Overview

overview

10

Static

static

3

caee6535f2...3e.dll

windows7-x64

10

caee6535f2...3e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 11:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    caee6535f291e3a5121d05100e5c5561b9ff1a7369c482a8f051e1223dbbf73e.dll

  • Size

    1.4MB

  • MD5

    d871932dc35f1e6cea8fe6444ca04590

  • SHA1

    76232653612cd8c1d327a368d08d267d538ed158

  • SHA256

    caee6535f291e3a5121d05100e5c5561b9ff1a7369c482a8f051e1223dbbf73e

  • SHA512

    568e8a96fd8960897ed97d4288b29e420b9ac31503bdcd792cd928571f0c6a37c7d8b5ef2cb2b1d2702e15de9061b01776be72c8a83e10724ea9e01a23b7d6d0

  • SSDEEP

    12288:ekMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64CA+:ekMZ+gf4ltGd8H1fYO0q2G1Ahb

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\caee6535f291e3a5121d05100e5c5561b9ff1a7369c482a8f051e1223dbbf73e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4560
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    1⤵
      PID:4832
    • C:\Users\Admin\AppData\Local\Colba6lp\sethc.exe
      C:\Users\Admin\AppData\Local\Colba6lp\sethc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3496
    • C:\Windows\system32\bdeunlock.exe
      C:\Windows\system32\bdeunlock.exe
      1⤵
        PID:3296
      • C:\Users\Admin\AppData\Local\UwHx4AsP\bdeunlock.exe
        C:\Users\Admin\AppData\Local\UwHx4AsP\bdeunlock.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4104
      • C:\Windows\system32\MusNotifyIcon.exe
        C:\Windows\system32\MusNotifyIcon.exe
        1⤵
          PID:3068
        • C:\Users\Admin\AppData\Local\bqRwE\MusNotifyIcon.exe
          C:\Users\Admin\AppData\Local\bqRwE\MusNotifyIcon.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1532

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Colba6lp\DUI70.dll
          Filesize

          1.7MB

          MD5

          350d595d7ea2d74052945c3e39ebd094

          SHA1

          19531bfbdee6e1af26d530e77b07f2180331067e

          SHA256

          b6969176cc7280b4bcccdb3fc2829d0ca4ddecf108779ad85c04b3c3160b6538

          SHA512

          c836f2beac9e7cd20f53f807db5d46f152d36461b77b5ffd68d89c8c519f69a9248174e0bb2ddccb20459fca128a4b203a576011e9cc46909965ecac77bb1a78

          Download Submit

        • C:\Users\Admin\AppData\Local\Colba6lp\sethc.exe
          Filesize

          104KB

          MD5

          8ba3a9702a3f1799431cad6a290223a6

          SHA1

          9c7dc9b6830297c8f759d1f46c8b36664e26c031

          SHA256

          615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

          SHA512

          680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

          Download Submit

        • C:\Users\Admin\AppData\Local\UwHx4AsP\DUser.dll
          Filesize

          1.4MB

          MD5

          e1fe2c4c9097ce091c99b72091bfeb42

          SHA1

          712c1306754ba42927713ed12b77ae868d1c787e

          SHA256

          85e18d899c40380c231fdf2c7cb0177d1f79e6f6bb2ea847f1ee9639235d5477

          SHA512

          70453e363e87f86ae7382defe9e0469e9ffca9c8be18461f2bced2e0da958f1c17d85c8f89576a63f5cb5846f1fd6ac537171dd3b29613a2cab52e20d0454405

          Download Submit

        • C:\Users\Admin\AppData\Local\UwHx4AsP\bdeunlock.exe
          Filesize

          279KB

          MD5

          fef5d67150c249db3c1f4b30a2a5a22e

          SHA1

          41ca037b0229be9338da4d78244b4f0ea5a3d5f3

          SHA256

          dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

          SHA512

          4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

          Download Submit

        • C:\Users\Admin\AppData\Local\bqRwE\MusNotifyIcon.exe
          Filesize

          629KB

          MD5

          c54b1a69a21e03b83ebb0aeb3758b6f7

          SHA1

          b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

          SHA256

          ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

          SHA512

          2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

          Download Submit

        • C:\Users\Admin\AppData\Local\bqRwE\XmlLite.dll
          Filesize

          1.4MB

          MD5

          2b448d482f6aece7489498204f4f6a7f

          SHA1

          096f9597c44c2095cb06aae22526d4f5b3359455

          SHA256

          c51a45733b0f0a38cf86721061afbd1031be00db7d9cbffa04a48e88ca155ea6

          SHA512

          703400515de5271bffc80a5023e5f83bb539c56470e5c9764c4a68ced5cb81c5a09a0f87cccd43cddf5460f8802e4b4c6e9a49c59f7a36a5f52f366ddf3ae77b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk
          Filesize

          1KB

          MD5

          11c5a9815a95f1b989fc64559c94e11d

          SHA1

          152b3d660325a987a8abb7e81800682bdc909b20

          SHA256

          9333297be15c3e335ec4801c37abeb29bd17e42cc17e6cadc1134b80a837e131

          SHA512

          5f5463d24edcd03ba6ef45a78dd503d1c3b72da5141ac96ea83b03181fe16549dc712acfe8ca8512c7662daaf8dc1ab1778f4d97881463f37d23a18c34197170

          Download Submit

        • memory/1532-81-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1532-77-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3496-48-0x0000000140000000-0x00000001401A8000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3496-46-0x0000000140000000-0x00000001401A8000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3496-45-0x000002B709610000-0x000002B709617000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3500-25-0x00007FFCC3840000-0x00007FFCC3850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3500-24-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-9-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-8-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-7-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-15-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-35-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-3-0x00000000032C0000-0x00000000032C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3500-12-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-11-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-13-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-10-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-5-0x00007FFCC23EA000-0x00007FFCC23EB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3500-26-0x00007FFCC3830000-0x00007FFCC3840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3500-23-0x0000000001530000-0x0000000001537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3500-6-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/3500-14-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4104-66-0x0000000140000000-0x0000000140164000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4104-63-0x000001356BF00000-0x000001356BF07000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4104-61-0x0000000140000000-0x0000000140164000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4560-0-0x000001FB7CB30000-0x000001FB7CB37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4560-38-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4560-1-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download