Overview

overview

10

Static

static

3

81b6123f37...dd.dll

windows7-x64

10

81b6123f37...dd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81b6123f37af744dc0f4589543d609eef8d715afd6aa69526d822b9b2843e3dd.dll

  • Size

    944KB

  • MD5

    e94305a2d837ad0f083f15a2b86f37d0

  • SHA1

    da603e9964396165dd776409d725d88c8150a940

  • SHA256

    81b6123f37af744dc0f4589543d609eef8d715afd6aa69526d822b9b2843e3dd

  • SHA512

    fbeeb478c17fe57d4a8ba93c8a4a9f552ce6dc45ca6e2e4ff0b007df101167348d191e58f967c9a283b3ed4f4b209ddf534debf8d24f3eca90b0311c55bf70a6

  • SSDEEP

    6144:D34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT3:DIKp/UWCZdCDh2IZDwAFRpR6AuJZK

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\81b6123f37af744dc0f4589543d609eef8d715afd6aa69526d822b9b2843e3dd.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2108
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2736
    • C:\Users\Admin\AppData\Local\1pmZ\osk.exe
      C:\Users\Admin\AppData\Local\1pmZ\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2772
    • C:\Windows\system32\SystemPropertiesPerformance.exe
      C:\Windows\system32\SystemPropertiesPerformance.exe
      1⤵
        PID:1600
      • C:\Users\Admin\AppData\Local\TiBHNN1\SystemPropertiesPerformance.exe
        C:\Users\Admin\AppData\Local\TiBHNN1\SystemPropertiesPerformance.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2256
      • C:\Windows\system32\mstsc.exe
        C:\Windows\system32\mstsc.exe
        1⤵
          PID:1940
        • C:\Users\Admin\AppData\Local\k3DC\mstsc.exe
          C:\Users\Admin\AppData\Local\k3DC\mstsc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2380

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1pmZ\dwmapi.dll
          Filesize

          948KB

          MD5

          100a778dece954027fdf008a52ddc302

          SHA1

          8b4a19830a58dcfe01b3a3cd4261efa0bd3ea447

          SHA256

          c2087ff7e12cd256b69019babad057b07cef0d9010cd1123ac6f6c96b4d3b7f5

          SHA512

          072acd2bee3819adca6ee8cf31328a3fa533403c54f11b85d6e68809e5a64773e7f6d8fdd1f253162d489a8dc64400de7b22286d1b1c80ad78c795dcf72000f9

          Download Submit

        • C:\Users\Admin\AppData\Local\TiBHNN1\SYSDM.CPL
          Filesize

          948KB

          MD5

          29eb8a74b734d0e1020320f5b9084fd8

          SHA1

          15ab475143f892c211ff3a2f2926715452d5fbc0

          SHA256

          4395587b5e502484cd735e903f29e2c7f332541904b6a08b14db3d39191f039a

          SHA512

          fa98f4ea117e1e28031f979d892036724af49cde51f3f8e393916b73d0ced2eec462c18d3300bdd4d90c71dc73f4d6cc8e983c8d784aab4c402ba5dc92198f85

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          e178e867635477a46a2fd24a1ddddfb0

          SHA1

          b702e7ec125ea3f0cfae0b0981d3fa7ea66ffaf1

          SHA256

          abc77b75e357f88bcd035b47be7c89483179fea184256d59fe0252451b36259a

          SHA512

          a2954c1e526c39abab2e3e667cdfbc87486195a8ea4a7279e9a39262808cd04c6aa25eeffac9588dd850dcaee2ebb2c4b2cf8c30003ea938569d6f7da367351c

          Download Submit

        • \Users\Admin\AppData\Local\1pmZ\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • \Users\Admin\AppData\Local\TiBHNN1\SystemPropertiesPerformance.exe
          Filesize

          80KB

          MD5

          870726cdcc241a92785572628b89cc07

          SHA1

          63d47cc4fe9beb75862add1abca1d8ae8235710a

          SHA256

          1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

          SHA512

          89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

          Download Submit

        • \Users\Admin\AppData\Local\k3DC\WINMM.dll
          Filesize

          952KB

          MD5

          7baa392723a3c795b67410c2ef06149c

          SHA1

          54280bfb4757faa8ede2c8c6312996d916b023ba

          SHA256

          0944c63eae03bbdf9b35f1920757d3b327f989767075bb54b8f59c12088f424f

          SHA512

          d882bacc06d97f084bebd906e3c03fa4a215f81a45fe37b47097b46c4a8f93cdfef2d0d24dcbb33ea98851f59c4e15cdac29a75442e5225f00d44f22e65f2b1c

          Download Submit

        • \Users\Admin\AppData\Local\k3DC\mstsc.exe
          Filesize

          1.1MB

          MD5

          50f739538ef014b2e7ec59431749d838

          SHA1

          b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

          SHA256

          85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

          SHA512

          02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

          Download Submit

        • memory/1388-14-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-45-0x0000000077B26000-0x0000000077B27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1388-13-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-26-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1388-25-0x0000000077D90000-0x0000000077D92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1388-12-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-11-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-10-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-9-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-8-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-7-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-3-0x0000000077B26000-0x0000000077B27000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1388-35-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-36-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-4-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1388-15-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-16-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-23-0x0000000001DB0000-0x0000000001DB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1388-6-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1388-24-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2108-44-0x000007FEF7F70000-0x000007FEF805C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2108-0-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2108-1-0x000007FEF7F70000-0x000007FEF805C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2256-70-0x000007FEF7F30000-0x000007FEF801D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2256-74-0x000007FEF7F30000-0x000007FEF801D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2380-86-0x000007FEF7F30000-0x000007FEF801E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2380-90-0x000007FEF7F30000-0x000007FEF801E000-memory.dmp

          Filesize

          952KB

          Download

        • memory/2772-58-0x000007FEF8060000-0x000007FEF814D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2772-54-0x000007FEF8060000-0x000007FEF814D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2772-53-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download