Overview

overview

10

Static

static

1

6712500bb0...6f.dll

windows7-x64

10

6712500bb0...6f.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-03-2023 11:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll

  • Size

    1.0MB

  • MD5

    369638ac700f3c41ebaba447d4048ff8

  • SHA1

    6c50a1abf9dc992e74a73279d40fb1a09368cdfe

  • SHA256

    6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f

  • SHA512

    5f7a1913e83cd443a3339af0a52c04a4de17c67be480646d9bb02c984196a0a1ec3d7419ee88ca12d219af927aad1859c47372e08ba6a7a35ad956d5dc4ce7f5

  • SSDEEP

    12288:ClORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNxWOLPa:GORVEVNmaDznMlqVNE27dJ8J2inNxn

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3776
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    1⤵
      PID:4476
    • C:\Users\Admin\AppData\Local\TYEDL3hV5\EhStorAuthn.exe
      C:\Users\Admin\AppData\Local\TYEDL3hV5\EhStorAuthn.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:764
    • C:\Windows\system32\eudcedit.exe
      C:\Windows\system32\eudcedit.exe
      1⤵
        PID:4184
      • C:\Users\Admin\AppData\Local\d2b2C3\eudcedit.exe
        C:\Users\Admin\AppData\Local\d2b2C3\eudcedit.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4684
      • C:\Windows\system32\dxgiadaptercache.exe
        C:\Windows\system32\dxgiadaptercache.exe
        1⤵
          PID:1692
        • C:\Users\Admin\AppData\Local\tUML\dxgiadaptercache.exe
          C:\Users\Admin\AppData\Local\tUML\dxgiadaptercache.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4692

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\TYEDL3hV5\EhStorAuthn.exe
          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          Download Submit
        • C:\Users\Admin\AppData\Local\TYEDL3hV5\EhStorAuthn.exe
          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          Download Submit
        • C:\Users\Admin\AppData\Local\TYEDL3hV5\UxTheme.dll
          Filesize

          1.0MB

          MD5

          6a40d721b7a8e1eca86b9c536a10cdfa

          SHA1

          ce02db3050c643aea4921b07c595daa030c99ee1

          SHA256

          76f23084351e04a99031cf0d803e16b98402e7e199a8d192a84831cebbcea7c4

          SHA512

          a8a0eea8600468204717eabb7fd9d50898c0de49217497f750d6f27b35a7dc9a75613cc652dc3edcd522e690519fecf945631b44bed554325c660a19ada1ec8c

          Download Submit
        • C:\Users\Admin\AppData\Local\TYEDL3hV5\UxTheme.dll
          Filesize

          1.0MB

          MD5

          6a40d721b7a8e1eca86b9c536a10cdfa

          SHA1

          ce02db3050c643aea4921b07c595daa030c99ee1

          SHA256

          76f23084351e04a99031cf0d803e16b98402e7e199a8d192a84831cebbcea7c4

          SHA512

          a8a0eea8600468204717eabb7fd9d50898c0de49217497f750d6f27b35a7dc9a75613cc652dc3edcd522e690519fecf945631b44bed554325c660a19ada1ec8c

          Download Submit
        • C:\Users\Admin\AppData\Local\d2b2C3\MFC42u.dll
          Filesize

          1.0MB

          MD5

          1435e7ad49cb3b8f3d4edc78cc2b3848

          SHA1

          d573cb5e34897b2a01dccf9a1de4a5984c33c2f0

          SHA256

          6e9e706f0193a031e600b53a6fc27c9ba5f7947e124d39061a5e147a75b0282d

          SHA512

          57dfdbc5ff9f88cb7b7744f08e747d0fda59868932620d5bdf011dbeca850d0261c4322080693b596ee24280292551897e718911ef15e9c425ba7174d944d701

          Download Submit
        • C:\Users\Admin\AppData\Local\d2b2C3\MFC42u.dll
          Filesize

          1.0MB

          MD5

          1435e7ad49cb3b8f3d4edc78cc2b3848

          SHA1

          d573cb5e34897b2a01dccf9a1de4a5984c33c2f0

          SHA256

          6e9e706f0193a031e600b53a6fc27c9ba5f7947e124d39061a5e147a75b0282d

          SHA512

          57dfdbc5ff9f88cb7b7744f08e747d0fda59868932620d5bdf011dbeca850d0261c4322080693b596ee24280292551897e718911ef15e9c425ba7174d944d701

          Download Submit
        • C:\Users\Admin\AppData\Local\d2b2C3\eudcedit.exe
          Filesize

          365KB

          MD5

          a9de6557179d371938fbe52511b551ce

          SHA1

          def460b4028788ded82dc55c36cb0df28599fd5f

          SHA256

          83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

          SHA512

          5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

          Download Submit
        • C:\Users\Admin\AppData\Local\d2b2C3\eudcedit.exe
          Filesize

          365KB

          MD5

          a9de6557179d371938fbe52511b551ce

          SHA1

          def460b4028788ded82dc55c36cb0df28599fd5f

          SHA256

          83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

          SHA512

          5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

          Download Submit
        • C:\Users\Admin\AppData\Local\tUML\dxgi.dll
          Filesize

          1.0MB

          MD5

          720ac67427909230aee08ce88c9f7048

          SHA1

          3c5d4a142433878232b376bd7b868cb64d27f73e

          SHA256

          568450cb5e7632a17bb0d0c9796eb0b3a000cad48eb22e3bef417fbae8d4ee3c

          SHA512

          f6d99ee43406df49901999584a35440035f1fea3828439dc1d29683bd9c88f02201e4e9cf316f957faba41b894a8a41f22abff50031a9c85f2c6e9fe9e291d95

          Download Submit
        • C:\Users\Admin\AppData\Local\tUML\dxgi.dll
          Filesize

          1.0MB

          MD5

          720ac67427909230aee08ce88c9f7048

          SHA1

          3c5d4a142433878232b376bd7b868cb64d27f73e

          SHA256

          568450cb5e7632a17bb0d0c9796eb0b3a000cad48eb22e3bef417fbae8d4ee3c

          SHA512

          f6d99ee43406df49901999584a35440035f1fea3828439dc1d29683bd9c88f02201e4e9cf316f957faba41b894a8a41f22abff50031a9c85f2c6e9fe9e291d95

          Download Submit
        • C:\Users\Admin\AppData\Local\tUML\dxgi.dll
          Filesize

          1.0MB

          MD5

          720ac67427909230aee08ce88c9f7048

          SHA1

          3c5d4a142433878232b376bd7b868cb64d27f73e

          SHA256

          568450cb5e7632a17bb0d0c9796eb0b3a000cad48eb22e3bef417fbae8d4ee3c

          SHA512

          f6d99ee43406df49901999584a35440035f1fea3828439dc1d29683bd9c88f02201e4e9cf316f957faba41b894a8a41f22abff50031a9c85f2c6e9fe9e291d95

          Download Submit
        • C:\Users\Admin\AppData\Local\tUML\dxgiadaptercache.exe
          Filesize

          230KB

          MD5

          e62f89130b7253f7780a862ed9aff294

          SHA1

          b031e64a36e93f95f2061be5b0383069efac2070

          SHA256

          4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

          SHA512

          05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

          Download Submit
        • C:\Users\Admin\AppData\Local\tUML\dxgiadaptercache.exe
          Filesize

          230KB

          MD5

          e62f89130b7253f7780a862ed9aff294

          SHA1

          b031e64a36e93f95f2061be5b0383069efac2070

          SHA256

          4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

          SHA512

          05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\w3KL7zXI9t\MFC42u.dll
          Filesize

          1.0MB

          MD5

          1435e7ad49cb3b8f3d4edc78cc2b3848

          SHA1

          d573cb5e34897b2a01dccf9a1de4a5984c33c2f0

          SHA256

          6e9e706f0193a031e600b53a6fc27c9ba5f7947e124d39061a5e147a75b0282d

          SHA512

          57dfdbc5ff9f88cb7b7744f08e747d0fda59868932620d5bdf011dbeca850d0261c4322080693b596ee24280292551897e718911ef15e9c425ba7174d944d701

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adcmpfyealm.lnk
          Filesize

          1KB

          MD5

          fe97da399015bcb340efa27c13391ca0

          SHA1

          8cbda510da819a1c8d50cd7d398d6582782bf284

          SHA256

          757a5e2586d1ac8f18714f581c2ecc34dd0c53c5d5214cb82eab51bcd1cf1320

          SHA512

          c8c290895f546b84ece9ea42b148bf19f1087050067737fbdd41d673ee7a829243d3eadb6fbdf141ab6560111f5ca5df3c0cdba8e9c4f184eddacebb6598e0d9

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\OpGLolzX\UxTheme.dll
          Filesize

          1.0MB

          MD5

          6a40d721b7a8e1eca86b9c536a10cdfa

          SHA1

          ce02db3050c643aea4921b07c595daa030c99ee1

          SHA256

          76f23084351e04a99031cf0d803e16b98402e7e199a8d192a84831cebbcea7c4

          SHA512

          a8a0eea8600468204717eabb7fd9d50898c0de49217497f750d6f27b35a7dc9a75613cc652dc3edcd522e690519fecf945631b44bed554325c660a19ada1ec8c

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\HV56wr\dxgi.dll
          Filesize

          1.0MB

          MD5

          720ac67427909230aee08ce88c9f7048

          SHA1

          3c5d4a142433878232b376bd7b868cb64d27f73e

          SHA256

          568450cb5e7632a17bb0d0c9796eb0b3a000cad48eb22e3bef417fbae8d4ee3c

          SHA512

          f6d99ee43406df49901999584a35440035f1fea3828439dc1d29683bd9c88f02201e4e9cf316f957faba41b894a8a41f22abff50031a9c85f2c6e9fe9e291d95

          Download Submit
        • memory/764-175-0x00007FFB08BB0000-0x00007FFB08CB6000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/764-178-0x0000021C051D0000-0x0000021C051D7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/764-181-0x00007FFB08BB0000-0x00007FFB08CB6000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-146-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-144-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-168-0x00007FFB269C0000-0x00007FFB269D0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3172-164-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-162-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-153-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-147-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-142-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-137-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3172-145-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-167-0x0000000000E70000-0x0000000000E77000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3172-141-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-139-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3172-143-0x0000000140000000-0x0000000140105000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3776-136-0x000001A781630000-0x000001A781637000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3776-140-0x00007FFB08BB0000-0x00007FFB08CB5000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/3776-133-0x00007FFB08BB0000-0x00007FFB08CB5000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4684-198-0x00007FFB096E0000-0x00007FFB097EC000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4684-195-0x000001C572B80000-0x000001C572B87000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4684-192-0x00007FFB096E0000-0x00007FFB097EC000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4692-210-0x00007FFB096E0000-0x00007FFB097E5000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/4692-213-0x0000019858B20000-0x0000019858B27000-memory.dmp
          Filesize

          28KB

          Download
        • memory/4692-216-0x00007FFB096E0000-0x00007FFB097E5000-memory.dmp
          Filesize

          1.0MB

          Download