Overview

overview

10

Static

static

6b52c3cded...f4.dll

windows7_x64

10

6b52c3cded...f4.dll

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    26-11-2021 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b52c3cdedbe90056bc1059f944e484e5afbd88a4665ed54e8d6ad94346785f4.dll

  • Size

    1.3MB

  • MD5

    1512aa31502548e90535fb698dcd81e9

  • SHA1

    736f8631610b6f8aa8cdfffc7aa28c7fb3235afd

  • SHA256

    6b52c3cdedbe90056bc1059f944e484e5afbd88a4665ed54e8d6ad94346785f4

  • SHA512

    45ed80a73c180d2569eaf6a7ddce6f9e422bb47b8880a19fc4058a5addea812c2c8d60c4bfe0a5a441253f5aca8922dc2095f8a3ce915de3428ce4f3798b9010

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b52c3cdedbe90056bc1059f944e484e5afbd88a4665ed54e8d6ad94346785f4.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1256
  • C:\Windows\system32\wusa.exe
    C:\Windows\system32\wusa.exe
    1⤵
      PID:808
    • C:\Users\Admin\AppData\Local\qw1yq1Q\wusa.exe
      C:\Users\Admin\AppData\Local\qw1yq1Q\wusa.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:956
    • C:\Windows\system32\UI0Detect.exe
      C:\Windows\system32\UI0Detect.exe
      1⤵
        PID:1084
      • C:\Users\Admin\AppData\Local\GC84Nr\UI0Detect.exe
        C:\Users\Admin\AppData\Local\GC84Nr\UI0Detect.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        PID:1124
      • C:\Windows\system32\consent.exe
        C:\Windows\system32\consent.exe
        1⤵
          PID:996
        • C:\Users\Admin\AppData\Local\btdc\consent.exe
          C:\Users\Admin\AppData\Local\btdc\consent.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1748

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GC84Nr\UI0Detect.exe
          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit
        • C:\Users\Admin\AppData\Local\GC84Nr\WTSAPI32.dll
          MD5

          acfe696a9e377ff18ffa96a011b99974

          SHA1

          1ad74d86f161477d51ceba2f52fe7bc5e344f4db

          SHA256

          d8696826429e54b400e4ab21fe69d0a56240e96957aa1d69d6953b0fde2e1fd4

          SHA512

          277c0d384ff1d0fedee1eb6af673d049708e95a8217446b3fa9a89741c0fc793f99b5ad6d8046c42c1044b707bc19b9619d47edf7758b3330e5938bcdbdfd3dd

          Download Submit
        • C:\Users\Admin\AppData\Local\btdc\WINSTA.dll
          MD5

          14f3b5cdaec25ba6e828196d9d980cde

          SHA1

          8ecc57f3390816dee642572ad715d023f8f7197b

          SHA256

          f126b02ee849e84ba65978ca2df2e8331118c044888f341d9dd61f3e6cabc393

          SHA512

          a0475199ba2fea7d0575ddf38de38f88ae48339292386e410f37492adecd597743e21f6c44251e282b88c0c64bcfb98eb65e58f6e541c6c5a189d5739b51e827

          Download Submit
        • C:\Users\Admin\AppData\Local\btdc\consent.exe
          MD5

          0b5511674394666e9d221f8681b2c2e6

          SHA1

          6e4e720dfc424a12383f0b8194e4477e3bc346dc

          SHA256

          ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

          SHA512

          00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

          Download Submit
        • C:\Users\Admin\AppData\Local\qw1yq1Q\WTSAPI32.dll
          MD5

          01b6bf1d1228ef09bcfb0f6329a7a0ec

          SHA1

          02177fd08dbd5637d883cb952170413f0a8451ca

          SHA256

          b291cf2b528a1af06c09a78701f93760973fa79bcf571eaeb82595496044baec

          SHA512

          95afce916365b248222d5e29797e635da7d2f0c49ce10e660818be882241f43777c816bda55a0cfac376c982e885305fbe31fdccec4dbefbbb9de3f80c3d2c59

          Download Submit
        • C:\Users\Admin\AppData\Local\qw1yq1Q\wusa.exe
          MD5

          c15b3d813f4382ade98f1892350f21c7

          SHA1

          a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

          SHA256

          8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

          SHA512

          6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

          Download Submit
        • \Users\Admin\AppData\Local\GC84Nr\UI0Detect.exe
          MD5

          3cbdec8d06b9968aba702eba076364a1

          SHA1

          6e0fcaccadbdb5e3293aa3523ec1006d92191c58

          SHA256

          b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b

          SHA512

          a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

          Download Submit
        • \Users\Admin\AppData\Local\GC84Nr\WTSAPI32.dll
          MD5

          acfe696a9e377ff18ffa96a011b99974

          SHA1

          1ad74d86f161477d51ceba2f52fe7bc5e344f4db

          SHA256

          d8696826429e54b400e4ab21fe69d0a56240e96957aa1d69d6953b0fde2e1fd4

          SHA512

          277c0d384ff1d0fedee1eb6af673d049708e95a8217446b3fa9a89741c0fc793f99b5ad6d8046c42c1044b707bc19b9619d47edf7758b3330e5938bcdbdfd3dd

          Download Submit
        • \Users\Admin\AppData\Local\btdc\WINSTA.dll
          MD5

          14f3b5cdaec25ba6e828196d9d980cde

          SHA1

          8ecc57f3390816dee642572ad715d023f8f7197b

          SHA256

          f126b02ee849e84ba65978ca2df2e8331118c044888f341d9dd61f3e6cabc393

          SHA512

          a0475199ba2fea7d0575ddf38de38f88ae48339292386e410f37492adecd597743e21f6c44251e282b88c0c64bcfb98eb65e58f6e541c6c5a189d5739b51e827

          Download Submit
        • \Users\Admin\AppData\Local\btdc\consent.exe
          MD5

          0b5511674394666e9d221f8681b2c2e6

          SHA1

          6e4e720dfc424a12383f0b8194e4477e3bc346dc

          SHA256

          ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

          SHA512

          00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

          Download Submit
        • \Users\Admin\AppData\Local\qw1yq1Q\WTSAPI32.dll
          MD5

          01b6bf1d1228ef09bcfb0f6329a7a0ec

          SHA1

          02177fd08dbd5637d883cb952170413f0a8451ca

          SHA256

          b291cf2b528a1af06c09a78701f93760973fa79bcf571eaeb82595496044baec

          SHA512

          95afce916365b248222d5e29797e635da7d2f0c49ce10e660818be882241f43777c816bda55a0cfac376c982e885305fbe31fdccec4dbefbbb9de3f80c3d2c59

          Download Submit
        • \Users\Admin\AppData\Local\qw1yq1Q\wusa.exe
          MD5

          c15b3d813f4382ade98f1892350f21c7

          SHA1

          a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

          SHA256

          8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

          SHA512

          6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

          Download Submit
        • \Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\5PKT6P9F\g3p1p8MUDj\consent.exe
          MD5

          0b5511674394666e9d221f8681b2c2e6

          SHA1

          6e4e720dfc424a12383f0b8194e4477e3bc346dc

          SHA256

          ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

          SHA512

          00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

          Download Submit
        • memory/956-89-0x000007FEF69E0000-0x000007FEF6B29000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/956-88-0x000007FEFBC51000-0x000007FEFBC53000-memory.dmp
          Filesize

          8KB

          Download
        • memory/956-84-0x0000000000000000-mapping.dmp
          Download
        • memory/1124-94-0x0000000000000000-mapping.dmp
          Download
        • memory/1256-59-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1256-55-0x000007FEF69E0000-0x000007FEF6B28000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-74-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-71-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-77-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-61-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-76-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-75-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-73-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-66-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-68-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-70-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-72-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-82-0x0000000077580000-0x0000000077582000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1384-69-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-67-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-63-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-60-0x00000000027D0000-0x00000000027D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1384-65-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-64-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1384-62-0x0000000140000000-0x0000000140148000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1748-108-0x000007FEF69E0000-0x000007FEF6B2A000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1748-103-0x0000000000000000-mapping.dmp
          Download