Overview

overview

10

Static

static

3

6dbd1df545...76.dll

windows7-x64

10

6dbd1df545...76.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 19:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll

  • Size

    724KB

  • MD5

    6a6345e39d25621d971721a635aa86e5

  • SHA1

    36c3b301d60b34ebe4b206e1660d496f991a9a1d

  • SHA256

    6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176

  • SHA512

    1b7cfcb8d052928407cc38126c7001140ed77f07c2162ef79128fef40bc3aea42b38ede6412b9c60e361a6a29cabdcc43d38cdbd83b5191d63d0296f3dde22ee

  • SSDEEP

    12288:JqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:JqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dbd1df5459b17bb2c9fdb7849e4294657404971ac6495660b29464e4a69e176.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3644
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:4988
    • C:\Users\Admin\AppData\Local\7zfF7p\raserver.exe
      C:\Users\Admin\AppData\Local\7zfF7p\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4392
    • C:\Windows\system32\sethc.exe
      C:\Windows\system32\sethc.exe
      1⤵
        PID:3764
      • C:\Users\Admin\AppData\Local\cZJMZo9\sethc.exe
        C:\Users\Admin\AppData\Local\cZJMZo9\sethc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4396
      • C:\Windows\system32\SysResetErr.exe
        C:\Windows\system32\SysResetErr.exe
        1⤵
          PID:2468
        • C:\Users\Admin\AppData\Local\iuEsP\SysResetErr.exe
          C:\Users\Admin\AppData\Local\iuEsP\SysResetErr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1764

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7zfF7p\WTSAPI32.dll
          Filesize

          728KB

          MD5

          ae9f3633e1c327d82da665e8386b94e9

          SHA1

          ea9d0b12d0d52ae49b557499a83ac1c7ec2351f7

          SHA256

          9d3284db1ec3f38ebc5b2aff9a100d4fd9c6fa6760eca7c79ce1c4f2c3859625

          SHA512

          49b4221a678ff2bea0d273357bcfe55093bdf64b6cc13ebfd6449910d695622a79cf431bd667b6687db59fdc12c463e8c973f1d3fc410628ea9576c9d4871b27

          Download Submit

        • C:\Users\Admin\AppData\Local\7zfF7p\raserver.exe
          Filesize

          132KB

          MD5

          d1841c6ee4ea45794ced131d4b68b60e

          SHA1

          4be6d2116060d7c723ac2d0b5504efe23198ea01

          SHA256

          38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

          SHA512

          d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

          Download Submit

        • C:\Users\Admin\AppData\Local\cZJMZo9\OLEACC.dll
          Filesize

          728KB

          MD5

          f002ebbf18cc32193f3c93546c0ab77e

          SHA1

          d5f820c5eb16e77ac46f5b9e9069a2423340a746

          SHA256

          cb5b99bd96cfeb092ceab513da1206c2b523f00673ad17f5d89fc93c619875c8

          SHA512

          94794f5dab5031175be689ce23283f92179efa2b78272908085179266958a2ed95c3b62bc1bc2e7ef747d09e73560eb8e6f157e555b34d5200acc69b149d5869

          Download Submit

        • C:\Users\Admin\AppData\Local\cZJMZo9\sethc.exe
          Filesize

          104KB

          MD5

          8ba3a9702a3f1799431cad6a290223a6

          SHA1

          9c7dc9b6830297c8f759d1f46c8b36664e26c031

          SHA256

          615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

          SHA512

          680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

          Download Submit

        • C:\Users\Admin\AppData\Local\iuEsP\DUI70.dll
          Filesize

          1004KB

          MD5

          50f7acc87a67ddc16e243f47737af205

          SHA1

          767fbc616cf4c3cb014a052d033196b42df056eb

          SHA256

          b294746a9929bf903c97e73c27aabb5aefffd6490bce3c862c44ae4b0d5fd52e

          SHA512

          04b9101b940297813d537c9b94e2036d4d19f23a50218ba76f0a6fc7015b2fe9babb95a90ce7543e3c6fee6ef20ee8471d1abe523d849542ff5a13b03bab6a37

          Download Submit

        • C:\Users\Admin\AppData\Local\iuEsP\SysResetErr.exe
          Filesize

          41KB

          MD5

          090c6f458d61b7ddbdcfa54e761b8b57

          SHA1

          c5a93e9d6eca4c3842156cc0262933b334113864

          SHA256

          a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

          SHA512

          c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk
          Filesize

          1KB

          MD5

          51652e117d2ffdee2bea60fb6a9fb289

          SHA1

          0fe8bf9a3c162d69268a06bb5996c04aae8d8f85

          SHA256

          2b02f448182263831532a92907ef468710e893361b8d1d30465a6c104611fba6

          SHA512

          e10dea767a1a3a9f7b75f7b40af744916857ca3204328b600e85c604ef2daa0ff1e6a57bdfdcbb1b751dabca88727d6255411a3027a330c2ccf3414358a672c3

          Download Submit

        • memory/1764-81-0x0000000140000000-0x00000001400FB000-memory.dmp

          Filesize

          1004KB

          Download

        • memory/1764-77-0x0000000140000000-0x00000001400FB000-memory.dmp

          Filesize

          1004KB

          Download

        • memory/3536-13-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-35-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-11-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-10-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-9-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-8-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-7-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-12-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-6-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-15-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-3-0x0000000003310000-0x0000000003311000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3536-24-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-25-0x00007FF85AD40000-0x00007FF85AD50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3536-14-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3536-23-0x00000000012F0000-0x00000000012F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3536-5-0x00007FF85A52A000-0x00007FF85A52B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3536-26-0x00007FF85AD30000-0x00007FF85AD40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3644-1-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3644-38-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/3644-2-0x0000014FF8040000-0x0000014FF8047000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4392-47-0x000001D7854B0000-0x000001D7854B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4392-50-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/4392-45-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/4396-66-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/4396-63-0x000001F50A650000-0x000001F50A657000-memory.dmp

          Filesize

          28KB

          Download