Overview

overview

10

Static

static

3

39c3ba8e5a...be.dll

windows7-x64

10

39c3ba8e5a...be.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39c3ba8e5a0aaf8719fa57d866f02bb2dfae2474a42b6ae346af16a73f92c2be.dll

  • Size

    672KB

  • MD5

    83907ddf64aa95e7da9c6e9758b2610c

  • SHA1

    8c096240c45f1b4c05d8e07a1b5df38615e54aaf

  • SHA256

    39c3ba8e5a0aaf8719fa57d866f02bb2dfae2474a42b6ae346af16a73f92c2be

  • SHA512

    6d7bab6de77969b6f01fa03a95dbf371a0ec03ba0709a4118a71550b126aa7eb1cd55c161a8f898a131da9a10c79730f52c3950073a32d0157c5eea3e9c92688

  • SSDEEP

    6144:E34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:EIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39c3ba8e5a0aaf8719fa57d866f02bb2dfae2474a42b6ae346af16a73f92c2be.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2124
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    1⤵
      PID:2932
    • C:\Users\Admin\AppData\Local\jYHM5\rdpinit.exe
      C:\Users\Admin\AppData\Local\jYHM5\rdpinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2828
    • C:\Windows\system32\PresentationSettings.exe
      C:\Windows\system32\PresentationSettings.exe
      1⤵
        PID:2596
      • C:\Users\Admin\AppData\Local\hAv\PresentationSettings.exe
        C:\Users\Admin\AppData\Local\hAv\PresentationSettings.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2616
      • C:\Windows\system32\DisplaySwitch.exe
        C:\Windows\system32\DisplaySwitch.exe
        1⤵
          PID:2404
        • C:\Users\Admin\AppData\Local\snnnt\DisplaySwitch.exe
          C:\Users\Admin\AppData\Local\snnnt\DisplaySwitch.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1736

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\hAv\WINMM.dll
          Filesize

          680KB

          MD5

          4947d24e293553fca2e376537b5ea3e4

          SHA1

          87764e9701fbf02e1ac1979d7ee7a6e78447b32d

          SHA256

          d079cb87e81a05eeb434b570a67aab43aa397dc3287eb27835a6c11e8be15283

          SHA512

          5da71aea4c407bf44d5ddf61d7f224508ccc1ce2a3832e286a2e1a1c27cd19eef5bf99f9f76a92944712d3080d588888ed5f543333103c933d7178159dd6cb90

          Download Submit

        • C:\Users\Admin\AppData\Local\jYHM5\rdpinit.exe
          Filesize

          174KB

          MD5

          664e12e0ea009cc98c2b578ff4983c62

          SHA1

          27b302c0108851ac6cc37e56590dd9074b09c3c9

          SHA256

          00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

          SHA512

          f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

          Download Submit

        • C:\Users\Admin\AppData\Local\jYHM5\slc.dll
          Filesize

          676KB

          MD5

          80f0bf41abfb2094b703acd7acee8987

          SHA1

          d4e17f506be0407e1878b50505ce14118925b5ff

          SHA256

          bacf1e130030cacfd87450f5f55af81ad3a838e02dc2bd6bd8247d6548ec17d0

          SHA512

          a4c2cca78ea60178832b17123c2ccdec55230a8bf4f264c413f52163f52d9ec960b3535732042f77ff83296f0e0972a7fc5e183540c5c52ca514b11865ea1320

          Download Submit

        • C:\Users\Admin\AppData\Local\snnnt\slc.dll
          Filesize

          676KB

          MD5

          bb5086381539ef29a3a64cc6cea7c4ea

          SHA1

          259034d162cb5daef9a738dd8692f10d5d828aa4

          SHA256

          45a450e9e1af3d581d712915580aab1a8fc1cc52301e9d01c6adbd166495bf10

          SHA512

          267ce55bf5412a340d79741aafe91b819278aad84c013e51a5805b7f9199580e527898b1fabe60c0814ef05a174652b6e137c291dc0865ac3b2b155efc0e21a6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk
          Filesize

          1KB

          MD5

          e3441f8e1fe65f4e2e731617cd4151dd

          SHA1

          c78d03b900d7a6a87192564d1c15a7dbdacc5ff5

          SHA256

          aec98797ae312d3856b10fa3058fae65afef9c04e92d067e958c2df398774772

          SHA512

          7c129c0935c34052ebd57bef5197a3dd48229af0c578ec4abd3a37b4d5f52e918577095f6a554716110a1c6b8a63bb981bdae8fad81d9ae9b96582be3fa5eb3f

          Download Submit

        • \Users\Admin\AppData\Local\hAv\PresentationSettings.exe
          Filesize

          172KB

          MD5

          a6f8d318f6041334889481b472000081

          SHA1

          b8cf08ec17b30c8811f2514246fcdff62731dd58

          SHA256

          208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

          SHA512

          60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

          Download Submit

        • \Users\Admin\AppData\Local\snnnt\DisplaySwitch.exe
          Filesize

          517KB

          MD5

          b795e6138e29a37508285fc31e92bd78

          SHA1

          d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

          SHA256

          01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

          SHA512

          8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

          Download Submit

        • memory/1216-27-0x0000000077760000-0x0000000077762000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-24-0x0000000002630000-0x0000000002637000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1216-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-3-0x00000000773C6000-0x00000000773C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-26-0x0000000077730000-0x0000000077732000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-37-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-4-0x0000000002650000-0x0000000002651000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-46-0x00000000773C6000-0x00000000773C7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1216-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1736-88-0x000007FEF66E0000-0x000007FEF6789000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1736-92-0x000007FEF66E0000-0x000007FEF6789000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2124-45-0x000007FEF6D70000-0x000007FEF6E18000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2124-0-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2124-2-0x000007FEF6D70000-0x000007FEF6E18000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2616-71-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2616-72-0x000007FEF66E0000-0x000007FEF678A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2616-76-0x000007FEF66E0000-0x000007FEF678A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2828-59-0x000007FEF6D70000-0x000007FEF6E19000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2828-55-0x000007FEF6D70000-0x000007FEF6E19000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2828-54-0x0000000000320000-0x0000000000327000-memory.dmp

          Filesize

          28KB

          Download