Overview

overview

10

Static

static

3

7ecf0f43a5...44.dll

windows7-x64

10

7ecf0f43a5...44.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ecf0f43a5389996d85ecc78bd128506009eca558379d5fb8802037b35da1544.dll

  • Size

    936KB

  • MD5

    e6080347ef82059989855367f707b6f5

  • SHA1

    af2f5c40bdd1b55fde1fab97d91e5e7e12733731

  • SHA256

    7ecf0f43a5389996d85ecc78bd128506009eca558379d5fb8802037b35da1544

  • SHA512

    6a58fb67a3cc61fdccbe8335309964d1c2d2cc9db2d1e47797fa0ba2de69631f71ba4499e9b65d921846832f33e358356ac917f836616d6a0d08209767f1c82b

  • SSDEEP

    12288:DPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:DtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ecf0f43a5389996d85ecc78bd128506009eca558379d5fb8802037b35da1544.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:452
  • C:\Windows\system32\rdpinit.exe
    C:\Windows\system32\rdpinit.exe
    1⤵
      PID:340
    • C:\Users\Admin\AppData\Local\E2ZZd\rdpinit.exe
      C:\Users\Admin\AppData\Local\E2ZZd\rdpinit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1844
    • C:\Windows\system32\SystemPropertiesHardware.exe
      C:\Windows\system32\SystemPropertiesHardware.exe
      1⤵
        PID:4480
      • C:\Users\Admin\AppData\Local\2si0i8Z\SystemPropertiesHardware.exe
        C:\Users\Admin\AppData\Local\2si0i8Z\SystemPropertiesHardware.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2564
      • C:\Windows\system32\EaseOfAccessDialog.exe
        C:\Windows\system32\EaseOfAccessDialog.exe
        1⤵
          PID:1228
        • C:\Users\Admin\AppData\Local\Qcwy9LB\EaseOfAccessDialog.exe
          C:\Users\Admin\AppData\Local\Qcwy9LB\EaseOfAccessDialog.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3888

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\2si0i8Z\SYSDM.CPL
          Filesize

          940KB

          MD5

          6b6a3461e9828104534dc6eb92b5a525

          SHA1

          412552c7bca59c51e984b340f1ca7852da336f2f

          SHA256

          a9b4bb9670ebe4c3ab2bc6bbd7291987ccdb07fb9b9f6739fb783e4a6a262ca0

          SHA512

          b53109cbb4e661a27bb539092e7c261da5ed70a339ea6d6af489b6724f0f534759e8836a9237f6364a7d63980719f0be6b152038507cdd075c8f5c90af5f1d6d

          Download Submit

        • C:\Users\Admin\AppData\Local\2si0i8Z\SystemPropertiesHardware.exe
          Filesize

          82KB

          MD5

          bf5bc0d70a936890d38d2510ee07a2cd

          SHA1

          69d5971fd264d8128f5633db9003afef5fad8f10

          SHA256

          c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7

          SHA512

          0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

          Download Submit

        • C:\Users\Admin\AppData\Local\E2ZZd\dwmapi.dll
          Filesize

          940KB

          MD5

          79f8449fc858d178ab255dd6cfcc08e8

          SHA1

          cc9417b75f46c744c694521ef4621e2fb664b7f6

          SHA256

          8b4daf2fd95cc6d4a7974f6309afb9637538f081483f385d37fb3f52f6d351a5

          SHA512

          a5131f9d65e43da9d297867b66ede9e95d96eba8bf0fee8f152dd1734aa6f805aec441f958e535e70352e01d6ea052d6b9b4d873708e0794a0a42d6fadfcf22a

          Download Submit

        • C:\Users\Admin\AppData\Local\E2ZZd\rdpinit.exe
          Filesize

          343KB

          MD5

          b0ecd76d99c5f5134aeb52460add6f80

          SHA1

          51462078092c9d6b7fa2b9544ffe0a49eb258106

          SHA256

          51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

          SHA512

          16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

          Download Submit

        • C:\Users\Admin\AppData\Local\Qcwy9LB\DUI70.dll
          Filesize

          1.2MB

          MD5

          e4e8c6a385f63037a872f93b2396f6c2

          SHA1

          a501d50c31fc435ac612437fd76a00c29adf483d

          SHA256

          6475c00a1f90610e1e5e7589d42829b5567a72913bbc36dae5079ed4d16434da

          SHA512

          25be4eef9b2f03e3aca437fd44f226a69569317c0a4310428d5d34f3575c55286b4a60f83455987ed9aeb029f82a54a14c4ed3a57aabb17bebb215c36d7fc3be

          Download Submit

        • C:\Users\Admin\AppData\Local\Qcwy9LB\EaseOfAccessDialog.exe
          Filesize

          123KB

          MD5

          e75ee992c1041341f709a517c8723c87

          SHA1

          471021260055eac0021f0abffa2d0ba77a2f380e

          SHA256

          0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

          SHA512

          48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk
          Filesize

          1KB

          MD5

          814142c9d75a23d0267f949e63f25409

          SHA1

          c52e57ba65624606db148f21c055f8c180f2fa9f

          SHA256

          082dd9bbef030dc6b30d5f4471dde84ee1ac3d05e18cb011364a4fd6f71e1f62

          SHA512

          5a655b6c7bb506299f5d00d397bcb4703d855dcecbb7d9252dbbcf4515c770d3ae12fc0b5d7425ac61af4b6192df966a6a2a872a25103e3c8f28f5be584af674

          Download Submit

        • memory/452-2-0x000001C015560000-0x000001C015567000-memory.dmp

          Filesize

          28KB

          Download

        • memory/452-37-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/452-1-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/1844-49-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1844-46-0x000001DF7B1A0000-0x000001DF7B1A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1844-44-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2564-65-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/2564-60-0x0000023E2D200000-0x0000023E2D207000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-34-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-25-0x00007FFDAB910000-0x00007FFDAB920000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-6-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-23-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-24-0x00007FFDAB920000-0x00007FFDAB930000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-22-0x0000000001100000-0x0000000001107000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400EA000-memory.dmp

          Filesize

          936KB

          Download

        • memory/3520-3-0x0000000002B90000-0x0000000002B91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-5-0x00007FFDAB71A000-0x00007FFDAB71B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3888-80-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3888-76-0x0000000140000000-0x0000000140130000-memory.dmp

          Filesize

          1.2MB

          Download