Overview

overview

10

Static

static

3

0bc57ba35f...b1.dll

windows7-x64

10

0bc57ba35f...b1.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 14:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1.dll

  • Size

    1.1MB

  • MD5

    bd5c5e5fd3ccc87376233a873effa08e

  • SHA1

    76e9011550b052c0f12294f12fa77fa53e7b309e

  • SHA256

    0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1

  • SHA512

    92c6e4b56d30701b09ebdc414a8547cb41a09fa16c390d58663b2b5e861e3dcb608adcdd6cda3fc01c10fb38ca1b4d4f72d062862e9617a14eaff670c28a3cf3

  • SSDEEP

    12288:wkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:wkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bc57ba35fdd2ba7868a82512650b287f7168d52d25c4fddb8b423b773eaa6b1.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4108
  • C:\Windows\system32\MDMAppInstaller.exe
    C:\Windows\system32\MDMAppInstaller.exe
    1⤵
      PID:3096
    • C:\Users\Admin\AppData\Local\4i30G\MDMAppInstaller.exe
      C:\Users\Admin\AppData\Local\4i30G\MDMAppInstaller.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1308
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      1⤵
        PID:3996
      • C:\Users\Admin\AppData\Local\Tai\Magnify.exe
        C:\Users\Admin\AppData\Local\Tai\Magnify.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:436
      • C:\Windows\system32\OptionalFeatures.exe
        C:\Windows\system32\OptionalFeatures.exe
        1⤵
          PID:2540
        • C:\Users\Admin\AppData\Local\PJt6sp\OptionalFeatures.exe
          C:\Users\Admin\AppData\Local\PJt6sp\OptionalFeatures.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2032

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4i30G\MDMAppInstaller.exe
          Filesize

          151KB

          MD5

          30e978cc6830b04f1e7ed285cccaa746

          SHA1

          e915147c17e113c676c635e2102bbff90fb7aa52

          SHA256

          dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

          SHA512

          331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

          Download Submit

        • C:\Users\Admin\AppData\Local\4i30G\WTSAPI32.dll
          Filesize

          1.1MB

          MD5

          05bd8fc5ee1ba42f6401fee90fc7d2c8

          SHA1

          277f2a3ee85248df041603c8f7881c628314697c

          SHA256

          aca3619b58a1184662feb3c6b2b75c9bc8dae9af6c7b16f23f05c240671e87da

          SHA512

          8c880b92495368c832a2e1e51bb4aee7e8a03a176456589eb3a4eb039d2c5cc581e1c0049a8fcf2cfcea825a04f7e563646f3873b28adcc401264c69f5933534

          Download Submit

        • C:\Users\Admin\AppData\Local\PJt6sp\OptionalFeatures.exe
          Filesize

          110KB

          MD5

          d6cd8bef71458804dbc33b88ace56372

          SHA1

          a18b58445be2492c5d37abad69b5aa0d29416a60

          SHA256

          fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

          SHA512

          1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

          Download Submit

        • C:\Users\Admin\AppData\Local\PJt6sp\appwiz.cpl
          Filesize

          1.1MB

          MD5

          9ee0c5135a9a6dde58964d493c75d8d3

          SHA1

          4e30db6f855f4e381cfe47208982dd568bb5f070

          SHA256

          4ba2535b8d0da44dee983390d4e3a5369b6843959f7c22e58e613aa3a83c98a9

          SHA512

          44ce56d2db7851c9ef71d78a33ee043a44168aae30dca7e0df36a159147d5e8594ea2cb2470bb852528ae56168cf46901478885ab992c7fd9754569ed4a4b35e

          Download Submit

        • C:\Users\Admin\AppData\Local\Tai\Magnify.exe
          Filesize

          639KB

          MD5

          4029890c147e3b4c6f41dfb5f9834d42

          SHA1

          10d08b3f6dabe8171ca2dd52e5737e3402951c75

          SHA256

          57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

          SHA512

          dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

          Download Submit

        • C:\Users\Admin\AppData\Local\Tai\OLEACC.dll
          Filesize

          1.1MB

          MD5

          0c5cbf82417c15c0e2f7f973edf628f6

          SHA1

          aab771c137f0405a7dc2902a5808c4caab31c2be

          SHA256

          be8a86e73899143091f879a1a01ce0c2448b3296b0d9df064ae2c9155bbb3097

          SHA512

          fbc02be82381d402ee94475119b048f3b1098020523e9909a1fa7642efef0484207653ebe48ee5ddea99e3d32d7bd2b76eeae59498da28d377d67cdfdf1c8fe1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          458a7b61ceddb27996aac1877fbab376

          SHA1

          4841cba426335587656b293c6d61a7ea881ffcd8

          SHA256

          c2ed2d2817a42cb03c396f7ba7a59b617f8d07d45945d59425025b69bc5f55f1

          SHA512

          ae0d8e8cd3c9bc9b92d0de329405d372d05740617d22c4044833e29bf9b76f862cd7fb13dac739f3dfa02af96539e8265c6633701213c01840dece52b58f1aae

          Download Submit

        • memory/436-64-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1308-50-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1308-46-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1308-45-0x0000016A820F0000-0x0000016A820F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2032-77-0x0000000140000000-0x0000000140124000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-24-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-25-0x00007FF927800000-0x00007FF927810000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3456-11-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-10-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-9-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-8-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-7-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-4-0x0000000002600000-0x0000000002601000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-13-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-12-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-35-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-26-0x00007FF9277F0000-0x00007FF927800000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3456-3-0x00007FF925EAA000-0x00007FF925EAB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-15-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-23-0x0000000000820000-0x0000000000827000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3456-14-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3456-6-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4108-0-0x000001CCF81E0000-0x000001CCF81E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4108-38-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4108-1-0x0000000140000000-0x0000000140123000-memory.dmp

          Filesize

          1.1MB

          Download