Overview

overview

10

Static

static

3

123a833c6a...ff.dll

windows7-x64

10

123a833c6a...ff.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2025 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.dll

  • Size

    984KB

  • MD5

    f5e2ec95b6d3d591609351b2c32c15fc

  • SHA1

    56ff4415603201d5367280e88348a56f24e4863b

  • SHA256

    123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff

  • SHA512

    ccd2977e2a21ea3f8c0ca0774f84af450813a9b338dcf31e59ae377f7cca9206e64f7be2e756ead7abcc61114b7d1a20480bec7dca56e6252d264fbc824f6fc0

  • SSDEEP

    24576:yWyoHFMVMKkN3ZvxEhb0IsaQ4KriCo0j6Ijgx:1nuVMK6vx2RsIKNrjE

Score
10/10
dridexbotnetdefense_evasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\123a833c6ad4fefb0e612a93c8bfb2fda9525414b308f18c9d3ea56a5ea37fff.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2508
  • C:\Windows\system32\PresentationHost.exe
    C:\Windows\system32\PresentationHost.exe
    1⤵
      PID:3828
    • C:\Users\Admin\AppData\Local\Q5U\PresentationHost.exe
      C:\Users\Admin\AppData\Local\Q5U\PresentationHost.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:756
    • C:\Windows\system32\Magnify.exe
      C:\Windows\system32\Magnify.exe
      1⤵
        PID:1124
      • C:\Users\Admin\AppData\Local\9GCRQ\Magnify.exe
        C:\Users\Admin\AppData\Local\9GCRQ\Magnify.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1508
      • C:\Windows\system32\PresentationHost.exe
        C:\Windows\system32\PresentationHost.exe
        1⤵
          PID:2612
        • C:\Users\Admin\AppData\Local\NsnfRfP\PresentationHost.exe
          C:\Users\Admin\AppData\Local\NsnfRfP\PresentationHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2380

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9GCRQ\MAGNIFICATION.dll
          Filesize

          984KB

          MD5

          a44ec537ddba1c7460b96e4f56b81fa8

          SHA1

          cf5a9e30c23c7989b5531979add74de9ca992e1e

          SHA256

          8b168c653b9ed516d61c05dba920671efa34c9b400efccbebfe25443b25fc4d3

          SHA512

          23d1366cc471555da699dce0ff1b09863feea86fd6db8f5f1b5489cd5778b760089b56db3e42bd64c662ba0f9a774c2584c90a29eca5da99de570fe20ce72f40

          Download Submit

        • C:\Users\Admin\AppData\Local\9GCRQ\Magnify.exe
          Filesize

          639KB

          MD5

          4029890c147e3b4c6f41dfb5f9834d42

          SHA1

          10d08b3f6dabe8171ca2dd52e5737e3402951c75

          SHA256

          57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

          SHA512

          dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

          Download Submit

        • C:\Users\Admin\AppData\Local\NsnfRfP\VERSION.dll
          Filesize

          984KB

          MD5

          e8f5dd83a1e39ccb5be793e2d66173e0

          SHA1

          1d3ab236d7bec843fc529fd94747fffa51ee3f6b

          SHA256

          6b70a0222c7ea8a3891634446f04d47e3189f6ee3b9ac9449c05e5e4673b8c11

          SHA512

          4673983c8d44eb7c5be61c624453893215353deb30c8d43b77634e6e3650de438ad81f00c04e2c6bf1cf71c31cfec89711f08d8837cbc44b398e5fccc93f0f7e

          Download Submit

        • C:\Users\Admin\AppData\Local\Q5U\PresentationHost.exe
          Filesize

          276KB

          MD5

          ef27d65b92d89e8175e6751a57ed9d93

          SHA1

          7279b58e711b459434f047e9098f9131391c3778

          SHA256

          17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

          SHA512

          40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

          Download Submit

        • C:\Users\Admin\AppData\Local\Q5U\VERSION.dll
          Filesize

          984KB

          MD5

          dc1d69b75f3b2b7cb35964cf78e50e6f

          SHA1

          345d1d28123ae555967ea38aeb65ae0cfe0a9ed9

          SHA256

          1a610162bda785f68a2ba48f682f53a19e30f48dc67d417dc78bf9afab920473

          SHA512

          b101fdec641f4baebb5bbf05e416ced799a06c2744a975ba9eb746efc4f22d3c24d7f74763ade36dcc472ceea09ac09d394caece9663111360cb686519fb50ab

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk
          Filesize

          1KB

          MD5

          b08cededc52b78f12008c49078166472

          SHA1

          071bb5b14547587c41aec5837cec3be2fc04239e

          SHA256

          26afbc2725abeac6c276a9ad6bbdbafb660ef2fd512ba9af7f212005a7d8e421

          SHA512

          e97d88887654cbe6710441e738f287d8929483a2844d0325b1751c7bc7d148dd5c7fa0b194632146d4cd899f573600cc281cba07ccc3093f30f70db781c1e4d6

          Download Submit

        • memory/756-49-0x000001F424B10000-0x000001F424B17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/756-50-0x00007FFFA6840000-0x00007FFFA6936000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1508-67-0x00007FFFA6840000-0x00007FFFA6936000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1508-64-0x0000025E271C0000-0x0000025E271C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2380-83-0x00007FFFA6840000-0x00007FFFA6936000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2508-0-0x0000014D91A90000-0x0000014D91A97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2508-14-0x00007FFFA6840000-0x00007FFFA6936000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2508-1-0x00007FFFA6840000-0x00007FFFA6936000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-35-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-9-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-15-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-13-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-12-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-11-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-10-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-33-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-8-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-16-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-23-0x0000000001030000-0x0000000001037000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3568-24-0x00007FFFB51C0000-0x00007FFFB51D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3568-22-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-7-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3568-4-0x00007FFFB395A000-0x00007FFFB395B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3568-5-0x0000000001050000-0x0000000001051000-memory.dmp

          Filesize

          4KB

          Download