Overview

overview

10

Static

static

3

e881cf1064...70.dll

windows7-x64

10

e881cf1064...70.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2024 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e881cf10644b85844c12cdb53cd3e5c26776b7248da85c031373ed11eb030270.dll

  • Size

    1.2MB

  • MD5

    5a0c4c42f5e08a8c849585c2e879144a

  • SHA1

    510fe0f87805421371b01665c7ae5f99b74826b1

  • SHA256

    e881cf10644b85844c12cdb53cd3e5c26776b7248da85c031373ed11eb030270

  • SHA512

    2511f59c1e6fcca80327d870dcfd4c76bc9b028956fcadab17fcf7d052b6118d5d672b5a26c6db2fe5c4e23279930c5baeadc72e1e427a8cfcb3600cf2a23f8e

  • SSDEEP

    12288:ZPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK85rQsy:ZtKTrsKSKBTSb6DUXWq8is

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e881cf10644b85844c12cdb53cd3e5c26776b7248da85c031373ed11eb030270.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1976
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2648
    • C:\Users\Admin\AppData\Local\XIH4\osk.exe
      C:\Users\Admin\AppData\Local\XIH4\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2860
    • C:\Windows\system32\Netplwiz.exe
      C:\Windows\system32\Netplwiz.exe
      1⤵
        PID:2596
      • C:\Users\Admin\AppData\Local\RXxs\Netplwiz.exe
        C:\Users\Admin\AppData\Local\RXxs\Netplwiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1288
      • C:\Windows\system32\winlogon.exe
        C:\Windows\system32\winlogon.exe
        1⤵
          PID:2272
        • C:\Users\Admin\AppData\Local\x01thTeQ\winlogon.exe
          C:\Users\Admin\AppData\Local\x01thTeQ\winlogon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2724

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\RXxs\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          2bc0ec33151ca03a81c241a0e7267c11

          SHA1

          d0cc7c018408d63bbba5fcdfeadc2eb41f04d03e

          SHA256

          8f55d766ab346b5bef41e5bc2b83259cef0f6934c5da9fd01e87444e515b466d

          SHA512

          bd7f448917f567e15fb6247b47ec959033d5d213bb484fd379dc07972be2bd95c6c62cc4372e13d610e22675ca69f57442da90286bca06d67882074baa041a20

          Download Submit

        • C:\Users\Admin\AppData\Local\XIH4\DUser.dll
          Filesize

          1.2MB

          MD5

          db3c3d552b842a19a3e12c5ac466db9c

          SHA1

          0f246dbcc4bd094b37ccdf5c98e60fbc7ed7482a

          SHA256

          ff4de7442ecf646f0fb1cd0f8c6e100704690f79c3a70587e97a4fbbd9aee3db

          SHA512

          0c9e062171a52f37e6cec35978eb44e11989caeef82c75bb8562470dca39a5da9c2fa264b9a696dcb663b74d77b17bf5a97c869d52aa3c6c8e3b131ac31059db

          Download Submit

        • C:\Users\Admin\AppData\Local\x01thTeQ\WINSTA.dll
          Filesize

          1.2MB

          MD5

          a901e7c6d3b1a7e2114394f80cb2387e

          SHA1

          d9a1be1f0aaa6e9ba5fafb60c309b67c5e8681ea

          SHA256

          4c5576ca89f73eab8ccca04cb64b028877d451ce1bf4ef7981708af8b40901af

          SHA512

          95f673d46b58949e1e389d1737726d7a4039778398a8b2b7c76661d16903dfa2321f71b7dbe6f25dd3e3544ef8bd60ef3b92c8f60c74d653b67ab1dccf9f8e7c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          21b832207dc47983bd5a1ec845ff1bdd

          SHA1

          3055863e38ad7cb2eae8a9317e4c31569ba49ad9

          SHA256

          76456e44870a32e2d15f3ea38102e4272b2fa1dfb39eed0c8ae1f4cc5859c34f

          SHA512

          6f31e6f4a0b279cd824734640be218c4aeb92e59afeba4450e6dbe34f9acff4a55e10b6a97d421a5918674fbe16210ef3528cea04cc00d967136b2146216d92a

          Download Submit

        • \Users\Admin\AppData\Local\RXxs\Netplwiz.exe
          Filesize

          26KB

          MD5

          e43ec3c800d4c0716613392e81fba1d9

          SHA1

          37de6a235e978ecf3bb0fc2c864016c5b0134348

          SHA256

          636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

          SHA512

          176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

          Download Submit

        • \Users\Admin\AppData\Local\XIH4\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • \Users\Admin\AppData\Local\x01thTeQ\winlogon.exe
          Filesize

          381KB

          MD5

          1151b1baa6f350b1db6598e0fea7c457

          SHA1

          434856b834baf163c5ea4d26434eeae775a507fb

          SHA256

          b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

          SHA512

          df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

          Download Submit

        • memory/1184-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-3-0x0000000077236000-0x0000000077237000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-23-0x0000000002970000-0x0000000002977000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1184-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-26-0x00000000774D0000-0x00000000774D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1184-25-0x00000000774A0000-0x00000000774A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1184-36-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-4-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-45-0x0000000077236000-0x0000000077237000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1184-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1184-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1288-70-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1288-75-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1976-44-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1976-0-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1976-2-0x00000000002A0000-0x00000000002A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2724-87-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2724-91-0x0000000140000000-0x0000000140132000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2860-58-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2860-54-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2860-53-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download