Overview

overview

10

Static

static

3

6dbd1df545...76.dll

windows7-x64

10

6dbd1df545...76.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll

  • Size

    724KB

  • MD5

    6a6345e39d25621d971721a635aa86e5

  • SHA1

    36c3b301d60b34ebe4b206e1660d496f991a9a1d

  • SHA256

    6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176

  • SHA512

    1b7cfcb8d052928407cc38126c7001140ed77f07c2162ef79128fef40bc3aea42b38ede6412b9c60e361a6a29cabdcc43d38cdbd83b5191d63d0296f3dde22ee

  • SSDEEP

    12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1892
  • C:\Windows\system32\irftp.exe
    C:\Windows\system32\irftp.exe
    1⤵
      PID:2576
    • C:\Users\Admin\AppData\Local\7ezR\irftp.exe
      C:\Users\Admin\AppData\Local\7ezR\irftp.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1644
    • C:\Windows\system32\tcmsetup.exe
      C:\Windows\system32\tcmsetup.exe
      1⤵
        PID:840
      • C:\Users\Admin\AppData\Local\44KoeDto\tcmsetup.exe
        C:\Users\Admin\AppData\Local\44KoeDto\tcmsetup.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2216
      • C:\Windows\system32\SystemPropertiesProtection.exe
        C:\Windows\system32\SystemPropertiesProtection.exe
        1⤵
          PID:2864
        • C:\Users\Admin\AppData\Local\lrUSS9Ss\SystemPropertiesProtection.exe
          C:\Users\Admin\AppData\Local\lrUSS9Ss\SystemPropertiesProtection.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2268

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\44KoeDto\TAPI32.dll
          Filesize

          732KB

          MD5

          be2a069dc6c22df2ab37e000c5ad2f10

          SHA1

          bcda592b28f32476ea87e23c396eab39a6cf3415

          SHA256

          6ec8e9b11c719c660fd8a8c46ed422abfd7280fcc8c50a787aa3938762101558

          SHA512

          57ba5fc4ac650ab65eb5b487e00e1a091832d69079eb9ebbe68e1b8223554bce3d126c6a0abf2d6cc1129c2399d7e0937d6eb448b098aad0b78a2737f605f1b5

          Download Submit

        • C:\Users\Admin\AppData\Local\7ezR\WTSAPI32.dll
          Filesize

          728KB

          MD5

          d2c235c2d8589e7fb33a2bc4d66f2f95

          SHA1

          18822bf0e016841621c2b2880a417d279173bc61

          SHA256

          ec907b62fae2174ded7ec7b2581182fa98c453becb5dd89a2b56acced8ae78cd

          SHA512

          1383143269a047f5d846a459a59bcd0c9fa8ca2ecbe620b6d5bbda0839bcc7d4adb2f4f04aa34f34c1fafb4e0609396d14b9b414dffb83306926a98fcd2c20ee

          Download Submit

        • C:\Users\Admin\AppData\Local\lrUSS9Ss\SYSDM.CPL
          Filesize

          728KB

          MD5

          a24b6da79639ec25315573d5b98804a0

          SHA1

          a393f09ea8eee4dc13ab7ca8df8c862897b99c4c

          SHA256

          a0919302126e718abae04f9989282e9ce64c523274a62b00e0a98343f0d02400

          SHA512

          a6c3a91e986b6aecd06f3e7e300fb8bba615031fc395bc90943357f83fd43cee22c392ac18f51d3c98c513a1a4aa8109d81e6bc3a7110dfa8c0ea5cc7be4c3e5

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          6982b0f15433d6bd30ee28949e0ede35

          SHA1

          d0bcbe67cb315c42bf200da507451893c3a526eb

          SHA256

          7695b114b9daeb6b4e2a24ccae64ced5c6337dc14917f5eafc048549288c9adf

          SHA512

          6a57bb75cc235226a0f7efa7dd5dfa85c354c53c5d9cddcbdb8b7a18252afb47c8b9f2b893afe81ed17215f6e7d59eb135756ecf10fe409c693fe4b8fb98088b

          Download Submit

        • \Users\Admin\AppData\Local\44KoeDto\tcmsetup.exe
          Filesize

          15KB

          MD5

          0b08315da0da7f9f472fbab510bfe7b8

          SHA1

          33ba48fd980216becc532466a5ff8476bec0b31c

          SHA256

          e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

          SHA512

          c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

          Download Submit

        • \Users\Admin\AppData\Local\7ezR\irftp.exe
          Filesize

          192KB

          MD5

          0cae1fb725c56d260bfd6feba7ae9a75

          SHA1

          102ac676a1de3ec3d56401f8efd518c31c8b0b80

          SHA256

          312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

          SHA512

          db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

          Download Submit

        • \Users\Admin\AppData\Local\lrUSS9Ss\SystemPropertiesProtection.exe
          Filesize

          80KB

          MD5

          05138d8f952d3fff1362f7c50158bc38

          SHA1

          780bc59fcddf06a7494d09771b8340acffdcc720

          SHA256

          753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

          SHA512

          27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

          Download Submit

        • memory/1260-13-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-15-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-3-0x0000000076D36000-0x0000000076D37000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1260-12-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-11-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-10-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-8-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-7-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-24-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-25-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1260-26-0x0000000076FD0000-0x0000000076FD2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1260-35-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-36-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-4-0x00000000031F0000-0x00000000031F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1260-45-0x0000000076D36000-0x0000000076D37000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1260-23-0x00000000030D0000-0x00000000030D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1260-14-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-6-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1260-9-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1644-58-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/1644-54-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/1644-53-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1892-44-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1892-0-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/1892-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2216-70-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2216-71-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

          Download

        • memory/2216-75-0x0000000140000000-0x00000001400B7000-memory.dmp

          Filesize

          732KB

          Download

        • memory/2268-91-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download