Overview

overview

10

Static

static

3

6148532826...bf.dll

windows7-x64

10

6148532826...bf.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6148532826cdbfc9b12295ce641021f22336459ea6f5cd2de43dec5f18e648bf.dll

  • Size

    728KB

  • MD5

    3a325295832f70c883b27b87efa606c6

  • SHA1

    920e9216016a61f1323024604facdb3fa3d4739a

  • SHA256

    6148532826cdbfc9b12295ce641021f22336459ea6f5cd2de43dec5f18e648bf

  • SHA512

    8908496ecd06be35afaf723601ec8478f8b6d1805bf390f5fbb2301db21d0872b0b63f4dbdfb1f9d03db8ecd721a697a49a6eb79d6d5d3e2f173e3176cc7c05f

  • SSDEEP

    12288:pqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:pqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6148532826cdbfc9b12295ce641021f22336459ea6f5cd2de43dec5f18e648bf.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2384
  • C:\Windows\system32\consent.exe
    C:\Windows\system32\consent.exe
    1⤵
      PID:2836
    • C:\Users\Admin\AppData\Local\urpGjUa5M\consent.exe
      C:\Users\Admin\AppData\Local\urpGjUa5M\consent.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2952
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      1⤵
        PID:2172
      • C:\Users\Admin\AppData\Local\9HoB2gmiU\wermgr.exe
        C:\Users\Admin\AppData\Local\9HoB2gmiU\wermgr.exe
        1⤵
        • Executes dropped EXE
        PID:2284
      • C:\Windows\system32\notepad.exe
        C:\Windows\system32\notepad.exe
        1⤵
          PID:1676
        • C:\Users\Admin\AppData\Local\qvg\notepad.exe
          C:\Users\Admin\AppData\Local\qvg\notepad.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1392
        • C:\Windows\system32\DisplaySwitch.exe
          C:\Windows\system32\DisplaySwitch.exe
          1⤵
            PID:1316
          • C:\Users\Admin\AppData\Local\4zAVhKRg4\DisplaySwitch.exe
            C:\Users\Admin\AppData\Local\4zAVhKRg4\DisplaySwitch.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2040

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\4zAVhKRg4\slc.dll
            Filesize

            732KB

            MD5

            48f8f4835f7d2aad3ab54dad7b5264fa

            SHA1

            44abfb898464f5e8ece4802f84d18e63fbd328e8

            SHA256

            94aceafc71d233d2afaf56b314ca8891a1e52ec50a884c427eba01c78bd8e0a9

            SHA512

            6e4dee6c1c5fd0ea9c02a75499485af61214123b6ac275b57a5bb17ac22f4047f24b736ee595583a55525e1d0bc0d02a45f6cfaeff41f1cad8822a6bbef21548

            Download Submit

          • C:\Users\Admin\AppData\Local\qvg\VERSION.dll
            Filesize

            732KB

            MD5

            ea97366e75ac3dfe5eb9f6792765cacb

            SHA1

            db447bdcde77e4ad3ce8bbb794794dd39bc05d79

            SHA256

            1fcb371194db252e908f41bc9c15b5e05b2bfc16e57dbc8897660f958ccb8b86

            SHA512

            6e160c75f85b4b86033b6d31de57fa683c26ab760c847df57a247927e025fe10b0b9d9c000a003424d401397a9d0773995feebe40117d17f65187bf76201a410

            Download Submit

          • C:\Users\Admin\AppData\Local\urpGjUa5M\WINSTA.dll
            Filesize

            736KB

            MD5

            93f1217881c573d00340cb1b660861e0

            SHA1

            6055bca7cefa469dc60c8a705b3d752e9ad18484

            SHA256

            57730097e569967282081be81209d0bb90745dfa242965c392d82e25028ce548

            SHA512

            76aff20f770bb36281d194ee2b7fc2dcc38af95028fb86752e8878661adccfe7f545dcb3638bcbe4cb91b7b04276e7d39a2400984d7aba67875e17e187011f41

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk
            Filesize

            1KB

            MD5

            6e64def2379cccab47ddb650dcabbe2a

            SHA1

            fe155ab1dfeed98438c993a090d5a1de2315eff7

            SHA256

            2fa4ff69ccaca5c19b3c2b152ee4bbd0f99d5d0e432bb7cef6cfdeb8b8170ff3

            SHA512

            8bf384bdc0e2c31008a10349fd3bba167f6a3fe33cbdb006f0e6e21ca0eaa7e1576effc57f2c014d842088d1a4f4cdb4d623417b8eb4a8a7e21f36590e1bd413

            Download Submit

          • \Users\Admin\AppData\Local\4zAVhKRg4\DisplaySwitch.exe
            Filesize

            517KB

            MD5

            b795e6138e29a37508285fc31e92bd78

            SHA1

            d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

            SHA256

            01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

            SHA512

            8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

            Download Submit

          • \Users\Admin\AppData\Local\9HoB2gmiU\wermgr.exe
            Filesize

            49KB

            MD5

            41df7355a5a907e2c1d7804ec028965d

            SHA1

            453263d230c6317eb4a2eb3aceeec1bbcf5e153d

            SHA256

            207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

            SHA512

            59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

            Download Submit

          • \Users\Admin\AppData\Local\qvg\notepad.exe
            Filesize

            189KB

            MD5

            f2c7bb8acc97f92e987a2d4087d021b1

            SHA1

            7eb0139d2175739b3ccb0d1110067820be6abd29

            SHA256

            142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

            SHA512

            2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

            Download Submit

          • \Users\Admin\AppData\Local\urpGjUa5M\consent.exe
            Filesize

            109KB

            MD5

            0b5511674394666e9d221f8681b2c2e6

            SHA1

            6e4e720dfc424a12383f0b8194e4477e3bc346dc

            SHA256

            ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

            SHA512

            00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

            Download Submit

          • memory/1196-11-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-13-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-10-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-9-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-8-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-7-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-6-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-26-0x0000000077C90000-0x0000000077C92000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1196-25-0x0000000077C60000-0x0000000077C62000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1196-24-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-37-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-35-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-3-0x00000000778F6000-0x00000000778F7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1196-45-0x00000000778F6000-0x00000000778F7000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1196-12-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-4-0x0000000002E60000-0x0000000002E61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1196-15-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-14-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1196-20-0x0000000002E40000-0x0000000002E47000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1392-79-0x0000000000280000-0x0000000000287000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1392-80-0x0000000140000000-0x00000001400B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/1392-84-0x0000000140000000-0x00000001400B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/2040-100-0x0000000140000000-0x00000001400B7000-memory.dmp

            Filesize

            732KB

            Download

          • memory/2384-1-0x0000000001D80000-0x0000000001D87000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2384-44-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/2384-0-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/2952-58-0x0000000140000000-0x00000001400B8000-memory.dmp

            Filesize

            736KB

            Download

          • memory/2952-54-0x0000000140000000-0x00000001400B8000-memory.dmp

            Filesize

            736KB

            Download

          • memory/2952-53-0x0000000000180000-0x0000000000187000-memory.dmp

            Filesize

            28KB

            Download