Overview

overview

10

Static

static

3

4dce2d4fe2...41.dll

windows7-x64

10

4dce2d4fe2...41.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4dce2d4fe2054c63b9a870f31a295a3a4f855727508b6da1fe2a2f8a0cbab941.dll

  • Size

    908KB

  • MD5

    a713d62a74696a69c4f6cee26d0d94c2

  • SHA1

    7d37f5b6cb82f71d94ee305e1fccb7879655f830

  • SHA256

    4dce2d4fe2054c63b9a870f31a295a3a4f855727508b6da1fe2a2f8a0cbab941

  • SHA512

    6e4663dcdc40710e39c9fd2b9ff79fb0a0cb5b3bc48883b9c38c826c3c8d498f0dd0b50785c9a5e6d07af73f68f094f5b3ab25427d61cdf7e9fca016f1d68b30

  • SSDEEP

    12288:6qJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:6qGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4dce2d4fe2054c63b9a870f31a295a3a4f855727508b6da1fe2a2f8a0cbab941.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1812
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    1⤵
      PID:2772
    • C:\Users\Admin\AppData\Local\2YVj\consent.exe
      C:\Users\Admin\AppData\Local\2YVj\consent.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2700
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      1⤵
        PID:2688
      • C:\Users\Admin\AppData\Local\5tWuMl\Magnify.exe
        C:\Users\Admin\AppData\Local\5tWuMl\Magnify.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2832
      • C:\Windows\system32\SndVol.exe
        C:\Windows\system32\SndVol.exe
        1⤵
          PID:2296
        • C:\Users\Admin\AppData\Local\8qQ7Ecwy3\SndVol.exe
          C:\Users\Admin\AppData\Local\8qQ7Ecwy3\SndVol.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2392

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2YVj\WINSTA.dll
          Filesize

          916KB

          MD5

          f5e37afb587c147f5ff68bc848ef6f91

          SHA1

          d02eb51e1feeb5754daa6962e3d91cf383c2f951

          SHA256

          6e8c5c39ffcc089de180d341bb522328c106c5510180fb8cc2e50e735a430ca8

          SHA512

          bfac625a52c0b41af6c65779c44f1b7507b9111b87e3ec9730efc26f3c43179acb8162a0e1c32ee07eebc5e1afa918977ed6ab3a043d6ba3c0e1c9d3e31246e8

          Download Submit

        • C:\Users\Admin\AppData\Local\5tWuMl\DUI70.dll
          Filesize

          1.1MB

          MD5

          5ccf7049b6d46f8ba21efc0039e65719

          SHA1

          c8205f4a0cb6ba529691396fe294cc14a8fe9720

          SHA256

          f81d350699ab9fefbbcbaf0feabff390074407a362ecdd1ab1b466d092e0934d

          SHA512

          b11415008714781fbcedef05dec9e95b74013cf563c93beab9317b50532831f9f500a2412f85d0fc1b338878abdf6420f61a21cd2938ad796d0c0d4c0cb86568

          Download Submit

        • C:\Users\Admin\AppData\Local\8qQ7Ecwy3\dwmapi.dll
          Filesize

          912KB

          MD5

          2d83239b0626b1525c07cf43e14f7ad9

          SHA1

          bb511af989f2ef3021f2cafb693cf32dc9424d48

          SHA256

          f5e17071c2eb1c1fac68bad1ca098ffdf6aba8236ee976e23d55cc2e3910a698

          SHA512

          e354b899096db0cde195f8b45274019988dfe37e85cdadad2d6312a808a81ad7267e8f7eaa358bb548b17ff2cfcce1e4e08f8849fd97003be06756a50cd0d290

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          fc614c07cc558407871c8a46900ff7b4

          SHA1

          a174a12810bc34d54efdb6a19ae76d3fe25d0dbe

          SHA256

          75d7d996967ae73b58c63717acfdd8efd9e001dd6c07a3316b7083b0684820f5

          SHA512

          a90e328ed9e518e7d8843c1bd24058d980c068d78475e1779ab96652adcbc20c165ab80068a6233fca31027c1fddb0741dc48aee2d8a259608a572f97c0f42b8

          Download Submit

        • \Users\Admin\AppData\Local\2YVj\consent.exe
          Filesize

          109KB

          MD5

          0b5511674394666e9d221f8681b2c2e6

          SHA1

          6e4e720dfc424a12383f0b8194e4477e3bc346dc

          SHA256

          ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

          SHA512

          00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

          Download Submit

        • \Users\Admin\AppData\Local\5tWuMl\Magnify.exe
          Filesize

          637KB

          MD5

          233b45ddf77bd45e53872881cff1839b

          SHA1

          d4b8cafce4664bb339859a90a9dd1506f831756d

          SHA256

          adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

          SHA512

          6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

          Download Submit

        • \Users\Admin\AppData\Local\8qQ7Ecwy3\SndVol.exe
          Filesize

          267KB

          MD5

          c3489639ec8e181044f6c6bfd3d01ac9

          SHA1

          e057c90b675a6da19596b0ac458c25d7440b7869

          SHA256

          a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

          SHA512

          63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

          Download Submit

        • memory/1204-27-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-46-0x0000000077726000-0x0000000077727000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-15-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-14-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-13-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-12-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-11-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-8-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-7-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-9-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-26-0x0000000077A90000-0x0000000077A92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-3-0x0000000077726000-0x0000000077727000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-36-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-37-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-4-0x0000000002890000-0x0000000002891000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-24-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-25-0x0000000002870000-0x0000000002877000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-16-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-6-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1204-10-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1812-45-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/1812-0-0x0000000001D80000-0x0000000001D87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1812-1-0x0000000140000000-0x00000001400E3000-memory.dmp

          Filesize

          908KB

          Download

        • memory/2392-85-0x0000000140000000-0x00000001400E4000-memory.dmp

          Filesize

          912KB

          Download

        • memory/2392-89-0x0000000140000000-0x00000001400E4000-memory.dmp

          Filesize

          912KB

          Download

        • memory/2700-59-0x0000000140000000-0x00000001400E5000-memory.dmp

          Filesize

          916KB

          Download

        • memory/2700-56-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2700-54-0x0000000140000000-0x00000001400E5000-memory.dmp

          Filesize

          916KB

          Download

        • memory/2832-71-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2832-73-0x00000000003A0000-0x00000000003A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2832-75-0x0000000140000000-0x0000000140117000-memory.dmp

          Filesize

          1.1MB

          Download