Overview

overview

10

Static

static

3

6e00c66fc1...2e.dll

windows7-x64

10

6e00c66fc1...2e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 03:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e00c66fc1b25613485d0e05cf9ba5df425c26529072dc9cf040ee5061b24d2e.dll

  • Size

    668KB

  • MD5

    c3d17f1d13f9abf90498dd0124f5b116

  • SHA1

    602a31d2909146fa0046ee1edf1c3a79ffb1a8f1

  • SHA256

    6e00c66fc1b25613485d0e05cf9ba5df425c26529072dc9cf040ee5061b24d2e

  • SHA512

    f4007128d563482dd03f34c720d3058668313a8613962d333052656b24b6735a5727dd1a49d9a1a5af9cef0381c77eb527fb366d444177c445f9f4e4fd1c4f12

  • SSDEEP

    6144:A34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:AIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e00c66fc1b25613485d0e05cf9ba5df425c26529072dc9cf040ee5061b24d2e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2624
  • C:\Windows\system32\msra.exe
    C:\Windows\system32\msra.exe
    1⤵
      PID:2428
    • C:\Users\Admin\AppData\Local\0FxXSDfTr\msra.exe
      C:\Users\Admin\AppData\Local\0FxXSDfTr\msra.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2980
    • C:\Windows\system32\RdpSa.exe
      C:\Windows\system32\RdpSa.exe
      1⤵
        PID:3928
      • C:\Users\Admin\AppData\Local\x8OUnS\RdpSa.exe
        C:\Users\Admin\AppData\Local\x8OUnS\RdpSa.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2112
      • C:\Windows\system32\osk.exe
        C:\Windows\system32\osk.exe
        1⤵
          PID:4716
        • C:\Users\Admin\AppData\Local\L65hC8B\osk.exe
          C:\Users\Admin\AppData\Local\L65hC8B\osk.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1496

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0FxXSDfTr\NDFAPI.DLL
          Filesize

          672KB

          MD5

          7c34ccc96f61f6483fb3f235703b86f9

          SHA1

          273a5cd63c16131c0dc8472a186b15f1706de02e

          SHA256

          748d4b9be5574fa520915838e03f02dc26746c1d95b88f3be7323da5458719cc

          SHA512

          8017294cc26ddb440cfa464083aef26d25478d2b96cbbd2eccf734cf1bfcede8b33652c8260f8ad03496d6e9c9fe721293e549677b0cf53dbda6d454b952b43c

          Download Submit

        • C:\Users\Admin\AppData\Local\0FxXSDfTr\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Local\L65hC8B\DUI70.dll
          Filesize

          948KB

          MD5

          3a18762164665041208f92f9af10f066

          SHA1

          03e757dc3916a0467e64ccf064e9d29ba4c1c27f

          SHA256

          efdfde80f2367aed74fa43a3a3ad9a273e7ab7a04c7f9e1494a3d087bb53ce76

          SHA512

          10a147017727c25cb14c9469a359402a7dcf1fd91d3d6bb858090e8de5e40ef79388800660f055c73da8d41bff0203a20ee6aa7321018bbfdd46ee4b2f367e7f

          Download Submit

        • C:\Users\Admin\AppData\Local\L65hC8B\osk.exe
          Filesize

          638KB

          MD5

          745f2df5beed97b8c751df83938cb418

          SHA1

          2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

          SHA256

          f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

          SHA512

          2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

          Download Submit

        • C:\Users\Admin\AppData\Local\x8OUnS\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\x8OUnS\WINSTA.dll
          Filesize

          676KB

          MD5

          1174ba4c489e8ff1c993df46ecabe26f

          SHA1

          a5c834886e7c95a5125d6a35bdffb6e228909dba

          SHA256

          da395ee58d4f85faba3c686d138780e70bd376e3d0d6c58426d220b258419c8f

          SHA512

          907c0a148bdf5e4fbab70d5f5d35da97ee47ebf0d069b40f2dfeef6ffe958ec9c9d7fee796ea29ed4388672c2ea6c42c9dbb8716c8f8b67d724e835af0958e7c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          39de521599a94292980d0eff1270a19d

          SHA1

          a9be6b1bcb8f8083ffb6267512bd2f905a9e7f1a

          SHA256

          e8f6712862fedf34e32352b4796b3f1984778bfe0ab1b1499faf370c6e142b6b

          SHA512

          04cdef2e6389ec47f7400c96986b85e4b64d1c5d2fa7c977f63f49ced582fd3fd8ed8c95a1b04ab33547389f766878ef00e075e1e739bb8ddc706a6ae7fd4632

          Download Submit

        • memory/1496-77-0x00007FFEB34F0000-0x00007FFEB35DD000-memory.dmp

          Filesize

          948KB

          Download

        • memory/1496-81-0x00007FFEB34F0000-0x00007FFEB35DD000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2112-61-0x00007FFEB4C30000-0x00007FFEB4CD9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2112-63-0x000001FEF49D0000-0x000001FEF49D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2112-66-0x00007FFEB4C30000-0x00007FFEB4CD9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2624-0-0x000001BB764F0000-0x000001BB764F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2624-38-0x00007FFEC2650000-0x00007FFEC26F7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2624-1-0x00007FFEC2650000-0x00007FFEC26F7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2980-50-0x00007FFEB4C30000-0x00007FFEB4CD8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2980-45-0x00007FFEB4C30000-0x00007FFEB4CD8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2980-47-0x000002958F040000-0x000002958F047000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3428-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-25-0x00007FFED1CE0000-0x00007FFED1CF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3428-26-0x00007FFED1CD0000-0x00007FFED1CE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3428-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-23-0x0000000001160000-0x0000000001167000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3428-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3428-3-0x0000000002B70000-0x0000000002B71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3428-5-0x00007FFED07EA000-0x00007FFED07EB000-memory.dmp

          Filesize

          4KB

          Download