Overview

overview

10

Static

static

3

e290de84b0...97.dll

windows7-x64

10

e290de84b0...97.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e290de84b0aa6e41b165970f2232c7f9df6793af3773e6713badd471aa7ab697.dll

  • Size

    1.4MB

  • MD5

    761c54dc1cf33fe2056c26e668929d7a

  • SHA1

    81394606e1b3ff225eff9172d0b2ca7004816c0d

  • SHA256

    e290de84b0aa6e41b165970f2232c7f9df6793af3773e6713badd471aa7ab697

  • SHA512

    d7500315bf5a414782736b5f41c9d095a56f4ab05c5e0e392a90d267149a6542fe44ac9755297dcca987ee52e22395faedba7a99a93526e0db86e7e14086fc65

  • SSDEEP

    12288:jkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64Caa:jkMZ+gf4ltGd8H1fYO0q2G1Ah9

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e290de84b0aa6e41b165970f2232c7f9df6793af3773e6713badd471aa7ab697.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2172
  • C:\Windows\system32\mblctr.exe
    C:\Windows\system32\mblctr.exe
    1⤵
      PID:2860
    • C:\Users\Admin\AppData\Local\6cC0G5j\mblctr.exe
      C:\Users\Admin\AppData\Local\6cC0G5j\mblctr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2632
    • C:\Windows\system32\wisptis.exe
      C:\Windows\system32\wisptis.exe
      1⤵
        PID:3020
      • C:\Users\Admin\AppData\Local\ZoTWd2ou\wisptis.exe
        C:\Users\Admin\AppData\Local\ZoTWd2ou\wisptis.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:536
      • C:\Windows\system32\notepad.exe
        C:\Windows\system32\notepad.exe
        1⤵
          PID:1672
        • C:\Users\Admin\AppData\Local\mu6\notepad.exe
          C:\Users\Admin\AppData\Local\mu6\notepad.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6cC0G5j\WTSAPI32.dll
          Filesize

          1.4MB

          MD5

          b3c2ee04e41abc9f06d145c78285969f

          SHA1

          7a82716980b56bc14b0fcd74c348bc04b691a2c5

          SHA256

          52b50b5fe03780afddf5d84f56efbc23d013965253ed3c672a789f8439bd827c

          SHA512

          c8154973cc9587b80818e8ae366aa2265c58acbd40033c743f5387788e7fdcfda953ea6d672c409195472d5bf100714accc351c3eeb9fd84a398bc3f1e3beba3

          Download Submit

        • C:\Users\Admin\AppData\Local\ZoTWd2ou\OLEACC.dll
          Filesize

          1.4MB

          MD5

          91c75a5d4e8a9e597cde2c054b5f76fe

          SHA1

          f3a309884e851f9b7d1f1e6bde99a9902a1ff4c0

          SHA256

          fd68e085eba0c93344b9aa345fb413d4236ce40354cb3ac6a28aa7c89c99e394

          SHA512

          ac1c0e04fa87cf29b2e4e567a463e05b53afc4790d0999ae2c8190d07321f8436ec6c114536d3065f7a581cff0f51c3ff3cbae7dcf0af0dab36243de12d9f14d

          Download Submit

        • C:\Users\Admin\AppData\Local\ZoTWd2ou\wisptis.exe
          Filesize

          396KB

          MD5

          02e20372d9d6d28e37ba9704edc90b67

          SHA1

          d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

          SHA256

          3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

          SHA512

          bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

          Download Submit

        • C:\Users\Admin\AppData\Local\mu6\VERSION.dll
          Filesize

          1.4MB

          MD5

          1366d4dd2357defd487768cc790f012a

          SHA1

          f328fec6424e3e8811281bf1313a197ae36c961e

          SHA256

          2771df346ffcb4a739622a1e641d64b5ab78d124e97f3640fba4199a76363ca8

          SHA512

          8f72250daf293a04f066fd928feac0156150b11d8d2103f0dcceec9248218c634051682ab1bed935534ad63c9dfac7c7230d0605c8e4b4065931d59ce428dc32

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ppapbotpack.lnk
          Filesize

          1015B

          MD5

          115e4449c9cf65feff9cdab45a025764

          SHA1

          05ec4fd1f8bef085584d55045091c0477a837294

          SHA256

          c70e7b7f8d4aa00d5e002033b865e57e2f5bfd3906698bd1855b170637f9f931

          SHA512

          25973d8b5c48ab3d5ebac6a7603455f24a05f5756963f1184974c91a224a07a470c3478849121aa98d2c14add95cafdd27740a1487ec422f345069d09ab38876

          Download Submit

        • \Users\Admin\AppData\Local\6cC0G5j\mblctr.exe
          Filesize

          935KB

          MD5

          fa4c36b574bf387d9582ed2c54a347a8

          SHA1

          149077715ee56c668567e3a9cb9842284f4fe678

          SHA256

          b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

          SHA512

          1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

          Download Submit

        • \Users\Admin\AppData\Local\mu6\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit

        • memory/536-74-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/536-71-0x0000000000190000-0x0000000000197000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1264-26-0x0000000076F40000-0x0000000076F42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1264-10-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-13-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-15-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-23-0x0000000002530000-0x0000000002537000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1264-14-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-24-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-3-0x0000000076BA6000-0x0000000076BA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1264-25-0x0000000076F10000-0x0000000076F12000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1264-35-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-38-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-4-0x0000000002550000-0x0000000002551000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1264-45-0x0000000076BA6000-0x0000000076BA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1264-7-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-8-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-12-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-11-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-6-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1264-9-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2044-88-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2172-44-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2172-2-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2172-0-0x0000000140000000-0x0000000140162000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2632-58-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2632-54-0x0000000140000000-0x0000000140163000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/2632-53-0x0000000000280000-0x0000000000287000-memory.dmp

          Filesize

          28KB

          Download