Overview

overview

10

Static

static

3

5610f2cff2...c7.dll

windows7-x64

10

5610f2cff2...c7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5610f2cff2a5352f2aea2e2d85f83d8dd8d44bc56b776a938ef4826f621adcc7.dll

  • Size

    700KB

  • MD5

    f361ea6f535b8b1dfbfe86aea88cc345

  • SHA1

    43d2f136fbf4fe3918efcc246de89783158bd17b

  • SHA256

    5610f2cff2a5352f2aea2e2d85f83d8dd8d44bc56b776a938ef4826f621adcc7

  • SHA512

    476b50c70ef7d07a5cb77413824783bc3ae00c1df5e8bb0cd4d6482eec8087121fbaa3fe1a4f47f20422d655699493baaef14ee9b93bd091c0ac625481d0ae59

  • SSDEEP

    12288:RqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:RqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5610f2cff2a5352f2aea2e2d85f83d8dd8d44bc56b776a938ef4826f621adcc7.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2956
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2672
    • C:\Users\Admin\AppData\Local\LFxS201\osk.exe
      C:\Users\Admin\AppData\Local\LFxS201\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1616
    • C:\Windows\system32\icardagt.exe
      C:\Windows\system32\icardagt.exe
      1⤵
        PID:1200
      • C:\Users\Admin\AppData\Local\3wVLSA1\icardagt.exe
        C:\Users\Admin\AppData\Local\3wVLSA1\icardagt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2092
      • C:\Windows\system32\rstrui.exe
        C:\Windows\system32\rstrui.exe
        1⤵
          PID:2292
        • C:\Users\Admin\AppData\Local\NIznXP9\rstrui.exe
          C:\Users\Admin\AppData\Local\NIznXP9\rstrui.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2844

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3wVLSA1\UxTheme.dll
          Filesize

          704KB

          MD5

          341ebd071eb3068538d5f0245c056cfb

          SHA1

          10e65fb14092e76d28c01653204d5ad4a1def66d

          SHA256

          59e37b75c83a3be3a1086d0706cf45401b6ad8047cedc2532e1121416f3ccc84

          SHA512

          7941ce3519c990e8cb99995c2647958f292596ee1151ee625d0d084d56d0955c243f904973b889b86b9517ddb34c1d6c7cfbd7330952e3c0df4d37c72e8e3ed4

          Download Submit

        • C:\Users\Admin\AppData\Local\3wVLSA1\icardagt.exe
          Filesize

          1.3MB

          MD5

          2fe97a3052e847190a9775431292a3a3

          SHA1

          43edc451ac97365600391fa4af15476a30423ff6

          SHA256

          473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

          SHA512

          93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

          Download Submit

        • C:\Users\Admin\AppData\Local\LFxS201\WMsgAPI.dll
          Filesize

          704KB

          MD5

          3692bc17a9aa1b45901724d82868a542

          SHA1

          6f884cb64d8303e12b7c200b8bb700b2488a916e

          SHA256

          29caacd9285ca97a86b684ad73137d1c53e27799dc7f53693464dbaa7789c1eb

          SHA512

          a055d5d1a87da6861f9881d296f81eb3a0cc55c53ee3c1f1ebe36eb9d9ff02b66aa4bd7cc4ebb9ea4e2a953776382a69afd9ccd151c95944f876d5093cb7988f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk
          Filesize

          1KB

          MD5

          a40d704489bfe2bfe7007fc75daddd8e

          SHA1

          d6e495015e8b324c4d94ed7e06f644fe67e8e356

          SHA256

          54424c160febcc1ea910d3e4688914d7865705166c48fcd5671af8e996a1e187

          SHA512

          09765a089232e07066926bd59dbadb6348b6bbadad27a84dfba62a73152232c95cbf4e6c872974d7b3971027d0eedac793a48beb8bcb7836e17cd89c21b20b48

          Download Submit

        • \Users\Admin\AppData\Local\LFxS201\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • \Users\Admin\AppData\Local\NIznXP9\SRCORE.dll
          Filesize

          704KB

          MD5

          b789568e3fffc51d215ef43475a7d815

          SHA1

          93a5bc3c0692c07efae98cee6fce35671c2272aa

          SHA256

          171b96c496e1749e6955130d45600bc063c70be4eaf256dbda765d690c798bc5

          SHA512

          ebfb02b0f50f62bc4357eb2b2dc34ac7b8b11e56e93fd78933b853d4a3c5e911bd3b11acb275f7be82c4449143af8ca98afffe9e23ecbd31eee2069f96264ade

          Download Submit

        • \Users\Admin\AppData\Local\NIznXP9\rstrui.exe
          Filesize

          290KB

          MD5

          3db5a1eace7f3049ecc49fa64461e254

          SHA1

          7dc64e4f75741b93804cbae365e10dc70592c6a9

          SHA256

          ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

          SHA512

          ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

          Download Submit

        • memory/1188-26-0x0000000076F60000-0x0000000076F62000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-3-0x0000000076CC6000-0x0000000076CC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-12-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-11-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-10-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-9-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-8-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-7-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-24-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-13-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-25-0x0000000076F30000-0x0000000076F32000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1188-35-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-36-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-4-0x0000000002E00000-0x0000000002E01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-45-0x0000000076CC6000-0x0000000076CC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1188-14-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-23-0x0000000002DE0000-0x0000000002DE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1188-6-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1188-15-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1616-58-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1616-55-0x0000000001F20000-0x0000000001F27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1616-53-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2092-70-0x0000000000690000-0x0000000000697000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2092-75-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2844-91-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2956-44-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2956-0-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2956-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download