Overview

overview

10

Static

static

3

b9414ec1a9...1f.dll

windows7-x64

10

b9414ec1a9...1f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f.dll

  • Size

    692KB

  • MD5

    c2b6f8ebb1dd8692d134ed9dd9891cfa

  • SHA1

    1a1eb14433d4be1fb5e464c913a478f286fbf991

  • SHA256

    b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f

  • SHA512

    a6a938cdb0718f6757cffbf122d7f36420b78a20df3727872469c8f4bacf131d5ea596c90b148771e95c89cf9ccc10388f36e19098e491c1dbc0a96ff563befe

  • SSDEEP

    12288:wqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:wqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9414ec1a9551702c1248ce53e3b9f80fd023fb0393c957f3cc949dfcdfcb11f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2028
  • C:\Windows\system32\ie4ushowIE.exe
    C:\Windows\system32\ie4ushowIE.exe
    1⤵
      PID:4000
    • C:\Users\Admin\AppData\Local\mph\ie4ushowIE.exe
      C:\Users\Admin\AppData\Local\mph\ie4ushowIE.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2056
    • C:\Windows\system32\BdeUISrv.exe
      C:\Windows\system32\BdeUISrv.exe
      1⤵
        PID:1124
      • C:\Users\Admin\AppData\Local\nGm1TeD\BdeUISrv.exe
        C:\Users\Admin\AppData\Local\nGm1TeD\BdeUISrv.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:736
      • C:\Windows\system32\sethc.exe
        C:\Windows\system32\sethc.exe
        1⤵
          PID:1748
        • C:\Users\Admin\AppData\Local\mwO2J\sethc.exe
          C:\Users\Admin\AppData\Local\mwO2J\sethc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1872

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\mph\VERSION.dll
          Filesize

          696KB

          MD5

          c67aaadd61b779bb2c0fcd59cc341f45

          SHA1

          80107759e70850b4f4a760b0a706169b85aef5e5

          SHA256

          d9add21a1ef369169d53c1cfc581fe006b9f846aa884afc8365c5a2a8be186cc

          SHA512

          4dea297f575c547150abdd90af42985f4bab23f06fcaae543b18f8c3c66aabb1b6ffb220d21ac7bbb2d48de1dbb199f236b762fadc726fb837a44adb947809bc

          Download Submit

        • C:\Users\Admin\AppData\Local\mph\ie4ushowIE.exe
          Filesize

          76KB

          MD5

          9de952f476abab0cd62bfd81e20a3deb

          SHA1

          109cc4467b78dad4b12a3225020ea590bccee3e6

          SHA256

          e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

          SHA512

          3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

          Download Submit

        • C:\Users\Admin\AppData\Local\mwO2J\UxTheme.dll
          Filesize

          696KB

          MD5

          dcbb64931e5bab559961bb0c9e6631e1

          SHA1

          80125a7469adca3600c4ec878daf1986b0fd9e4a

          SHA256

          58210b8111e567d57dfc8223df9bad8ee241178fab28a638f0b8a6de49417c68

          SHA512

          952181903f801b16c8cc139f4a6719c39aeceeebf559edc922f48ed0fca1c1d8816d014ace1883c525ddc24877ebf9e29ac5e2c5665535bd0035915b6a479f5a

          Download Submit

        • C:\Users\Admin\AppData\Local\mwO2J\sethc.exe
          Filesize

          104KB

          MD5

          8ba3a9702a3f1799431cad6a290223a6

          SHA1

          9c7dc9b6830297c8f759d1f46c8b36664e26c031

          SHA256

          615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

          SHA512

          680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

          Download Submit

        • C:\Users\Admin\AppData\Local\nGm1TeD\BdeUISrv.exe
          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

          Download Submit

        • C:\Users\Admin\AppData\Local\nGm1TeD\WTSAPI32.dll
          Filesize

          696KB

          MD5

          a95b23b000542406c970070c121d79f8

          SHA1

          4e45c9d02984e2d7f8f84ca636b2c14bde83a949

          SHA256

          6cc6b14c9985a41b4d1f5e0d6254992a284176403103e389ce4982d20878a084

          SHA512

          7954e4493c72489c799cf8c6211859f4b7cd43f5df5e8c00703f5e6b16425ed97bd80eee29afcddf631d8a1929d6d58e85fb5b15157cfd9fe619c89458436ad4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk
          Filesize

          1KB

          MD5

          691283be083c55da4adb1aaec1e857bd

          SHA1

          904eec19e7b81c3acb8bca3b70270936ae4ab856

          SHA256

          83130aeae4a0901d9f81a94a4ee903895a8aa85f47960ed14258d48a87233d13

          SHA512

          723b66e93925266763194f20b1744903738e9155fe6599334eb61bd5f6634fe8f49b9ec54c5e01edf0deef963423979f953d324c330d95900e4b3de9c8f4016a

          Download Submit

        • memory/736-59-0x0000028EBDC60000-0x0000028EBDC67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/736-64-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1872-79-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2028-36-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2028-2-0x0000022355890000-0x0000022355897000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2028-0-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2056-46-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2056-43-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2056-45-0x0000020585D00000-0x0000020585D07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3560-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-33-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-22-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-23-0x00007FFD40060000-0x00007FFD40070000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3560-24-0x00007FFD40050000-0x00007FFD40060000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3560-21-0x0000000002C20000-0x0000000002C27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3560-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/3560-5-0x00007FFD3FFCA000-0x00007FFD3FFCB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3560-3-0x0000000002C10000-0x0000000002C11000-memory.dmp

          Filesize

          4KB

          Download