Overview

overview

10

Static

static

3

ed0719cca7...44.dll

windows7-x64

10

ed0719cca7...44.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed0719cca7b7968d97c2f3798dc89cb942ff11938783673cdaa4124da429bc44.dll

  • Size

    688KB

  • MD5

    bf6415fc9381c0c310077c35921254ca

  • SHA1

    1a9bfa30fc33ab115e737db7bfe2a50371e815cf

  • SHA256

    ed0719cca7b7968d97c2f3798dc89cb942ff11938783673cdaa4124da429bc44

  • SHA512

    b269ded1c574eb71f895217dfe991a62cb4c16217d4b46ab6a702989de92251dd28a8b14662098ba28cdffbdcbcd1adb56dde0b17237a24a2201dc6728a32f3d

  • SSDEEP

    12288:Cfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:kdAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed0719cca7b7968d97c2f3798dc89cb942ff11938783673cdaa4124da429bc44.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2876
  • C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe
    1⤵
      PID:4888
    • C:\Users\Admin\AppData\Local\tzRi8g\sigverif.exe
      C:\Users\Admin\AppData\Local\tzRi8g\sigverif.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4884
    • C:\Windows\system32\DisplaySwitch.exe
      C:\Windows\system32\DisplaySwitch.exe
      1⤵
        PID:1076
      • C:\Users\Admin\AppData\Local\2Eot1\DisplaySwitch.exe
        C:\Users\Admin\AppData\Local\2Eot1\DisplaySwitch.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1712
      • C:\Windows\system32\SystemPropertiesPerformance.exe
        C:\Windows\system32\SystemPropertiesPerformance.exe
        1⤵
          PID:4048
        • C:\Users\Admin\AppData\Local\ShEpAD\SystemPropertiesPerformance.exe
          C:\Users\Admin\AppData\Local\ShEpAD\SystemPropertiesPerformance.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4364

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2Eot1\DUI70.dll
          Filesize

          968KB

          MD5

          36f1036f0e354aa5a1cfc95b5597e107

          SHA1

          a306e1d08122268634a730339c9f8982bf968b7d

          SHA256

          c7509f0f95cb85744ee0387d3ff71afe66bb3a54af5d9c99d98620e3efede5e0

          SHA512

          1513527e34caa58ddf76d229866085c09a9e7eaad3fe7a48ecfc10748f1bb5892db88ffd1b194ca5bed05d08dcac7ea30448f2b23ee51236848d5fbaffd62a77

          Download Submit

        • C:\Users\Admin\AppData\Local\2Eot1\DisplaySwitch.exe
          Filesize

          1.8MB

          MD5

          5338d4beddf23db817eb5c37500b5735

          SHA1

          1b5c56f00b53fca3205ff24770203af46cbc7c54

          SHA256

          8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

          SHA512

          173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

          Download Submit

        • C:\Users\Admin\AppData\Local\ShEpAD\SYSDM.CPL
          Filesize

          692KB

          MD5

          f4708d43b6777d77cb5d1295bd8cb401

          SHA1

          1679536c2f60c0ee249a5e58f9b0c766016ffd2d

          SHA256

          865193655819d8d247de4148e31254dd4710c390023bae5dc0e40e1f4d8284b3

          SHA512

          735d2dc8ea85f09dd17afd2356d9a412bad5a2a388294807ee3c320af92b7d81042a671f0f8c08a55bb583f0daec1e60978c8b296df3e3e20640b89fcdc45442

          Download Submit

        • C:\Users\Admin\AppData\Local\ShEpAD\SystemPropertiesPerformance.exe
          Filesize

          82KB

          MD5

          e4fbf7cab8669c7c9cef92205d2f2ffc

          SHA1

          adbfa782b7998720fa85678cc85863b961975e28

          SHA256

          b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

          SHA512

          c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

          Download Submit

        • C:\Users\Admin\AppData\Local\tzRi8g\VERSION.dll
          Filesize

          692KB

          MD5

          d07eba01a730a56829b4e990962feb94

          SHA1

          9bdd8c91cae23a43f5bcb61d3efb9e2720248218

          SHA256

          f96aeaea8a03a4312ed1957ca256b5515bd1beb5aca95a18e6da1ae5b6d98155

          SHA512

          830d2d8897b48e94070cbeeee25804ef7a26c3c34d9c61e4a7fa5547852e47909f5f1963b6762ad2839ab8229e644eb3ebca4d035eb240d5510d9bf8cd23fab2

          Download Submit

        • C:\Users\Admin\AppData\Local\tzRi8g\sigverif.exe
          Filesize

          77KB

          MD5

          2151a535274b53ba8a728e542cbc07a8

          SHA1

          a2304c0f2616a7d12298540dce459dd9ccf07443

          SHA256

          064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

          SHA512

          e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          f430e736be5890d83463079e33bd909d

          SHA1

          ddc2634982ad17862d587310002a5c205a5a7595

          SHA256

          75e6fa73bcc0ff3e7e1ffc23b5cec7dcabe125ee45d1e75d9db612f2b9105103

          SHA512

          9d010ac1400fdfad1f3e855f768f70a45a92b7bd77d596338c4e37f406cbfc53689117460faa3a4217ed05db3ba6138b2f6049f0723e82e515995e854a09767a

          Download Submit

        • memory/1712-66-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/1712-61-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/1712-63-0x000001FF93E00000-0x000001FF93E07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2876-0-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2876-2-0x0000021B0EFB0000-0x0000021B0EFB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2876-38-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-8-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-13-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-24-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-35-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-7-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-15-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-26-0x00007FFF7F350000-0x00007FFF7F360000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-9-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-10-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-3-0x00000000073D0000-0x00000000073D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-4-0x00007FFF7E63A000-0x00007FFF7E63B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-6-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-11-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-12-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-23-0x0000000002960000-0x0000000002967000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-14-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3444-25-0x00007FFF7F360000-0x00007FFF7F370000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4364-81-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/4884-50-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/4884-47-0x000002734C180000-0x000002734C187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4884-45-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download