Overview

overview

10

Static

static

3

659fb5a890...af.dll

windows7-x64

10

659fb5a890...af.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    659fb5a890e7be6cbfe2a20042a83f9032907ea12a549de3aab9c0c79211beaf.dll

  • Size

    944KB

  • MD5

    a4804bb1aba480dec5d7b54e9a82747b

  • SHA1

    69f96371c589b596531fc402aabe99165472904d

  • SHA256

    659fb5a890e7be6cbfe2a20042a83f9032907ea12a549de3aab9c0c79211beaf

  • SHA512

    a2f4980109bd4109a61cc618c5a09772291286c6d5ceefaa180b340a4f57fb49cd8bdfb510710c5293dbe2d2031acfe7575f9b4e42d019078bd2d007058ef37c

  • SSDEEP

    6144:j34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTR:jIKp/UWCZdCDh2IZDwAFRpR6AuvS0K

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\659fb5a890e7be6cbfe2a20042a83f9032907ea12a549de3aab9c0c79211beaf.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2728
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    1⤵
      PID:532
    • C:\Users\Admin\AppData\Local\fH3GXWe\sethc.exe
      C:\Users\Admin\AppData\Local\fH3GXWe\sethc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1140
    • C:\Windows\system32\sethc.exe
      C:\Windows\system32\sethc.exe
      1⤵
        PID:1804
      • C:\Users\Admin\AppData\Local\AMwE\sethc.exe
        C:\Users\Admin\AppData\Local\AMwE\sethc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2120
      • C:\Windows\system32\UI0Detect.exe
        C:\Windows\system32\UI0Detect.exe
        1⤵
          PID:2116
        • C:\Users\Admin\AppData\Local\aWvm0\UI0Detect.exe
          C:\Users\Admin\AppData\Local\aWvm0\UI0Detect.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2404

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\AMwE\DUI70.dll
          Filesize

          1.1MB

          MD5

          19228c7a0cfb6479694ac7a213420106

          SHA1

          361029aa4565757df4c4064219e2d970d2d23f70

          SHA256

          19c1379503f88a2ea36a418a2a735ba8572a36e7265b73e287037ffaf0c25423

          SHA512

          1b2c41573d5a56b6f683e3817f36c5ab07e42214b0caada2cae9d4970278e6368ab9651665ee13609222a23188eb15b7a23d2ed6f8d4a8a0c186cbb59bb680ed

          Download Submit

        • C:\Users\Admin\AppData\Local\aWvm0\VERSION.dll
          Filesize

          948KB

          MD5

          b06ed2579fcc7fdea2437a7f9772c054

          SHA1

          1ff4e8fd11d7ef0a709855d3b73eb657ea86caaf

          SHA256

          a5426d13ad03d6e2ccb8e4a56e78ba19a923d8c5d85983350891527b9cf7b25d

          SHA512

          c52687490c315cbdc0e754a4151af6c8c7f1db5479866e5906cd73618e0e0db4e74a45e50ae5d2eaf2aecdfa82dda503d4fe5836aaa1ab473c7d9f5c9bfef93e

          Download Submit

        • C:\Users\Admin\AppData\Local\fH3GXWe\UxTheme.dll
          Filesize

          948KB

          MD5

          db0ffd67e2bb917eb87118fe57e0a0f4

          SHA1

          baa67050b6a388636a2eadaf9ef7d82b449e5d94

          SHA256

          73c0e9dab31addca003fc770c22213af63c2127b136ecf886c9be867b38ffce9

          SHA512

          b15c12eca7e62b851d761e34f912cc59003d5850ccbb86d7c549a7b5de90494990f72e0f03e9673f7ed6dc30d64e07f943a7e883b53d887d7ea6c40a90d74153

          Download Submit

        • C:\Users\Admin\AppData\Local\fH3GXWe\sethc.exe
          Filesize

          272KB

          MD5

          3bcb70da9b5a2011e01e35ed29a3f3f3

          SHA1

          9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

          SHA256

          dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

          SHA512

          69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          c343bd9d2528f8b8173eb0d1b33e951f

          SHA1

          386500d2ec86271dd4383c4808585e052f9e3d73

          SHA256

          0fdbdc14a41bece073de018bda1bf98935b9730c1384b3f4ec5c5673ec6fad5f

          SHA512

          51f7f709ed0552a373069ca039ec79d641752a9bc26326c1da471501f29b6f73dbb14510f9be8453a2c876b0e4351e4ec753a6e4def0cd3e088d25349ecf979d

          Download Submit

        • \Users\Admin\AppData\Local\aWvm0\UI0Detect.exe
          Filesize

          40KB

          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit

        • memory/1140-57-0x000007FEF62C0000-0x000007FEF63AD000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1140-53-0x000007FEF62C0000-0x000007FEF63AD000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1140-52-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-8-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-25-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-17-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-16-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-15-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1192-13-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-12-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-24-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-26-0x0000000076F20000-0x0000000076F22000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1192-11-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-35-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-37-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-3-0x0000000076B86000-0x0000000076B87000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1192-9-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-10-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-14-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-7-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1192-6-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2120-69-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2120-70-0x000007FEF5C70000-0x000007FEF5D90000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2120-74-0x000007FEF5C70000-0x000007FEF5D90000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2404-86-0x000007FEF5CA0000-0x000007FEF5D8D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2404-90-0x000007FEF5CA0000-0x000007FEF5D8D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2728-0-0x000007FEF5CA0000-0x000007FEF5D8C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2728-44-0x000007FEF5CA0000-0x000007FEF5D8C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2728-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download