Overview

overview

10

Static

static

3

e881cf1064...70.dll

windows7-x64

10

e881cf1064...70.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e881cf10644b85844c12cdb53cd3e5c26776b7248da85c031373ed11eb030270.dll

  • Size

    1.2MB

  • MD5

    5a0c4c42f5e08a8c849585c2e879144a

  • SHA1

    510fe0f87805421371b01665c7ae5f99b74826b1

  • SHA256

    e881cf10644b85844c12cdb53cd3e5c26776b7248da85c031373ed11eb030270

  • SHA512

    2511f59c1e6fcca80327d870dcfd4c76bc9b028956fcadab17fcf7d052b6118d5d672b5a26c6db2fe5c4e23279930c5baeadc72e1e427a8cfcb3600cf2a23f8e

  • SSDEEP

    12288:ZPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK85rQsy:ZtKTrsKSKBTSb6DUXWq8is

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e881cf10644b85844c12cdb53cd3e5c26776b7248da85c031373ed11eb030270.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1388
  • C:\Windows\system32\WMPDMC.exe
    C:\Windows\system32\WMPDMC.exe
    1⤵
      PID:2060
    • C:\Users\Admin\AppData\Local\i4QczkT\WMPDMC.exe
      C:\Users\Admin\AppData\Local\i4QczkT\WMPDMC.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1980
    • C:\Windows\system32\ie4ushowIE.exe
      C:\Windows\system32\ie4ushowIE.exe
      1⤵
        PID:5104
      • C:\Users\Admin\AppData\Local\xbPaXJN\ie4ushowIE.exe
        C:\Users\Admin\AppData\Local\xbPaXJN\ie4ushowIE.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2132
      • C:\Windows\system32\Netplwiz.exe
        C:\Windows\system32\Netplwiz.exe
        1⤵
          PID:4432
        • C:\Users\Admin\AppData\Local\OHbr\Netplwiz.exe
          C:\Users\Admin\AppData\Local\OHbr\Netplwiz.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1216

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\OHbr\NETPLWIZ.dll
          Filesize

          1.2MB

          MD5

          59b2a24c4e4a1d1faf4ee02f77bd1f76

          SHA1

          99786b259b3c8fd6d168e0e9b157fc516549aa8d

          SHA256

          f07d3926587d321ea3217818ff50521325293907c77249cec78ffa1cb6563751

          SHA512

          f13a970c20a7e095f5924eda4ff0795706987e988183efc487694fa3e5ea0cabd690b278dc09ef68402238ed81f37c511d047be090e803df769056ba7add58f4

          Download Submit

        • C:\Users\Admin\AppData\Local\OHbr\Netplwiz.exe
          Filesize

          40KB

          MD5

          520a7b7065dcb406d7eca847b81fd4ec

          SHA1

          d1b3b046a456630f65d482ff856c71dfd2f335c8

          SHA256

          8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

          SHA512

          7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

          Download Submit

        • C:\Users\Admin\AppData\Local\i4QczkT\OLEACC.dll
          Filesize

          1.2MB

          MD5

          b0fbed9b9e237035067824e5d598aae1

          SHA1

          63533cb10776344d34e7ca15809ee5677e07af2c

          SHA256

          d80fd492fef66cc32aac461278a0ad0574378354a4e29c64bed799bdd21de7b5

          SHA512

          096e38f5be2956014cbc60d77190a0265db4c5f84bd31cb9adc904ec47abcd6b2e72df168dd56e3c37c85e364b5d340e05a820849960521c3c6d5dcb2b5aee4d

          Download Submit

        • C:\Users\Admin\AppData\Local\i4QczkT\WMPDMC.exe
          Filesize

          1.5MB

          MD5

          59ce6e554da0a622febce19eb61c4d34

          SHA1

          176a4a410cb97b3d4361d2aea0edbf17e15d04c7

          SHA256

          c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

          SHA512

          e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

          Download Submit

        • C:\Users\Admin\AppData\Local\xbPaXJN\VERSION.dll
          Filesize

          1.2MB

          MD5

          361223ae615a8bf7889fde36bc0da7d9

          SHA1

          c5276c712968a7391687950d5741aa92a41b171b

          SHA256

          a22197f4c367877a6f60c46a575b21f4b2d2b930a8f269571067053abbff208d

          SHA512

          24c76cc611636e3a7168e38ddece7d46cd3b0aadc9b0007a6c5701b47ff3e0b55baf944f8e1514afa8ab1940616a286fec5a75087d952c49e914fd53fed33bce

          Download Submit

        • C:\Users\Admin\AppData\Local\xbPaXJN\ie4ushowIE.exe
          Filesize

          76KB

          MD5

          9de952f476abab0cd62bfd81e20a3deb

          SHA1

          109cc4467b78dad4b12a3225020ea590bccee3e6

          SHA256

          e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

          SHA512

          3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iyqor.lnk
          Filesize

          1KB

          MD5

          690c236a14f67abb1a0ca191e3994e68

          SHA1

          ed64c9c657ff4648bf40622d2bfcc465fe68b598

          SHA256

          03f7fc733a9c6c6ef0f04c6c253fcd74809405c61325564fc636458845c076c6

          SHA512

          f8668cec60ecbf9e2ab8cbdc6ede66ebae666e3a3caa44b2f73914fae1e73313c4fad99b3eab0319f23beaa00e1386d66c45394c2729def2621c39973c8a827b

          Download Submit

        • memory/1216-81-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1388-0-0x000001E2B76C0000-0x000001E2B76C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1388-38-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1388-2-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1980-50-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1980-46-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1980-45-0x0000016AE6280000-0x0000016AE6287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2132-63-0x0000027B916A0000-0x0000027B916A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2132-66-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-26-0x00007FFFF8670000-0x00007FFFF8680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-24-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-35-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-15-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-7-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-8-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-10-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-11-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-12-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-6-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-25-0x00007FFFF8680000-0x00007FFFF8690000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3460-13-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-23-0x00000000004D0000-0x00000000004D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3460-14-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-9-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3460-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3460-3-0x00007FFFF7C0A000-0x00007FFFF7C0B000-memory.dmp

          Filesize

          4KB

          Download