Overview

overview

10

Static

static

3

c6ce1e919d...e3.dll

windows7-x64

10

c6ce1e919d...e3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-10-2024 19:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6ce1e919d846871e82fefd5a57f6a7af4a5e729ee1b9c0f67d4fd71807ef7e3.dll

  • Size

    684KB

  • MD5

    906ed4f1c15ea3e6cf8d3bc271ba5d07

  • SHA1

    897965a6c69be2b105847ee4ab1ca5d704eb53a4

  • SHA256

    c6ce1e919d846871e82fefd5a57f6a7af4a5e729ee1b9c0f67d4fd71807ef7e3

  • SHA512

    c498880b98d3b4cbc67c0784a2b80426f937ce7f6160f460b01b69b3d2e6cb3e2545fd50ecfd3eefbf3df960e3489dfb2c1c536fad1d32f8e65e6b54925a0061

  • SSDEEP

    12288:bfndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:zdAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6ce1e919d846871e82fefd5a57f6a7af4a5e729ee1b9c0f67d4fd71807ef7e3.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3948
  • C:\Windows\system32\msconfig.exe
    C:\Windows\system32\msconfig.exe
    1⤵
      PID:840
    • C:\Users\Admin\AppData\Local\d6vwtkMUn\msconfig.exe
      C:\Users\Admin\AppData\Local\d6vwtkMUn\msconfig.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:216
    • C:\Windows\system32\Netplwiz.exe
      C:\Windows\system32\Netplwiz.exe
      1⤵
        PID:1828
      • C:\Users\Admin\AppData\Local\jGgkdkG\Netplwiz.exe
        C:\Users\Admin\AppData\Local\jGgkdkG\Netplwiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3492
      • C:\Windows\system32\mblctr.exe
        C:\Windows\system32\mblctr.exe
        1⤵
          PID:3740
        • C:\Users\Admin\AppData\Local\kLYxvZ\mblctr.exe
          C:\Users\Admin\AppData\Local\kLYxvZ\mblctr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4284

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\d6vwtkMUn\MFC42u.dll
          Filesize

          712KB

          MD5

          5814d12a361cae4105742e470ee0ee90

          SHA1

          54dd431993c3ee7f6d1c957ff31d10adddae49ce

          SHA256

          c72ba0dfb481759e8021564639f494e84d86e32f79c4557d84a7c6b276d2901c

          SHA512

          7e3770ff682c6eb1dc07c655fc58ec27552b3c814e51b65ec6dcd3491bd71ee185ab4a51968c97e4d176f14771fdf51cff6331bceb474ccc5c412cfe29a6994d

          Download Submit

        • C:\Users\Admin\AppData\Local\d6vwtkMUn\msconfig.exe
          Filesize

          193KB

          MD5

          39009536cafe30c6ef2501fe46c9df5e

          SHA1

          6ff7b4d30f31186de899665c704a105227704b72

          SHA256

          93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

          SHA512

          95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

          Download Submit

        • C:\Users\Admin\AppData\Local\jGgkdkG\NETPLWIZ.dll
          Filesize

          688KB

          MD5

          a9f1425c2dcf354bc740a51cb895cf6c

          SHA1

          e73f754c61c4d19980f3d1382fe0053326eeef3f

          SHA256

          31d6f7fd2d912ba793062a6c3267ee0844605420aaf6efe768923591bf36f5a9

          SHA512

          eee24bf1dc61d5631e7a57f87a17947ffa354a1e85174c96dd59ff18a67bb9fafad580b731b4d739edeb7ef482a9e9b01dfd1a75da27ace6a7eb4c27c60f505d

          Download Submit

        • C:\Users\Admin\AppData\Local\jGgkdkG\Netplwiz.exe
          Filesize

          40KB

          MD5

          520a7b7065dcb406d7eca847b81fd4ec

          SHA1

          d1b3b046a456630f65d482ff856c71dfd2f335c8

          SHA256

          8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

          SHA512

          7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

          Download Submit

        • C:\Users\Admin\AppData\Local\kLYxvZ\UxTheme.dll
          Filesize

          688KB

          MD5

          7e84e6caf547e0e23a10dc121990f380

          SHA1

          85c4474415857a5905c876bbb6c57b89e8ffe8a1

          SHA256

          75b48fcc5865e747767bf1dcaaec8bec9886cc8d88daf1ada4dc386dd109b4c9

          SHA512

          29344cecfd228d1c60b59ae8d171399b62f29751458cc20c7457184bd20739c08887df1dafe0e1b77dcac9ba0140e35e8b4cc8a69bb0e58d9bc8771742db4de3

          Download Submit

        • C:\Users\Admin\AppData\Local\kLYxvZ\mblctr.exe
          Filesize

          790KB

          MD5

          d3db14eabb2679e08020bcd0c96fa9f6

          SHA1

          578dca7aad29409634064579d269e61e1f07d9dd

          SHA256

          3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

          SHA512

          14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk
          Filesize

          1KB

          MD5

          e75cfe29c91e70ed2425e821ce262b15

          SHA1

          1ca9bf793f87439276bc531009abd5dd032bc79f

          SHA256

          fd250b13889607eee30dcfeb1288a84f95a594092c3016204e8c240a820774ec

          SHA512

          3e46d12286cebae693ee1c87cdca9eb67d598ebc706d66c63cc62bbc99a3768fd9ace506b9a69dbf8334e4e41c3268b8b6850907507d6258ced1c4dfd680f24b

          Download Submit

        • memory/216-44-0x000001D1830C0000-0x000001D1830C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/216-45-0x0000000140000000-0x00000001400B2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/216-49-0x0000000140000000-0x00000001400B2000-memory.dmp

          Filesize

          712KB

          Download

        • memory/3376-24-0x00007FFD85840000-0x00007FFD85850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-12-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-11-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-10-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-9-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-8-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-7-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-35-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-4-0x0000000007760000-0x0000000007761000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3376-14-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-23-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-3-0x00007FFD8482A000-0x00007FFD8482B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3376-25-0x00007FFD85830000-0x00007FFD85840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3376-22-0x0000000002E10000-0x0000000002E17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3376-13-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3376-6-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3492-61-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3492-65-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download

        • memory/3492-60-0x00000233CBF10000-0x00000233CBF17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3948-1-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3948-37-0x0000000140000000-0x00000001400AB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/3948-0-0x0000026CC0C40000-0x0000026CC0C47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4284-80-0x0000000140000000-0x00000001400AC000-memory.dmp

          Filesize

          688KB

          Download