Overview

overview

10

Static

static

e123d54b17...ff.dll

windows7_x64

10

e123d54b17...ff.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-04-2022 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e123d54b17c5dba50509d3d0abdd61cf01d27eaf82e7d810351c550f018636ff.dll

  • Size

    881KB

  • MD5

    ef39ac4244c3fc0ee69d71563bcdb993

  • SHA1

    bb3f3706cced11a8140015d587654640cbeb99bb

  • SHA256

    e123d54b17c5dba50509d3d0abdd61cf01d27eaf82e7d810351c550f018636ff

  • SHA512

    11cc5fa8bc6f479bcbaa11332dbf6c47b5bc3d742bfaca8ec52aa929c8857db9bd2de99148006c89695c37b13601ba2e712f48f5d57deff95d36c99ed7fac33e

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e123d54b17c5dba50509d3d0abdd61cf01d27eaf82e7d810351c550f018636ff.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4104
  • C:\Users\Admin\AppData\Local\Ye3ThZ\Utilman.exe
    C:\Users\Admin\AppData\Local\Ye3ThZ\Utilman.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    PID:2256
  • C:\Windows\system32\Utilman.exe
    C:\Windows\system32\Utilman.exe
    1⤵
      PID:2660
    • C:\Users\Admin\AppData\Local\7c8O1A\rdpinit.exe
      C:\Users\Admin\AppData\Local\7c8O1A\rdpinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2424
    • C:\Windows\system32\rdpinit.exe
      C:\Windows\system32\rdpinit.exe
      1⤵
        PID:1196
      • C:\Windows\system32\WindowsActionDialog.exe
        C:\Windows\system32\WindowsActionDialog.exe
        1⤵
          PID:2252
        • C:\Users\Admin\AppData\Local\Jai0png\WindowsActionDialog.exe
          C:\Users\Admin\AppData\Local\Jai0png\WindowsActionDialog.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2772

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\7c8O1A\WTSAPI32.dll
          Filesize

          883KB

          MD5

          ce54f3c4b23f550231e24680916a750e

          SHA1

          3053920c4253869b71c8137f4e3c4dbacf1c365e

          SHA256

          8c2944a97d309b771054ccaf3d639d56bf3cf51d14c991f2505cd8dbf1b3235c

          SHA512

          fc7eb32c1b01b241fbc71d69dce523ccffda7037ab4f9c48ca1a5c1a9d71af2f31b4ab1fa48c6a95a3df61e19ee151a872abb9cf9ca52bf8389bc4eff1903b53

          Download Submit
        • C:\Users\Admin\AppData\Local\7c8O1A\WTSAPI32.dll
          Filesize

          883KB

          MD5

          ce54f3c4b23f550231e24680916a750e

          SHA1

          3053920c4253869b71c8137f4e3c4dbacf1c365e

          SHA256

          8c2944a97d309b771054ccaf3d639d56bf3cf51d14c991f2505cd8dbf1b3235c

          SHA512

          fc7eb32c1b01b241fbc71d69dce523ccffda7037ab4f9c48ca1a5c1a9d71af2f31b4ab1fa48c6a95a3df61e19ee151a872abb9cf9ca52bf8389bc4eff1903b53

          Download Submit
        • C:\Users\Admin\AppData\Local\7c8O1A\rdpinit.exe
          Filesize

          343KB

          MD5

          b0ecd76d99c5f5134aeb52460add6f80

          SHA1

          51462078092c9d6b7fa2b9544ffe0a49eb258106

          SHA256

          51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

          SHA512

          16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

          Download Submit
        • C:\Users\Admin\AppData\Local\Jai0png\DUI70.dll
          Filesize

          1.1MB

          MD5

          4cadc1106061817a8fda38ff0682545a

          SHA1

          7e73dbcb8b29e7aa9459a7af7e283ca73329a7bd

          SHA256

          182146f5b38b507e14d20fc273c02b3e25d7feffcbecf99cdc2b89fcc65a6c1b

          SHA512

          25ce86162d8334f32efd27320f74b87ff89889329d0be36e2f1f6b50f264cb45445cd6ee3e6eeda9b598e837a71d8146dab08610a030d4e879f5d88381ac6e52

          Download Submit
        • C:\Users\Admin\AppData\Local\Jai0png\DUI70.dll
          Filesize

          1.1MB

          MD5

          4cadc1106061817a8fda38ff0682545a

          SHA1

          7e73dbcb8b29e7aa9459a7af7e283ca73329a7bd

          SHA256

          182146f5b38b507e14d20fc273c02b3e25d7feffcbecf99cdc2b89fcc65a6c1b

          SHA512

          25ce86162d8334f32efd27320f74b87ff89889329d0be36e2f1f6b50f264cb45445cd6ee3e6eeda9b598e837a71d8146dab08610a030d4e879f5d88381ac6e52

          Download Submit
        • C:\Users\Admin\AppData\Local\Jai0png\WindowsActionDialog.exe
          Filesize

          61KB

          MD5

          73c523b6556f2dc7eefc662338d66f8d

          SHA1

          1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

          SHA256

          0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

          SHA512

          69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

          Download Submit
        • C:\Users\Admin\AppData\Local\Ye3ThZ\OLEACC.dll
          Filesize

          882KB

          MD5

          19066abd07af5e74394efe405829afac

          SHA1

          ac65c2eb6e135bb311fdeaa3e1d8198ddcc71aee

          SHA256

          7c7b4978682ca8f67605e64ac53cc43ad36f2c49acc07867468f972a1cf86ed4

          SHA512

          9ae1ea97b2f92e89baf4eb7b5867e3d0c6361bf62bea34c6bdc0303e21b68d21963a762c2642251de7f232a75a7958b9843b16ddeb44a1b10e1be8a957b767b4

          Download Submit
        • C:\Users\Admin\AppData\Local\Ye3ThZ\OLEACC.dll
          Filesize

          882KB

          MD5

          19066abd07af5e74394efe405829afac

          SHA1

          ac65c2eb6e135bb311fdeaa3e1d8198ddcc71aee

          SHA256

          7c7b4978682ca8f67605e64ac53cc43ad36f2c49acc07867468f972a1cf86ed4

          SHA512

          9ae1ea97b2f92e89baf4eb7b5867e3d0c6361bf62bea34c6bdc0303e21b68d21963a762c2642251de7f232a75a7958b9843b16ddeb44a1b10e1be8a957b767b4

          Download Submit
        • C:\Users\Admin\AppData\Local\Ye3ThZ\Utilman.exe
          Filesize

          123KB

          MD5

          a117edc0e74ab4770acf7f7e86e573f7

          SHA1

          5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

          SHA256

          b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

          SHA512

          72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

          Download Submit
        • memory/2256-144-0x0000000000000000-mapping.dmp
          Download
        • memory/2424-148-0x0000000000000000-mapping.dmp
          Download
        • memory/2772-152-0x0000000000000000-mapping.dmp
          Download
        • memory/3180-141-0x00007FF92069C000-0x00007FF92069D000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-138-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-133-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-143-0x00007FF9205B0000-0x00007FF9205C0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3180-134-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-135-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-136-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-132-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-130-0x00000000014D0000-0x00000000014D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-142-0x00007FF92066C000-0x00007FF92066D000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3180-140-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-139-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-137-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download
        • memory/3180-131-0x0000000140000000-0x00000001400DF000-memory.dmp
          Filesize

          892KB

          Download