Overview

overview

10

Static

static

3

15e232aa5f...ae.dll

windows7-x64

10

15e232aa5f...ae.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15e232aa5f26fe7ff3ec901f1ce86f8d42e1cab7b455bcb542c16029db6e9cae.dll

  • Size

    668KB

  • MD5

    b534ddbf1e179b81850ddc36674a766c

  • SHA1

    9cbb409970c10468d338937d8a8e85dbd69b48e8

  • SHA256

    15e232aa5f26fe7ff3ec901f1ce86f8d42e1cab7b455bcb542c16029db6e9cae

  • SHA512

    8d1e304e6d11509b34f40ab23a8ce2ea4391b5c177388c938cd6e99d22036c80a515cdea95755997cfbacf443b9e1f6bf0b81eec7b7581aee316348a79c32ced

  • SSDEEP

    6144:J34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTt:JIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\15e232aa5f26fe7ff3ec901f1ce86f8d42e1cab7b455bcb542c16029db6e9cae.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2516
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2760
    • C:\Users\Admin\AppData\Local\cTC\osk.exe
      C:\Users\Admin\AppData\Local\cTC\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2436
    • C:\Windows\system32\msconfig.exe
      C:\Windows\system32\msconfig.exe
      1⤵
        PID:2084
      • C:\Users\Admin\AppData\Local\9xLCnLaI0\msconfig.exe
        C:\Users\Admin\AppData\Local\9xLCnLaI0\msconfig.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2144
      • C:\Windows\system32\mstsc.exe
        C:\Windows\system32\mstsc.exe
        1⤵
          PID:536
        • C:\Users\Admin\AppData\Local\FZ39\mstsc.exe
          C:\Users\Admin\AppData\Local\FZ39\mstsc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:304

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9xLCnLaI0\MFC42u.dll
          Filesize

          696KB

          MD5

          b7b5018f17d632676528bc5d61578e3d

          SHA1

          34038cf07f78b55e96074cf69cb9d195fdc223aa

          SHA256

          a418d9049d65efe269d4e51f151978294a840c12faf478cc4ea770bbaf03491c

          SHA512

          0c0c746235113ed9e8d2a2bb6b04c213cacce2f8302dc03d670b046361f3a87292744b077a496a45c570f1fb2994cee9d98c6d147eb0409597edebbb132f0c73

          Download Submit

        • C:\Users\Admin\AppData\Local\FZ39\credui.dll
          Filesize

          672KB

          MD5

          41734c2e637545ab0475e2170edffbc1

          SHA1

          b4f6fe538ef018615879f7f19e4e8169cf0e3e20

          SHA256

          e5472bc7285d10af4ef7af55ca949c07c827fc90190af466ba2789b7ce60f371

          SHA512

          a3e1830a8b0093bd5a5d05d9acb24f70652aed3618c2874864401bcfd4866b7ced220ef1cbeb2a1883e3114c107eb335173bc90487a246118e4244c853413085

          Download Submit

        • C:\Users\Admin\AppData\Local\cTC\OLEACC.dll
          Filesize

          672KB

          MD5

          badeeede883e04a657f131ec83c4817e

          SHA1

          d4e2912a256b1a7f6f28e7864aa2f3192b15e554

          SHA256

          71ab345cf62daf1ce257a92971dca626eaf16e24cef151e76b9ecdbfe969ecc3

          SHA512

          ddbd63fdf80bfac1df796a6fcbebe45427aa7456f62d30a8cd07a1a37a09acb560c36c9b3b1cab9a7c9ad60c1dc19be4d6629723df08a619d8d0a02baad3bf4f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          a1038804d29f1bb7d9fd4a3980bd81ce

          SHA1

          64297bbf2f3d8ac7ee2f505698fbb5c377b510fc

          SHA256

          e1477c1bdd56ca377920cbb4fa9b2860d3249a2d2dca7105c1f1267e80b7d95d

          SHA512

          279cf35d05233fc2b8930b18b776bee22b7584439afd79c7f362ea84488dd4c965e4312a8aafcfb476715cbdc03b25524b4e54382a8c60e4bcd0eb1c7968cd7a

          Download Submit

        • \Users\Admin\AppData\Local\9xLCnLaI0\msconfig.exe
          Filesize

          293KB

          MD5

          e19d102baf266f34592f7c742fbfa886

          SHA1

          c9c9c45b7e97bb7a180064d0a1962429f015686d

          SHA256

          f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

          SHA512

          1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

          Download Submit

        • \Users\Admin\AppData\Local\FZ39\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit

        • \Users\Admin\AppData\Local\cTC\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • memory/304-89-0x000007FEF7000000-0x000007FEF70A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-24-0x0000000076F10000-0x0000000076F12000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-44-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-23-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-3-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-25-0x0000000076F40000-0x0000000076F42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-34-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-4-0x00000000025F0000-0x00000000025F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/1216-22-0x00000000025D0000-0x00000000025D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2144-69-0x000007FEF7000000-0x000007FEF70AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2144-73-0x000007FEF7000000-0x000007FEF70AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2436-57-0x000007FEF7000000-0x000007FEF70A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2436-53-0x000007FEF7000000-0x000007FEF70A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2436-52-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2516-43-0x000007FEF6A20000-0x000007FEF6AC7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2516-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2516-0-0x000007FEF6A20000-0x000007FEF6AC7000-memory.dmp

          Filesize

          668KB

          Download