Overview

overview

10

Static

static

3

e9e528ce64...b8.dll

windows7-x64

10

e9e528ce64...b8.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8.dll

  • Size

    940KB

  • MD5

    d63ff00d75923760db3db59ad66520ee

  • SHA1

    698ef541cd9d32955422d8af16fdbc2437039bd0

  • SHA256

    e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8

  • SHA512

    347238b6dbe7c5a1b9e4610a5d3b2b9f93ca34a3999c21b1257ccec507bcb1a4d792164f6461fde911147b1cff20e817d575e7c7e10406b9c00fabaf0372b1e2

  • SSDEEP

    12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4924
  • C:\Windows\system32\upfc.exe
    C:\Windows\system32\upfc.exe
    1⤵
      PID:3848
    • C:\Users\Admin\AppData\Local\KXGOg\upfc.exe
      C:\Users\Admin\AppData\Local\KXGOg\upfc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:5000
    • C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      1⤵
        PID:3220
      • C:\Users\Admin\AppData\Local\5rzm2Tk\dialer.exe
        C:\Users\Admin\AppData\Local\5rzm2Tk\dialer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4688
      • C:\Windows\system32\GamePanel.exe
        C:\Windows\system32\GamePanel.exe
        1⤵
          PID:4056
        • C:\Users\Admin\AppData\Local\m93fq\GamePanel.exe
          C:\Users\Admin\AppData\Local\m93fq\GamePanel.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1696

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\5rzm2Tk\TAPI32.dll
          Filesize

          948KB

          MD5

          82e82aa3b19c4dfd21256286835dd303

          SHA1

          69508e62155e7490a4cf368062de0198fb727a14

          SHA256

          3d6242cee653ddfe4523f93ec4434c16c4fb065edeb2642f2e363df95315c05d

          SHA512

          153858897f44f0b0bee18ba651de7f448c3429e380ac27c2c0795014affa579a92ba92828d9be729c6c7fe746c3a5b8d09887d16354937f2a7b76654d10c9f1c

          Download Submit

        • C:\Users\Admin\AppData\Local\5rzm2Tk\dialer.exe
          Filesize

          39KB

          MD5

          b2626bdcf079c6516fc016ac5646df93

          SHA1

          838268205bd97d62a31094d53643c356ea7848a6

          SHA256

          e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb

          SHA512

          615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

          Download Submit

        • C:\Users\Admin\AppData\Local\KXGOg\XmlLite.dll
          Filesize

          944KB

          MD5

          706a2b5d5f6efd9035817d02f53489b2

          SHA1

          6836d68b25e60e69bb151154309a91aa16d92de5

          SHA256

          5cf30e7a7dabc7ab413041cfb116ca2136b4ca00dccb941a69e8d499a41fe3e5

          SHA512

          2c220dfb3fc339fb13008e2a6dcf36478e2a9cbc5888f093e8afcf6fc6cca6f187d850a4c6029c4ce171eacd5abce13a51b6191cd6a74e773c3d2167e4a144b7

          Download Submit

        • C:\Users\Admin\AppData\Local\KXGOg\upfc.exe
          Filesize

          118KB

          MD5

          299ea296575ccb9d2c1a779062535d5c

          SHA1

          2497169c13b0ba46a6be8a1fe493b250094079b7

          SHA256

          ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

          SHA512

          02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

          Download Submit

        • C:\Users\Admin\AppData\Local\m93fq\GamePanel.exe
          Filesize

          1.2MB

          MD5

          266f6a62c16f6a889218800762b137be

          SHA1

          31b9bd85a37bf0cbb38a1c30147b83671458fa72

          SHA256

          71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

          SHA512

          b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

          Download Submit

        • C:\Users\Admin\AppData\Local\m93fq\dwmapi.dll
          Filesize

          944KB

          MD5

          e7ac7f769cfea64cfd57e329fab1168b

          SHA1

          cc2487b531f7d9bc1ee0785660dd119e4f4b2056

          SHA256

          a8308a2c98d2d354f2772b58965f22fb735822b407386e365bedcb410a21ba8d

          SHA512

          234813ae6d9e15423c125f79da18f497efd92f2cf384255fc8533779b8bfc4a94c57cfe93305c53647397ff46d4030d5903fb58844fd16d2a2fe1ba8fab6979f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk
          Filesize

          1KB

          MD5

          d6a92c0045beb85178d8e9f8cdf44e11

          SHA1

          53fa80f79915b30d1c25dccbf09c587283458684

          SHA256

          bfd90a40880344fb9cd7658638a52afe32a43569e117262eb8ee9e6429ddb6dd

          SHA512

          11226ca07f104f8f9d2e1b1bd674f8c2620430221dd17d4bf6f8c6fa9da5a010d5803606bf33d5a247d75df1c8f412f698d9e0463d558cc98a21655c56fe5be8

          Download Submit

        • memory/1696-81-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-26-0x00007FFDBBB30000-0x00007FFDBBB40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-15-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-10-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-9-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-8-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-7-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-6-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-24-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-5-0x00007FFDBA31A000-0x00007FFDBA31B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-25-0x00007FFDBBB40000-0x00007FFDBBB50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-35-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-3-0x00000000024E0000-0x00000000024E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-12-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-11-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-13-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-14-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/3528-23-0x0000000000760000-0x0000000000767000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4688-63-0x00000283916B0000-0x00000283916B7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4688-61-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/4688-66-0x0000000140000000-0x00000001400ED000-memory.dmp

          Filesize

          948KB

          Download

        • memory/4924-38-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/4924-0-0x000001AABF780000-0x000001AABF787000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4924-1-0x0000000140000000-0x00000001400EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/5000-48-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/5000-45-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/5000-47-0x000001B6ADB80000-0x000001B6ADB87000-memory.dmp

          Filesize

          28KB

          Download