Overview

overview

10

Static

static

3

0e11ca1228...72.dll

windows7-x64

10

0e11ca1228...72.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e11ca1228cbc474d5f0fd149fd3615d7caeadc4421cd478bb281716958e5a72.dll

  • Size

    664KB

  • MD5

    bca074a7366a91b631507914afcac0c1

  • SHA1

    d15420166ea0070adb76b254deac7e50188b12a3

  • SHA256

    0e11ca1228cbc474d5f0fd149fd3615d7caeadc4421cd478bb281716958e5a72

  • SHA512

    ff9c141437aa1cd6a7176b2943ae1a134be32d5711eb03aee64cad8650b013c0c54895b4de3cb1229fa8bf2b940caac2fabca9e90d99c86075dc57adaecc5094

  • SSDEEP

    6144:O34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:OIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e11ca1228cbc474d5f0fd149fd3615d7caeadc4421cd478bb281716958e5a72.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1088
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    1⤵
      PID:2660
    • C:\Users\Admin\AppData\Local\TYbplVMM\TpmInit.exe
      C:\Users\Admin\AppData\Local\TYbplVMM\TpmInit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:3052
    • C:\Windows\system32\iexpress.exe
      C:\Windows\system32\iexpress.exe
      1⤵
        PID:2480
      • C:\Users\Admin\AppData\Local\zSz06Y\iexpress.exe
        C:\Users\Admin\AppData\Local\zSz06Y\iexpress.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2904
      • C:\Windows\system32\rdpinit.exe
        C:\Windows\system32\rdpinit.exe
        1⤵
          PID:2456
        • C:\Users\Admin\AppData\Local\VjXNfzi\rdpinit.exe
          C:\Users\Admin\AppData\Local\VjXNfzi\rdpinit.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2056

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\TYbplVMM\ACTIVEDS.dll
          Filesize

          668KB

          MD5

          1555a3b0161a1a93419e3ebb30bc9608

          SHA1

          53a5ee562ed142fa054292fbb8a37ac27b7c6ba7

          SHA256

          f55f514320b5c939e1a2a044394272c5dd83ce5a7f54f0947040586c45ec45fb

          SHA512

          1f09c5a1fc3e87c74c7ec17f2ad52a34d0204293a2d0e75b40e99ba22f79e785dc90f0992a18461d671e97b57cbd1d917b5e32b6917f5c11b7e0867e84c82803

          Download Submit

        • C:\Users\Admin\AppData\Local\VjXNfzi\WTSAPI32.dll
          Filesize

          668KB

          MD5

          a5f43ed3b4e535437230430051696ca7

          SHA1

          471a680c9e5fbc14757778b3e5d39eaa7538d7b9

          SHA256

          88105524eaf93e71e94a5613378a976a69060b39e534e06fd6ab6cc73a3d1c02

          SHA512

          f2967b5eb0d8cf00678b663354e7f07ce30ea53286e1e9cdf3a60d292e38804271e7b08210d6efecf2a2aaafbabc28d6ca557fbe7b8dc670537317c53e8c9379

          Download Submit

        • C:\Users\Admin\AppData\Local\VjXNfzi\rdpinit.exe
          Filesize

          174KB

          MD5

          664e12e0ea009cc98c2b578ff4983c62

          SHA1

          27b302c0108851ac6cc37e56590dd9074b09c3c9

          SHA256

          00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

          SHA512

          f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

          Download Submit

        • C:\Users\Admin\AppData\Local\zSz06Y\VERSION.dll
          Filesize

          668KB

          MD5

          e1fb2d87818e388ae8e84f5a3f9fa588

          SHA1

          2006c19e20a1521aaccf6081a37cc11ed41cb30d

          SHA256

          24fb7105ac0c697fb68db2ab28221a1967d89036cd5b17ac579595d577c5c4d8

          SHA512

          8360476cfab5e6d4f3ccabba310b56d144c5828e1f216ec45227bcf6c4390dc825ef6c2a8121b75123c45754d9248cf1ce8e7e5b728bb172ff131722eb96196e

          Download Submit

        • C:\Users\Admin\AppData\Local\zSz06Y\iexpress.exe
          Filesize

          163KB

          MD5

          46fd16f9b1924a2ea8cd5c6716cc654f

          SHA1

          99284bc91cf829e9602b4b95811c1d72977700b6

          SHA256

          9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

          SHA512

          52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Adlnwv.lnk
          Filesize

          916B

          MD5

          c09acd4ab68d7c6891884d0fda59474b

          SHA1

          ac6cca03d49b18f41624eed12ceb89b920711585

          SHA256

          47f8858e9c04ca47d43ea316cce257ea334d8eb4a79b6346058f141d457ec496

          SHA512

          5d67a5f0a6d2a58212b3bd89d046a693afb47962b42ea7a569b4f2fdc0d752847a70c8d6107868681a906bcbd50d5c507765e62361b79f8bbde8d916fc742953

          Download Submit

        • \Users\Admin\AppData\Local\TYbplVMM\TpmInit.exe
          Filesize

          112KB

          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit

        • memory/1088-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1088-1-0x000007FEF7680000-0x000007FEF7726000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1088-43-0x000007FEF7680000-0x000007FEF7726000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-25-0x00000000773A0000-0x00000000773A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1232-22-0x0000000002510000-0x0000000002517000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1232-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-24-0x0000000077370000-0x0000000077372000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1232-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-35-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-44-0x0000000077006000-0x0000000077007000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-3-0x0000000077006000-0x0000000077007000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-4-0x0000000002530000-0x0000000002531000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1232-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2056-90-0x000007FEFA800000-0x000007FEFA8A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2904-74-0x000007FEFA800000-0x000007FEFA8A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2904-71-0x0000000000310000-0x0000000000317000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3052-57-0x000007FEFA800000-0x000007FEFA8A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3052-53-0x000007FEFA800000-0x000007FEFA8A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3052-52-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download