Overview

overview

10

Static

static

3

e1d0c9ec09...59.dll

windows7-x64

10

e1d0c9ec09...59.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1d0c9ec091309e43c83ca07653cf608a2b60ea3f195f6692a13f1f70faf4459.dll

  • Size

    1.5MB

  • MD5

    18fe877565482627cb5fe6fe8b5f5440

  • SHA1

    8e7e8926e6e88075fdf115b72bf63e47ac93c258

  • SHA256

    e1d0c9ec091309e43c83ca07653cf608a2b60ea3f195f6692a13f1f70faf4459

  • SHA512

    11688819210d0eaa084f11d7f393d922cac9b86f803259ebd8d77db4ddaaa5e37b5deeb8324f2ac995241a17b1aaab51d4b287ae6f79885f71a6a49c5ec79e1d

  • SSDEEP

    12288:+XBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJLnq:8B/Qn0rbD8UZUDtgIiemI51Mwtewkm7

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1d0c9ec091309e43c83ca07653cf608a2b60ea3f195f6692a13f1f70faf4459.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2280
  • C:\Windows\system32\raserver.exe
    C:\Windows\system32\raserver.exe
    1⤵
      PID:2644
    • C:\Users\Admin\AppData\Local\QgnI\raserver.exe
      C:\Users\Admin\AppData\Local\QgnI\raserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2792
    • C:\Windows\system32\rekeywiz.exe
      C:\Windows\system32\rekeywiz.exe
      1⤵
        PID:3052
      • C:\Users\Admin\AppData\Local\IJWK3OqS\rekeywiz.exe
        C:\Users\Admin\AppData\Local\IJWK3OqS\rekeywiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1864
      • C:\Windows\system32\VaultSysUi.exe
        C:\Windows\system32\VaultSysUi.exe
        1⤵
          PID:1072
        • C:\Users\Admin\AppData\Local\tOdhY\VaultSysUi.exe
          C:\Users\Admin\AppData\Local\tOdhY\VaultSysUi.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2680

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IJWK3OqS\slc.dll
          Filesize

          1.5MB

          MD5

          6b2a986924e2f941b5f16a8951d82be8

          SHA1

          ee8baf0b487c3dbb55d81413ed00da16d29e9001

          SHA256

          b66334d786b469b7b8fd36b364d07fe50f1b63d6e3930233ac3f60fc06823e62

          SHA512

          b1cad64e6566f900ff37c59602fb5bc078b79b62674803120a7d9c8fb3051299c1c825f6a8c071f45e887d74ac9f5bd4b99a053730afa4d9e40605cd604c6bd7

          Download Submit

        • C:\Users\Admin\AppData\Local\QgnI\WTSAPI32.dll
          Filesize

          1.5MB

          MD5

          3759b16027a38d16ff6b08d2675f4a7c

          SHA1

          d78695964eef7b977b19277e0eee631c81dc2168

          SHA256

          8fcbc0967c70baab3e064b6c64e108af25a846960e4752e3c5f309787fc60971

          SHA512

          f3eb6316db42c3d7bacaa677c196b0e311ebca25ad3a5de375ed983dc5137b74415e6d1cd992326f0696e96e43ba39035a5d9e9ae6bb50867b26e2acbfbe8c8a

          Download Submit

        • C:\Users\Admin\AppData\Local\tOdhY\credui.dll
          Filesize

          1.5MB

          MD5

          a5a3bd58bdb5d534e323f5af91f5090d

          SHA1

          21ce56d9da32b4c88b5123fefe012dc407156354

          SHA256

          9a370345e817905c35737a8ba3d37c4b9e3260695f22cce0ce30be56ca128af4

          SHA512

          3b36cacfcfae9fe9102d4bcb3d889390a4029b813762ab3aea71641586563b0c0126b9155afa283102644b93cb34f303eb8562072a8da9d70a7da7fa90d04db9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ygxjfqh.lnk
          Filesize

          1KB

          MD5

          beb98fc0e3ca316087f5cffe60906a58

          SHA1

          4c8b4e9bd212f81d364e1c76aa7db2b3de8933f4

          SHA256

          a50e6fb684b8d0925cdcf638b51fd3c2c9af1fb36b995348204139b032d29c77

          SHA512

          659d06ebb9475dbbd23ca41a4e62170a0d11f4fbd1bea4e02a0ac531e8f31aec9e8be3a306a8f0daf2d76d0d4b0a2e1d890638f98698e64efa7f6886c4db9c06

          Download Submit

        • \Users\Admin\AppData\Local\IJWK3OqS\rekeywiz.exe
          Filesize

          67KB

          MD5

          767c75767b00ccfd41a547bb7b2adfff

          SHA1

          91890853a5476def402910e6507417d400c0d3cb

          SHA256

          bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

          SHA512

          f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

          Download Submit

        • \Users\Admin\AppData\Local\QgnI\raserver.exe
          Filesize

          123KB

          MD5

          cd0bc0b6b8d219808aea3ecd4e889b19

          SHA1

          9f8f4071ce2484008e36fdfd963378f4ebad703f

          SHA256

          16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

          SHA512

          84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

          Download Submit

        • \Users\Admin\AppData\Local\tOdhY\VaultSysUi.exe
          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

          Download Submit

        • memory/1216-12-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-8-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-20-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-19-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-31-0x0000000076F90000-0x0000000076F92000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-30-0x0000000076F60000-0x0000000076F62000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1216-29-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-28-0x0000000002D70000-0x0000000002D77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1216-16-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-36-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-17-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-15-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-14-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-3-0x0000000076CF6000-0x0000000076CF7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-11-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-10-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-9-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-13-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-37-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-46-0x0000000076CF6000-0x0000000076CF7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1216-22-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-18-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-7-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1216-6-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1864-70-0x0000000000170000-0x0000000000177000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1864-72-0x000007FEF5880000-0x000007FEF59FE000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1864-75-0x000007FEF5880000-0x000007FEF59FE000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2280-45-0x000007FEF5DB0000-0x000007FEF5F2D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2280-0-0x000007FEF5DB0000-0x000007FEF5F2D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2280-2-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2680-90-0x000007FEF59D0000-0x000007FEF5B4E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2680-94-0x000007FEF59D0000-0x000007FEF5B4E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2792-58-0x000007FEF5DB0000-0x000007FEF5F2E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2792-54-0x000007FEF5DB0000-0x000007FEF5F2E000-memory.dmp

          Filesize

          1.5MB

          Download