Overview

overview

10

Static

static

3

51f1a8d441...b0.dll

windows7-x64

10

51f1a8d441...b0.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51f1a8d4410d73d9176dcd9625d7522c719e816e43bffda25085e63161d789b0.dll

  • Size

    672KB

  • MD5

    583d65e532c265246326dd54fca82723

  • SHA1

    459a26aa86533f45c0dc34201174d773d9c00e45

  • SHA256

    51f1a8d4410d73d9176dcd9625d7522c719e816e43bffda25085e63161d789b0

  • SHA512

    31b313d6bfbe3eff58ceace0a442c83ec4eeb183b2281a79bbe66527c171bc866adfb5f9c9f1b5ea8f54046278c30eaa9f215dfcf207e76ac6e63dd3555dd94b

  • SSDEEP

    6144:R34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:RIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\51f1a8d4410d73d9176dcd9625d7522c719e816e43bffda25085e63161d789b0.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1292
  • C:\Windows\system32\dvdupgrd.exe
    C:\Windows\system32\dvdupgrd.exe
    1⤵
      PID:2336
    • C:\Users\Admin\AppData\Local\wKw5ePp\dvdupgrd.exe
      C:\Users\Admin\AppData\Local\wKw5ePp\dvdupgrd.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2884
    • C:\Windows\system32\Netplwiz.exe
      C:\Windows\system32\Netplwiz.exe
      1⤵
        PID:2396
      • C:\Users\Admin\AppData\Local\bKlLU4\Netplwiz.exe
        C:\Users\Admin\AppData\Local\bKlLU4\Netplwiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2240
      • C:\Windows\system32\osk.exe
        C:\Windows\system32\osk.exe
        1⤵
          PID:1028
        • C:\Users\Admin\AppData\Local\yrdV3mu\osk.exe
          C:\Users\Admin\AppData\Local\yrdV3mu\osk.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2948

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\bKlLU4\NETPLWIZ.dll
          Filesize

          676KB

          MD5

          fa68c29b258b98506ec5ece1a0db8e69

          SHA1

          4f71993d18b59c22ac247facf45b5f6c3a70ccf2

          SHA256

          f22c73bab8b07ff82dd1319b5b0fb87b0219abd9ea30fb444e6e14e30c907d17

          SHA512

          140e1ec936e4efce2824ac5a337ce678119222bb55cc7348c4e054770d1473bd0e78a90c535ee0a4419290ac00583c21bc24c0e33a7688c8f156eb2902b060e6

          Download Submit

        • C:\Users\Admin\AppData\Local\wKw5ePp\VERSION.dll
          Filesize

          676KB

          MD5

          703aa7cf5b9118abfb2146a84d514a6e

          SHA1

          62f17b033dba9bd524910cc881899db1917ea096

          SHA256

          f539e615b5ac7144860d814d4035f1939d98894c1d6e82398da21692d6a77b25

          SHA512

          3dfa8a2260c0eb5c26b96f30a17c4001fe14a5c2142d35ba4e5773e3669065692bc49e544c5503fd9d91333f34d357e20cb44485f8d353c50dfd667115e5c373

          Download Submit

        • C:\Users\Admin\AppData\Local\wKw5ePp\dvdupgrd.exe
          Filesize

          25KB

          MD5

          75a9b4172eac01d9648c6d2133af952f

          SHA1

          63c7e1af762d2b584e9cc841e8b0100f2a482b81

          SHA256

          18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

          SHA512

          5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

          Download Submit

        • C:\Users\Admin\AppData\Local\yrdV3mu\dwmapi.dll
          Filesize

          676KB

          MD5

          1e54c16eb84be03a668937fe023967d3

          SHA1

          a98caf8d085d6cf490a22f8c3d0b5c6fc8699e8c

          SHA256

          1ac28f1edeafaee615ea898aac85c3c61b9857ab08a88b43f81491686a0df17f

          SHA512

          42bdb2399a011d06b7e06a0ff54a3caafc25b6b53d91275e86fec4e5e307552ead485be426f4a09623647ebb1eeba5e791acb758837b95d1be7c398b63443d9d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          976B

          MD5

          49a65f893adf7eb35de327b4bd13e1be

          SHA1

          096dc5133af63eeca8d598aef6c31fd9a98748ac

          SHA256

          97460868380ee23e1f9a95fae118bb137ee3fc457bfedeefada6a827297d516e

          SHA512

          f65bdc3bbb0555c592386a85c0e45ae29e9a93207b4aaf9d335cc0d867377427d8b9e40734dc6a88388e692b5eb244fb1cfc61eec86ac196af6f84f08ce8eb43

          Download Submit

        • \Users\Admin\AppData\Local\bKlLU4\Netplwiz.exe
          Filesize

          26KB

          MD5

          e43ec3c800d4c0716613392e81fba1d9

          SHA1

          37de6a235e978ecf3bb0fc2c864016c5b0134348

          SHA256

          636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

          SHA512

          176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

          Download Submit

        • \Users\Admin\AppData\Local\yrdV3mu\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • memory/1208-27-0x00000000772B0000-0x00000000772B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-24-0x0000000002970000-0x0000000002977000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-3-0x0000000076F16000-0x0000000076F17000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-26-0x0000000077280000-0x0000000077282000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-37-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-4-0x0000000002990000-0x0000000002991000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-46-0x0000000076F16000-0x0000000076F17000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1208-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1292-45-0x000007FEF68E0000-0x000007FEF6988000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1292-0-0x000007FEF68E0000-0x000007FEF6988000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1292-2-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2240-71-0x0000000000380000-0x0000000000387000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2240-76-0x000007FEF7520000-0x000007FEF75C9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2884-59-0x000007FEF7520000-0x000007FEF75C9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2884-55-0x000007FEF7520000-0x000007FEF75C9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2884-54-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2948-92-0x000007FEF7520000-0x000007FEF75C9000-memory.dmp

          Filesize

          676KB

          Download