Overview

overview

10

Static

static

3

b9414ec1a9...1f.dll

windows7-x64

10

b9414ec1a9...1f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f.dll

  • Size

    692KB

  • MD5

    c2b6f8ebb1dd8692d134ed9dd9891cfa

  • SHA1

    1a1eb14433d4be1fb5e464c913a478f286fbf991

  • SHA256

    b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f

  • SHA512

    a6a938cdb0718f6757cffbf122d7f36420b78a20df3727872469c8f4bacf131d5ea596c90b148771e95c89cf9ccc10388f36e19098e491c1dbc0a96ff563befe

  • SSDEEP

    12288:wqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:wqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1732
  • C:\Windows\system32\DisplaySwitch.exe
    C:\Windows\system32\DisplaySwitch.exe
    1⤵
      PID:2648
    • C:\Users\Admin\AppData\Local\NO93utIaE\DisplaySwitch.exe
      C:\Users\Admin\AppData\Local\NO93utIaE\DisplaySwitch.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2952
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
        PID:2732
      • C:\Users\Admin\AppData\Local\xCI\tcmsetup.exe
        C:\Users\Admin\AppData\Local\xCI\tcmsetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2252
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        1⤵
          PID:1808
        • C:\Users\Admin\AppData\Local\MVvq\SystemPropertiesComputerName.exe
          C:\Users\Admin\AppData\Local\MVvq\SystemPropertiesComputerName.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1676

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\MVvq\SYSDM.CPL
          Filesize

          696KB

          MD5

          ada8bf7c75ea835f941c16f321dc9f7c

          SHA1

          744f89d3212d3b218e33a4ad68e075378beb0282

          SHA256

          08a2a94757b34280da41d4b54a17245f4438f0da820434ee94d13eb694bd99b5

          SHA512

          4e5554df795c34a0f8974359325fd20c4ef8eaec96ca5733d2314f24292644ea4217e41bb87d45241b12faf008af7673fd63341d0ff90400e42be33a913659df

          Download Submit

        • C:\Users\Admin\AppData\Local\NO93utIaE\slc.dll
          Filesize

          696KB

          MD5

          261e90d423cb864973bbb086e1068c4a

          SHA1

          8feff2f8cd1524e13ac20f1e312319117868e6d1

          SHA256

          55634ce7189791496f5ebc05d07431f6f5356eca23cc0192cbc1d7bdf399e670

          SHA512

          7a2505a377b94deab57db637c523336537d34348d314e70217bc05b7533551299404b8b142425ede238d5ce9600324e74b9f917bbfe379e5d756fad4d67fb274

          Download Submit

        • C:\Users\Admin\AppData\Local\xCI\TAPI32.dll
          Filesize

          700KB

          MD5

          f396e8b02c503da4250fa86f5cb626ce

          SHA1

          db118f4f2c1a445d203ee528e49dfce3c469b2a9

          SHA256

          001dff616dca9c516543d4ca1b823217c015a3eabe638e471881d943368977b2

          SHA512

          51e12df58a314f5c1e39d5a3df2ac67402fb1b10f73462d0fba830ce4fa83260cfa0754905546c3ca52ad1f3e8a1ccb74eae20085259080564cbbd0145e4ded6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          bea3b2affd1ea24bce7e15fb64e8dc15

          SHA1

          2f8e78e9bd155eef344a1fe78e8ef2ccd1f2cf2d

          SHA256

          f02209f9feff387e9415342618e9ddf9481167e99b4fe6611912de5712d0c1ef

          SHA512

          896be449a494953adc263d61ea2a259826fa607053c38b7e9a5fb48ae4b48556b8854775352a7a090e4726308a9b5883ca98bf2b9d12232bacfffbe18f73f7cb

          Download Submit

        • \Users\Admin\AppData\Local\MVvq\SystemPropertiesComputerName.exe
          Filesize

          80KB

          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit

        • \Users\Admin\AppData\Local\NO93utIaE\DisplaySwitch.exe
          Filesize

          517KB

          MD5

          b795e6138e29a37508285fc31e92bd78

          SHA1

          d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

          SHA256

          01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

          SHA512

          8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

          Download Submit

        • \Users\Admin\AppData\Local\xCI\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit

        • memory/1204-33-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-23-0x0000000077290000-0x0000000077292000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-24-0x00000000772C0000-0x00000000772C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-3-0x0000000077026000-0x0000000077027000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-35-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-4-0x0000000002D40000-0x0000000002D41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-43-0x0000000077026000-0x0000000077027000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-21-0x0000000002D20000-0x0000000002D27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1204-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1676-89-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1732-42-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1732-0-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1732-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2252-68-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2252-69-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2252-73-0x0000000140000000-0x00000001400AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/2952-56-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2952-52-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2952-51-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download