Overview

overview

10

Static

static

3

7630a12359...cc.dll

windows7-x64

10

7630a12359...cc.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7630a12359a46806fd7136d9900fba44a2221ce67ad7a31007c3857238b6d3cc.dll

  • Size

    1.1MB

  • MD5

    a8a0cf7dacc631b659a49928caab4bff

  • SHA1

    23806c93a27b6a4e7ba07faa15c90cf94e611309

  • SHA256

    7630a12359a46806fd7136d9900fba44a2221ce67ad7a31007c3857238b6d3cc

  • SHA512

    935c4f34c18d7672c02843849091321f30cbd98f7b75395f7389f10510b9ab94e251f9c61e5653fd954145ea0da82b307574decb36c67d7de5220aa683f52d1f

  • SSDEEP

    12288:GkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:GkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7630a12359a46806fd7136d9900fba44a2221ce67ad7a31007c3857238b6d3cc.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3888
  • C:\Windows\system32\ie4uinit.exe
    C:\Windows\system32\ie4uinit.exe
    1⤵
      PID:4272
    • C:\Users\Admin\AppData\Local\hv1Falr8j\ie4uinit.exe
      C:\Users\Admin\AppData\Local\hv1Falr8j\ie4uinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4744
    • C:\Windows\system32\AtBroker.exe
      C:\Windows\system32\AtBroker.exe
      1⤵
        PID:1280
      • C:\Users\Admin\AppData\Local\cc0T\AtBroker.exe
        C:\Users\Admin\AppData\Local\cc0T\AtBroker.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2124
      • C:\Windows\system32\raserver.exe
        C:\Windows\system32\raserver.exe
        1⤵
          PID:1636
        • C:\Users\Admin\AppData\Local\DNIlQpM\raserver.exe
          C:\Users\Admin\AppData\Local\DNIlQpM\raserver.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2260

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DNIlQpM\WTSAPI32.dll
          Filesize

          1.1MB

          MD5

          fabc03b9a3adc2abf8b58820d607d56e

          SHA1

          6dd97a510b6272e4bfa6f5361340d1ea3688082b

          SHA256

          2abbb336f8bb485313b6fb2f24c8d8c0a89e8048c590e7c6ed12ba46fbad6081

          SHA512

          ed80b321c703e7ade37c65b299d16cbc22c885654b91c63d70fd237349b462cbe7a83b7d9f58c8b06cd9dee3c2d35aecab4f74f35736e72e74dc5dfb1d19040d

          Download Submit

        • C:\Users\Admin\AppData\Local\DNIlQpM\raserver.exe
          Filesize

          132KB

          MD5

          d1841c6ee4ea45794ced131d4b68b60e

          SHA1

          4be6d2116060d7c723ac2d0b5504efe23198ea01

          SHA256

          38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

          SHA512

          d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

          Download Submit

        • C:\Users\Admin\AppData\Local\cc0T\AtBroker.exe
          Filesize

          90KB

          MD5

          30076e434a015bdf4c136e09351882cc

          SHA1

          584c958a35e23083a0861421357405afd26d9a0c

          SHA256

          ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

          SHA512

          675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

          Download Submit

        • C:\Users\Admin\AppData\Local\cc0T\UxTheme.dll
          Filesize

          1.1MB

          MD5

          35fdbd7c713d49ed0b26da3302319543

          SHA1

          821a13f7ef33136fa16dc0d9e93546da0a0d7e02

          SHA256

          ba4e2440d5b2901281800216e3518d2adb0f96bc3254a85fcb5a5c02dafc3123

          SHA512

          a909cb80b7eb55ed856e4ccecd06b335dd7ca88709203c30cf23a596725335503faa26908976b7c448ab26dfa9d5361277ef99953367fa3638d77ba93c900652

          Download Submit

        • C:\Users\Admin\AppData\Local\hv1Falr8j\VERSION.dll
          Filesize

          1.1MB

          MD5

          9e809e1e7ba3e3aee614b0bd65e45e6a

          SHA1

          f9197bdd204981f60b676f5103b6533f29406e85

          SHA256

          c9d196a8fe1e18eadcb2c8fc8bd06dd209bfd11a3536fd4a40332a1c95e601ca

          SHA512

          19cd521ea20b587148b48531f518567ed0efa3dbd56829443015d45b198afeb333d34bc64869ccb35b5a6f89eeec779353da14b800a2b23d8cd7951021b50fc6

          Download Submit

        • C:\Users\Admin\AppData\Local\hv1Falr8j\ie4uinit.exe
          Filesize

          262KB

          MD5

          a2f0104edd80ca2c24c24356d5eacc4f

          SHA1

          8269b9fd9231f04ed47419bd565c69dc677fab56

          SHA256

          5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

          SHA512

          e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk
          Filesize

          1KB

          MD5

          2f18439fc83310890660cfffddea2940

          SHA1

          7d3d98dc888d5b6316dacba9c18309428af3d5b5

          SHA256

          71e28d489bd1b2f3f78d6c8ab2150f7a3c5f83eb35fd8853252a1c1e680bc15a

          SHA512

          3490227c5d8ead57d4ab73f063440c8790469ac3236f710206bcc2e776b96f28371158f132bfed108e184cc468b574c4afc323c67317a31f012fdcb8a9dc0b8a

          Download Submit

        • memory/2124-68-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2124-63-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2124-65-0x000002D1035B0000-0x000002D1035B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2260-83-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-9-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-23-0x0000000000670000-0x0000000000677000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3548-12-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-11-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-10-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-4-0x00000000020C0000-0x00000000020C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3548-8-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-7-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-3-0x00007FFBB5FBA000-0x00007FFBB5FBB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3548-25-0x00007FFBB7E20000-0x00007FFBB7E30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3548-35-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-6-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-14-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-15-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-26-0x00007FFBB7E10000-0x00007FFBB7E20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3548-13-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3548-24-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3888-38-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3888-0-0x00000270D6E80000-0x00000270D6E87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3888-2-0x0000000140000000-0x000000014011D000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4744-52-0x000001E9ABD00000-0x000001E9ABE1E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4744-47-0x000001E9ABBA0000-0x000001E9ABBA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4744-48-0x000001E9ABD00000-0x000001E9ABE1E000-memory.dmp

          Filesize

          1.1MB

          Download