Overview

overview

10

Static

static

3

328aa9b106...5a.dll

windows7-x64

10

328aa9b106...5a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a.dll

  • Size

    696KB

  • MD5

    09eac984a186ff4bc57bbf0d7a04057b

  • SHA1

    fbef060f577b7aac6346db2072fc852aa4832b20

  • SHA256

    328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a

  • SHA512

    a690df7c00db4aa59b6a19995754820fc704a8f3524ce4394f8f99e2086b83ba835be63e490e63b59641c2e5ffd7cd575a4313021172351afe5d986a6a50980e

  • SSDEEP

    12288:RqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:RqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1520
  • C:\Windows\system32\MpSigStub.exe
    C:\Windows\system32\MpSigStub.exe
    1⤵
      PID:2844
    • C:\Users\Admin\AppData\Local\ZIPSJAoX\MpSigStub.exe
      C:\Users\Admin\AppData\Local\ZIPSJAoX\MpSigStub.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2704
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      1⤵
        PID:2588
      • C:\Users\Admin\AppData\Local\SHqnuM\Magnify.exe
        C:\Users\Admin\AppData\Local\SHqnuM\Magnify.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2604
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        1⤵
          PID:1472
        • C:\Users\Admin\AppData\Local\dTjgc\SystemPropertiesRemote.exe
          C:\Users\Admin\AppData\Local\dTjgc\SystemPropertiesRemote.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:764

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\SHqnuM\dwmapi.dll
          Filesize

          700KB

          MD5

          b782f23cf270045c2adaabfe8282cc87

          SHA1

          01e126928ea6a6aa29e36ed6fc24f69ab1391ad1

          SHA256

          9d6679d9b5a11f8224ba639ddc596f2b5a687a369a400fda7099e0c213f5cf05

          SHA512

          812e72609d5081b952b1e64b8d557a652c92144bc9b6ea4966955c6a943c5ae999bfe1ecf6f2eec8ad33fc13e155543c8020ff7a227bf6684692938dd80041d8

          Download Submit

        • C:\Users\Admin\AppData\Local\ZIPSJAoX\VERSION.dll
          Filesize

          700KB

          MD5

          2d392089c25aaea94485455481d755c3

          SHA1

          1642424c62702d3c6857dbe1f1e1a46f48bdde89

          SHA256

          7379ef5d513c2ad459df7b04dcd876f305790dbc9f6e749492cfbb95ba47a76d

          SHA512

          b09b1e58f6a18f7b1c1f1511196036a86c0a4a1f1cc7a59ba538a46f68472830dff5d8fe5675f893781fe6831227d84c18f2ff13f9ec5884792150ffa1f3a75d

          Download Submit

        • C:\Users\Admin\AppData\Local\dTjgc\SYSDM.CPL
          Filesize

          700KB

          MD5

          a74fc12a50ee4b9f195f005edc850abf

          SHA1

          2f634694847e88a8ba5a61f71ecfaf1211e43cff

          SHA256

          2b8bf40849b90f649a93fcb4c983dec43061c22dcfdf64fd79e68cfdd65121bc

          SHA512

          496fde8d7f6223abc2df89d870e3f10e008206771bb35d3ec8baf060922a116970e98e1469a72857bcbf27cffa8fbc8f5ac7354bf39f20be7f81b2c28b6e9fad

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          9295e649f237496f91c908aa43237ec3

          SHA1

          562fadb6889fbd502f436ba08c8fed18efb7d562

          SHA256

          b06b454d98000458a0fec8fa64f05ceedbe6a1a4a3d420af1fb2f2d825adddb8

          SHA512

          642e7c5b8bb3df85b8483c4082707cb554933623a3922000fbfdd8a2c1e88bcce7aa9cdaad90cbc22ee0e568a45116eae2f0a059255268e5a8964d02965c1298

          Download Submit

        • \Users\Admin\AppData\Local\SHqnuM\Magnify.exe
          Filesize

          637KB

          MD5

          233b45ddf77bd45e53872881cff1839b

          SHA1

          d4b8cafce4664bb339859a90a9dd1506f831756d

          SHA256

          adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

          SHA512

          6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

          Download Submit

        • \Users\Admin\AppData\Local\ZIPSJAoX\MpSigStub.exe
          Filesize

          264KB

          MD5

          2e6bd16aa62e5e95c7b256b10d637f8f

          SHA1

          350be084477b1fe581af83ca79eb58d4defe260f

          SHA256

          d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

          SHA512

          1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

          Download Submit

        • \Users\Admin\AppData\Local\dTjgc\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit

        • memory/764-87-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/1216-24-0x0000000077730000-0x0000000077732000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-12-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-9-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-8-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-7-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-23-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-10-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-25-0x0000000077760000-0x0000000077762000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-3-0x00000000773C6000-0x00000000773C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-34-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-35-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-4-0x0000000002E10000-0x0000000002E11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-44-0x00000000773C6000-0x00000000773C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-11-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-13-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-6-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-14-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1216-22-0x0000000002640000-0x0000000002647000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1520-43-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1520-1-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1520-0-0x0000000001D80000-0x0000000001D87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2604-69-0x00000000001B0000-0x00000000001B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2604-73-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2704-57-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2704-53-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2704-52-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download