Overview

overview

10

Static

static

3

fd7fddc39d...58.dll

windows7-x64

10

fd7fddc39d...58.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fd7fddc39d5bc3bc942c4575c57bb305068eed4e8bbe1285733e23ec9b18fb58.dll

  • Size

    672KB

  • MD5

    089bbe4454e8a5806c2c27247bd47c3a

  • SHA1

    837ada8cd4d906788c34507cc413a78389e91c02

  • SHA256

    fd7fddc39d5bc3bc942c4575c57bb305068eed4e8bbe1285733e23ec9b18fb58

  • SHA512

    a789910c2cd0698cd0f383ca4bfa2f54b8c11c640aa74d632ccaf9596c8353c319f0b05612b7b590fc860eaf131a7d783f1ed735f82975e7d77a3332154a937d

  • SSDEEP

    6144:534xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:5IKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd7fddc39d5bc3bc942c4575c57bb305068eed4e8bbe1285733e23ec9b18fb58.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1628
  • C:\Windows\system32\InfDefaultInstall.exe
    C:\Windows\system32\InfDefaultInstall.exe
    1⤵
      PID:2364
    • C:\Users\Admin\AppData\Local\qPHt3u\InfDefaultInstall.exe
      C:\Users\Admin\AppData\Local\qPHt3u\InfDefaultInstall.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3684
    • C:\Windows\system32\osk.exe
      C:\Windows\system32\osk.exe
      1⤵
        PID:232
      • C:\Users\Admin\AppData\Local\1YAKxCYrS\osk.exe
        C:\Users\Admin\AppData\Local\1YAKxCYrS\osk.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4940
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:32
        • C:\Users\Admin\AppData\Local\GHLkgnHr9\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\GHLkgnHr9\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1488

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1YAKxCYrS\DUI70.dll
          Filesize

          952KB

          MD5

          ac3e2c0fc1c3a425fdd996037b7f55a3

          SHA1

          f66739c3046379d0d6c15bb937248af6abec0690

          SHA256

          bc63b716b3d6a86a4386913e6b9277c4905d83c0dd6a8b26aa2519fcd40d347b

          SHA512

          78accd34f33d686c02881388b40c490e33ce6dc00fae7f84175c1e409cc3909b1af2c42dfdb6142404c6536d63656e2551b8c9ce31942ee0b9d67cde2c87b0f9

          Download Submit

        • C:\Users\Admin\AppData\Local\1YAKxCYrS\osk.exe
          Filesize

          638KB

          MD5

          745f2df5beed97b8c751df83938cb418

          SHA1

          2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

          SHA256

          f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

          SHA512

          2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

          Download Submit

        • C:\Users\Admin\AppData\Local\GHLkgnHr9\SYSDM.CPL
          Filesize

          676KB

          MD5

          16a1ded008f37380ecf69345a6b6a89e

          SHA1

          278b94ed6fdfa1c73b1483dbae4e771b26b426e3

          SHA256

          6bc87e0178eb0c39ac9917ec618145143646e50f1411f9369f2346f0c9a79328

          SHA512

          fda97822bdca29bdfe617a8ea78ab528c7b4a987df59d9666f6e011cbd65cbf4880a29ddc8958d51ea9c8154006ec1fdb87035f59140b35ef1e37f8ede2e937f

          Download Submit

        • C:\Users\Admin\AppData\Local\GHLkgnHr9\SystemPropertiesProtection.exe
          Filesize

          82KB

          MD5

          26640d2d4fa912fc9a354ef6cfe500ff

          SHA1

          a343fd82659ce2d8de3beb587088867cf2ab8857

          SHA256

          a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

          SHA512

          26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

          Download Submit

        • C:\Users\Admin\AppData\Local\qPHt3u\InfDefaultInstall.exe
          Filesize

          13KB

          MD5

          ee18876c1e5de583de7547075975120e

          SHA1

          f7fcb3d77da74deee25de9296a7c7335916504e3

          SHA256

          e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

          SHA512

          08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

          Download Submit

        • C:\Users\Admin\AppData\Local\qPHt3u\newdev.dll
          Filesize

          676KB

          MD5

          bbda6cce76c008a1b282fda494c052fc

          SHA1

          1415056e0f6df2a2576b7fd7d6c342b478478a04

          SHA256

          cfbd0fd5fa8d26e8d485417b6d8588141bfce5c2aed9e720ee5d771d68260aa0

          SHA512

          9031b839913967a4d0e8dde79d5b45a3e039456dad81d260be8ce38a14dcf9dc98022e52ba76246a1645174f74a638ce431c112a88ac7c6ec6a439a2e9c835aa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          1KB

          MD5

          c0325ef01d0e3fcbb1079509deccf1f1

          SHA1

          a0a71d0a87139b9bc7ee28bc828d9ba0cc4f89a0

          SHA256

          039574f1bd74dd965d7f63eeaeed09c7eba594245ac475aa3831dfd284cab124

          SHA512

          68c8e3fd6f1a8fffe9f9aa2da5a457f10eecfdf2fe0246faad2981e7fcb49ac8dd1c33a71979624b83980e53f4ac560911d7345cfb4158c7c5684d3f0254d43c

          Download Submit

        • memory/1488-82-0x00007FFA97700000-0x00007FFA977A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1628-39-0x00007FFAA6950000-0x00007FFAA69F8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1628-1-0x00007FFAA6950000-0x00007FFAA69F8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1628-2-0x00000232B7900000-0x00000232B7907000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-26-0x00007FFAB5140000-0x00007FFAB5150000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-3-0x0000000008000000-0x0000000008001000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-5-0x00007FFAB429A000-0x00007FFAB429B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-24-0x0000000007FE0000-0x0000000007FE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-27-0x00007FFAB5130000-0x00007FFAB5140000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3684-46-0x0000024F5B050000-0x0000024F5B057000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3684-51-0x00007FFA97700000-0x00007FFA977A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3684-47-0x00007FFA97700000-0x00007FFA977A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4940-67-0x00007FFA96700000-0x00007FFA967EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/4940-62-0x00007FFA96700000-0x00007FFA967EE000-memory.dmp

          Filesize

          952KB

          Download

        • memory/4940-64-0x0000023EB37E0000-0x0000023EB37E7000-memory.dmp

          Filesize

          28KB

          Download