Overview

overview

10

Static

static

3

e9e528ce64...b8.dll

windows7-x64

10

e9e528ce64...b8.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 18:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8.dll

  • Size

    940KB

  • MD5

    d63ff00d75923760db3db59ad66520ee

  • SHA1

    698ef541cd9d32955422d8af16fdbc2437039bd0

  • SHA256

    e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8

  • SHA512

    347238b6dbe7c5a1b9e4610a5d3b2b9f93ca34a3999c21b1257ccec507bcb1a4d792164f6461fde911147b1cff20e817d575e7c7e10406b9c00fabaf0372b1e2

  • SSDEEP

    12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4164
  • C:\Windows\system32\rdpinput.exe
    C:\Windows\system32\rdpinput.exe
    1⤵
      PID:1896
    • C:\Users\Admin\AppData\Local\SIti\rdpinput.exe
      C:\Users\Admin\AppData\Local\SIti\rdpinput.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3548
    • C:\Windows\system32\CameraSettingsUIHost.exe
      C:\Windows\system32\CameraSettingsUIHost.exe
      1⤵
        PID:2844
      • C:\Users\Admin\AppData\Local\VpDDNC4kP\CameraSettingsUIHost.exe
        C:\Users\Admin\AppData\Local\VpDDNC4kP\CameraSettingsUIHost.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3164
      • C:\Windows\system32\systemreset.exe
        C:\Windows\system32\systemreset.exe
        1⤵
          PID:4512
        • C:\Users\Admin\AppData\Local\Mwr2jxpWl\systemreset.exe
          C:\Users\Admin\AppData\Local\Mwr2jxpWl\systemreset.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1000

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Mwr2jxpWl\DUI70.dll
          Filesize

          1.2MB

          MD5

          d3faa0d03e561371274534656c16498e

          SHA1

          4c2ac29fc2f282488e94433e2e63ea698b253d2c

          SHA256

          073e4bb640ddcb34c62b83f92d99fd2d7d533f0e7bf7c51e32e0671025a495f9

          SHA512

          862cd4d7dae50a641756f46c26cd248b5fdeeb06610def10b62fd155c2d868a46fec1eecb7c20338bcd5ce1ebdcdff42567d7b2527f24083b17d207ea7440dff

          Download Submit

        • C:\Users\Admin\AppData\Local\Mwr2jxpWl\systemreset.exe
          Filesize

          508KB

          MD5

          325ff647506adb89514defdd1c372194

          SHA1

          84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

          SHA256

          ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

          SHA512

          8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

          Download Submit

        • C:\Users\Admin\AppData\Local\SIti\WINSTA.dll
          Filesize

          948KB

          MD5

          f773f52a6b7cce2f4165100e4d314cd7

          SHA1

          268abd01d8798f9f03e9d6ce7b0aba3bdfecf209

          SHA256

          adde5159160b0967e29935932c16b7ef9ae1b1053faf4d060767937b7462e6b4

          SHA512

          9467ab392ee79f080c9c1d737651f7900d01bc38b7909c28819d6effe408f91e54d9da985097c6725b2f38810e144b21f5b4ada648ad13b148f814dad3150566

          Download Submit

        • C:\Users\Admin\AppData\Local\SIti\rdpinput.exe
          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

          Download Submit

        • C:\Users\Admin\AppData\Local\VpDDNC4kP\CameraSettingsUIHost.exe
          Filesize

          31KB

          MD5

          9e98636523a653c7a648f37be229cf69

          SHA1

          bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

          SHA256

          3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

          SHA512

          41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

          Download Submit

        • C:\Users\Admin\AppData\Local\VpDDNC4kP\DUI70.dll
          Filesize

          1.2MB

          MD5

          226a8b6507e926daff19914ab97e9c05

          SHA1

          a0842860186e7fd67b448007dd62ae703a182b3f

          SHA256

          fa486e0507f9b39ffceb27649c0cf8b0092545a6bfde56a3dbc9985b44128c8e

          SHA512

          16f37359fb417b757dc623c65f2bce99d48fe8d72fff819e58020aec85e059825edaa2dd4ef177051aec02824c7f6f45eb8e7725a58c5b81c9231d3e2bb4c69f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk
          Filesize

          1KB

          MD5

          b562cbd8706a0148bd959b14ba545760

          SHA1

          995a29efcac16ff710766d12e48a3f067cca1efa

          SHA256

          6c360d3cebd582ec0657c2e8d3c736e89aa6f61b073fad882756ac28036c2016

          SHA512

          6db9d0dd5b962d5e8af7fcfcd4caa6d0e93940d9dddba654496bf87c05fe50db1ca32f1e1bf6c092fefacdd6e3dffa598bc23ce94f252b2810bf063af0b2e333

          Download Submit

        • memory/1000-81-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3164-66-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3164-63-0x000001F3E6200000-0x000001F3E6207000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3164-61-0x0000000140000000-0x0000000140131000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3348-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-15-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-5-0x00007FF93C48A000-0x00007FF93C48B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3348-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-35-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-3-0x0000000003000000-0x0000000003001000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3348-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3348-23-0x0000000000BB0000-0x0000000000BB7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3348-25-0x00007FF93D2A0000-0x00007FF93D2B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3348-26-0x00007FF93D290000-0x00007FF93D2A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3348-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3548-50-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/3548-45-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/3548-47-0x000001FA16DA0000-0x000001FA16DA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4164-38-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4164-0-0x0000017288030000-0x0000017288037000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4164-1-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download