Overview

overview

10

Static

static

3

e2de0d401a...66.dll

windows7-x64

10

e2de0d401a...66.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    17/07/2024, 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2de0d401a8809be7f287cdb30e3151282c0de21c5bcb7b41437e8fdd6b38f66.dll

  • Size

    800KB

  • MD5

    252395046102ed9612e50d71bdc56fe5

  • SHA1

    23b893ede7e9473b4fdae8051d935ca08593c958

  • SHA256

    e2de0d401a8809be7f287cdb30e3151282c0de21c5bcb7b41437e8fdd6b38f66

  • SHA512

    a5cde48eff1e96551d66cae42d8cc88c58efd71bf3ce9da18bdd77c82b285d643c11ffbe55631d22c6e9ecaaa0c45053d74ba46254766c983563704d5d4ba12e

  • SSDEEP

    12288:zBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:t/nts0Q9K/0ooRQIxAk2wi0N/

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2de0d401a8809be7f287cdb30e3151282c0de21c5bcb7b41437e8fdd6b38f66.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2384
  • C:\Windows\system32\dpnsvr.exe
    C:\Windows\system32\dpnsvr.exe
    1⤵
      PID:1624
    • C:\Users\Admin\AppData\Local\hdQU\dpnsvr.exe
      C:\Users\Admin\AppData\Local\hdQU\dpnsvr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:2608
    • C:\Windows\system32\perfmon.exe
      C:\Windows\system32\perfmon.exe
      1⤵
        PID:876
      • C:\Users\Admin\AppData\Local\plicqJ\perfmon.exe
        C:\Users\Admin\AppData\Local\plicqJ\perfmon.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1036
      • C:\Windows\system32\SystemPropertiesComputerName.exe
        C:\Windows\system32\SystemPropertiesComputerName.exe
        1⤵
          PID:2828
        • C:\Users\Admin\AppData\Local\eEiXM\SystemPropertiesComputerName.exe
          C:\Users\Admin\AppData\Local\eEiXM\SystemPropertiesComputerName.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1812

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\eEiXM\SYSDM.CPL
          Filesize

          804KB

          MD5

          f2bdf2364790d1be9f6683a3bd1d6983

          SHA1

          723499ce87b05f03905c30d77863348671ee7dda

          SHA256

          92a80b424e3771068f73b97e52e1b63df7e5979984536fa131c3145688eac05f

          SHA512

          90247ebe2c99d25c55f2db482aa2b0915ba296988344a0b562be1545388e2284cb433ff33e202e7a37a4ec980323f6383b469803453b252b2e1ba87cf6b54f86

          Download Submit

        • C:\Users\Admin\AppData\Local\hdQU\WINMM.dll
          Filesize

          808KB

          MD5

          e897f0c4aab89ee797828423449c4d23

          SHA1

          40c1cbe08b2dcbc949c636826b3e92ce520cc971

          SHA256

          480918156fede89192ec08403db11a4ebd2c0a47b8fd2fff87c70f924a05905b

          SHA512

          5e46a7a3a103f48c1aea0578f9e90800257d23f7ae90fc5fd36507e5047dba871bf1072252565bfe581e0ae6d9af2b18184bceff250bbbf567961229ad654c01

          Download Submit

        • C:\Users\Admin\AppData\Local\plicqJ\credui.dll
          Filesize

          804KB

          MD5

          30921147fe8a324cf18008ae652a0fd8

          SHA1

          30ca7d81c01877cc0d542780003a3f71130b6d5f

          SHA256

          525411fd4b857a9ec0b1588d6782aa01252b70e3825c9d417f42836599d6dfa1

          SHA512

          0d3b1c579d0468c93e41ede8fd4cd39f1c2ec278c32c8f7416248c15934be755451699ab1dc57fbd76d5e3cd2923f01188b7d7c28cacbcc4cdc75dd454c1458f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mityoyoyxpr.lnk
          Filesize

          1KB

          MD5

          03ef75560f24e70fe7104c45c0220e9a

          SHA1

          80f095f3fb2be4e89621e79ace9acd22f92b6779

          SHA256

          85107716de99ec31166c711caba52d94b920a9d36900e9ab7977a739c405baf5

          SHA512

          db63c797de88dc4e85d23c441e2035c9d3742ecd2f20746aa712ec8077f901c4b316b8c6f470c3fc624637a0c4326a3f75747d1fbd1465062ace67cfc1f39ac2

          Download Submit

        • \Users\Admin\AppData\Local\eEiXM\SystemPropertiesComputerName.exe
          Filesize

          80KB

          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit

        • \Users\Admin\AppData\Local\hdQU\dpnsvr.exe
          Filesize

          33KB

          MD5

          6806b72978f6bd27aef57899be68b93b

          SHA1

          713c246d0b0b8dcc298afaed4f62aed82789951c

          SHA256

          3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

          SHA512

          43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

          Download Submit

        • \Users\Admin\AppData\Local\plicqJ\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit

        • memory/1036-87-0x000007FEF6660000-0x000007FEF6729000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1036-84-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1036-82-0x000007FEF6660000-0x000007FEF6729000-memory.dmp

          Filesize

          804KB

          Download

        • memory/1204-26-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-38-0x0000000077640000-0x0000000077642000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-3-0x00000000772D6000-0x00000000772D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-25-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-24-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-23-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-22-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-21-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-20-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-19-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-18-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-16-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-15-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-14-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-13-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-12-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-11-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-10-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-9-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-8-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-39-0x0000000077670000-0x0000000077672000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1204-27-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-49-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-48-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-4-0x0000000002550000-0x0000000002551000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-28-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-34-0x0000000002530000-0x0000000002537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1204-92-0x00000000772D6000-0x00000000772D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1204-6-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-7-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-37-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-29-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1204-17-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/1812-102-0x0000000000100000-0x0000000000107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1812-105-0x000007FEF6660000-0x000007FEF6729000-memory.dmp

          Filesize

          804KB

          Download

        • memory/2384-57-0x000007FEF6BB0000-0x000007FEF6C78000-memory.dmp

          Filesize

          800KB

          Download

        • memory/2384-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2384-1-0x000007FEF6BB0000-0x000007FEF6C78000-memory.dmp

          Filesize

          800KB

          Download

        • memory/2608-70-0x000007FEF6C80000-0x000007FEF6D4A000-memory.dmp

          Filesize

          808KB

          Download

        • memory/2608-67-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2608-65-0x000007FEF6C80000-0x000007FEF6D4A000-memory.dmp

          Filesize

          808KB

          Download