Overview

overview

10

Static

static

3

c6ce1e919d...e3.dll

windows7-x64

10

c6ce1e919d...e3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-10-2024 19:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6ce1e919d846871e82fefd5a57f6a7af4a5e729ee1b9c0f67d4fd71807ef7e3.dll

  • Size

    684KB

  • MD5

    906ed4f1c15ea3e6cf8d3bc271ba5d07

  • SHA1

    897965a6c69be2b105847ee4ab1ca5d704eb53a4

  • SHA256

    c6ce1e919d846871e82fefd5a57f6a7af4a5e729ee1b9c0f67d4fd71807ef7e3

  • SHA512

    c498880b98d3b4cbc67c0784a2b80426f937ce7f6160f460b01b69b3d2e6cb3e2545fd50ecfd3eefbf3df960e3489dfb2c1c536fad1d32f8e65e6b54925a0061

  • SSDEEP

    12288:bfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:zdAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6ce1e919d846871e82fefd5a57f6a7af4a5e729ee1b9c0f67d4fd71807ef7e3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2304
  • C:\Windows\system32\SystemPropertiesRemote.exe
    C:\Windows\system32\SystemPropertiesRemote.exe
    1⤵
      PID:2676
    • C:\Users\Admin\AppData\Local\wbE\SystemPropertiesRemote.exe
      C:\Users\Admin\AppData\Local\wbE\SystemPropertiesRemote.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2928
    • C:\Windows\system32\sethc.exe
      C:\Windows\system32\sethc.exe
      1⤵
        PID:2680
      • C:\Users\Admin\AppData\Local\YLkGm\sethc.exe
        C:\Users\Admin\AppData\Local\YLkGm\sethc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2732
      • C:\Windows\system32\SystemPropertiesAdvanced.exe
        C:\Windows\system32\SystemPropertiesAdvanced.exe
        1⤵
          PID:1552
        • C:\Users\Admin\AppData\Local\Q6f5xd\SystemPropertiesAdvanced.exe
          C:\Users\Admin\AppData\Local\Q6f5xd\SystemPropertiesAdvanced.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2708

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\YLkGm\DUI70.dll
          Filesize

          892KB

          MD5

          3cdf2dd101f92aee8fdf5daf2abaf8f6

          SHA1

          b59f90d001e94275a51d3c47ab0765391a968474

          SHA256

          d1e9e229684b26b7346d0a5dcc56250e692a4bd61abcb2f6d986305794cc0b46

          SHA512

          187950a56d7cc345293cfc51af0089cdd91f2f1fe53c29ef51c492ce54c109d4e67f65b9e944269defa325c1fead1cbb51acfc091be40e28c18763e73f2d00f3

          Download Submit

        • C:\Users\Admin\AppData\Local\wbE\SYSDM.CPL
          Filesize

          688KB

          MD5

          dc8298aec216a64936c29e16607e9776

          SHA1

          9c0b8df75ed81034b89b56fe8f35fe17ab26d409

          SHA256

          739a086e1138ea6aeff9c3c4fc197feaacc904843902fa787f250e7da7305102

          SHA512

          cec55f7130818242bc27512f9bd8dbe7a213f180d0e5fc2e0a2a5d8a47cb7cf07a2b2cedee41f3e581dfa30d157cf54a57b09988a88a04532c1784ce6c15a860

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1KB

          MD5

          d32aae2f5a5e926fa4ed770d69d7c3d0

          SHA1

          277c59e96c2924b6781aa5412e1a0fbb68878e83

          SHA256

          127156e1766330f731f5110e409befbfdbb2601cf93500c2b9c29aa0f0636073

          SHA512

          f9971144e2d112e7b7302ca1a01d9077696de8ba015d7177b8236acb91eb3791c47962b70e98b516fc26255d2a6eec2bfd11b2bdc744faa21cdf9161b757e20d

          Download Submit

        • \Users\Admin\AppData\Local\Q6f5xd\SYSDM.CPL
          Filesize

          688KB

          MD5

          55c6cd716a488614eba5c0c57476bea2

          SHA1

          28b7651fc30e95a131c1031487b2677e7269cb74

          SHA256

          d33b1661adaaaa87b592b0af9fc62f6a1326a598bdf7f05cafc7143b437cf58f

          SHA512

          958d22e3d5acb93e44dfd88efe2d7956aeb4e8c1424a834de5816765bf06a0283ec92ad007f67618a8d0ad9dc61e3fba27ef71a4a57a2962b88e9f743d2b0bfb

          Download Submit

        • \Users\Admin\AppData\Local\Q6f5xd\SystemPropertiesAdvanced.exe
          Filesize

          80KB

          MD5

          25dc1e599591871c074a68708206e734

          SHA1

          27a9dffa92d979d39c07d889fada536c062dac77

          SHA256

          a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

          SHA512

          f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

          Download Submit

        • \Users\Admin\AppData\Local\YLkGm\sethc.exe
          Filesize

          272KB

          MD5

          3bcb70da9b5a2011e01e35ed29a3f3f3

          SHA1

          9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

          SHA256

          dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

          SHA512

          69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

          Download Submit

        • \Users\Admin\AppData\Local\wbE\SystemPropertiesRemote.exe
          Filesize

          80KB

          MD5

          d0d7ac869aa4e179da2cc333f0440d71

          SHA1

          e7b9a58f5bfc1ec321f015641a60978c0c683894

          SHA256

          5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

          SHA512

          1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

          Download Submit

        • memory/1268-25-0x0000000077450000-0x0000000077452000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1268-44-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-14-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-12-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-11-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-10-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-6-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-23-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-24-0x0000000077420000-0x0000000077422000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1268-3-0x00000000770B6000-0x00000000770B7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-34-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-36-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1268-13-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-22-0x0000000002A00000-0x0000000002A07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1268-7-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-9-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/1268-8-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2304-43-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2304-0-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2304-2-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2708-90-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2732-69-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2732-70-0x0000000140000000-0x00000001400DF000-memory.dmp

          Filesize

          892KB

          Download

        • memory/2732-74-0x0000000140000000-0x00000001400DF000-memory.dmp

          Filesize

          892KB

          Download

        • memory/2928-57-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2928-53-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/2928-52-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download