Overview

overview

10

Static

static

3

a63124e1c6...13.dll

windows7-x64

10

a63124e1c6...13.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13.dll

  • Size

    1.1MB

  • MD5

    a4b1c110a484ba5ca47588ea117ce092

  • SHA1

    82f5efbb7fe1cb100d0521e64311c97ac771a875

  • SHA256

    a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13

  • SHA512

    fd2bfa5c05f51a8aa9ad3602ec9a6fabfb1178d42f80113bf19700260107415dacc1b7e6d7dbf3b7e2a65665f3b3776b30403f791040430c632224bb3d889309

  • SSDEEP

    12288:nkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:nkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2844
  • C:\Windows\system32\bdeunlock.exe
    C:\Windows\system32\bdeunlock.exe
    1⤵
      PID:2480
    • C:\Users\Admin\AppData\Local\ctwfFBje\bdeunlock.exe
      C:\Users\Admin\AppData\Local\ctwfFBje\bdeunlock.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3808
    • C:\Windows\system32\consent.exe
      C:\Windows\system32\consent.exe
      1⤵
        PID:1200
      • C:\Users\Admin\AppData\Local\DuBrIYMd\consent.exe
        C:\Users\Admin\AppData\Local\DuBrIYMd\consent.exe
        1⤵
        • Executes dropped EXE
        PID:2592
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:1840
        • C:\Users\Admin\AppData\Local\Ct67t\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\Ct67t\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2896
        • C:\Windows\system32\Magnify.exe
          C:\Windows\system32\Magnify.exe
          1⤵
            PID:5052
          • C:\Users\Admin\AppData\Local\WywT\Magnify.exe
            C:\Users\Admin\AppData\Local\WywT\Magnify.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:732

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Ct67t\BitLockerWizard.exe
            Filesize

            100KB

            MD5

            6d30c96f29f64b34bc98e4c81d9b0ee8

            SHA1

            4a3adc355f02b9c69bdbe391bfb01469dee15cf0

            SHA256

            7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74

            SHA512

            25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

            Download Submit

          • C:\Users\Admin\AppData\Local\Ct67t\FVEWIZ.dll
            Filesize

            1.1MB

            MD5

            5bf1960c1c38a314d1c834080729369f

            SHA1

            24c5956157999d8e755e73755ff0b7c746a2d24f

            SHA256

            e1e0f57ff99e0f8328a1e6a0d986470727944a6dac724c50e7a2c0fd81bc6e8a

            SHA512

            f6b8e16fb77d387efd7172af3e8f437c9f9ec2454f5f35cf314a0dbbdd0b7a232d0f36e9d10d302eb8a2a20729e9e6152a13f8180e410228b082152a35774a37

            Download Submit

          • C:\Users\Admin\AppData\Local\DuBrIYMd\consent.exe
            Filesize

            162KB

            MD5

            6646631ce4ad7128762352da81f3b030

            SHA1

            1095bd4b63360fc2968d75622aa745e5523428ab

            SHA256

            56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

            SHA512

            1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

            Download Submit

          • C:\Users\Admin\AppData\Local\WywT\MAGNIFICATION.dll
            Filesize

            1.1MB

            MD5

            2983940acefa752c9876173eaee1eee4

            SHA1

            27f901c5df662a2f76b3207df6a3dfafe360bcb4

            SHA256

            08f951deb8f8ab4b481c48fff932c41e34002ba088e6ef3e2290b544a7fc4daf

            SHA512

            68db3d4132175f529a0d4c7ed7e159314b9ebd3d4e03b25f46b34a7dce43096a91cd7363458272d13c3bdf02ccda48ea49a8c02a16079829336624ba72851c59

            Download Submit

          • C:\Users\Admin\AppData\Local\WywT\Magnify.exe
            Filesize

            639KB

            MD5

            4029890c147e3b4c6f41dfb5f9834d42

            SHA1

            10d08b3f6dabe8171ca2dd52e5737e3402951c75

            SHA256

            57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

            SHA512

            dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

            Download Submit

          • C:\Users\Admin\AppData\Local\ctwfFBje\DUI70.dll
            Filesize

            1.4MB

            MD5

            da5d7b8676bbbd2a1236fb7cbdc4d2bb

            SHA1

            1ba886714c55649d6f97aa3697d3464ff3481890

            SHA256

            641daa253b06c0c1e8750316eae6b115589a5924cadaa24412a348694db0a1c2

            SHA512

            7262d6452b9948edb30dfb697dad38192cb2d75ba3dcb718bcb63cdb75d6fbd1edcdcfbbecfc35f9e6d0636d71742666d80b52d480b5c2bb2d168798f10e6c6c

            Download Submit

          • C:\Users\Admin\AppData\Local\ctwfFBje\bdeunlock.exe
            Filesize

            279KB

            MD5

            fef5d67150c249db3c1f4b30a2a5a22e

            SHA1

            41ca037b0229be9338da4d78244b4f0ea5a3d5f3

            SHA256

            dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

            SHA512

            4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk
            Filesize

            1KB

            MD5

            19cfb85f3a7f197a3e059b08c64c4ff8

            SHA1

            d4811278fb4d38c44dc8472ec7e6e11494f74215

            SHA256

            815eaf11c59dd7129a617da2b3470dd44f596dfbb3a9b891d88dea8586e534ad

            SHA512

            f52f8aa77266e3b447a47e87dddf8c04d047296d9f1c5596214d22b87b6889fd7bec04335a710200e382ac0ecbdc4d92d1c1f6be800d6ae4d08d01179d7f187a

            Download Submit

          • memory/732-88-0x0000000140000000-0x000000014011E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2844-2-0x0000000000EE0000-0x0000000000EE7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2844-0-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2844-38-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2896-69-0x0000000140000000-0x000000014011E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2896-73-0x0000000140000000-0x000000014011E000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-26-0x00007FFAA6810000-0x00007FFAA6820000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3468-13-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-6-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-25-0x00007FFAA6820000-0x00007FFAA6830000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3468-35-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-7-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-8-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-15-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-3-0x0000000001560000-0x0000000001561000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3468-4-0x00007FFAA610A000-0x00007FFAA610B000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3468-12-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-10-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-11-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-24-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-23-0x0000000001470000-0x0000000001477000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3468-14-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3468-9-0x0000000140000000-0x000000014011D000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3808-50-0x0000000140000000-0x0000000140163000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3808-45-0x0000000140000000-0x0000000140163000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3808-47-0x0000023B0E4F0000-0x0000023B0E4F7000-memory.dmp

            Filesize

            28KB

            Download