Overview

overview

10

Static

static

3

e24980b28e...00.dll

windows7-x64

10

e24980b28e...00.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e24980b28ec5594c3d1a3d103fd47d1b143d0af8c5dd1209c05a92c5253a5900.dll

  • Size

    940KB

  • MD5

    e0b9356be4ee72141b4e5a8a3f3b6073

  • SHA1

    053fd016717cb83924ae47970d162f6e818c5231

  • SHA256

    e24980b28ec5594c3d1a3d103fd47d1b143d0af8c5dd1209c05a92c5253a5900

  • SHA512

    45d8c614ac2a5872755b3e29f432c7b3eb07596c4acb07d3212e26f0f5e6746d5c32f0cc8b70966cf4a2d28c4bce1afd9c3b7d8a1c0c6d2a52313f9664a02874

  • SSDEEP

    12288:wPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:wtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e24980b28ec5594c3d1a3d103fd47d1b143d0af8c5dd1209c05a92c5253a5900.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2144
  • C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe
    1⤵
      PID:3036
    • C:\Users\Admin\AppData\Local\iaEsZ0\Dxpserver.exe
      C:\Users\Admin\AppData\Local\iaEsZ0\Dxpserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2200
    • C:\Windows\system32\msdt.exe
      C:\Windows\system32\msdt.exe
      1⤵
        PID:2956
      • C:\Users\Admin\AppData\Local\48UNB7j\msdt.exe
        C:\Users\Admin\AppData\Local\48UNB7j\msdt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2728
      • C:\Windows\system32\perfmon.exe
        C:\Windows\system32\perfmon.exe
        1⤵
          PID:2440
        • C:\Users\Admin\AppData\Local\kUVkgRpo\perfmon.exe
          C:\Users\Admin\AppData\Local\kUVkgRpo\perfmon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1216

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\48UNB7j\UxTheme.dll
          Filesize

          944KB

          MD5

          bbf006632fec022fc7b9a5022d47927b

          SHA1

          d429f8e759704f7d9dffbd1f646b2edbf6adb585

          SHA256

          30898187a3b65aac22d87a12db384fedee4dc71d212b0ec63bf0bd6913bc8ce3

          SHA512

          ed0a54ee4849e3520a0cbd00d95d5ffd0492025a49fe250c5e85443ead6af518b2e8f9ad99439a23f471b28a8fc4893ee751bb4e8b987bd471bc68e81f04b052

          Download Submit

        • C:\Users\Admin\AppData\Local\iaEsZ0\dwmapi.dll
          Filesize

          944KB

          MD5

          09a0e55d9ab0a0d749c9cc812d975e0d

          SHA1

          02ffc9c3e6eb50223c516cb147bd8a7712a6d7e6

          SHA256

          059e058b7a4e7ea01484a3d6a405baa4d6005af9fbace2d37f8e6af7f6f61c20

          SHA512

          861366434580f3957b80b3d8064507c3ceebbd5d7dbdb4bcc4225d65bfab20e06c2cafe54d08bf02c94952193385dea135a85456127de8ba26d5385611de929e

          Download Submit

        • C:\Users\Admin\AppData\Local\kUVkgRpo\Secur32.dll
          Filesize

          944KB

          MD5

          81809dcba95289e7137905c08af2ff43

          SHA1

          48ddd0bee98254a454184dc907eab224a6cdaa29

          SHA256

          075f0bcb40c04e93652248274c8b2b449d8ec91e8716627bbd33e1263fba0140

          SHA512

          42900d0568ae9fdddac6cbb53ed2f157038a7a9106c342f2bf0773901d97f7dcd3efe53340a5cde7a5f8fb4e0e6d79e47781f1fa194d1f80e0b674815811ef33

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk
          Filesize

          892B

          MD5

          026b6d0ea028cdea86e0a5c17f8b0770

          SHA1

          49e0b5626dcd713a534e42d29fc90efb49183312

          SHA256

          8d51518fb4443f492d3442cd7946e1c7c5836d86e527f934c439fc6b85048ad0

          SHA512

          63af0b0488ffc8284b5e217e707d470501dc76157f6f5044c77089fe9b449e17ea94b8df343f778896b40a6c83252beb715bb04fe83c107fa3a55abacae0e6b4

          Download Submit

        • \Users\Admin\AppData\Local\48UNB7j\msdt.exe
          Filesize

          1.0MB

          MD5

          aecb7b09566b1f83f61d5a4b44ae9c7e

          SHA1

          3a4a2338c6b5ac833dc87497e04fe89c5481e289

          SHA256

          fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

          SHA512

          6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

          Download Submit

        • \Users\Admin\AppData\Local\iaEsZ0\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\kUVkgRpo\perfmon.exe
          Filesize

          168KB

          MD5

          3eb98cff1c242167df5fdbc6441ce3c5

          SHA1

          730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

          SHA256

          6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

          SHA512

          f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

          Download Submit

        • memory/1216-89-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/1236-26-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1236-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-23-0x0000000002B20000-0x0000000002B27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1236-15-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-3-0x0000000077826000-0x0000000077827000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-25-0x0000000077A90000-0x0000000077A92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1236-36-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-35-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1236-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2144-44-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2144-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2144-0-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2200-57-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2200-53-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2200-52-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2728-71-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2728-73-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download