Overview

overview

10

Static

static

3

db433f7069...0a.dll

windows7-x64

10

db433f7069...0a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-10-2024 23:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a.dll

  • Size

    1.4MB

  • MD5

    e74399f942cf0cf81df1e8a4972bb8bb

  • SHA1

    13416b3359fb3b1ce03acca069454bb4c228b3f0

  • SHA256

    db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a

  • SHA512

    09968cb2afead5f2626ed4c85471ffa0b80fab89066e4662dd07f86824a9873f149fa840950123989fe9fdee44649de6f52a7975da6d57ff29094ddfb4b459d0

  • SSDEEP

    12288:DkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64Cw1:DkMZ+gf4ltGd8H1fYO0q2G1Ahw1

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1832
  • C:\Windows\system32\vmicsvc.exe
    C:\Windows\system32\vmicsvc.exe
    1⤵
      PID:2892
    • C:\Users\Admin\AppData\Local\Sa3J4OtlF\vmicsvc.exe
      C:\Users\Admin\AppData\Local\Sa3J4OtlF\vmicsvc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2628
    • C:\Windows\system32\ddodiag.exe
      C:\Windows\system32\ddodiag.exe
      1⤵
        PID:772
      • C:\Users\Admin\AppData\Local\vJR4T\ddodiag.exe
        C:\Users\Admin\AppData\Local\vJR4T\ddodiag.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1572
      • C:\Windows\system32\osk.exe
        C:\Windows\system32\osk.exe
        1⤵
          PID:1212
        • C:\Users\Admin\AppData\Local\JUw52E\osk.exe
          C:\Users\Admin\AppData\Local\JUw52E\osk.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:576

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\JUw52E\OLEACC.dll
          Filesize

          1.4MB

          MD5

          eb276c3a6935829554ff8cda8d644097

          SHA1

          24aba3ff7b74ac8847bf7f6bfaec683df2ee19f0

          SHA256

          5ac8a25df1b0286781b56e03ebd72c3339aecd9eb3b967e453b2bda840b7b03d

          SHA512

          7a41eb07ac4640a3029b557ae4b468b03f2206c41e8a1a9bcb5e5b6f3110e81a9a531c80cd232a202c77b83f6a999278a7dec18a6bb73e7a4cf5a0f8df3cde7f

          Download Submit

        • C:\Users\Admin\AppData\Local\Sa3J4OtlF\ACTIVEDS.dll
          Filesize

          1.4MB

          MD5

          9afbe4be602768bc2465fb8d1b7fd0ad

          SHA1

          2919c7bd4eed0164156011b5d5b3150f3cea1364

          SHA256

          3d2db2189c698f262f7326ed7083e71af24a104357278520af411398ebdf8027

          SHA512

          c02b65da25fcfa5a9b11c7993649d14f29f0df7e79884a7cbdfacda361ee61b54e701a6fd41ec1271041b5bfbf42fa95dd827802266d04e7be4e2e9c6e12d003

          Download Submit

        • C:\Users\Admin\AppData\Local\Sa3J4OtlF\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • C:\Users\Admin\AppData\Local\vJR4T\XmlLite.dll
          Filesize

          1.4MB

          MD5

          17ad65f37a91ec864b3b40b27028752c

          SHA1

          7f52dfe0131ddfe17f58a1b4760fb35e0971c251

          SHA256

          16b5b09f1e4b23b9e648ad021f512c236029dcd7fac2d913498ed15249082b99

          SHA512

          6ec364eafc052edb6cf7c4a4eba7d75ce54c394cdeec5d496394a002505e18f6ee32f077667f4699e255115e3c57407dfde383f4f820b76af10174a9627d365f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ukatmrkmywz.lnk
          Filesize

          1KB

          MD5

          e5cc92ea83e97109d38f3f48a1e9eef1

          SHA1

          b7f253b49951bc0856f4f80c381d75ae3d8916ba

          SHA256

          49c9ba41b11be4ac797f155de65c6ee4fb366206a16bf8582a76386a8d6f71f8

          SHA512

          30ce93ecd4f630acb76714e2d6e8e1630e255e8082193746023909acd35c6f0ee5d2ea6ed7e0b882363960f5aafb5dcb069bdef57721d39ce11c284019d0500e

          Download Submit

        • \Users\Admin\AppData\Local\JUw52E\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • \Users\Admin\AppData\Local\vJR4T\ddodiag.exe
          Filesize

          42KB

          MD5

          509f9513ca16ba2f2047f5227a05d1a8

          SHA1

          fe8d63259cb9afa17da7b7b8ede4e75081071b1a

          SHA256

          ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

          SHA512

          ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

          Download Submit

        • memory/576-94-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-28-0x0000000077BB0000-0x0000000077BB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1156-10-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-7-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-16-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-15-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-13-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-12-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-27-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-26-0x0000000002500000-0x0000000002507000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1156-29-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1156-3-0x0000000077846000-0x0000000077847000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1156-18-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-17-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-40-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-39-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-4-0x0000000002520000-0x0000000002521000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1156-48-0x0000000077846000-0x0000000077847000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1156-8-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-9-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-6-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-11-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1156-14-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1572-73-0x0000000001F10000-0x0000000001F17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1572-78-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1832-47-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1832-0-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1832-2-0x0000000140000000-0x0000000140167000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2628-61-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2628-58-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2628-56-0x0000000140000000-0x0000000140168000-memory.dmp

          Filesize

          1.4MB

          Download