Overview

overview

10

Static

static

3

82bbb37f2e...8b.dll

windows7-x64

10

82bbb37f2e...8b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82bbb37f2ea3e1afd819a87eba997c908ba7b061bdb28880e11bf490f6b6c48b.dll

  • Size

    720KB

  • MD5

    063b08ece19964bb44c048bdaf338d0c

  • SHA1

    629c98179cd6f9dd0d642305ba7ce56525833c6c

  • SHA256

    82bbb37f2ea3e1afd819a87eba997c908ba7b061bdb28880e11bf490f6b6c48b

  • SHA512

    c9374043f8b06799b2fc49c88c5b26e838dbd9ac28f87fa4293cbd1775b67d1ded3eacd62c02c4230c694114f65b078dfa6fb196510e0106c9e32a96bd1484f7

  • SSDEEP

    12288:HqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4BaedXlS:HqGBHTxvt+g2gYedXlS

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\82bbb37f2ea3e1afd819a87eba997c908ba7b061bdb28880e11bf490f6b6c48b.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2688
  • C:\Windows\system32\ComputerDefaults.exe
    C:\Windows\system32\ComputerDefaults.exe
    1⤵
      PID:2784
    • C:\Users\Admin\AppData\Local\QbPgOqh\ComputerDefaults.exe
      C:\Users\Admin\AppData\Local\QbPgOqh\ComputerDefaults.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2872
    • C:\Windows\system32\DevicePairingWizard.exe
      C:\Windows\system32\DevicePairingWizard.exe
      1⤵
        PID:3040
      • C:\Users\Admin\AppData\Local\SwK\DevicePairingWizard.exe
        C:\Users\Admin\AppData\Local\SwK\DevicePairingWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1996
      • C:\Windows\system32\Utilman.exe
        C:\Windows\system32\Utilman.exe
        1⤵
          PID:1908
        • C:\Users\Admin\AppData\Local\A7lnnf6\Utilman.exe
          C:\Users\Admin\AppData\Local\A7lnnf6\Utilman.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1584

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\A7lnnf6\DUI70.dll
          Filesize

          928KB

          MD5

          1408c8666a9479ade86aec39cc62ce49

          SHA1

          43e49252cb40ab18f8363999f3654a5e81017c83

          SHA256

          e8691ca69d8db9863718d4a01e75d8029dae3e3b371f47670d7a81ea49640fcf

          SHA512

          569c0f99b74de26f4fdb5bb60668beedffca483010c8d173b146b7d5a2f0c49a3ef7d7178c55bdda96fb7fb63b164357e557d3386ac5e3e38f6d2c57c95b8e8a

          Download Submit

        • C:\Users\Admin\AppData\Local\QbPgOqh\appwiz.cpl
          Filesize

          724KB

          MD5

          18e6b5552af22be6542c4ded55202b2a

          SHA1

          64f3be46f5bbfc207e1a2ed7e010d7ddb78d969e

          SHA256

          754575b0069b7339a6e340e68118924ef4b45a28ac184ff63315bb8ee3ee1366

          SHA512

          0eff669e141a88a16c10d746eebb24bd6e63557fb11c381f0452d620983e49bc40cdc9e6ab05a3a657d0fb6e10cb84b0c22e931bb24cad7d0c8a0626989c522f

          Download Submit

        • C:\Users\Admin\AppData\Local\SwK\MFC42u.dll
          Filesize

          748KB

          MD5

          ad959a271446390a055abffd9fbd9ebc

          SHA1

          c1472980eff30242b5f1c65e417eec7f202f2167

          SHA256

          7874bec8238b965ea0a48aec5deb7379b8309a156d304f794443ba93b891c543

          SHA512

          a882ca2129c9f0cd820567b4b8a48a8888e39764165c78006fde6858046b041b624d5a5a244200999df879d3468ae5a0449931aac3e6c6d65eb45ef828342880

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wbvsyha.lnk
          Filesize

          1KB

          MD5

          84bf8084be76a5e22159e9bc34e80665

          SHA1

          e5073de56cbbf249dfb345f294189b47ecaf8d26

          SHA256

          b76609ec53e0abf51dbeeca9566dfa4116c4851076b6b6a3adc3e148bd028798

          SHA512

          4e42a751f66859c3024b622fc3a6120e72c2e89196cbcdd6225c50d263e2699b86d124281e765e20a232d2ae7eb97e542f8357920f885de3af182974ea70d227

          Download Submit

        • \Users\Admin\AppData\Local\A7lnnf6\Utilman.exe
          Filesize

          1.3MB

          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

          Download Submit

        • \Users\Admin\AppData\Local\QbPgOqh\ComputerDefaults.exe
          Filesize

          36KB

          MD5

          86bd981f55341273753ac42ea200a81e

          SHA1

          14fe410efc9aeb0a905b984ac27719ff0dd10ea7

          SHA256

          40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

          SHA512

          49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

          Download Submit

        • \Users\Admin\AppData\Local\SwK\DevicePairingWizard.exe
          Filesize

          73KB

          MD5

          9728725678f32e84575e0cd2d2c58e9b

          SHA1

          dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

          SHA256

          d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

          SHA512

          a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

          Download Submit

        • memory/1112-11-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-14-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-3-0x0000000076CC6000-0x0000000076CC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1112-10-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-8-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-7-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-9-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-23-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-24-0x0000000077030000-0x0000000077032000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1112-25-0x0000000077060000-0x0000000077062000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1112-36-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-34-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-4-0x00000000024F0000-0x00000000024F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1112-44-0x0000000076CC6000-0x0000000076CC7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1112-13-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-12-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-6-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1112-22-0x00000000024D0000-0x00000000024D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1584-86-0x0000000140000000-0x00000001400E8000-memory.dmp

          Filesize

          928KB

          Download

        • memory/1584-90-0x0000000140000000-0x00000001400E8000-memory.dmp

          Filesize

          928KB

          Download

        • memory/1996-69-0x0000000140000000-0x00000001400BB000-memory.dmp

          Filesize

          748KB

          Download

        • memory/1996-71-0x0000000000310000-0x0000000000317000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1996-74-0x0000000140000000-0x00000001400BB000-memory.dmp

          Filesize

          748KB

          Download

        • memory/2688-43-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/2688-0-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/2688-2-0x0000000000130000-0x0000000000137000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2872-57-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2872-53-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2872-52-0x0000000000410000-0x0000000000417000-memory.dmp

          Filesize

          28KB

          Download