Overview

overview

10

Static

static

3

6dbd1df545...76.dll

windows7-x64

10

6dbd1df545...76.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll

  • Size

    724KB

  • MD5

    6a6345e39d25621d971721a635aa86e5

  • SHA1

    36c3b301d60b34ebe4b206e1660d496f991a9a1d

  • SHA256

    6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176

  • SHA512

    1b7cfcb8d052928407cc38126c7001140ed77f07c2162ef79128fef40bc3aea42b38ede6412b9c60e361a6a29cabdcc43d38cdbd83b5191d63d0296f3dde22ee

  • SSDEEP

    12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1032
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    1⤵
      PID:2588
    • C:\Users\Admin\AppData\Local\MSkEz\rdpinit.exe
      C:\Users\Admin\AppData\Local\MSkEz\rdpinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:3052
    • C:\Windows\system32\msdt.exe
      C:\Windows\system32\msdt.exe
      1⤵
        PID:2536
      • C:\Users\Admin\AppData\Local\XZinBh3\msdt.exe
        C:\Users\Admin\AppData\Local\XZinBh3\msdt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2668
      • C:\Windows\system32\msinfo32.exe
        C:\Windows\system32\msinfo32.exe
        1⤵
          PID:2976
        • C:\Users\Admin\AppData\Local\qLJNw7u3F\msinfo32.exe
          C:\Users\Admin\AppData\Local\qLJNw7u3F\msinfo32.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2692

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\qLJNw7u3F\MFC42u.dll
          Filesize

          752KB

          MD5

          56738cbfad0a93313507360c216b353a

          SHA1

          c281ad4c5b17f877dc8cc81981158cd576914261

          SHA256

          2799c8cdeff985787e64bee1fbb1d9feb2ab18df2a30ad7c625627a9e8482ff4

          SHA512

          9c29877de01c627cc9caebbe4dc0520df3f1a68a7f55f4bf48e5057ff00d6972d4e65e0d8a7e76c2a39da5b89e60cf14f6b61bef88e95bdc3d3c2d4490358dfa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1012B

          MD5

          801abbc974231e02504be7ecae1140b8

          SHA1

          51399a9716fc057cb678e417e4a3114782826bbe

          SHA256

          959885c9eebd93ced8aa67d647b1f83cc9172d37b8f6cb270103d3f72281c39b

          SHA512

          60237b4f92743f6fd767043456ba9b5a613bc9d98516c2f5b04d93cb94c162c266d3b8dd1bf5ef875648d660e584e5e6e592f398ea992697b361a66632334071

          Download Submit

        • \Users\Admin\AppData\Local\MSkEz\rdpinit.exe
          Filesize

          174KB

          MD5

          664e12e0ea009cc98c2b578ff4983c62

          SHA1

          27b302c0108851ac6cc37e56590dd9074b09c3c9

          SHA256

          00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

          SHA512

          f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

          Download Submit

        • \Users\Admin\AppData\Local\MSkEz\slc.dll
          Filesize

          728KB

          MD5

          8698ac6f1fd71badb074a93662c249cf

          SHA1

          ddebe7c9eeaa034d8247bec2ab5fa6ff92f94709

          SHA256

          b04f3e416766962ebeff722539ba388db8adcbf4cfb8180d10573d205547e3e4

          SHA512

          75c0e5db71f40a2570e24c48b783d13bc2cd1e9fb511c295aeb73f994c3059facd01acf2c3f8f266c611a076127877ba3636485bfe1cfa1d41b2d9b40963c36f

          Download Submit

        • \Users\Admin\AppData\Local\XZinBh3\DUser.dll
          Filesize

          728KB

          MD5

          a42975276538e05d7e2ec89c002c074c

          SHA1

          d8ebaf527e4788428d531710ad10fa329f195ed7

          SHA256

          448b3dc1ecd26f7ec9c0b3619c1a49565fd1fa722be14fea1719fd3f1308f1e3

          SHA512

          10b33618b0b9f6fe2d3caf8edbcc795bfca88cdf870ea569482fdac875048715b58fb144a301ced30207850c19ad5ba667a1b8b93da99db9b7a49a42178877e8

          Download Submit

        • \Users\Admin\AppData\Local\XZinBh3\msdt.exe
          Filesize

          1.0MB

          MD5

          aecb7b09566b1f83f61d5a4b44ae9c7e

          SHA1

          3a4a2338c6b5ac833dc87497e04fe89c5481e289

          SHA256

          fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

          SHA512

          6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

          Download Submit

        • \Users\Admin\AppData\Local\qLJNw7u3F\msinfo32.exe
          Filesize

          370KB

          MD5

          d291620d4c51c5f5ffa62ccdc52c5c13

          SHA1

          2081c97f15b1c2a2eadce366baf3c510da553cc7

          SHA256

          76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

          SHA512

          75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

          Download Submit

        • memory/1032-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1032-0-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1032-44-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-26-0x0000000077AB0000-0x0000000077AB2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-36-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-8-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-24-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-7-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-11-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-10-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-25-0x0000000077A80000-0x0000000077A82000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-35-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-9-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-12-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-45-0x0000000077816000-0x0000000077817000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-13-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-3-0x0000000077816000-0x0000000077817000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-4-0x0000000002A30000-0x0000000002A31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-14-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-6-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1196-23-0x0000000002900000-0x0000000002907000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-15-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2668-73-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2692-86-0x0000000140000000-0x00000001400BC000-memory.dmp

          Filesize

          752KB

          Download

        • memory/2692-90-0x0000000140000000-0x00000001400BC000-memory.dmp

          Filesize

          752KB

          Download

        • memory/3052-58-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/3052-53-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3052-54-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download