Overview

overview

10

Static

static

3

328aa9b106...5a.dll

windows7-x64

10

328aa9b106...5a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a.dll

  • Size

    696KB

  • MD5

    09eac984a186ff4bc57bbf0d7a04057b

  • SHA1

    fbef060f577b7aac6346db2072fc852aa4832b20

  • SHA256

    328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a

  • SHA512

    a690df7c00db4aa59b6a19995754820fc704a8f3524ce4394f8f99e2086b83ba835be63e490e63b59641c2e5ffd7cd575a4313021172351afe5d986a6a50980e

  • SSDEEP

    12288:RqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:RqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\328aa9b1065fe77cc18f9c738b30eb12b1c1bb7c857fd91b075440d5e725885a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3920
  • C:\Windows\system32\dccw.exe
    C:\Windows\system32\dccw.exe
    1⤵
      PID:3708
    • C:\Users\Admin\AppData\Local\XxcsENqYk\dccw.exe
      C:\Users\Admin\AppData\Local\XxcsENqYk\dccw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3824
    • C:\Windows\system32\WindowsActionDialog.exe
      C:\Windows\system32\WindowsActionDialog.exe
      1⤵
        PID:4380
      • C:\Users\Admin\AppData\Local\SjdQ\WindowsActionDialog.exe
        C:\Users\Admin\AppData\Local\SjdQ\WindowsActionDialog.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:968
      • C:\Windows\system32\Magnify.exe
        C:\Windows\system32\Magnify.exe
        1⤵
          PID:3924
        • C:\Users\Admin\AppData\Local\iqhX\Magnify.exe
          C:\Users\Admin\AppData\Local\iqhX\Magnify.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5004

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\SjdQ\DUI70.dll
          Filesize

          976KB

          MD5

          e7cf4aa25e8ad2a8587f599f9b01e220

          SHA1

          7994713d30a476d01c4b7a365e062ae636ac4cdb

          SHA256

          2b919e15b86bd91089e7a543be0e7d0ad09cb944bfb7610f239c16c124596eaa

          SHA512

          cdecbf7bc27003966f766a69957041c196576a234b70fd75154ac38ae46931ecf63ff58212ba8382f9eed4f43a40849b15e4a5e43449f65c6e1e50fb2f94e2e4

          Download Submit

        • C:\Users\Admin\AppData\Local\SjdQ\WindowsActionDialog.exe
          Filesize

          61KB

          MD5

          73c523b6556f2dc7eefc662338d66f8d

          SHA1

          1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

          SHA256

          0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

          SHA512

          69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

          Download Submit

        • C:\Users\Admin\AppData\Local\XxcsENqYk\dccw.exe
          Filesize

          101KB

          MD5

          cb9374911bf5237179785c739a322c0f

          SHA1

          3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

          SHA256

          f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

          SHA512

          9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

          Download Submit

        • C:\Users\Admin\AppData\Local\XxcsENqYk\dxva2.dll
          Filesize

          700KB

          MD5

          19c652cdf0619fa524b78c4b745bc166

          SHA1

          ed3a92da202888e0058edfae181536a7857730a4

          SHA256

          65ad2abc4ef7d966436b985078d40a16328de79817ad360e50a2167efa811654

          SHA512

          86db413126cc0c2dee83cd5ea26b34897aea1238effc15cf0af0fba8ade9645190bf11dbae17942a7245004f853027c782af0eebf55663ff8f2d5d046e0e4ae3

          Download Submit

        • C:\Users\Admin\AppData\Local\iqhX\Magnify.exe
          Filesize

          639KB

          MD5

          4029890c147e3b4c6f41dfb5f9834d42

          SHA1

          10d08b3f6dabe8171ca2dd52e5737e3402951c75

          SHA256

          57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

          SHA512

          dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

          Download Submit

        • C:\Users\Admin\AppData\Local\iqhX\dwmapi.dll
          Filesize

          700KB

          MD5

          80f5bff8bb555419532434b9407d9f00

          SHA1

          77bf15a25bed35282f591509052a48b9c2321ae6

          SHA256

          e61891632ac523db0d385591363a9402a5433032a2b1fa1d7116243a9cfed231

          SHA512

          aae1f8c874440785d8d158189d0a4c98cb9a7afc18611c166284a54422b6dcf36b7db995eaa7ce948c969c4cc4065a35bafb1926d8ec2837a1b9db8e89a37105

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk
          Filesize

          1KB

          MD5

          7d79133ffbbfab9743e3245e79df65ae

          SHA1

          6debb1ee5549c26807fe9e8eea56d67bf6180bd0

          SHA256

          b5377afba570ce61db57bc473d337efebe80136171f105ad17989b6c0ac79b81

          SHA512

          90beaad27f2ead56f60c24676c3b7ccd788701073388c42b65fbac7fe4001a2da1b36398ec07eab7a5825a921534783174f299cabe25b986acbc635ae9944c83

          Download Submit

        • memory/968-65-0x0000000140000000-0x00000001400F4000-memory.dmp

          Filesize

          976KB

          Download

        • memory/968-60-0x0000000140000000-0x00000001400F4000-memory.dmp

          Filesize

          976KB

          Download

        • memory/968-62-0x000002E951CC0000-0x000002E951CC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3424-25-0x00007FF81C310000-0x00007FF81C320000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3424-14-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-12-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-11-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-8-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-9-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-7-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-6-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-3-0x0000000002A60000-0x0000000002A61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3424-34-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-24-0x00007FF81C320000-0x00007FF81C330000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3424-4-0x00007FF81B32A000-0x00007FF81B32B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3424-10-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-13-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-23-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3424-22-0x0000000000AC0000-0x0000000000AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3824-49-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3824-46-0x000002551F2B0000-0x000002551F2B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3824-44-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/3920-2-0x0000013E93350000-0x0000013E93357000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3920-37-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3920-1-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/5004-79-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download