Overview

overview

10

Static

static

3

e1d0c9ec09...59.dll

windows7-x64

10

e1d0c9ec09...59.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1d0c9ec091309e43c83ca07653cf608a2b60ea3f195f6692a13f1f70faf4459.dll

  • Size

    1.5MB

  • MD5

    18fe877565482627cb5fe6fe8b5f5440

  • SHA1

    8e7e8926e6e88075fdf115b72bf63e47ac93c258

  • SHA256

    e1d0c9ec091309e43c83ca07653cf608a2b60ea3f195f6692a13f1f70faf4459

  • SHA512

    11688819210d0eaa084f11d7f393d922cac9b86f803259ebd8d77db4ddaaa5e37b5deeb8324f2ac995241a17b1aaab51d4b287ae6f79885f71a6a49c5ec79e1d

  • SSDEEP

    12288:+XBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJLnq:8B/Qn0rbD8UZUDtgIiemI51Mwtewkm7

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e1d0c9ec091309e43c83ca07653cf608a2b60ea3f195f6692a13f1f70faf4459.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2276
  • C:\Windows\system32\dccw.exe
    C:\Windows\system32\dccw.exe
    1⤵
      PID:1900
    • C:\Users\Admin\AppData\Local\IPJ\dccw.exe
      C:\Users\Admin\AppData\Local\IPJ\dccw.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1188
    • C:\Windows\system32\RdpSa.exe
      C:\Windows\system32\RdpSa.exe
      1⤵
        PID:3712
      • C:\Users\Admin\AppData\Local\r2h\RdpSa.exe
        C:\Users\Admin\AppData\Local\r2h\RdpSa.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4472
      • C:\Windows\system32\AtBroker.exe
        C:\Windows\system32\AtBroker.exe
        1⤵
          PID:4716
        • C:\Users\Admin\AppData\Local\Xfel\AtBroker.exe
          C:\Users\Admin\AppData\Local\Xfel\AtBroker.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3196

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IPJ\dccw.exe
          Filesize

          101KB

          MD5

          cb9374911bf5237179785c739a322c0f

          SHA1

          3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9

          SHA256

          f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845

          SHA512

          9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be

          Download Submit

        • C:\Users\Admin\AppData\Local\IPJ\dxva2.dll
          Filesize

          1.5MB

          MD5

          e84c178e9104d62f5b1b92a7659f1145

          SHA1

          cb5a0c3ff09d8452d718e4a1f745ccdd4c33c46c

          SHA256

          60b8405827fca356124afd6c74a5e8c7bbfe201bc3939d1b8e326e97e41ee555

          SHA512

          90c8d2f4d31b94aadc9e3d70aee89b83c4af482a2cce08eb8123daebceb98324012e2d2ecd6a28cde90a762065a0e75951cba60093425127495ca042e50b2232

          Download Submit

        • C:\Users\Admin\AppData\Local\Xfel\AtBroker.exe
          Filesize

          90KB

          MD5

          30076e434a015bdf4c136e09351882cc

          SHA1

          584c958a35e23083a0861421357405afd26d9a0c

          SHA256

          ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

          SHA512

          675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

          Download Submit

        • C:\Users\Admin\AppData\Local\Xfel\UxTheme.dll
          Filesize

          1.5MB

          MD5

          4650e5e3953485ed692a2b4287f8b3b9

          SHA1

          8f4578592d21927fadbf52387e12dfcd688508a7

          SHA256

          5c919c5ec412d2bf59bb59598c8098cf217bac7f6331fc406f5fffc8ba52d3e2

          SHA512

          5a78cd7a3461d6d69cf1d27c295434a9a1a668d8f6a63342bf4a0835f7a2ac4eb7ca4926dd64d89b0be5ccf64add63e409c9267832d1206830527566e402b9eb

          Download Submit

        • C:\Users\Admin\AppData\Local\r2h\RdpSa.exe
          Filesize

          56KB

          MD5

          5992f5b5d0b296b83877da15b54dd1b4

          SHA1

          0d87be8d4b7aeada4b55d1d05c0539df892f8f82

          SHA256

          32f60eabe54c4d0cd0f0ec29f48f55ca1ad097bf35097247b186fd70426f847c

          SHA512

          4f6da913af530301da1d0638aa2635ada446ebee6e27b5059db5c2b7fe439162ac3b1a595ecf4163a093890df9ac94d9085a53d8c991e48703f9d2691326e7e6

          Download Submit

        • C:\Users\Admin\AppData\Local\r2h\WINSTA.dll
          Filesize

          1.5MB

          MD5

          ac8c6ca9e2991bfdd61778e7ec078ff3

          SHA1

          97105a7c299f51ac8bb044fa72bc74945fac6f0f

          SHA256

          098f661a26579880adc576af41ad629ab6ce8fd8dcfc2ced18b3a8aec8e8bf54

          SHA512

          395c469e01fa933e98b05399c407a32cdf09d4a58aaf9a5800083a40f5948ba09574e3d18b5b65cbe0b4eede57f593ad8c90a8c4757c02a823552068c1a789e8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk
          Filesize

          1KB

          MD5

          4238838ce4bb695b236b39b60f1149e0

          SHA1

          968e9addae8c368d25e8cdbed5e9fc9ad9c26fa4

          SHA256

          bc028467f6c77ae925996fd63c0fe6047cdcd5ba0c6398521390bb99f610b668

          SHA512

          ce13331fc7dbf6ff01d785d3baf27fdf68f3f3a46389f279f6a935797fb620ce2730a0486e1afa7dc093606af2c12d52c94f1f428ff70c2a4e40330a968e9122

          Download Submit

        • memory/1188-55-0x00007FF9DA2C0000-0x00007FF9DA43E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1188-50-0x00007FF9DA2C0000-0x00007FF9DA43E000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/1188-52-0x00000197058C0000-0x00000197058C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2276-43-0x00007FF9DA0F0000-0x00007FF9DA26D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2276-0-0x000001795A080000-0x000001795A087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2276-2-0x00007FF9DA0F0000-0x00007FF9DA26D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3196-82-0x00007FF9DA470000-0x00007FF9DA5EE000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3196-86-0x00007FF9DA470000-0x00007FF9DA5EE000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-30-0x00007FF9F7B40000-0x00007FF9F7B50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-19-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-13-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-12-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-11-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-10-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-9-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-8-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-7-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-20-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-16-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-17-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-18-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-14-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-29-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-40-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-31-0x00007FF9F7B30000-0x00007FF9F7B40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3556-21-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-4-0x00007FF9F5C5A000-0x00007FF9F5C5B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3556-3-0x0000000003140000-0x0000000003141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3556-6-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/3556-28-0x0000000001420000-0x0000000001427000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3556-15-0x0000000140000000-0x000000014017D000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4472-71-0x00007FF9DA470000-0x00007FF9DA5EF000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4472-66-0x00007FF9DA470000-0x00007FF9DA5EF000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4472-68-0x0000017F6A680000-0x0000017F6A687000-memory.dmp

          Filesize

          28KB

          Download