Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
18-10-2024 04:15
General
-
Target
7b5abbc20d881379a184b6c2f29a1e70196b4dabdbfbebc60f439a83be323bb4.dll
-
Size
668KB
-
MD5
95c5f4396d2f989fa54fd09521fc2676
-
SHA1
7bf1a0ee837c77866dd7ea42eb0ddf060990fd81
-
SHA256
7b5abbc20d881379a184b6c2f29a1e70196b4dabdbfbebc60f439a83be323bb4
-
SHA512
1ce9ef6f4f5cc2d4ce245b0efc330d7e62dd0e4a8ad57570f25efb67364bb6ca5888ad9dcc1a41ee95d682aa0b4633971c6d83428cf307fa6ea6fd0692dc7494
-
SSDEEP
6144:v34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:vIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Dridex payload 11 IoCs
Detects Dridex x64 core DLL in memory.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7b5abbc20d881379a184b6c2f29a1e70196b4dabdbfbebc60f439a83be323bb4.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\PresentationSettings.exeC:\Windows\system32\PresentationSettings.exe1⤵
-
C:\Users\Admin\AppData\Local\Zfw\PresentationSettings.exeC:\Users\Admin\AppData\Local\Zfw\PresentationSettings.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\Magnify.exeC:\Windows\system32\Magnify.exe1⤵
-
C:\Users\Admin\AppData\Local\sZCp\Magnify.exeC:\Users\Admin\AppData\Local\sZCp\Magnify.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SystemPropertiesRemote.exeC:\Windows\system32\SystemPropertiesRemote.exe1⤵
-
C:\Users\Admin\AppData\Local\d95ox\SystemPropertiesRemote.exeC:\Users\Admin\AppData\Local\d95ox\SystemPropertiesRemote.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
672KB
MD594e0b028c53ee811c2c25d877dbd0059
SHA1905b6030b395a6691ac26e2b237c5b63ea8f2024
SHA256d307c11c9393583e6455dd1b0b5b20e21b0865c8fc8fbf3cba229bcb75d5a4d0
SHA5124b5a017c62b9c789478d28386d73f161e07fe16e35fb3e9eac22b3e2e699a36d22b7cb8e07ccbfd6bc08644aecb0ec2585898e08e3b6fd2c8a8a19399de0095c
-
Filesize
672KB
MD5a4f26e1263b65a4020081f08e92fcdbc
SHA1bae8c8fb1376c3cf709605d0d66776d243a48a58
SHA256bfc57c5bb845261948ac0881173158e77d69d41f319a82b294ea175fdba168d4
SHA512cdd375362e94931ec14990f55d65692caf2c3727f64671ea6bb0f8156d47f073be2c0ae47ba2dc3c7eb08bd012fa68441f2a707174ae568245dbca64f5c7c150
-
Filesize
672KB
MD5fbc5e5f8458f3402b8fbe55bcfff7e44
SHA16d305ddd409039137087870600d9657f0eeff7b7
SHA2565cb9bc1b8495280ac6d8da2b26db311b96a325ed00f8c3e998523a9641d2d76b
SHA5128b1de579f2081e44169fa100bc948bfdab16c5eef0fbe7915f3d150d540cf91ef2517437959de51badf9409d3dad87a212a006917919cc687a968dd8741f011d
-
Filesize
1KB
MD5aa33789b0c9e23bde4bdc2cd8a3e6496
SHA10a3fbb73954222c06adf9cbcec56442462c985ee
SHA2569e32dacce120aeb939408166cd5edd0b461a1c4b6ecdd2812045b1c4db2707ab
SHA5123a4374a9fba542befe3630f09a17ac06f3f3c6025f3e7d193b1cc1278c2ad2ec8059797abd6da92a2de53b957f68fe20dfef75364f439e724ccc58b5952dfce8
-
Filesize
172KB
MD5a6f8d318f6041334889481b472000081
SHA1b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA51260f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69
-
Filesize
80KB
MD5d0d7ac869aa4e179da2cc333f0440d71
SHA1e7b9a58f5bfc1ec321f015641a60978c0c683894
SHA2565762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
SHA5121808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7
-
Filesize
637KB
MD5233b45ddf77bd45e53872881cff1839b
SHA1d4b8cafce4664bb339859a90a9dd1506f831756d
SHA256adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a
SHA5126fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
4KB
-
Filesize
668KB
-
Filesize
28KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
672KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
28KB
-
Filesize
672KB
-
Filesize
28KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
28KB