Overview

overview

10

Static

static

3

bbd6d896a5...ca.dll

windows7-x64

10

bbd6d896a5...ca.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 17:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca.dll

  • Size

    720KB

  • MD5

    f859e1567e45f47b3b3746c4fb49e3f5

  • SHA1

    e824cabc3b25fe5173ff02fbb4b3e7912bd71a72

  • SHA256

    bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca

  • SHA512

    bc5b15dbe0dbb3f77dca8839123c95e77a2733af33827fc911e24404ab1dd793f04cab91669a075ab7fef7f6fa1d64ef6c8888d642a862c07a90c41ea3ebc29b

  • SSDEEP

    12288:ZqJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:ZqGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbd6d896a535b1e9b382eda903972c62e1aeb045c9fb4057a8aae51feb85eeca.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4636
  • C:\Windows\system32\omadmclient.exe
    C:\Windows\system32\omadmclient.exe
    1⤵
      PID:2104
    • C:\Users\Admin\AppData\Local\yKxui\omadmclient.exe
      C:\Users\Admin\AppData\Local\yKxui\omadmclient.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:804
    • C:\Windows\system32\OptionalFeatures.exe
      C:\Windows\system32\OptionalFeatures.exe
      1⤵
        PID:1280
      • C:\Users\Admin\AppData\Local\oLM60dL\OptionalFeatures.exe
        C:\Users\Admin\AppData\Local\oLM60dL\OptionalFeatures.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1996
      • C:\Windows\system32\consent.exe
        C:\Windows\system32\consent.exe
        1⤵
          PID:2384
        • C:\Users\Admin\AppData\Local\uSHhfla5d\consent.exe
          C:\Users\Admin\AppData\Local\uSHhfla5d\consent.exe
          1⤵
          • Executes dropped EXE
          PID:3640
        • C:\Windows\system32\LockScreenContentServer.exe
          C:\Windows\system32\LockScreenContentServer.exe
          1⤵
            PID:1412
          • C:\Users\Admin\AppData\Local\VoUYT30TE\LockScreenContentServer.exe
            C:\Users\Admin\AppData\Local\VoUYT30TE\LockScreenContentServer.exe
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks whether UAC is enabled
            PID:1108

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\VoUYT30TE\DUser.dll
            Filesize

            728KB

            MD5

            76def423cf911501bb917c954615a70e

            SHA1

            087ab7734b5ebd87fb171151d40d7915931c9eb5

            SHA256

            62af71eca31de1f87e0298b977d8a78b154f53d0ebeb40e704f63f3459585b4e

            SHA512

            e6aedb104bcabc49bc041567e03e0e692b270ace2230a7af3155c74bebcbfa77dbd05ffa24345bd65ac3f2b373e777508f98be953079cbf2512a8c7352057c19

            Download Submit

          • C:\Users\Admin\AppData\Local\VoUYT30TE\LockScreenContentServer.exe
            Filesize

            47KB

            MD5

            a0b7513c98cf46ca2cea3a567fec137c

            SHA1

            2307fc8e3fc620ea3c2fdc6248ad4658479ba995

            SHA256

            cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

            SHA512

            3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

            Download Submit

          • C:\Users\Admin\AppData\Local\oLM60dL\OptionalFeatures.exe
            Filesize

            110KB

            MD5

            d6cd8bef71458804dbc33b88ace56372

            SHA1

            a18b58445be2492c5d37abad69b5aa0d29416a60

            SHA256

            fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8

            SHA512

            1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

            Download Submit

          • C:\Users\Admin\AppData\Local\oLM60dL\appwiz.cpl
            Filesize

            724KB

            MD5

            0852a772c24666e12c8169859b078330

            SHA1

            f873d908b28348fffd5f1a1e2e6c5547095766cb

            SHA256

            6e8faa077f2c86dd78160c546d2506346295a7b367c44fcf9f47de61d2b70e21

            SHA512

            383e40a8ff2cc48b909422a334633ee86203222391f3058409f8f8a07cb4c223c1e4daf53be9764bab855ebf4ff3f568c1b58ee11c0fb95d41f11b32f5c343f5

            Download Submit

          • C:\Users\Admin\AppData\Local\uSHhfla5d\consent.exe
            Filesize

            162KB

            MD5

            6646631ce4ad7128762352da81f3b030

            SHA1

            1095bd4b63360fc2968d75622aa745e5523428ab

            SHA256

            56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64

            SHA512

            1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

            Download Submit

          • C:\Users\Admin\AppData\Local\yKxui\XmlLite.dll
            Filesize

            724KB

            MD5

            c1b6cffd6f9b3eb7823f4f1684974c37

            SHA1

            f4719ad068979cb32f9cc1a00eeee1b05a869633

            SHA256

            147a02d2e8591f8f9476f6326ac8d4b1356464c84b2cf1bd6f2765e4cb13b4d7

            SHA512

            8d1caa7b22c9ed34cf68560359c9ffa7f1e0ef58888c328c9139cd16af548015477510087ffab778728c8c0aeb0192ef8d1af622e33abb52680d5aa61c990f20

            Download Submit

          • C:\Users\Admin\AppData\Local\yKxui\omadmclient.exe
            Filesize

            425KB

            MD5

            8992b5b28a996eb83761dafb24959ab4

            SHA1

            697ecb33b8ff5b0e73ef29ce471153b368b1b729

            SHA256

            e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

            SHA512

            4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

            Download Submit

          • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk
            Filesize

            1KB

            MD5

            1462ff63065d3f7f51509fd3b6a0e833

            SHA1

            b6866523054ec8e0b907db1e73c9c8e9d5736c8b

            SHA256

            d941d6c8ec2a5d459e1fcef450e13f1014264a6d9a7445b7a8d446ba4cfe849d

            SHA512

            4b341c6df787dd5d69a9c13272fe05272b47a250175a30c0e75efad9332bfd6c16b095ce87cd885928cbecdbe1c1ec478d78d27e1d4c386f9ec61a4736a4826c

            Download Submit

          • memory/804-50-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/804-45-0x000001F680FF0000-0x000001F680FF7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/804-46-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/1108-85-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1108-89-0x0000000140000000-0x00000001400B6000-memory.dmp

            Filesize

            728KB

            Download

          • memory/1996-61-0x0000021C146D0000-0x0000021C146D7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/1996-66-0x0000000140000000-0x00000001400B5000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3528-11-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-25-0x00007FFB28690000-0x00007FFB286A0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3528-6-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-5-0x00007FFB284AA000-0x00007FFB284AB000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3528-8-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-9-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-34-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-10-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-24-0x00007FFB286A0000-0x00007FFB286B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3528-7-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-23-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-3-0x0000000003060000-0x0000000003061000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3528-14-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-22-0x0000000002ED0000-0x0000000002ED7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/3528-13-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/3528-12-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/4636-0-0x00000256F5A90000-0x00000256F5A97000-memory.dmp

            Filesize

            28KB

            Download

          • memory/4636-37-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download

          • memory/4636-1-0x0000000140000000-0x00000001400B4000-memory.dmp

            Filesize

            720KB

            Download