Overview

overview

10

Static

static

3

dfff1351a7...88.dll

windows7-x64

10

dfff1351a7...88.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfff1351a71e2a46724a191232467ee5aae1ab441b331253293ff682272c2a88.dll

  • Size

    724KB

  • MD5

    2ef91939a663dcb029490b73596d0c8c

  • SHA1

    cefb7533cbab4ad4d1bf351bb78ef0e3ca95729d

  • SHA256

    dfff1351a71e2a46724a191232467ee5aae1ab441b331253293ff682272c2a88

  • SHA512

    c6fb10150a279d5098ca52a15edfa05bf39301312345d01aeefff2812a2515f97eb9f2e461857eaa420f3c135457b34a2b931ecf9b0119f1301716fb383aec5a

  • SSDEEP

    12288:RqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:RqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfff1351a71e2a46724a191232467ee5aae1ab441b331253293ff682272c2a88.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1052
  • C:\Windows\system32\lpksetup.exe
    C:\Windows\system32\lpksetup.exe
    1⤵
      PID:3716
    • C:\Users\Admin\AppData\Local\j6A9nCj\lpksetup.exe
      C:\Users\Admin\AppData\Local\j6A9nCj\lpksetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4464
    • C:\Windows\system32\MDMAppInstaller.exe
      C:\Windows\system32\MDMAppInstaller.exe
      1⤵
        PID:932
      • C:\Users\Admin\AppData\Local\KngMgJJVJ\MDMAppInstaller.exe
        C:\Users\Admin\AppData\Local\KngMgJJVJ\MDMAppInstaller.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1892
      • C:\Windows\system32\Narrator.exe
        C:\Windows\system32\Narrator.exe
        1⤵
          PID:2736
        • C:\Users\Admin\AppData\Local\wqHYd\Narrator.exe
          C:\Users\Admin\AppData\Local\wqHYd\Narrator.exe
          1⤵
          • Executes dropped EXE
          PID:3448
        • C:\Windows\system32\OptionalFeatures.exe
          C:\Windows\system32\OptionalFeatures.exe
          1⤵
            PID:4044
          • C:\Users\Admin\AppData\Local\NTg6pXVj\OptionalFeatures.exe
            C:\Users\Admin\AppData\Local\NTg6pXVj\OptionalFeatures.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:2072

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\KngMgJJVJ\MDMAppInstaller.exe
            Filesize

            151KB

            MD5

            30e978cc6830b04f1e7ed285cccaa746

            SHA1

            e915147c17e113c676c635e2102bbff90fb7aa52

            SHA256

            dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766

            SHA512

            331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

            Download Submit

          • C:\Users\Admin\AppData\Local\KngMgJJVJ\WTSAPI32.dll
            Filesize

            728KB

            MD5

            19b77194ac11187c7ebfc4d19c0f5c73

            SHA1

            408e76daae542f85fed503cd5196b2d6b59934cd

            SHA256

            fba927d8aa77a08dfc9b7c0cc6c43d306c4c2d357d0be7028a76b1c6f9b32685

            SHA512

            a5da3ddc041581fad1bd7b32e1bbe070a0e9098d44a93ef4f63f6333f68389d1c16a72c59cb59eb96f8c4952466ce8dd24b624c0676d19ca65512c6688cc9f63

            Download Submit

          • C:\Users\Admin\AppData\Local\NTg6pXVj\OptionalFeatures.exe
            Filesize

            110KB

            MD5

            d6cd8bef71458804dbc33b88ace56372

            SHA1

            a18b58445be2492c5d37abad69b5aa0d29416a60

            SHA256

            fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

            SHA512

            1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

            Download Submit

          • C:\Users\Admin\AppData\Local\NTg6pXVj\appwiz.cpl
            Filesize

            728KB

            MD5

            8f11876459687d2f2c6d53d9649d812c

            SHA1

            7aab3c7cb2c636d22e30ab52535481f8f1e221a9

            SHA256

            62dfe498d6399f9c1caa10ea9d680f2193c76e7eff4ec06fb1209f9352d7d0d3

            SHA512

            fc48164202376bcee88a27fe102dac78e72c42d855f432c4bf03aab2bc193f1f4103686b99c81d1cc57c0022dc392139399cfd49fed6b6d4420624e35bf8269b

            Download Submit

          • C:\Users\Admin\AppData\Local\j6A9nCj\dpx.dll
            Filesize

            728KB

            MD5

            72672fa945301e942dd7c03276e9faf1

            SHA1

            8eae5cf4a56d1b846f9367caa12467e80175285e

            SHA256

            539627f25e218e5badd7ba948112bcd49fc67f1541cfb2af0439f46025227e52

            SHA512

            cfa9005b2bfac252567b6198bed5dde3d8b46d4640a643058502dfa505317ca4f2437db693c204792f7ce59e5326e94ac141f7af4c933869ceb44238ca3b3da8

            Download Submit

          • C:\Users\Admin\AppData\Local\j6A9nCj\lpksetup.exe
            Filesize

            728KB

            MD5

            c75516a32e0aea02a184074d55d1a997

            SHA1

            f9396946c078f8b0f28e3a6e21a97eeece31d13f

            SHA256

            cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22

            SHA512

            92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

            Download Submit

          • C:\Users\Admin\AppData\Local\wqHYd\Narrator.exe
            Filesize

            521KB

            MD5

            d92defaa4d346278480d2780325d8d18

            SHA1

            6494d55b2e5064ffe8add579edfcd13c3e69fffe

            SHA256

            69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

            SHA512

            b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk
            Filesize

            1KB

            MD5

            404e236d503f9bdc91c0e660dc587324

            SHA1

            6d042af0a4d7a2b13f08ceb7fe726e4c60a25a8a

            SHA256

            755b2e99ea761b73f7d6b40e52f7a2cd05a715ca7f5ad1de233f0b49bc451abe

            SHA512

            62a2e8c1a006a1e8848e93acafa9aaad8ebe8530aa2ebbb19b501a89374ee45a44c3435fd2dcbf7cada6bb008ad65d1730626beb8545f4e2817fecfed153b0dd

            Download Submit

          • memory/1052-1-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1052-2-0x00007FFC68900000-0x00007FFC68C55000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1052-39-0x00007FFC68900000-0x00007FFC68C55000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1052-38-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1892-67-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1892-64-0x00000228BF7A0000-0x00000228BF7A7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/2072-90-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/3520-8-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-12-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-7-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-6-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-10-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-11-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-24-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-35-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-5-0x00007FFC67ACA000-0x00007FFC67ACB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3520-3-0x0000000002640000-0x0000000002641000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3520-13-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-26-0x00007FFC69490000-0x00007FFC694A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3520-25-0x00007FFC694A0000-0x00007FFC694B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3520-9-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-23-0x0000000002610000-0x0000000002617000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3520-15-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3520-14-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/4464-51-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/4464-46-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/4464-48-0x000001C80FF70000-0x000001C80FF77000-memory.dmp

            Filesize

            28KB

            Download