Overview

overview

10

Static

static

3

642f7b6daf...f9.dll

windows7-x64

10

642f7b6daf...f9.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9.dll

  • Size

    900KB

  • MD5

    42b74b886c2d75ff9bf4636e558d7ee2

  • SHA1

    096a9d095b93fd378afdc04e04f0d82d23320b3d

  • SHA256

    642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9

  • SHA512

    688ad13892a5e66726574759fd21579887e2452b54397682a81643735ef050dd4fc4a8d152183802ad7f15f80eb2cdf889aa67a1b9050dcfd813cad00b363c78

  • SSDEEP

    12288:CqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed1aaw6:CqGBHTxvt+g2gYed1

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\642f7b6daf911406a48014ce3cb624d1980ed73a5ace4439de573ff2791043f9.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2676
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2648
    • C:\Users\Admin\AppData\Local\rFfGP\osk.exe
      C:\Users\Admin\AppData\Local\rFfGP\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1300
    • C:\Windows\system32\perfmon.exe
      C:\Windows\system32\perfmon.exe
      1⤵
        PID:2028
      • C:\Users\Admin\AppData\Local\fnikkwy\perfmon.exe
        C:\Users\Admin\AppData\Local\fnikkwy\perfmon.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2144
      • C:\Windows\system32\BitLockerWizard.exe
        C:\Windows\system32\BitLockerWizard.exe
        1⤵
          PID:1080
        • C:\Users\Admin\AppData\Local\tU4M\BitLockerWizard.exe
          C:\Users\Admin\AppData\Local\tU4M\BitLockerWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2460

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\rFfGP\WMsgAPI.dll
          Filesize

          904KB

          MD5

          68a8d17f89fe8a759972bec0f393f6a2

          SHA1

          1205341661286c228608d9a71edb9a5982e458e8

          SHA256

          9f3e9c5e690d2717eaa4901ac7a654fcb06be4066b5a4593ee90fba79b8cf9e2

          SHA512

          05c0fcfb7c6ddb04370640fb17291dbb9209f46f1d977d52fe986bba6dffd7fb1f00bad1c9dc17822ca8b9df5c4c77d48d486ed201ba61ebe9b54958cfb5bdfb

          Download Submit

        • C:\Users\Admin\AppData\Local\tU4M\FVEWIZ.dll
          Filesize

          904KB

          MD5

          bc3c2aa85c1515fc114f54ea8760d4a4

          SHA1

          ff7d46654aa115eac18143f229c40a2de1adae3d

          SHA256

          a51e1018be7fc80a7930f58a166b4e8c45e4fbb7789872ca60d3ad7de69cc3b6

          SHA512

          c3117a36c00c567d45d127d42ae2328a7a00d7d84a4474bb4cb52e4d72f1b9e21a22ae900aa965a490c77ee0cffffd7ab9fd84d073bebec003c932f4f7f837df

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk
          Filesize

          1KB

          MD5

          0976514544ee78c5fcadcbc8c4a067f3

          SHA1

          1337ad15ca96540b9c5ddb638dab2fb1ccab8b97

          SHA256

          73224e22711e2f54c18f71eee8d969ed3dbf0ee59daa2dd47b532ae8f0585bc1

          SHA512

          bf127451b0a294be43f10b00fdde36d078b9c4d65d03e6a9111b270e9106f03f58af2326e757d73b0e7433d979756c6664eb9f262125d2eeea2e009e6bd61359

          Download Submit

        • \Users\Admin\AppData\Local\fnikkwy\Secur32.dll
          Filesize

          904KB

          MD5

          78bd391a6dc84e2c9da4c7afed64c4de

          SHA1

          fd362561309b82f8e066245cfaaf4a7eb5109cc6

          SHA256

          3c5a93c93d2b5986f7bd64472c0d8d87de4e17328d0608a076c1f07ee139b922

          SHA512

          9d914d7c047a41248b0394e29f996cdf4e0be571c1cb760906bfeb33a715e61889ab3f1601d829fa3417c308f69134865a6d9486eeb9f7de8672369b6e6c8abe

          Download Submit

        • \Users\Admin\AppData\Local\fnikkwy\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit

        • \Users\Admin\AppData\Local\rFfGP\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • \Users\Admin\AppData\Local\tU4M\BitLockerWizard.exe
          Filesize

          98KB

          MD5

          08a761595ad21d152db2417d6fdb239a

          SHA1

          d84c1bc2e8c9afce9fb79916df9bca169f93a936

          SHA256

          ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

          SHA512

          8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

          Download Submit

        • memory/1232-24-0x0000000077370000-0x0000000077372000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1232-44-0x0000000077006000-0x0000000077007000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-14-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-13-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-12-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-11-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-10-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-23-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-25-0x00000000773A0000-0x00000000773A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1232-3-0x0000000077006000-0x0000000077007000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-35-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-34-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-4-0x0000000002530000-0x0000000002531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-22-0x0000000002510000-0x0000000002517000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1232-9-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-6-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-7-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1232-8-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/1300-57-0x0000000140000000-0x00000001400E2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/1300-53-0x0000000140000000-0x00000001400E2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/1300-52-0x0000000000420000-0x0000000000427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2144-69-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2144-74-0x0000000140000000-0x00000001400E2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/2460-90-0x0000000140000000-0x00000001400E2000-memory.dmp

          Filesize

          904KB

          Download

        • memory/2676-43-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/2676-2-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2676-0-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download