Overview

overview

10

Static

static

3

6603627b82...4d.dll

windows7-x64

10

6603627b82...4d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2024 16:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6603627b822e6cddf2cb9cd264d26ebc46790f4ca90c6806e06a4b3c1be6a14d.dll

  • Size

    688KB

  • MD5

    551c56a5dd44632dba1058d26deb2fce

  • SHA1

    f160c54abfeb843c44d85abd9d7eb88519d1c104

  • SHA256

    6603627b822e6cddf2cb9cd264d26ebc46790f4ca90c6806e06a4b3c1be6a14d

  • SHA512

    c72c753caf8cd7f1c9be2cd4776be3175704acbdecb0494cd9734d84fab04f12a1d419954ac1ba985b03ba863a7a946c94b5bfe572eef8c4134e0221f3499160

  • SSDEEP

    12288:bfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:zdAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\6603627b822e6cddf2cb9cd264d26ebc46790f4ca90c6806e06a4b3c1be6a14d.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1168
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    1⤵
      PID:1364
    • C:\Users\Admin\AppData\Local\Uq9s1\SystemPropertiesPerformance.exe
      C:\Users\Admin\AppData\Local\Uq9s1\SystemPropertiesPerformance.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:892
    • C:\Windows\system32\rdpinput.exe
      C:\Windows\system32\rdpinput.exe
      1⤵
        PID:3616
      • C:\Users\Admin\AppData\Local\gI7Z5bFnW\rdpinput.exe
        C:\Users\Admin\AppData\Local\gI7Z5bFnW\rdpinput.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3144
      • C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
        C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
        1⤵
          PID:2744
        • C:\Users\Admin\AppData\Local\QDsM\PasswordOnWakeSettingFlyout.exe
          C:\Users\Admin\AppData\Local\QDsM\PasswordOnWakeSettingFlyout.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2056

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\QDsM\DUI70.dll
          Filesize

          968KB

          MD5

          334b5724a0514745d34715da73c9d1d7

          SHA1

          e89724adbada38eab4625c8609ef7ecb460a6b89

          SHA256

          b46378d718b64cade246eb1df75ce92c90c724b2f32955ac383b3d67f5fd7e3b

          SHA512

          a1bd38ff058ba71d94ab5d3e88bccd8835bfebd7d73f5189125f430fbc145eae9b7423eba54cfc8770e9bae8ced3cb3ba43ae7c7888177d02bc12d4ed18243c0

          Download Submit

        • C:\Users\Admin\AppData\Local\QDsM\PasswordOnWakeSettingFlyout.exe
          Filesize

          44KB

          MD5

          591a98c65f624c52882c2b238d6cd4c4

          SHA1

          c960d08c19d777069cf265dcc281807fbd8502d7

          SHA256

          5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

          SHA512

          1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

          Download Submit

        • C:\Users\Admin\AppData\Local\Uq9s1\SYSDM.CPL
          Filesize

          692KB

          MD5

          ffe7bbb175a87856b62a9772a6ed4792

          SHA1

          e1dde60a522b3bd01cb8a6465c65f239df8c465c

          SHA256

          71ea251ae2015077170d35e58d05772eb46651fbf75951dbf09899978dac8cd5

          SHA512

          38739a1058d3c0ffe5a1eca7b3275dd28ca9d93a93b04503dc0a799f6cb868523a46ecbc83612a376b26b7f21e148fb04320885cdd793387421c288f26dcc9b8

          Download Submit

        • C:\Users\Admin\AppData\Local\Uq9s1\SystemPropertiesPerformance.exe
          Filesize

          82KB

          MD5

          e4fbf7cab8669c7c9cef92205d2f2ffc

          SHA1

          adbfa782b7998720fa85678cc85863b961975e28

          SHA256

          b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

          SHA512

          c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

          Download Submit

        • C:\Users\Admin\AppData\Local\gI7Z5bFnW\WINSTA.dll
          Filesize

          696KB

          MD5

          fa80100422aa92f98f365a160c349a48

          SHA1

          ae808a0c466703f51df909e80bc79ecc23f65892

          SHA256

          0ed2a4b9a8ea882675a18690d79c3a0fcbd5b807fd23a62c364ab2c39d044562

          SHA512

          e80dee6ca4d60f8c406a3a7ea748ed081e698284b029d828a62d29f87aea35786a6a9ba8c132e4bb291cd4a9c5fb8dee5f9e8c2e2154bd41a558c852c6226e4c

          Download Submit

        • C:\Users\Admin\AppData\Local\gI7Z5bFnW\rdpinput.exe
          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          1KB

          MD5

          7cd192232b9cdaabe3850f62c1059cc9

          SHA1

          e9fdd7ce8ae2c73f5e1b1998e3ed041d019927bb

          SHA256

          0273948fbdee72972b2546e3acf7b6231c3f40bec5f4cb563310aec92e29c3f3

          SHA512

          612e92a35da176cafd8695e7072c28da3482c640ecef9d6d38dac03ec3103077fccd0645b0b49ec0247e4bcf145286de817e457e088ac33dfd668a6729adf0cc

          Download Submit

        • memory/892-44-0x000002617F170000-0x000002617F177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/892-45-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/892-49-0x0000000140000000-0x00000001400AD000-memory.dmp

          Filesize

          692KB

          Download

        • memory/1168-0-0x000001CDEF0F0000-0x000001CDEF0F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1168-37-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/1168-1-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2056-76-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/2056-80-0x0000000140000000-0x00000001400F2000-memory.dmp

          Filesize

          968KB

          Download

        • memory/3144-60-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3144-65-0x0000000140000000-0x00000001400AE000-memory.dmp

          Filesize

          696KB

          Download

        • memory/3144-62-0x0000018A4A9B0000-0x0000018A4A9B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3456-25-0x00007FFF04F30000-0x00007FFF04F40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3456-3-0x00000000081E0000-0x00000000081E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-5-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-6-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-8-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-9-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-10-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-23-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-34-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-24-0x00007FFF04F40000-0x00007FFF04F50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3456-11-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-12-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-13-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3456-21-0x00007FFF0465A000-0x00007FFF0465B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-22-0x0000000007A80000-0x0000000007A87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3456-7-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download