18:10
General
-
Target
a3c82a5d0423dd286da22159254ce44db5fadc717abfe58240ab7bbf1acfd252.dll
-
Size
936KB
-
MD5
03b5687f88d38e7633c38da183cf2136
-
SHA1
bc436ad961d5695942a16cdaf5537557303ed395
-
SHA256
a3c82a5d0423dd286da22159254ce44db5fadc717abfe58240ab7bbf1acfd252
-
SHA512
cbea474e44f0c9cff8cf9d4cc1dfcc3578bb49030668fbd0f5fdcc01cf110cb5582a833a2abeae39b17ea2366d6d2706231bfcae56c7c1db0da11039c528ec68
-
SSDEEP
12288:LPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:LtKTrsKSKBTSb6DUXWq8
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Dridex payload 8 IoCs
Detects Dridex x64 core DLL in memory.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a3c82a5d0423dd286da22159254ce44db5fadc717abfe58240ab7bbf1acfd252.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\sigverif.exeC:\Windows\system32\sigverif.exe1⤵
-
C:\Users\Admin\AppData\Local\YOOHqiE4\sigverif.exeC:\Users\Admin\AppData\Local\YOOHqiE4\sigverif.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\wusa.exeC:\Windows\system32\wusa.exe1⤵
-
C:\Users\Admin\AppData\Local\2rUd\wusa.exeC:\Users\Admin\AppData\Local\2rUd\wusa.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\AtBroker.exeC:\Windows\system32\AtBroker.exe1⤵
-
C:\Users\Admin\AppData\Local\xKzMpqQh\AtBroker.exeC:\Users\Admin\AppData\Local\xKzMpqQh\AtBroker.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
940KB
MD582353680a8d71ae7f6a71130751e79aa
SHA1192f78dd8b8cab6c1a7c91a2a33e804e70456d19
SHA2565ff2f0110c42e0dcb24807642998319ab8c664ba60d7be124596d61b34ab1528
SHA512f86dea20aa2761bbacd3cf810e88e5061f64b827313cbd2b8abbb836cb706aa2c54750559a44d8af0b0e3915230b7ab53cb8359cb18816682a55b61a1ddf634c
-
Filesize
309KB
MD5e43499ee2b4cf328a81bace9b1644c5d
SHA1b2b55641f2799e3fdb3bea709c9532017bbac59d
SHA2563e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb
SHA51204823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b
-
Filesize
940KB
MD5a6649bd7e2c75580f1d82b0887c2e06d
SHA1ec6c80f7b9535dda2a6be2d7fd367c5fbc0130fb
SHA256e495792356540bf23163e40a440507b4d7ff9f1d2289e0a3074b6b19def4a589
SHA512dfbd01df92f29b99c7539857e024fa7554ed7761ac582f7bd8e919156ff3b35009df5bd76e7d3d77ee3f900bb7fbe82fba156b623f5455662e29aa7150f55f9e
-
Filesize
77KB
MD52151a535274b53ba8a728e542cbc07a8
SHA1a2304c0f2616a7d12298540dce459dd9ccf07443
SHA256064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd
SHA512e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f
-
Filesize
90KB
MD530076e434a015bdf4c136e09351882cc
SHA1584c958a35e23083a0861421357405afd26d9a0c
SHA256ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024
-
Filesize
940KB
MD553fc19db3c7e77dcd2fb0107f44d7ca8
SHA110f03905027d1372f3a26fa6f7cf1fb58d1905e0
SHA256b8e660b6668a1cc7d3fd6f6a240dbe3e715fd5cd22fc5b831606157fa1c5f54e
SHA512eb0ca2c8850d543babbe4e32b283cdf2abbb5399fb73e1baddfabd239de268c6a22d2d25e821dd38bb3c935ded7eb38aefe0ef3ac6d214535b7a7fcb381c7f56
-
Filesize
1KB
MD512d04b67a887409a59669fdf124e1af9
SHA1084da4aa0a3c593595056da01a3165d439698e24
SHA256f3ba5200c5f966d4b51e57f67a7ba03446beadd8447ba4518095dbdff7818bc8
SHA5127a5920d5132d0818e07d0257ed44ff5f8f227966eb30e37b689609f65506bee1bc33bcd3d448abda46cb18dff4d192226ac25e8883b52afb31f7ee505dc32ecb
-
Filesize
940KB
-
Filesize
28KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
940KB
-
Filesize
28KB
-
Filesize
940KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
4KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
936KB
-
Filesize
28KB
-
Filesize
936KB
-
Filesize
940KB
-
Filesize
28KB