Overview

overview

10

Static

static

3

26fa4f3e2f...6a.dll

windows7-x64

10

26fa4f3e2f...6a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26fa4f3e2ff9d20e54a8ed92898d8d524f973424a6d7b6d62e489e3d5b9fa66a.dll

  • Size

    672KB

  • MD5

    e4b4e6107ac85d6d9981acf940fe05ef

  • SHA1

    c049818fd585fe51844578411859c17c463b9bbc

  • SHA256

    26fa4f3e2ff9d20e54a8ed92898d8d524f973424a6d7b6d62e489e3d5b9fa66a

  • SHA512

    09e324a23666faacf1817e4c4b148944789756bab8521d5d1182a007b0b680382769b09c6b376b1a07ce154a80aa1243271ca4d64b75abf73b7238bce72fd960

  • SSDEEP

    6144:U34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:UIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\26fa4f3e2ff9d20e54a8ed92898d8d524f973424a6d7b6d62e489e3d5b9fa66a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2044
  • C:\Windows\system32\mspaint.exe
    C:\Windows\system32\mspaint.exe
    1⤵
      PID:2812
    • C:\Users\Admin\AppData\Local\TLvDI\mspaint.exe
      C:\Users\Admin\AppData\Local\TLvDI\mspaint.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2688
    • C:\Windows\system32\sethc.exe
      C:\Windows\system32\sethc.exe
      1⤵
        PID:2684
      • C:\Users\Admin\AppData\Local\UIl\sethc.exe
        C:\Users\Admin\AppData\Local\UIl\sethc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2728
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        1⤵
          PID:1700
        • C:\Users\Admin\AppData\Local\zOr3JZp\SystemPropertiesRemote.exe
          C:\Users\Admin\AppData\Local\zOr3JZp\SystemPropertiesRemote.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2828

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\TLvDI\VERSION.dll
          Filesize

          676KB

          MD5

          ab3e8b1c4d75d410cc995b30b0dc61ac

          SHA1

          59975c08a75e5d1d7047c95858a288b3c955a9d7

          SHA256

          9e766dc1fe90f19d3059c84fa0103e6ff2665a6a69123c179ba50c02590462a7

          SHA512

          e0d03f8ac56916f6bac31ad802ff0c95dab027df38ab974d2ba10e6cbe8a3703893437670cc5d72ea39067f11b139f4b452e3364b887429a989e07cf2c7b3637

          Download Submit

        • C:\Users\Admin\AppData\Local\UIl\OLEACC.dll
          Filesize

          676KB

          MD5

          f2032529f345e34c339595feba780f0b

          SHA1

          08b88922df7f7d4399cf7b78440884e67b440ad6

          SHA256

          5d500d192cf947773f70237de61d4cbd4c2d41571da4afb91ef561d38e8e472e

          SHA512

          48217786e040ddad727a6c12bc760669a0e989fa21622e2cdf567db6bf694a6bdbe0d857faef183cc0882a49d003dbbbd16723c4fc39974279d98d71bfd6c444

          Download Submit

        • C:\Users\Admin\AppData\Local\UIl\sethc.exe
          Filesize

          272KB

          MD5

          3bcb70da9b5a2011e01e35ed29a3f3f3

          SHA1

          9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

          SHA256

          dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

          SHA512

          69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

          Download Submit

        • C:\Users\Admin\AppData\Local\zOr3JZp\SYSDM.CPL
          Filesize

          676KB

          MD5

          e1ff9e0aa97b7902ab139542fd5b36c9

          SHA1

          903c2a0b1f43b7439d0e00349912c5b51fd2697c

          SHA256

          23ba65760ceb365494f2447eedaf02480efeec74a370872e4fb7dc613831c60c

          SHA512

          fb00aadc05c98d8f5e090402ad4b076f25a4927c1e31e9d78fe58b0ea47403881cf79f6e395731590a6700807533f5dc20e361823da320422190ad366ff9c2e7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          26e90f480bc0cecc05abd6687faed3cc

          SHA1

          d113bb1c6b078653f2a79321a9da4529bbb5c22b

          SHA256

          1a8372dfe3e1da4a8fdd1b639e06f677ad0b84df0611070743dc6f55c396fc07

          SHA512

          777f0a8263ce3d809149308daaf2d185a5915362a7b83b673c9186cb6a3d63803ed000afe6ed377432ca0d8a9e38e80dceb57d34a47a21490641f47b8fa2f9d7

          Download Submit

        • \Users\Admin\AppData\Local\TLvDI\mspaint.exe
          Filesize

          6.4MB

          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit

        • \Users\Admin\AppData\Local\zOr3JZp\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit

        • memory/1200-26-0x00000000779D0000-0x00000000779D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-24-0x0000000002A60000-0x0000000002A67000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1200-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-3-0x0000000077766000-0x0000000077767000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-27-0x0000000077A00000-0x0000000077A02000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1200-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-37-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-4-0x0000000002A80000-0x0000000002A81000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-46-0x0000000077766000-0x0000000077767000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1200-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1200-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2044-45-0x000007FEF7030000-0x000007FEF70D8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2044-2-0x0000000000520000-0x0000000000527000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2044-1-0x000007FEF7030000-0x000007FEF70D8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2688-61-0x000007FEF67C0000-0x000007FEF6869000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2688-54-0x000007FEF67C0000-0x000007FEF6869000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2688-56-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2728-73-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2728-74-0x000007FEF7C40000-0x000007FEF7CE9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2728-78-0x000007FEF7C40000-0x000007FEF7CE9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2828-94-0x000007FEF7C40000-0x000007FEF7CE9000-memory.dmp

          Filesize

          676KB

          Download