Overview

overview

10

Static

static

3

c6bbb76d18...7a.dll

windows7-x64

10

c6bbb76d18...7a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-10-2024 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6bbb76d18634295f6f1d11741f32dd2661592bfdc63904b8fff93c88ae7297a.dll

  • Size

    668KB

  • MD5

    2b74d0db8f4ef0ccf074936ddbcb69e9

  • SHA1

    85ca042ed32308e0ae1666f87808947ec70832e3

  • SHA256

    c6bbb76d18634295f6f1d11741f32dd2661592bfdc63904b8fff93c88ae7297a

  • SHA512

    338f8f7435f69688cabf59cba525e7678ff5b472ff428ff91dc96362baf489eeac0616cf933883ca669df267f46e1c7743004da18c41eaf1b78e187a9e924a40

  • SSDEEP

    6144:S34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT6:SIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c6bbb76d18634295f6f1d11741f32dd2661592bfdc63904b8fff93c88ae7297a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2524
  • C:\Windows\system32\WMPDMC.exe
    C:\Windows\system32\WMPDMC.exe
    1⤵
      PID:4588
    • C:\Users\Admin\AppData\Local\naTiCRpA\WMPDMC.exe
      C:\Users\Admin\AppData\Local\naTiCRpA\WMPDMC.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2920
    • C:\Windows\system32\PresentationHost.exe
      C:\Windows\system32\PresentationHost.exe
      1⤵
        PID:3940
      • C:\Users\Admin\AppData\Local\QE8eVOrtk\PresentationHost.exe
        C:\Users\Admin\AppData\Local\QE8eVOrtk\PresentationHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1068
      • C:\Windows\system32\sessionmsg.exe
        C:\Windows\system32\sessionmsg.exe
        1⤵
          PID:552
        • C:\Users\Admin\AppData\Local\W02jBxDk\sessionmsg.exe
          C:\Users\Admin\AppData\Local\W02jBxDk\sessionmsg.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3456

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\QE8eVOrtk\PresentationHost.exe
          Filesize

          276KB

          MD5

          ef27d65b92d89e8175e6751a57ed9d93

          SHA1

          7279b58e711b459434f047e9098f9131391c3778

          SHA256

          17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

          SHA512

          40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

          Download Submit

        • C:\Users\Admin\AppData\Local\QE8eVOrtk\VERSION.dll
          Filesize

          672KB

          MD5

          c54be3bd05941e86a01a1aaebb61c859

          SHA1

          0a5bdaa19274fd1e0e70a999fb9c4765ecbc9772

          SHA256

          9e2a873e3e3bb557b9c13fa616e6cfe505b9abb504e83c2fab35bfaf28ad85c5

          SHA512

          36c6546b2f08660ff4c40141d1ecd2029d238276177c52397e7a3858192b6293b54915a5ded1453828f65b3daf630b0cd19429ae9241b4936e01a990572a51a5

          Download Submit

        • C:\Users\Admin\AppData\Local\W02jBxDk\DUser.dll
          Filesize

          676KB

          MD5

          23a137d493757b2597356ea2bbaab6da

          SHA1

          4939d98b21abaad3895aac3c83ea22f8438d9b48

          SHA256

          36ad337ab77a9a8eefe7db765092ac55ea3a7fdeea60e463c6243c79dbe233bc

          SHA512

          8998a39c589200e9b047c6c7da420e3276b5625cc5491e3cedebf1bd025cc5bba68ad785d6cb371d947b29ed67948dcfcb373d98818ecbf9d74a85cb3c37e336

          Download Submit

        • C:\Users\Admin\AppData\Local\W02jBxDk\sessionmsg.exe
          Filesize

          85KB

          MD5

          480f710806b68dfe478ca1ec7d7e79cc

          SHA1

          b4fc97fed2dbff9c4874cb65ede7b50699db37cd

          SHA256

          2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

          SHA512

          29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

          Download Submit

        • C:\Users\Admin\AppData\Local\naTiCRpA\UxTheme.dll
          Filesize

          672KB

          MD5

          81079d7168b3ddcf63b647acf0181bc3

          SHA1

          d0b85a2e8749089cce4b11ce7db433cbeb8940c1

          SHA256

          2b6c0a3bcca120d8d45318bbcfaf8f7dafb81d38a162347bb73352bc9d9fce0a

          SHA512

          bc065a60fa973b350a855b2c98ba60f0358e615f57e1ebb6a273b3ffcdfeaf9bbb41fc775c16eb6fa209c1766b9f1d72e650bdf9859467e31f76bca342af0baa

          Download Submit

        • C:\Users\Admin\AppData\Local\naTiCRpA\WMPDMC.exe
          Filesize

          1.5MB

          MD5

          59ce6e554da0a622febce19eb61c4d34

          SHA1

          176a4a410cb97b3d4361d2aea0edbf17e15d04c7

          SHA256

          c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

          SHA512

          e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          0fbdd9881dda5921271b828b91ccfe6f

          SHA1

          8d2b04746375f44385fadcbcc21cd805d325a33a

          SHA256

          1cdbeff6f218a900a14c66a4fca5f45224c703b9f58a53f298fd1eaa44427837

          SHA512

          8836240e1d7ec21c94d10c85f7ad878e2026a8a5349ae37951a36ad18a4ba778366a2d02dec1fd22e586304ed4b777131d1d8132ebed01ed023da4eb9d073cf0

          Download Submit

        • memory/1068-66-0x00007FFE76060000-0x00007FFE76108000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1068-62-0x00007FFE76060000-0x00007FFE76108000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1068-61-0x000001DCC0BA0000-0x000001DCC0BA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2524-38-0x00007FFE867A0000-0x00007FFE86847000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2524-0-0x0000022F9AD90000-0x0000022F9AD97000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2524-1-0x00007FFE867A0000-0x00007FFE86847000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2920-50-0x00007FFE760D0000-0x00007FFE76178000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2920-45-0x000002D3A0E10000-0x000002D3A0E17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2920-46-0x00007FFE760D0000-0x00007FFE76178000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3416-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-26-0x00007FFE947B0000-0x00007FFE947C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3416-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-25-0x00007FFE947C0000-0x00007FFE947D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3416-23-0x0000000006F50000-0x0000000006F57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3416-3-0x00007FFE93F9A000-0x00007FFE93F9B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3416-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3416-4-0x0000000006F70000-0x0000000006F71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3456-81-0x00007FFE75EC0000-0x00007FFE75F69000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3456-77-0x00007FFE75EC0000-0x00007FFE75F69000-memory.dmp

          Filesize

          676KB

          Download