Overview

overview

10

Static

static

3

bbd6d896a5...ca.dll

windows7-x64

10

bbd6d896a5...ca.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca.dll

  • Size

    720KB

  • MD5

    f859e1567e45f47b3b3746c4fb49e3f5

  • SHA1

    e824cabc3b25fe5173ff02fbb4b3e7912bd71a72

  • SHA256

    bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca

  • SHA512

    bc5b15dbe0dbb3f77dca8839123c95e77a2733af33827fc911e24404ab1dd793f04cab91669a075ab7fef7f6fa1d64ef6c8888d642a862c07a90c41ea3ebc29b

  • SSDEEP

    12288:ZqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:ZqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2096
  • C:\Windows\system32\rdpclip.exe
    C:\Windows\system32\rdpclip.exe
    1⤵
      PID:2948
    • C:\Users\Admin\AppData\Local\FX6\rdpclip.exe
      C:\Users\Admin\AppData\Local\FX6\rdpclip.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2748
    • C:\Windows\system32\BdeUISrv.exe
      C:\Windows\system32\BdeUISrv.exe
      1⤵
        PID:2616
      • C:\Users\Admin\AppData\Local\HQnEdT\BdeUISrv.exe
        C:\Users\Admin\AppData\Local\HQnEdT\BdeUISrv.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2632
      • C:\Windows\system32\eudcedit.exe
        C:\Windows\system32\eudcedit.exe
        1⤵
          PID:1492
        • C:\Users\Admin\AppData\Local\G6zX3Xj\eudcedit.exe
          C:\Users\Admin\AppData\Local\G6zX3Xj\eudcedit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1320

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\FX6\rdpclip.exe
          Filesize

          206KB

          MD5

          25d284eb2f12254c001afe9a82575a81

          SHA1

          cf131801fdd5ec92278f9e0ae62050e31c6670a5

          SHA256

          837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

          SHA512

          7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

          Download Submit

        • C:\Users\Admin\AppData\Local\G6zX3Xj\MFC42u.dll
          Filesize

          748KB

          MD5

          692e2690beffab8e4647dd345cae9f32

          SHA1

          0a64c22f1e37a4f819ff01ffaf6ff5e976decfde

          SHA256

          bfb8b0262ff986401bd85214f3d6d5f02c1747fa8fcc4ee5c9fe710708114ac3

          SHA512

          e218714a39b38674ff1385cb59b26651b329a6bade31b673dd4134c15c7baa3aae3de909f48fec9e5d253f2a2d00128b0c9858624b1b7611f5e6fa7e18c07cda

          Download Submit

        • C:\Users\Admin\AppData\Local\HQnEdT\WTSAPI32.dll
          Filesize

          724KB

          MD5

          90bcf6dc6d3dc83120b76e8dcfada772

          SHA1

          df381b38b5f6d4c2848e459bc65cda0ddcb9a41f

          SHA256

          5b67da10e5a9cd2d45204ed85e79ad4d6b5e7ea38816e160feef23157f1d7eff

          SHA512

          95fabb559bd341716f89996a5bdb8da3b235838ab3f09b1291648561a708474f699ed08cfc29e0e40c065574dfc02629bdced8f55a10dca30a319efad756b03b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          e329495a0a2940c59c4009e4972c24c7

          SHA1

          ecc236f4f72564e4308c3f37d94c16eca4b8368b

          SHA256

          06da62b71f9400b25c7495fb6c320b73ff52f81d4c8b6ea6a4ace4b9ff384e82

          SHA512

          70a091375f243298e066472ec53e01ab2e10647089ee7783e33fd84fec0713e3526268ef78c01a573bbdb43cba7c85d46064f521b63a868a4fbd14490c797149

          Download Submit

        • \Users\Admin\AppData\Local\FX6\WINSTA.dll
          Filesize

          728KB

          MD5

          fd176ed6ca5efa21185ccdaa47d6542b

          SHA1

          a5c0e1abadace85ee04f69530c4e68da7f61bc70

          SHA256

          8ba67d4d6f643c90d2f18bbb6ac399cf057d6308ee399b00911a01698f138858

          SHA512

          8b07d1db3e07ca89d445bb3f3bfee4421d7affa9401cee018e4a84a962ddecd136af47cd44d6b5e39d15d907feda874debca6ecc36ad495115600d70c65d597b

          Download Submit

        • \Users\Admin\AppData\Local\G6zX3Xj\eudcedit.exe
          Filesize

          351KB

          MD5

          35e397d6ca8407b86d8a7972f0c90711

          SHA1

          6b39830003906ef82442522d22b80460c03f6082

          SHA256

          1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

          SHA512

          71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

          Download Submit

        • \Users\Admin\AppData\Local\HQnEdT\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit

        • memory/1224-12-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-14-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-3-0x0000000077B96000-0x0000000077B97000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1224-10-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-9-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-8-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-7-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-23-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-25-0x0000000077E30000-0x0000000077E32000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1224-24-0x0000000077E00000-0x0000000077E02000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1224-34-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-35-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-4-0x0000000002540000-0x0000000002541000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1224-44-0x0000000077B96000-0x0000000077B97000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1224-22-0x0000000002520000-0x0000000002527000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1224-13-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-6-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1224-11-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1320-86-0x0000000140000000-0x00000001400BB000-memory.dmp

          Filesize

          748KB

          Download

        • memory/1320-90-0x0000000140000000-0x00000001400BB000-memory.dmp

          Filesize

          748KB

          Download

        • memory/2096-43-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/2096-0-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/2096-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2632-69-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2632-74-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/2632-71-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2748-57-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2748-53-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/2748-52-0x0000000000200000-0x0000000000207000-memory.dmp

          Filesize

          28KB

          Download