Analysis
-
max time kernel
115s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02/11/2024, 02:59
General
-
Target
ff69e56f8ee29f346c9495468b07dc2d2eb486642a1cfcc54d31d7a813bd95ef.dll
-
Size
672KB
-
MD5
584c0aedb20485c2e84e74c629507bca
-
SHA1
68adc01881c74a7e747c02fcc8b3bf6a992595c7
-
SHA256
ff69e56f8ee29f346c9495468b07dc2d2eb486642a1cfcc54d31d7a813bd95ef
-
SHA512
f0de47f3fe7cac1ec434e5e29d33c6ace9e3ee64102acd2f5c05860d782f6c74f34b740ad21615fff80054c9bfa2333492a9c9ed51f182dc3f72805901945e4e
-
SSDEEP
6144:t34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:tIKp/UWCZdCDh2IZDwAFRpR6Au
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex family
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Dridex payload 10 IoCs
Detects Dridex x64 core DLL in memory.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ff69e56f8ee29f346c9495468b07dc2d2eb486642a1cfcc54d31d7a813bd95ef.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\MpSigStub.exeC:\Windows\system32\MpSigStub.exe1⤵
-
C:\Users\Admin\AppData\Local\H2M5ofnrv\MpSigStub.exeC:\Users\Admin\AppData\Local\H2M5ofnrv\MpSigStub.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\DisplaySwitch.exeC:\Windows\system32\DisplaySwitch.exe1⤵
-
C:\Users\Admin\AppData\Local\emVQA\DisplaySwitch.exeC:\Users\Admin\AppData\Local\emVQA\DisplaySwitch.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\SystemPropertiesProtection.exeC:\Windows\system32\SystemPropertiesProtection.exe1⤵
-
C:\Users\Admin\AppData\Local\YgHLAEwS\SystemPropertiesProtection.exeC:\Users\Admin\AppData\Local\YgHLAEwS\SystemPropertiesProtection.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD52e6bd16aa62e5e95c7b256b10d637f8f
SHA1350be084477b1fe581af83ca79eb58d4defe260f
SHA256d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
SHA5121f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542
-
Filesize
676KB
MD53e9b37660426409713976996bc4fd1d8
SHA173999a809db1dbe36132f824f358e5e0f08350f0
SHA256fa31e8e7b3665b4cd2d01a060948d9a9bdd56d6bc070d1fae1f37453d553dab7
SHA51226ccf9eeb29c22073da0a4d1fd5fe925215fc053e5592fc02ce0331c8ceaabd6b545b621ec3640a1330f5a223fcf25496f67d8590bc6de684663367a2af8e0cf
-
Filesize
676KB
MD5ff6a5a0c7cd67483dec9942d49347065
SHA193888bf01a4148dceebebc09275c2df9b2a03944
SHA25629b705d122009cbcfb0430e112cabbed3151850dd3b50a8c82a29cce1f2839a1
SHA512d4c21374e748c3338814ee56832ab551d91c5d08caa0fd24f745201c3433d85a0fd86feeb53629c8c4bbd9f0cb632760e1185e89f805b841ca6d5c6963068ef4
-
Filesize
676KB
MD5b63fab0b41a6cb9658206a79bdd2432e
SHA1856514326a35f30c17a48b2c9c077a8e89fa4a03
SHA256db8ab10b5360dbafe51f17b3a1c37f499c9339618650704b843ea3e0e7e27f01
SHA512d6a3a5c1f18d3c12ecb99732a418bf9a6bd585595a425927e10e8964170d71c0fe5e9c77b89c7911960d46eef357a4be213f2c2c03e966115c44a0ff25ed3637
-
Filesize
1KB
MD5141bb4ca029abc36d7cfdf5c58cfe99c
SHA1754e1a8a9d525e56341521de5a3ffc3bd5d6ba6e
SHA2560a73305124a3650e682efb5b12ca74b259ea0125b0ba4ad76de64997f1a3b3ff
SHA512978f323b2d189a5d6c43858f68a6b3deb0d5f25f3e7e8ec33f01dd4b419e1075f7775f79094205c3e49cc47c71b4d826d9d7d8818fc1c57eedc047d0ae187624
-
Filesize
80KB
MD505138d8f952d3fff1362f7c50158bc38
SHA1780bc59fcddf06a7494d09771b8340acffdcc720
SHA256753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd
SHA51227fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255
-
Filesize
517KB
MD5b795e6138e29a37508285fc31e92bd78
SHA1d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA25601a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA5128312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1
-
Filesize
676KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
4KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
672KB
-
Filesize
676KB
-
Filesize
28KB
-
Filesize
672KB
-
Filesize
28KB
-
Filesize
672KB
-
Filesize
28KB
-
Filesize
676KB
-
Filesize
676KB