Overview

overview

10

Static

static

3

ee92609ef4...7d.dll

windows7-x64

10

ee92609ef4...7d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-10-2024 17:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee92609ef4b2d72fbd598a3ae26ab5e94ecee615e0666e9040d5f58d280ae17d.dll

  • Size

    720KB

  • MD5

    5774c50c00067b08c38d3585dec17637

  • SHA1

    e001beca0128d6c8ddd1c7ebc38e73c6244d2eb9

  • SHA256

    ee92609ef4b2d72fbd598a3ae26ab5e94ecee615e0666e9040d5f58d280ae17d

  • SHA512

    2a06a15cd17f32185e1b60095512a2420d0a5537e701fa7603dcb702c7cd3c5a7d8a43f553c3b6ca43f82f1af15ae09a53fa4795c1768e58508c7f485cbe4d7a

  • SSDEEP

    12288:1qJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:1qGBHTxvt+g2gYed

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee92609ef4b2d72fbd598a3ae26ab5e94ecee615e0666e9040d5f58d280ae17d.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3028
  • C:\Windows\system32\MoUsoCoreWorker.exe
    C:\Windows\system32\MoUsoCoreWorker.exe
    1⤵
      PID:3908
    • C:\Users\Admin\AppData\Local\0DfELZTz\MoUsoCoreWorker.exe
      C:\Users\Admin\AppData\Local\0DfELZTz\MoUsoCoreWorker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:728
    • C:\Windows\system32\msra.exe
      C:\Windows\system32\msra.exe
      1⤵
        PID:4472
      • C:\Users\Admin\AppData\Local\5QfCeI\msra.exe
        C:\Users\Admin\AppData\Local\5QfCeI\msra.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4264
      • C:\Windows\system32\RdpSaUacHelper.exe
        C:\Windows\system32\RdpSaUacHelper.exe
        1⤵
          PID:3004
        • C:\Users\Admin\AppData\Local\Qen\RdpSaUacHelper.exe
          C:\Users\Admin\AppData\Local\Qen\RdpSaUacHelper.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3464

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0DfELZTz\MoUsoCoreWorker.exe
          Filesize

          1.6MB

          MD5

          47c6b45ff22b73caf40bb29392386ce3

          SHA1

          7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

          SHA256

          cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

          SHA512

          c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

          Download Submit

        • C:\Users\Admin\AppData\Local\0DfELZTz\XmlLite.dll
          Filesize

          724KB

          MD5

          b9569e73354957344f0f80d65679d564

          SHA1

          3e59e689a9e51658726298692ddd861563dc0785

          SHA256

          53a9b0b9f4a0fb331d93272ec0501d6aa3ba82b8183d9b0269bc4eef4f238195

          SHA512

          85e1e5c8723237a04f4d2b12c032cf44874346af1b3f633a411ad93b344a677d7c42edbbead3b332f2e088c3b824ef285c70e8a3980031e525dabf13996c4551

          Download Submit

        • C:\Users\Admin\AppData\Local\5QfCeI\NDFAPI.DLL
          Filesize

          724KB

          MD5

          6843b9907a3bca693f2565cc42b2e81c

          SHA1

          9d1d9a076dc5d67f9300025901dbe2fb0ae2fa8d

          SHA256

          b090c7010b06f328740f302f3c91aebf3e76dcd8f76677fa7478c81a90afea09

          SHA512

          6e9563db2e2a95526cc65fd1ce85a3a16c782d4f5a64729ea8fe5b3c6e35358fedb20949232da638d292664e035039539e8314d9aab8c9b07632ee4050180d54

          Download Submit

        • C:\Users\Admin\AppData\Local\5QfCeI\msra.exe
          Filesize

          579KB

          MD5

          dcda3b7b8eb0bfbccb54b4d6a6844ad6

          SHA1

          316a2925e451f739f45e31bc233a95f91bf775fa

          SHA256

          011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

          SHA512

          18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

          Download Submit

        • C:\Users\Admin\AppData\Local\Qen\RdpSaUacHelper.exe
          Filesize

          33KB

          MD5

          0d5b016ac7e7b6257c069e8bb40845de

          SHA1

          5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

          SHA256

          6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

          SHA512

          cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

          Download Submit

        • C:\Users\Admin\AppData\Local\Qen\WINSTA.dll
          Filesize

          728KB

          MD5

          6c9a1ad154b64807887b59aba36716ca

          SHA1

          8d0e2d50ea0e2f72cb3c4bd43c3c8b0852919eb9

          SHA256

          f9e3cb9bb54c10daf98200d2669d8072ca9835ff993dec56c0e230f2510061dc

          SHA512

          bb5e4b7b35f603cf986fd2d1f34e5b5dfec827b668ce8c3f45827b94a48cdc39c21e21fd34de0bc277088a2cd6641182321e363773077881795e054f135f0338

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk
          Filesize

          1KB

          MD5

          3cf4c0da544f3e67973f5ed0a911c1cc

          SHA1

          80ae39943dfa6710081962d1fb7b9c5790ce2a5f

          SHA256

          41951d9e56f1e655cbc03a3f8498352d7218924a19a56e6fc8c3f765685333a9

          SHA512

          c2faac629511e6c7a7134e4e4290188a840225975ce851f5f6b6193be3d77621c62285a9ff6804b4f83843f284e7640313b91c72816fa614b92be08d12b69634

          Download Submit

        • memory/728-44-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/728-49-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/728-46-0x000001CAB3920000-0x000001CAB3927000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3028-37-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3028-0-0x000001B0D8660000-0x000001B0D8667000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3028-1-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3464-76-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/3464-80-0x0000000140000000-0x00000001400B6000-memory.dmp

          Filesize

          728KB

          Download

        • memory/3504-25-0x00007FFCE05F0000-0x00007FFCE0600000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3504-24-0x00007FFCE0600000-0x00007FFCE0610000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3504-6-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-9-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-10-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-11-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-12-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-23-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-34-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-7-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-14-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-5-0x00007FFCDFAEA000-0x00007FFCDFAEB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3504-3-0x00000000023F0000-0x00000000023F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3504-22-0x00000000008D0000-0x00000000008D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3504-13-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/3504-8-0x0000000140000000-0x00000001400B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/4264-65-0x0000000140000000-0x00000001400B5000-memory.dmp

          Filesize

          724KB

          Download

        • memory/4264-62-0x0000027E1D260000-0x0000027E1D267000-memory.dmp

          Filesize

          28KB

          Download