Overview

overview

10

Static

static

3

6dbd1df545...76.dll

windows7-x64

10

6dbd1df545...76.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll

  • Size

    724KB

  • MD5

    6a6345e39d25621d971721a635aa86e5

  • SHA1

    36c3b301d60b34ebe4b206e1660d496f991a9a1d

  • SHA256

    6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176

  • SHA512

    1b7cfcb8d052928407cc38126c7001140ed77f07c2162ef79128fef40bc3aea42b38ede6412b9c60e361a6a29cabdcc43d38cdbd83b5191d63d0296f3dde22ee

  • SSDEEP

    12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:788
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe
    1⤵
      PID:4832
    • C:\Users\Admin\AppData\Local\0E34Ki\SystemSettingsAdminFlows.exe
      C:\Users\Admin\AppData\Local\0E34Ki\SystemSettingsAdminFlows.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1980
    • C:\Windows\system32\dccw.exe
      C:\Windows\system32\dccw.exe
      1⤵
        PID:2044
      • C:\Users\Admin\AppData\Local\CT6asCOLO\dccw.exe
        C:\Users\Admin\AppData\Local\CT6asCOLO\dccw.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3560
      • C:\Windows\system32\dpapimig.exe
        C:\Windows\system32\dpapimig.exe
        1⤵
          PID:3172
        • C:\Users\Admin\AppData\Local\N7G7\dpapimig.exe
          C:\Users\Admin\AppData\Local\N7G7\dpapimig.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3160

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0E34Ki\SystemSettingsAdminFlows.exe
          Filesize

          506KB

          MD5

          50adb2c7c145c729b9de8b7cf967dd24

          SHA1

          a31757f08da6f95156777c1132b6d5f1db3d8f30

          SHA256

          a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

          SHA512

          715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

          Download Submit

        • C:\Users\Admin\AppData\Local\0E34Ki\newdev.dll
          Filesize

          728KB

          MD5

          a8d323ed76acf6f6ce35ff0cac761b52

          SHA1

          5feffacf2c7bd333356f1297fe09ae7a1d9f709a

          SHA256

          ba1f1f4aad202ea77fa829856873d1a57b7cf9c2f5bda6da5dd9921bff313c2c

          SHA512

          1e7eeafa04e9a17ab799c7e9b95779095ca9b2eccd0915260d6605a6ef520405cb1840db7ad51520c9cc213e11e93b856267deb36d2bdfe9cac03cb601bd328a

          Download Submit

        • C:\Users\Admin\AppData\Local\CT6asCOLO\dccw.exe
          Filesize

          101KB

          MD5

          cb9374911bf5237179785c739a322c0f

          SHA1

          3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

          SHA256

          f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

          SHA512

          9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

          Download Submit

        • C:\Users\Admin\AppData\Local\CT6asCOLO\mscms.dll
          Filesize

          732KB

          MD5

          92aa1db3d02f3c2926bcba98ea68658d

          SHA1

          e5ac82332415a88fc357e9ee54d4c0db68cf1c75

          SHA256

          cc850eb11ecc6e3583f6a4fc8cd7f31d5dede0c1eea1fba1d696a4fd7864645a

          SHA512

          df8b3229335af32e736913cc77ba51fe2e2a4b4b3dbd7dee026215da333e7555abefa427947ff2cb0454001aab6e6175787c60c108ccb5b4c928ade3826bc270

          Download Submit

        • C:\Users\Admin\AppData\Local\N7G7\DUI70.dll
          Filesize

          1004KB

          MD5

          36aacecf00d46356862990204e56b851

          SHA1

          85db5568707b5201ba97b5aa1915d1b5dcb47552

          SHA256

          528888912375b53078e075bb732b2ad6bc91d48f7e819aa0b06c9a997bf4423a

          SHA512

          c0578fd6fea0f7bde0d08657b8fb5766fb00f015bb4bb8852b4cdf3c1a6b4999c537518c07739f747037b9f02cfbb108d8f5516f2f479323bafd8b965db7d304

          Download Submit

        • C:\Users\Admin\AppData\Local\N7G7\dpapimig.exe
          Filesize

          76KB

          MD5

          b6d6477a0c90a81624c6a8548026b4d0

          SHA1

          e6eac6941d27f76bbd306c2938c0a962dbf1ced1

          SHA256

          a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

          SHA512

          72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk
          Filesize

          1KB

          MD5

          0f5bbc55c4bb4bf799ef94814eb7b0cd

          SHA1

          ea1bf5d73ad3d488fb4ea576ceabb968a412cafb

          SHA256

          137af014f3fac6bd2fe2854511f36d1d31dc6d283282fa9588f86ee2f1469d57

          SHA512

          219d789528daa13d786dd4b52742366949b68549c476e72d9014a9020187b8ec89aa69cf5260b6872770c3fcf18a5273d1d8631af493e364888f0a24817919ae

          Download Submit

        • memory/788-38-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/788-0-0x000002635F980000-0x000002635F987000-memory.dmp

          Filesize

          28KB

          Download

        • memory/788-1-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1980-50-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/1980-45-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/1980-47-0x0000024BCBFB0000-0x0000024BCBFB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3160-77-0x0000000140000000-0x00000001400FB000-memory.dmp

          Filesize

          1004KB

          Download

        • memory/3160-81-0x0000000140000000-0x00000001400FB000-memory.dmp

          Filesize

          1004KB

          Download

        • memory/3520-24-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-25-0x00007FFB709C0000-0x00007FFB709D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-6-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-35-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-26-0x00007FFB709B0000-0x00007FFB709C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-15-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-4-0x00000000033A0000-0x00000000033A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-3-0x00007FFB6FAFA000-0x00007FFB6FAFB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3520-23-0x0000000002D30000-0x0000000002D37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3560-66-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

          Download

        • memory/3560-61-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

          Download

        • memory/3560-63-0x000001B573D10000-0x000001B573D17000-memory.dmp

          Filesize

          28KB

          Download