Overview

overview

10

Static

static

3

022313a687...8e.dll

windows7-x64

10

022313a687...8e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    022313a6879b728319802186991b9397e351b4d9cb7ad36120172e81bc035d8e.dll

  • Size

    692KB

  • MD5

    a1e6e208002d96dc17583432e060abc7

  • SHA1

    4fb85dcc732c7e3e33efe9b9b7a41e94afa4c113

  • SHA256

    022313a6879b728319802186991b9397e351b4d9cb7ad36120172e81bc035d8e

  • SHA512

    d73597eddce800228be18aafdcb03e9b4fb78e15efd00ba7f44a4e38c93ef6240c8e293543a621a223b7eaf074b3d8f74f5caaf68753a18a938acd5840cd608a

  • SSDEEP

    12288:Kfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:MdAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\022313a6879b728319802186991b9397e351b4d9cb7ad36120172e81bc035d8e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1664
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2928
    • C:\Users\Admin\AppData\Local\CYFk15l\osk.exe
      C:\Users\Admin\AppData\Local\CYFk15l\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2540
    • C:\Windows\system32\Utilman.exe
      C:\Windows\system32\Utilman.exe
      1⤵
        PID:2672
      • C:\Users\Admin\AppData\Local\L86mLcu\Utilman.exe
        C:\Users\Admin\AppData\Local\L86mLcu\Utilman.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2748
      • C:\Windows\system32\p2phost.exe
        C:\Windows\system32\p2phost.exe
        1⤵
          PID:2084
        • C:\Users\Admin\AppData\Local\Vesd4T1\p2phost.exe
          C:\Users\Admin\AppData\Local\Vesd4T1\p2phost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:756

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\CYFk15l\OLEACC.dll
          Filesize

          696KB

          MD5

          fcdc3cb8c2aa761270adf47f338e22b2

          SHA1

          ecd9f04d260c427c137f5041e47e809d86500577

          SHA256

          ffad131d4a0830348b3e960b9b32e7616186f075ab5a0fd5fbd23d96b5b58dcb

          SHA512

          3203074c6241876f74e9688451f5249fdcf618ce0fb7ed6b94de9bdb4302b55d066bd13e0ffcc36da62eee1845633e6a77a3ca0975a189e939e0595bb74f854b

          Download Submit

        • C:\Users\Admin\AppData\Local\L86mLcu\DUI70.dll
          Filesize

          900KB

          MD5

          6d0a59dc92d9ecd091cc6366431e7961

          SHA1

          49348bf5a9f998dbfc91e0f98a399673d4e22208

          SHA256

          105b34146cd411af662a97ccfcfe0d51e7df9897f470ed8a6e9c5ea8a5d7486e

          SHA512

          c96540f609b00dd8dd9c14d9e1a5fc37e5d1cf7843cf9728c8db1d6c5ec5d4ea86ee931477e1405ccd053690695ad6f9b63444012d37540e2abbc0850acca8cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Vesd4T1\P2PCOLLAB.dll
          Filesize

          696KB

          MD5

          0320636ffc3ea1588d8eb675d1ca4ec8

          SHA1

          627fa6ca114a7105b84d4c38c2f8cbc9cfe0ec02

          SHA256

          3ee2807c68b10c63e058ccb71c86c6efe71e3d380ca8ac34522fff6059d29c26

          SHA512

          420c454c5803108210dd6713ec78d82798d847db641a5356734d96e2fe4b976088c586bce3ee518b1884cec0afaedff24a381bfb21b94bedfbf912a5d5f30276

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk
          Filesize

          1KB

          MD5

          e9d82a62653ce05a498ed2720e4a2e55

          SHA1

          5e48ead66358ea889211ad3f5532eea483bb84dc

          SHA256

          3b70d693b68314f5a675dabce03d39a87dd6fbf8685bb08cf4aeb208ea48a340

          SHA512

          4922df943897412448f76ad66a470b973b2b03e5b81360dafb1da38c71b9bc9ae70d5bfb556466a07110061c0fb2ede55227e24f1980e3998ac9c3613ce7af04

          Download Submit

        • \Users\Admin\AppData\Local\CYFk15l\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • \Users\Admin\AppData\Local\L86mLcu\Utilman.exe
          Filesize

          1.3MB

          MD5

          32c5ee55eadfc071e57851e26ac98477

          SHA1

          8f8d0aee344e152424143da49ce2c7badabb8f9d

          SHA256

          7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

          SHA512

          e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

          Download Submit

        • \Users\Admin\AppData\Local\Vesd4T1\p2phost.exe
          Filesize

          172KB

          MD5

          0dbd420477352b278dfdc24f4672b79c

          SHA1

          df446f25be33ac60371557717073249a64e04bb2

          SHA256

          1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

          SHA512

          84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

          Download Submit

        • memory/756-90-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/1184-26-0x0000000077660000-0x0000000077662000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1184-45-0x00000000772C6000-0x00000000772C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-11-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-10-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-9-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-8-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-24-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-7-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-3-0x00000000772C6000-0x00000000772C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-25-0x0000000077630000-0x0000000077632000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1184-37-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-35-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-12-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-13-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-14-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-6-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-15-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1184-23-0x0000000002E10000-0x0000000002E17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1664-44-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1664-2-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1664-0-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/2540-57-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2540-53-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/2748-69-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download

        • memory/2748-71-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2748-74-0x0000000140000000-0x00000001400E1000-memory.dmp

          Filesize

          900KB

          Download