Overview

overview

10

Static

static

3

659fb5a890...af.dll

windows7-x64

10

659fb5a890...af.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 04:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    659fb5a890e7be6cbfe2a20042a83f9032907ea12a549de3aab9c0c79211beaf.dll

  • Size

    944KB

  • MD5

    a4804bb1aba480dec5d7b54e9a82747b

  • SHA1

    69f96371c589b596531fc402aabe99165472904d

  • SHA256

    659fb5a890e7be6cbfe2a20042a83f9032907ea12a549de3aab9c0c79211beaf

  • SHA512

    a2f4980109bd4109a61cc618c5a09772291286c6d5ceefaa180b340a4f57fb49cd8bdfb510710c5293dbe2d2031acfe7575f9b4e42d019078bd2d007058ef37c

  • SSDEEP

    6144:j34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTR:jIKp/UWCZdCDh2IZDwAFRpR6AuvS0K

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\659fb5a890e7be6cbfe2a20042a83f9032907ea12a549de3aab9c0c79211beaf.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1316
  • C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe
    1⤵
      PID:4420
    • C:\Users\Admin\AppData\Local\qpCcK1\psr.exe
      C:\Users\Admin\AppData\Local\qpCcK1\psr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:636
    • C:\Windows\system32\CameraSettingsUIHost.exe
      C:\Windows\system32\CameraSettingsUIHost.exe
      1⤵
        PID:2856
      • C:\Users\Admin\AppData\Local\1sombeXF\CameraSettingsUIHost.exe
        C:\Users\Admin\AppData\Local\1sombeXF\CameraSettingsUIHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1076
      • C:\Windows\system32\CustomShellHost.exe
        C:\Windows\system32\CustomShellHost.exe
        1⤵
          PID:5116
        • C:\Users\Admin\AppData\Local\o3CdxM6\CustomShellHost.exe
          C:\Users\Admin\AppData\Local\o3CdxM6\CustomShellHost.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5032

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\1sombeXF\CameraSettingsUIHost.exe
          Filesize

          31KB

          MD5

          9e98636523a653c7a648f37be229cf69

          SHA1

          bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

          SHA256

          3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

          SHA512

          41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

          Download Submit

        • C:\Users\Admin\AppData\Local\1sombeXF\DUI70.dll
          Filesize

          1.2MB

          MD5

          36dbed5af12723ef5e9fa86125da07a7

          SHA1

          384c4ce7d2d7da24fe893a2ae5a9f8a3182242f3

          SHA256

          2fb778f70bdce876e2f4f6e066896b3898c240d98c3f381dcf9042ad3ba23521

          SHA512

          5d418d95b801a0d0360d6af4490d0ec9dc8f9e48b49610cd1b32798e0c0bdce3311b14b12752be1579ab51af105b1c2af01a58e93239dfa275cf74d1d2eb924f

          Download Submit

        • C:\Users\Admin\AppData\Local\o3CdxM6\CustomShellHost.exe
          Filesize

          835KB

          MD5

          70400e78b71bc8efdd063570428ae531

          SHA1

          cd86ecd008914fdd0389ac2dc00fe92d87746096

          SHA256

          91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

          SHA512

          53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

          Download Submit

        • C:\Users\Admin\AppData\Local\o3CdxM6\WTSAPI32.dll
          Filesize

          948KB

          MD5

          99cf674d173906bf53f74cd5979f3038

          SHA1

          142771ee9b4ab5d9008a73d2a86f2681c53e5685

          SHA256

          af110655a586284a05321cff872cc9ec885e3dd1d3aa68407e49d1a4a209004c

          SHA512

          a6e6ae3c44454cd89b218c4d1f28aedab6b8f8c1873607ab4961bff6c1ad14338291b1be84873855a0904bf017485e30e2b30254476223bd82214bb404f66d04

          Download Submit

        • C:\Users\Admin\AppData\Local\qpCcK1\VERSION.dll
          Filesize

          948KB

          MD5

          d29049fd05afdde14668b58a2def29be

          SHA1

          e56a414dcce38767cbd5bf21b186d7dd5dba83bb

          SHA256

          a3d8959c9ee7d90ffc8a543b9461e0b7d6181be5657985171c453e4f99267dd2

          SHA512

          19c04e38d7578151fba15a6f0ee4657547543272f74ce73d9b0b933c2f20973b2377a6f0d8ba0d32a003e07f440ca9d36424ce17f262ab9249cd121abc0ef074

          Download Submit

        • C:\Users\Admin\AppData\Local\qpCcK1\psr.exe
          Filesize

          232KB

          MD5

          ad53ead5379985081b7c3f1f357e545a

          SHA1

          6f5aa32c1d15fbf073558fadafd046d97b60184e

          SHA256

          4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

          SHA512

          433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          deefb862e8c29869f0bc7d1e80d767f6

          SHA1

          16c4bf736a016a461b2a4b747976840f583581b8

          SHA256

          33fffd9e8600ce80b78f144f323c499eaf55c91c4323094f4ce49675b498fd3e

          SHA512

          2748258d9c6723dc64fb88e90a9687550a6178935988a764d03efc111612534e9efbe615ed7c54ba4b62d6ffa071e7e4f69a89d9443e73cbf4e1c373321a77b0

          Download Submit

        • memory/636-46-0x00007FFC54210000-0x00007FFC542FD000-memory.dmp

          Filesize

          948KB

          Download

        • memory/636-50-0x00007FFC54210000-0x00007FFC542FD000-memory.dmp

          Filesize

          948KB

          Download

        • memory/636-45-0x000001EEF83B0000-0x000001EEF83B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1076-63-0x0000022566430000-0x0000022566437000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1076-61-0x00007FFC541C0000-0x00007FFC542F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1076-66-0x00007FFC541C0000-0x00007FFC542F2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1316-0-0x0000027241FD0000-0x0000027241FD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1316-38-0x00007FFC633A0000-0x00007FFC6348C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1316-1-0x00007FFC633A0000-0x00007FFC6348C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-15-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-24-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-6-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-35-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-8-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-14-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-10-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-11-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-12-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-7-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-25-0x00007FFC71840000-0x00007FFC71850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3560-26-0x00007FFC71830000-0x00007FFC71840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3560-16-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-23-0x0000000000B40000-0x0000000000B47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3560-13-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-9-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3560-3-0x0000000002E20000-0x0000000002E21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3560-5-0x00007FFC7168A000-0x00007FFC7168B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5032-81-0x00007FFC54210000-0x00007FFC542FD000-memory.dmp

          Filesize

          948KB

          Download