Analysis
-
max time kernel
149s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-10-2024 23:38
General
-
Target
db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a.dll
-
Size
1.4MB
-
MD5
e74399f942cf0cf81df1e8a4972bb8bb
-
SHA1
13416b3359fb3b1ce03acca069454bb4c228b3f0
-
SHA256
db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a
-
SHA512
09968cb2afead5f2626ed4c85471ffa0b80fab89066e4662dd07f86824a9873f149fa840950123989fe9fdee44649de6f52a7975da6d57ff29094ddfb4b459d0
-
SSDEEP
12288:DkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64Cw1:DkMZ+gf4ltGd8H1fYO0q2G1Ahw1
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex family
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Dridex payload 9 IoCs
Detects Dridex x64 core DLL in memory.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\db433f70692c1bb245625c99f1860d748aef2021c8918d5f1433ed12a043650a.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\osk.exeC:\Windows\system32\osk.exe1⤵
-
C:\Users\Admin\AppData\Local\rEaMo3\osk.exeC:\Users\Admin\AppData\Local\rEaMo3\osk.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\sdclt.exeC:\Windows\system32\sdclt.exe1⤵
-
C:\Users\Admin\AppData\Local\1ZcXRS0\sdclt.exeC:\Users\Admin\AppData\Local\1ZcXRS0\sdclt.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\InfDefaultInstall.exeC:\Windows\system32\InfDefaultInstall.exe1⤵
-
C:\Users\Admin\AppData\Local\nkFUtnAN\InfDefaultInstall.exeC:\Users\Admin\AppData\Local\nkFUtnAN\InfDefaultInstall.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD565a1e750b5a3a6bee92a09c1fc7a4eed
SHA1839aaa6edd291b7774ef7ec26d68d2283d699d44
SHA256c7afd58f384e8f180923eeaf94a567f700b624ed9ec88a435eed36559cab3498
SHA5128ad13c261e02021ed891b8ab0b0c8bd10f5047042f41a3d106ccaab485ff5e80da1bc8004dd522abf7054248570dd52d02a66e4c07a7a94169c9f9152de02d6a
-
Filesize
1.2MB
MD5e09d48f225e7abcab14ebd3b8a9668ec
SHA11c5b9322b51c09a407d182df481609f7cb8c425d
SHA256efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3
SHA512384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4
-
Filesize
13KB
MD5ee18876c1e5de583de7547075975120e
SHA1f7fcb3d77da74deee25de9296a7c7335916504e3
SHA256e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d
SHA51208bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c
-
Filesize
1.4MB
MD569943b8053b3ceadc3c235dae6f524b7
SHA1d7de3e46be014e5791babab4dbeafb681411e915
SHA2564cd4f703a3a0d938dee1552bb30597abef26078c1877782fb1f841167f9f5297
SHA512f4390592777bb083bff5bf93ca8b6f3ff6ed68df4c43659d48e3792d75a569f7cb99609d9881e54ffb5d9b8aa7acb656111187551ded42e74a98dd03256d48a6
-
Filesize
1.4MB
MD56f35f57b42ebbbcb43e970def86738b7
SHA1f7b4e7e8c31242af78ca5e4778b19127684c08fb
SHA256fa228257752312086113a47e17898bb57bb9b32eee869dc099eff0ad14b9b339
SHA512991ff96dbbde7f0b57b44247d10814dccfc25c87b5845a74a4243373fb54081440204327669dab53489736198e1092a40b32f6d2eccd708bdef7fe7a0d23c949
-
Filesize
638KB
MD5745f2df5beed97b8c751df83938cb418
SHA12f9fc33b1bf28e0f14fd75646a7b427ddbe14d25
SHA256f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51
SHA5122125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228
-
Filesize
1KB
MD5659b113d61d340db0704696b3278de60
SHA1570cd82ce6229840c763c63f81c12597acad8b73
SHA2561a0e1a45e11848a2a8024646e5382be67efad712b06601a835fc8d7c05b27056
SHA512b189bb8bcb6956f931e36edfc285c0e44575a51edba4f490ff64e9ae06321383a6741b9ee38f205fcc8fd8d0625f08965134d7759f5d4f3fc8182358d3cc4010
-
Filesize
1.4MB
-
Filesize
28KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
28KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
64KB
-
Filesize
1.4MB
-
Filesize
28KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
4KB