Overview

overview

10

Static

static

3

39c3ba8e5a...be.dll

windows7-x64

10

39c3ba8e5a...be.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39c3ba8e5a0aaf8719fa57d866f02bb2dfae2474a42b6ae346af16a73f92c2be.dll

  • Size

    672KB

  • MD5

    83907ddf64aa95e7da9c6e9758b2610c

  • SHA1

    8c096240c45f1b4c05d8e07a1b5df38615e54aaf

  • SHA256

    39c3ba8e5a0aaf8719fa57d866f02bb2dfae2474a42b6ae346af16a73f92c2be

  • SHA512

    6d7bab6de77969b6f01fa03a95dbf371a0ec03ba0709a4118a71550b126aa7eb1cd55c161a8f898a131da9a10c79730f52c3950073a32d0157c5eea3e9c92688

  • SSDEEP

    6144:E34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:EIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\39c3ba8e5a0aaf8719fa57d866f02bb2dfae2474a42b6ae346af16a73f92c2be.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1968
  • C:\Windows\system32\Utilman.exe
    C:\Windows\system32\Utilman.exe
    1⤵
      PID:2472
    • C:\Users\Admin\AppData\Local\Ka9rRxpn\Utilman.exe
      C:\Users\Admin\AppData\Local\Ka9rRxpn\Utilman.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2720
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      1⤵
        PID:3492
      • C:\Users\Admin\AppData\Local\VWJ8Z\OptionalFeatures.exe
        C:\Users\Admin\AppData\Local\VWJ8Z\OptionalFeatures.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:5088
      • C:\Windows\system32\sppsvc.exe
        C:\Windows\system32\sppsvc.exe
        1⤵
          PID:220
        • C:\Users\Admin\AppData\Local\Z2M4i\sppsvc.exe
          C:\Users\Admin\AppData\Local\Z2M4i\sppsvc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3436

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Ka9rRxpn\DUser.dll
          Filesize

          680KB

          MD5

          c8a929138d104b875b23b02a249b546a

          SHA1

          62b4533637b4edd884fe8fa4ffb2182ce1b8de53

          SHA256

          a9e74e7dbae6033ae1f3b2c9c9bb9fb3ad531f1cc694031a1ecb2324a0cfa52e

          SHA512

          8b7ea71e317676fac72b4415c006ab2207b7973847e2c281faf877d158738e42b728407fe7d3ea3dc10ccb561bdf64e6740a213c7a2b8dec29c9d950551d1e03

          Download Submit

        • C:\Users\Admin\AppData\Local\Ka9rRxpn\Utilman.exe
          Filesize

          123KB

          MD5

          a117edc0e74ab4770acf7f7e86e573f7

          SHA1

          5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

          SHA256

          b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

          SHA512

          72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

          Download Submit

        • C:\Users\Admin\AppData\Local\VWJ8Z\OptionalFeatures.exe
          Filesize

          110KB

          MD5

          d6cd8bef71458804dbc33b88ace56372

          SHA1

          a18b58445be2492c5d37abad69b5aa0d29416a60

          SHA256

          fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

          SHA512

          1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

          Download Submit

        • C:\Users\Admin\AppData\Local\VWJ8Z\appwiz.cpl
          Filesize

          676KB

          MD5

          36c18951b80f65ee0c78283448d1c850

          SHA1

          cad4df328db309004a48b6372dde831e0f16e384

          SHA256

          93bfde3cf06750984e3328e9cbf117953f6dc90642d5a09c9d6764c553271bd0

          SHA512

          218bf3ee011f43a8912627fb4c68dca3edc038fd6d74cfd4d73e88b512c12215690bfb7106610ccc006addf6d7c16e35c56bd8682fb7547a4062a9f63a020a43

          Download Submit

        • C:\Users\Admin\AppData\Local\Z2M4i\XmlLite.dll
          Filesize

          676KB

          MD5

          2c5b9a6ef2cada1cb0d529a2b3ba2e16

          SHA1

          b019621884809cf1a1d0c5520d1e951d0f702044

          SHA256

          87fd767cd22d324fb46d6bf8d91b78389436ab96dc4bfb375484667bbd32986b

          SHA512

          cb61c50e719571e2255e829b759d7db2a61bb5c5858049b4d6dcfd57023b134211de7c86870590d9619ec1c29da5d4c96290145edf78546563a3b478c09e4b3b

          Download Submit

        • C:\Users\Admin\AppData\Local\Z2M4i\sppsvc.exe
          Filesize

          4.4MB

          MD5

          ec6cef0a81f167668e18fa32f1606fce

          SHA1

          6d56837a388ae5573a38a439cee16e6dde5b4de8

          SHA256

          82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8

          SHA512

          f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          02dc0d36ea7adbe8ae9c2867983e1b02

          SHA1

          024e4d4d83cf25153847e8d61d5079188973fa21

          SHA256

          5e60bf18fc223571c17a5fd4dd97939939a6723782fc6c726cd2f72c6ee272a1

          SHA512

          293a99da0532c236a0aa2661b910efc8bc44d6ccfc96bd41ffaa28b7e79e09d6dfc4409025f9f751f4c71040d5194c11aac7f69645d2de055da4bb0e46d31048

          Download Submit

        • memory/1968-1-0x00007FFAC1940000-0x00007FFAC19E8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1968-39-0x00007FFAC1940000-0x00007FFAC19E8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1968-0-0x00000000011E0000-0x00000000011E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2720-51-0x00007FFAB21C0000-0x00007FFAB226A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2720-46-0x00007FFAB21C0000-0x00007FFAB226A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2720-48-0x000001BDEC7D0000-0x000001BDEC7D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3436-82-0x00007FFAB2370000-0x00007FFAB2419000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3476-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-26-0x00007FFACFDA0000-0x00007FFACFDB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3476-27-0x00007FFACFD90000-0x00007FFACFDA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3476-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-24-0x0000000007C50000-0x0000000007C57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3476-17-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-3-0x00007FFACFC2A000-0x00007FFACFC2B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3476-4-0x0000000007C70000-0x0000000007C71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3476-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3476-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/5088-67-0x00007FFAB2370000-0x00007FFAB2419000-memory.dmp

          Filesize

          676KB

          Download

        • memory/5088-63-0x00007FFAB2370000-0x00007FFAB2419000-memory.dmp

          Filesize

          676KB

          Download

        • memory/5088-62-0x00000224E7220000-0x00000224E7227000-memory.dmp

          Filesize

          28KB

          Download