Overview

overview

10

Static

static

3

e36e530730...3a.dll

windows7-x64

10

e36e530730...3a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e36e53073055480f0401b56d3149b60bb3e47a95237eee92ba62f659b875e33a.dll

  • Size

    668KB

  • MD5

    180c0aa7fe397e299b050b5a9fa20041

  • SHA1

    7c6f6b915e18f322b65187b831cbb5f68ed02c09

  • SHA256

    e36e53073055480f0401b56d3149b60bb3e47a95237eee92ba62f659b875e33a

  • SHA512

    822daa11c3f169efb36848e9ac0e0ad391d9401cb8d329cd3b9d1a0dc3d5aae029f356bded5dd625e44ba364fb615b861846c5d580dc7d65b4faeccc9ff5fea7

  • SSDEEP

    6144:o34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:oIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e36e53073055480f0401b56d3149b60bb3e47a95237eee92ba62f659b875e33a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3200
  • C:\Windows\system32\SysResetErr.exe
    C:\Windows\system32\SysResetErr.exe
    1⤵
      PID:4240
    • C:\Users\Admin\AppData\Local\YyhyNWhHu\SysResetErr.exe
      C:\Users\Admin\AppData\Local\YyhyNWhHu\SysResetErr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4444
    • C:\Windows\system32\dwm.exe
      C:\Windows\system32\dwm.exe
      1⤵
        PID:2976
      • C:\Users\Admin\AppData\Local\gKCo8F\dwm.exe
        C:\Users\Admin\AppData\Local\gKCo8F\dwm.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3036
      • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        1⤵
          PID:4964
        • C:\Users\Admin\AppData\Local\yDyN\SystemPropertiesDataExecutionPrevention.exe
          C:\Users\Admin\AppData\Local\yDyN\SystemPropertiesDataExecutionPrevention.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:5052

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\YyhyNWhHu\DUI70.dll
          Filesize

          948KB

          MD5

          82b776ea2e74fcf70bf0bf9f50be3349

          SHA1

          3293d76d40a8011b6bd27de2e95eafe9834fa6a6

          SHA256

          bd0fb43ccd9cc646ff1c4840e4053a2b978cfb5c7c3bd1c300a2c8066ee317b8

          SHA512

          9a18bc4692ee4bf19a68e786feaf8548e7eb82d35ac6e200ab0c5fac84b8de9e9d7bec8d9e81d99e85a2ae7b533bffb7b5f03b210e89570f6e33b152da8bcf10

          Download Submit

        • C:\Users\Admin\AppData\Local\YyhyNWhHu\SysResetErr.exe
          Filesize

          41KB

          MD5

          090c6f458d61b7ddbdcfa54e761b8b57

          SHA1

          c5a93e9d6eca4c3842156cc0262933b334113864

          SHA256

          a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

          SHA512

          c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

          Download Submit

        • C:\Users\Admin\AppData\Local\gKCo8F\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\gKCo8F\dxgi.dll
          Filesize

          672KB

          MD5

          ba6353b6ca7cb994a343a25d3540d7bd

          SHA1

          9981481b88cf791ddd3188c86cd20444a6c3df72

          SHA256

          dfff625e011938bf96672679efcb4d5c0ee030708be46fee40a6f51e6857429f

          SHA512

          667a50369d192565bd55de16412998d6f09c6a0e271fde0bf1ab539e018a08f308cfa6eef540b68086a988f46b83b0dd8a8299e2b2fba46a7cd3448abb5e591a

          Download Submit

        • C:\Users\Admin\AppData\Local\yDyN\SYSDM.CPL
          Filesize

          672KB

          MD5

          8d51209636bcffb788a53397315fbc86

          SHA1

          5e85ad6630fc3ebc014c9dc38b2e600dfc4364d2

          SHA256

          f0de41d954fe3e113aa12ded2aaadeb5c75801a18bfcb93c0e8127c31c01921d

          SHA512

          8a4e4ecefe13ca8b21b324b8b0475a4825b420d4fec3360b1304d57b48e5a1389dc436a4904e0fc380652ab54f4a2514ce01e115cf12e5d814318bd62f74a915

          Download Submit

        • C:\Users\Admin\AppData\Local\yDyN\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          82KB

          MD5

          de58532954c2704f2b2309ffc320651d

          SHA1

          0a9fc98f4d47dccb0b231edf9a63309314f68e3b

          SHA256

          1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

          SHA512

          d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          1KB

          MD5

          acc7bf847ed1999e23e036a0fe5763be

          SHA1

          4ecc152edd526046b7434b3aa8340e8aadfa8119

          SHA256

          b506b6ae7eb07a770620bcdeeb55fa9c121cb7a56127ba4b47e5896b0e71c949

          SHA512

          3bb4ae555ee3d8112f24ec35db07a91d34c9e8c5c29a9575fb33bc03ef4e24439e4a7f4ec7c10bf2013035f235cc1777f035e15c95cb155f8c93a6a41eec304c

          Download Submit

        • memory/3036-67-0x00007FFE03920000-0x00007FFE039C8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3036-65-0x00007FFE03920000-0x00007FFE039C8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3200-0-0x00007FFE16580000-0x00007FFE16627000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3200-2-0x000001AD05910000-0x000001AD05917000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3200-38-0x00007FFE16580000-0x00007FFE16627000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-23-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3512-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-25-0x00007FFE21520000-0x00007FFE21530000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3512-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-26-0x00007FFE21510000-0x00007FFE21520000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3512-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-3-0x0000000002C20000-0x0000000002C21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3512-5-0x00007FFE20DAA000-0x00007FFE20DAB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3512-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3512-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4444-50-0x00007FFE038E0000-0x00007FFE039CD000-memory.dmp

          Filesize

          948KB

          Download

        • memory/4444-45-0x00007FFE038E0000-0x00007FFE039CD000-memory.dmp

          Filesize

          948KB

          Download

        • memory/4444-47-0x00000205D06A0000-0x00000205D06A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/5052-80-0x00007FFE03920000-0x00007FFE039C8000-memory.dmp

          Filesize

          672KB

          Download