Overview

overview

10

Static

static

3

582465ca47...2f.dll

windows7-x64

10

582465ca47...2f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    582465ca47042194af55732c39ecd86302618b932f5b6608c9b1b825c112042f.dll

  • Size

    696KB

  • MD5

    0a3cf587cfebb06a98eb27d2200ddf2a

  • SHA1

    cb58b536bfb54b7ee2795a8939361465a8cb262e

  • SHA256

    582465ca47042194af55732c39ecd86302618b932f5b6608c9b1b825c112042f

  • SHA512

    806a83b20039618e181ccb87f9658cdb6dd25cef4b59d3bfc7c3a65381f1b67440e015dfe4f756f3c7e05ec05f3bba06732e32e51ddabc1295b803254ab9fd0f

  • SSDEEP

    12288:BqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:BqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\582465ca47042194af55732c39ecd86302618b932f5b6608c9b1b825c112042f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4940
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    1⤵
      PID:4036
    • C:\Users\Admin\AppData\Local\CGV\sigverif.exe
      C:\Users\Admin\AppData\Local\CGV\sigverif.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3000
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      1⤵
        PID:3572
      • C:\Users\Admin\AppData\Local\gaxabfI\Magnify.exe
        C:\Users\Admin\AppData\Local\gaxabfI\Magnify.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:8
      • C:\Windows\system32\bdechangepin.exe
        C:\Windows\system32\bdechangepin.exe
        1⤵
          PID:2664
        • C:\Users\Admin\AppData\Local\0tAgRDGR\bdechangepin.exe
          C:\Users\Admin\AppData\Local\0tAgRDGR\bdechangepin.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3256

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0tAgRDGR\DUI70.dll
          Filesize

          976KB

          MD5

          7564340a5fa9bc942722f6f59f029a5f

          SHA1

          1a087609f99c107e852830918847a552d54a26b2

          SHA256

          aa65d05347a73976793653504d3a7108dd6b14d9f081a38fb295d37bca40fa40

          SHA512

          10fadf05b7661acfb36a3ee8a058fbf26897d00c29f7d791648e5226858bbc1d997b91d77844d7a3a5eaabe3307cf331c37d9b0a448183d3e179fe52987a0157

          Download Submit

        • C:\Users\Admin\AppData\Local\0tAgRDGR\bdechangepin.exe
          Filesize

          373KB

          MD5

          601a28eb2d845d729ddd7330cbae6fd6

          SHA1

          5cf9f6f9135c903d42a7756c638333db8621e642

          SHA256

          4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

          SHA512

          1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

          Download Submit

        • C:\Users\Admin\AppData\Local\CGV\VERSION.dll
          Filesize

          700KB

          MD5

          46dbe39a155d6471914eba4d3a0a40d3

          SHA1

          f62d08d877c86a7f513ab60415d831fffdf9b1ab

          SHA256

          183e7d9ee2fadbef6e37e44abbab4d019f80f65ca3ad5baa1d11ef4855f23df2

          SHA512

          89fcae61dcdf39b0dc8669cb55730c10cde8c23aad5eab8748c75132547be5548b578bb9d85257349ed3f09815d25cece8881648dbb38e02a5d0af9893e4c556

          Download Submit

        • C:\Users\Admin\AppData\Local\CGV\sigverif.exe
          Filesize

          77KB

          MD5

          2151a535274b53ba8a728e542cbc07a8

          SHA1

          a2304c0f2616a7d12298540dce459dd9ccf07443

          SHA256

          064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

          SHA512

          e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

          Download Submit

        • C:\Users\Admin\AppData\Local\gaxabfI\MAGNIFICATION.dll
          Filesize

          700KB

          MD5

          e88bf970ee6de43cc05b054d1715215b

          SHA1

          0ef8702505e525b51a0fe40dde237d7ed04f01b6

          SHA256

          eef51e3ea0076b278b369101d8d25b7a725a8cdd4a7be5608a873cca8c2ab087

          SHA512

          d2a3657bec11d3e752bf23c76a9ec255f7af21235abf26b89d014a9e16f69ada0c7f9c393cfe3cd935631c5be73b4455c94b31d6302f7eef5a90085365c4e0c7

          Download Submit

        • C:\Users\Admin\AppData\Local\gaxabfI\Magnify.exe
          Filesize

          639KB

          MD5

          4029890c147e3b4c6f41dfb5f9834d42

          SHA1

          10d08b3f6dabe8171ca2dd52e5737e3402951c75

          SHA256

          57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

          SHA512

          dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          f12b54f847fa0a3ee2be5c0a66d51aa6

          SHA1

          ab78b30aaa736f32f944858b174b563e83cdd41f

          SHA256

          3b10e96901ee5b129f0a7326110f30dc7f38b263388c6fe141599c39ce4ace9c

          SHA512

          27c91543f37748d1ccdfbc48682b84a30e5f722e3aa0bfa6fc38ed72b9af0a7761db457827775b4cf25538bb3d4a176d8004f9ca7851b11abe5000dd652805f7

          Download Submit

        • memory/8-65-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/8-62-0x000001BDD4860000-0x000001BDD4867000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3000-49-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3000-46-0x000001F9CA370000-0x000001F9CA377000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3000-44-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3256-77-0x0000000140000000-0x00000001400F4000-memory.dmp

          Filesize

          976KB

          Download

        • memory/3256-80-0x0000000140000000-0x00000001400F4000-memory.dmp

          Filesize

          976KB

          Download

        • memory/3416-10-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-8-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-34-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-23-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-4-0x0000000002550000-0x0000000002551000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3416-25-0x00007FFE947B0000-0x00007FFE947C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3416-6-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-14-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-7-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-24-0x00007FFE947C0000-0x00007FFE947D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3416-9-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-3-0x00007FFE93F9A000-0x00007FFE93F9B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3416-12-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-22-0x0000000000380000-0x0000000000387000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3416-13-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3416-11-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/4940-0-0x0000020434540000-0x0000020434547000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4940-37-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/4940-1-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download