Overview

overview

10

Static

static

3

096c523389...a0.dll

windows7-x64

10

096c523389...a0.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 12:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0.dll

  • Size

    1.1MB

  • MD5

    29b4a43d6fa90c2c28824982c991da5d

  • SHA1

    f4693227a98c1b9a031bb6ad182c5f20b83de5f1

  • SHA256

    096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0

  • SHA512

    88fa077dc53d0bef81cdfc3d6da7f44ffc77ca3bdd5fd1818c37c0e9327fdd5b1749945393289b87f7aa2f0a2ddb11b924cea0861e83960bd858f7e353f43f2c

  • SSDEEP

    12288:LkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:LkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2380
  • C:\Windows\system32\Magnify.exe
    C:\Windows\system32\Magnify.exe
    1⤵
      PID:2804
    • C:\Users\Admin\AppData\Local\Q1YwRE\Magnify.exe
      C:\Users\Admin\AppData\Local\Q1YwRE\Magnify.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3064
    • C:\Windows\system32\Dxpserver.exe
      C:\Windows\system32\Dxpserver.exe
      1⤵
        PID:3028
      • C:\Users\Admin\AppData\Local\aAN1X9\Dxpserver.exe
        C:\Users\Admin\AppData\Local\aAN1X9\Dxpserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2892
      • C:\Windows\system32\javaws.exe
        C:\Windows\system32\javaws.exe
        1⤵
          PID:288
        • C:\Users\Admin\AppData\Local\X161yD\javaws.exe
          C:\Users\Admin\AppData\Local\X161yD\javaws.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2020

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Q1YwRE\Magnify.exe
          Filesize

          637KB

          MD5

          233b45ddf77bd45e53872881cff1839b

          SHA1

          d4b8cafce4664bb339859a90a9dd1506f831756d

          SHA256

          adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

          SHA512

          6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

          Download Submit

        • C:\Users\Admin\AppData\Local\Q1YwRE\dwmapi.dll
          Filesize

          1.1MB

          MD5

          198ed0dc28fbf7a200d82c20b7f6fc93

          SHA1

          84c027ae88ba11ab86f55d6ed0201592b9ae4249

          SHA256

          b1743b47f414d8028e654869a97ca6602c6657f59533098d0ece6fcaad5f6cc9

          SHA512

          20b6d08b085eb0834dcb9c888df4df168cb0d6e28dd9bb818a9919e33db204800f69e35933a2ea1a55e951fbca75bc5700fc9a542cf97079ce0f1f06a2fce5e4

          Download Submit

        • C:\Users\Admin\AppData\Local\X161yD\VERSION.dll
          Filesize

          1.1MB

          MD5

          2b32ebac848259883ab6ff4c2c3b1ba6

          SHA1

          3b0b23b4bccfc222cd2dbbfe0d4a570b4ee7b5ee

          SHA256

          642ae8cbb97e4ae9bada0baf0fc79a81ec687915db474597efa3277b43ae3ca3

          SHA512

          3c66ade72bef5e9670b41bc2f6bf35e1df6f371569908e03a9761a04ffa768005054b65a9dc54b75bfb76286a1a597dd589d5c09971d885b026a2eb7209edd7e

          Download Submit

        • C:\Users\Admin\AppData\Local\aAN1X9\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • C:\Users\Admin\AppData\Local\aAN1X9\dwmapi.dll
          Filesize

          1.1MB

          MD5

          094c635b1193f9451c87316624760c01

          SHA1

          fc27b50c0eb4b23cbda44c54a34195ab763b78e6

          SHA256

          1dff2e2322fb771a1a7382e915e5d76f0480c6f58cc5224e7ac4612f8d79ba2d

          SHA512

          9e6bdd6e018c1b986cbad672a8e6dbfaa0328467dd494dccd1c99573b285081f316cc3542374d478ee7f5ec549401dc9989fc9c291e40efcee7f9cdbc932972a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          1KB

          MD5

          0c8a5fabd8d38d855b9109cea1eafa72

          SHA1

          99ad87ab94956a80c8df003753f59a62bf21e110

          SHA256

          b34cd553f5c5daeee35198bceb0613dec12d3ab4350dc806877fdbc6fcfa55f1

          SHA512

          0c2c95592a44881ed26ff3b648b4c755e638403c9031a7c2ad4426bea62f8d3da367c155d41335e0cad8b2f2cf302a763027ea60bc23c772b4c9c8402c22adc2

          Download Submit

        • \Users\Admin\AppData\Local\X161yD\javaws.exe
          Filesize

          312KB

          MD5

          f94bc1a70c942621c4279236df284e04

          SHA1

          8f46d89c7db415a7f48ccd638963028f63df4e4f

          SHA256

          be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

          SHA512

          60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

          Download Submit

        • memory/1212-15-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-9-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-8-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-7-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-6-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-26-0x0000000077490000-0x0000000077492000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-25-0x0000000077460000-0x0000000077462000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1212-24-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-23-0x0000000002D70000-0x0000000002D77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1212-13-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-14-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-36-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-37-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-12-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-45-0x00000000770F6000-0x00000000770F7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-10-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-11-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1212-3-0x00000000770F6000-0x00000000770F7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1212-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2020-88-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2380-44-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2380-1-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2380-2-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2892-67-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2892-72-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3064-57-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3064-54-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3064-53-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download