Overview

overview

10

Static

static

3

f4cc073cc6...f3.dll

windows7-x64

10

f4cc073cc6...f3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2024 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4cc073cc601127a558b1196c98d6839965545cffad19f38370158a6450e82f3.dll

  • Size

    704KB

  • MD5

    32d919c09f97767d7a0c7972b2b52103

  • SHA1

    7a83575a7cab12034630cacb854746978e03e7f5

  • SHA256

    f4cc073cc601127a558b1196c98d6839965545cffad19f38370158a6450e82f3

  • SHA512

    5a1a51e61107464ed813eb6f9131d6a2be7993eaa8c43f7e03222db2a35152998a67924a16a4b91e8a839a11948d925ff94930248b2691cafcb7a26159139ef4

  • SSDEEP

    12288:mEwgKnIhABTW0HcD5a1PKxdZhC+k+V9Hgeb/tf/B9P632vHAA:mEwXnOAx5HcDM1Sxd3ChCHg2/P9yGo

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4cc073cc601127a558b1196c98d6839965545cffad19f38370158a6450e82f3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1668
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
      PID:3924
    • C:\Users\Admin\AppData\Local\yp6yM2\tcmsetup.exe
      C:\Users\Admin\AppData\Local\yp6yM2\tcmsetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1316
    • C:\Windows\system32\BdeUISrv.exe
      C:\Windows\system32\BdeUISrv.exe
      1⤵
        PID:1220
      • C:\Users\Admin\AppData\Local\Q2cyt\BdeUISrv.exe
        C:\Users\Admin\AppData\Local\Q2cyt\BdeUISrv.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3324
      • C:\Windows\system32\Magnify.exe
        C:\Windows\system32\Magnify.exe
        1⤵
          PID:1856
        • C:\Users\Admin\AppData\Local\fQl81WD\Magnify.exe
          C:\Users\Admin\AppData\Local\fQl81WD\Magnify.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2332

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Q2cyt\BdeUISrv.exe
          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

          Download Submit

        • C:\Users\Admin\AppData\Local\Q2cyt\WTSAPI32.dll
          Filesize

          708KB

          MD5

          98e810868d349e9e3b2b9270e0a4d60e

          SHA1

          e621b018f6148ab26e804e3e2cd0619629ed1600

          SHA256

          b83d66894bd7a3a0b30ea006bb2f680a3f285f6bfebccab893e940c10d409594

          SHA512

          7dd792b5d766e2f041655c2124aa5480f2763dc3e388b3fa3831bd6677d0edbeefce4f60c101c0490432933ed8d0593e8599f2dbcef451bd80c3414ffdd38ada

          Download Submit

        • C:\Users\Admin\AppData\Local\fQl81WD\Magnify.exe
          Filesize

          639KB

          MD5

          4029890c147e3b4c6f41dfb5f9834d42

          SHA1

          10d08b3f6dabe8171ca2dd52e5737e3402951c75

          SHA256

          57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

          SHA512

          dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

          Download Submit

        • C:\Users\Admin\AppData\Local\fQl81WD\dwmapi.dll
          Filesize

          708KB

          MD5

          8ad4d1b94659429cf8955f8a1579ecde

          SHA1

          9d26fc72b7cf10fc82878e35e5d631a6c6d2ea28

          SHA256

          580db49a01bed217ea80fc65a7360ee916c4b5a9060e73cb3b79be6bc016a25a

          SHA512

          80912374670efa7c4308691f62853f6d435377c7993f1e4ccfeed66bc6f4e243e19062266d3ab361954d27e9f5baec61fd741295dec90789591c5a4567212942

          Download Submit

        • C:\Users\Admin\AppData\Local\yp6yM2\TAPI32.dll
          Filesize

          712KB

          MD5

          68f90184e9dfbb17298ec803899ec212

          SHA1

          4c24dcb0d86e8e7f5ecb7ea9733888f839c17b70

          SHA256

          80543cc56cf82803a328c4726f7236af15a05d2f577f26ba9d9fe9acded1c8e8

          SHA512

          854c8a307a6b36b59efa45b3c28fec5a001618ac9a0cc660a4b70fa69e5f20838c3401332eea9a561526deff26e500a3952e7b3b3477580b4d084c981d64a2ab

          Download Submit

        • C:\Users\Admin\AppData\Local\yp6yM2\tcmsetup.exe
          Filesize

          16KB

          MD5

          58f3b915b9ae7d63431772c2616b0945

          SHA1

          6346e837da3b0f551becb7cac6d160e3063696e9

          SHA256

          e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

          SHA512

          7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          96ac5b0c7754e2f93f3ac23edf7b9f36

          SHA1

          db1a17353a7c7e4be4e102dfde35a449ee0aee04

          SHA256

          5b9c7f758ebd812072d9cc17ea12b0b1684be9d565519418b71fd0b4bba30a49

          SHA512

          7a3b1a9692c33bd8294414022a576d1e59a5af543c77962dc28d2fad7e4faf536fd3c024065e7cae156a6637648841c33463160bf3cbce30f2e50a30763d93af

          Download Submit

        • memory/1316-51-0x0000000140000000-0x00000001400B2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/1316-46-0x0000000140000000-0x00000001400B2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/1316-48-0x0000021E113F0000-0x0000021E113F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1668-0-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1668-39-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1668-2-0x00000186E8700000-0x00000186E8707000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2332-82-0x0000000140000000-0x00000001400B1000-memory.dmp

          Filesize

          708KB

          Download

        • memory/3324-62-0x0000000140000000-0x00000001400B1000-memory.dmp

          Filesize

          708KB

          Download

        • memory/3324-64-0x000001A81C880000-0x000001A81C887000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3324-67-0x0000000140000000-0x00000001400B1000-memory.dmp

          Filesize

          708KB

          Download

        • memory/3432-23-0x00007FFE4D05A000-0x00007FFE4D05B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-13-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-3-0x00000000073E0000-0x00000000073E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3432-6-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-8-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-7-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-9-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-11-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-12-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-5-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-15-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-14-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-36-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-25-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/3432-27-0x00007FFE4EDF0000-0x00007FFE4EE00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-26-0x00007FFE4EE00000-0x00007FFE4EE10000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3432-24-0x00000000073C0000-0x00000000073C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3432-10-0x0000000140000000-0x00000001400B0000-memory.dmp

          Filesize

          704KB

          Download