Overview

overview

10

Static

static

3

e661ee88d2...f8.dll

windows7-x64

10

e661ee88d2...f8.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e661ee88d2b42533974dbaf54bd50d687c83bc35e2110e3aac9dbf40358d5cf8.dll

  • Size

    1.3MB

  • MD5

    c1149d0d1cd46a9b3eb35371b41c4a63

  • SHA1

    9001ee8245fd45cfdf537afc41cdf6338fe66928

  • SHA256

    e661ee88d2b42533974dbaf54bd50d687c83bc35e2110e3aac9dbf40358d5cf8

  • SHA512

    448fb9b0e378ce4c33fc691343e6b0e1aba4f12b17f0e960d3a575ec9ac3a9d59e9972072d222c3f615433fb58cadfad85f7433a6abf43042fd53e36f18f6dba

  • SSDEEP

    12288:BXBQ3fMQyWV0rbDxyBWZh2TvtgHoiemIKI1ydX7wmqzq3wkgJ:9B/Qn0rbD8UZUDtgIiemI51Mwtewkm

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e661ee88d2b42533974dbaf54bd50d687c83bc35e2110e3aac9dbf40358d5cf8.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4472
  • C:\Windows\system32\RecoveryDrive.exe
    C:\Windows\system32\RecoveryDrive.exe
    1⤵
      PID:3520
    • C:\Users\Admin\AppData\Local\bEW\RecoveryDrive.exe
      C:\Users\Admin\AppData\Local\bEW\RecoveryDrive.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4556
    • C:\Windows\system32\SystemPropertiesPerformance.exe
      C:\Windows\system32\SystemPropertiesPerformance.exe
      1⤵
        PID:2948
      • C:\Users\Admin\AppData\Local\CPzqn\SystemPropertiesPerformance.exe
        C:\Users\Admin\AppData\Local\CPzqn\SystemPropertiesPerformance.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3832
      • C:\Windows\system32\rdpinit.exe
        C:\Windows\system32\rdpinit.exe
        1⤵
          PID:4616
        • C:\Users\Admin\AppData\Local\HlqHkvU\rdpinit.exe
          C:\Users\Admin\AppData\Local\HlqHkvU\rdpinit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1180

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\CPzqn\SYSDM.CPL
          Filesize

          1.3MB

          MD5

          cc02a836a4eb955eb4d0c58035a6f581

          SHA1

          3dc41de41c03464f2d5b67e0bc45fbb063644e5f

          SHA256

          c112f34df0e56f253428e8ccb4d64555bc566b496f88c2029d89db329c38fc1a

          SHA512

          9f98c002efd2870a467d5d6d52feef9cd772c85d4c5b4f24dc7bab83b75361021e0c7d0705e8f68b5e05fad753bfeeee3eec208e1fd95a9f354664b1337679bc

          Download Submit

        • C:\Users\Admin\AppData\Local\CPzqn\SystemPropertiesPerformance.exe
          Filesize

          82KB

          MD5

          e4fbf7cab8669c7c9cef92205d2f2ffc

          SHA1

          adbfa782b7998720fa85678cc85863b961975e28

          SHA256

          b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

          SHA512

          c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

          Download Submit

        • C:\Users\Admin\AppData\Local\HlqHkvU\WINSTA.dll
          Filesize

          1.3MB

          MD5

          124ef5f7f0a0b526eda0dc97afe7caca

          SHA1

          851792312df4a99558c26e463ee02107c7d4c227

          SHA256

          a98c4f34bb5aeac5c68913ff9b404f86d800fb3ea4966c6e7fb717e062038579

          SHA512

          8b19856d89a5ef4b51f2b5e0564d87b060ca7c4384f22c621a66de880d4696910e125f4825af3501c5c4721a4768616ea87213c3c2a4d6772eab38c71d9a0a35

          Download Submit

        • C:\Users\Admin\AppData\Local\HlqHkvU\rdpinit.exe
          Filesize

          343KB

          MD5

          b0ecd76d99c5f5134aeb52460add6f80

          SHA1

          51462078092c9d6b7fa2b9544ffe0a49eb258106

          SHA256

          51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

          SHA512

          16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

          Download Submit

        • C:\Users\Admin\AppData\Local\bEW\RecoveryDrive.exe
          Filesize

          911KB

          MD5

          b9b3dc6f2eb89e41ff27400952602c74

          SHA1

          24ae07e0db3ace0809d08bbd039db3a9d533e81b

          SHA256

          630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

          SHA512

          7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

          Download Submit

        • C:\Users\Admin\AppData\Local\bEW\UxTheme.dll
          Filesize

          1.3MB

          MD5

          2b2952f23a27dc3d7083f8635e3cc45b

          SHA1

          5cd1ea97e7deb1638cd95e693393c4b478aa9828

          SHA256

          9e3d15a1c02198b28f35eefc318d747130d24316abfcd86b2a967bf088e85191

          SHA512

          68a5451540b6a328f6bd3bf92ed8b2d4a4c31aee9e3ff06fc233db904d702864edff8bff30e7d58279b757d19da6441c3454db418a0417b0d23d67aa04d78ab3

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk
          Filesize

          1KB

          MD5

          c7bba5cc4a3974d4b872c22540b00958

          SHA1

          58811bdc1625679fef9fea80cd79431bd715d14c

          SHA256

          8c53dbc8dfab080cfdb49504b02f0b5fcafe1750236d6434f2c81eed7d3bcaff

          SHA512

          913bdde740d84adf6c514244e10c5eae97209ce28cffb8dcb2cac8f02070465044563ea1a82925f887cfed8671b1fca38d56198ed72ff00c6b680e37873d43fa

          Download Submit

        • memory/1180-86-0x00007FFBBCA30000-0x00007FFBBCB7C000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1180-82-0x00007FFBBCA30000-0x00007FFBBCB7C000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-8-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-6-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-20-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-28-0x0000000001350000-0x0000000001357000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3500-18-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-17-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-16-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-15-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-14-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-13-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-12-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-4-0x00000000033D0000-0x00000000033D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3500-10-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-9-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-7-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-21-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-3-0x00007FFBC97CA000-0x00007FFBC97CB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3500-29-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-11-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-19-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-40-0x0000000140000000-0x000000014014A000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3500-31-0x00007FFBCB2D0000-0x00007FFBCB2E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3500-30-0x00007FFBCB2E0000-0x00007FFBCB2F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3832-66-0x00007FFBBCA30000-0x00007FFBBCB7B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3832-68-0x0000021C4F970000-0x0000021C4F977000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3832-71-0x00007FFBBCA30000-0x00007FFBBCB7B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4472-43-0x00007FFBBC6B0000-0x00007FFBBC7FA000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4472-0-0x0000021067BD0000-0x0000021067BD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4472-1-0x00007FFBBC6B0000-0x00007FFBBC7FA000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4556-55-0x00007FFBBC910000-0x00007FFBBCA5B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4556-51-0x00007FFBBC910000-0x00007FFBBCA5B000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/4556-50-0x0000025A76730000-0x0000025A76737000-memory.dmp

          Filesize

          28KB

          Download