Overview

overview

10

Static

static

3

0e11ca1228...72.dll

windows7-x64

10

0e11ca1228...72.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e11ca1228cbc474d5f0fd149fd3615d7caeadc4421cd478bb281716958e5a72.dll

  • Size

    664KB

  • MD5

    bca074a7366a91b631507914afcac0c1

  • SHA1

    d15420166ea0070adb76b254deac7e50188b12a3

  • SHA256

    0e11ca1228cbc474d5f0fd149fd3615d7caeadc4421cd478bb281716958e5a72

  • SHA512

    ff9c141437aa1cd6a7176b2943ae1a134be32d5711eb03aee64cad8650b013c0c54895b4de3cb1229fa8bf2b940caac2fabca9e90d99c86075dc57adaecc5094

  • SSDEEP

    6144:O34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:OIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e11ca1228cbc474d5f0fd149fd3615d7caeadc4421cd478bb281716958e5a72.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3036
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
      PID:1404
    • C:\Users\Admin\AppData\Local\fzl\tcmsetup.exe
      C:\Users\Admin\AppData\Local\fzl\tcmsetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4912
    • C:\Windows\system32\rdpinput.exe
      C:\Windows\system32\rdpinput.exe
      1⤵
        PID:1280
      • C:\Users\Admin\AppData\Local\k65nT\rdpinput.exe
        C:\Users\Admin\AppData\Local\k65nT\rdpinput.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4832
      • C:\Windows\system32\EhStorAuthn.exe
        C:\Windows\system32\EhStorAuthn.exe
        1⤵
          PID:2820
        • C:\Users\Admin\AppData\Local\wztkPT\EhStorAuthn.exe
          C:\Users\Admin\AppData\Local\wztkPT\EhStorAuthn.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2240

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\fzl\TAPI32.dll
          Filesize

          672KB

          MD5

          fa0815d0502dde4e95b668b048b1c693

          SHA1

          a9c8cafad808e321f65ae541cac3cc288ecc812a

          SHA256

          5de5eb9e8c29c38f7e9ca71ad66136f074139fb998a79d473c4264d37b27649a

          SHA512

          ff8f2d45058dddd5a21c8951183eadd71336a30ea68fdba91ba846eb2bd38d22edcc5f5fada05d02107da474c3788c8d443748f9d969ddc610b5254795b92da6

          Download Submit

        • C:\Users\Admin\AppData\Local\fzl\tcmsetup.exe
          Filesize

          16KB

          MD5

          58f3b915b9ae7d63431772c2616b0945

          SHA1

          6346e837da3b0f551becb7cac6d160e3063696e9

          SHA256

          e243501ba2ef7a6f04f51410bb916faffe0ec23450a4d030ce6bfe747e544b39

          SHA512

          7b09192af460c502d1a94989a0d06191c8c7a058ce3a4541e3f45960a1e12529d0cdaff9da3d5bacfdceed57aeb6dc9a159c6c0a95675c438f99bf7e418c6dc5

          Download Submit

        • C:\Users\Admin\AppData\Local\k65nT\WTSAPI32.dll
          Filesize

          668KB

          MD5

          ced1efad4da34141faa15a06bfe96c48

          SHA1

          3dbf028736fdcf5bfd4b41be85ef38665218cb1f

          SHA256

          b3399e236a51c05813afde7e1e6b7b739e596db83fd25508b552d7fb6cfae2f5

          SHA512

          95ba698283348bfa5b97b973d3961f6aa771ff81cc1c0819938b8c6d8c5d57083de6ca8907a7741fa2898a034d6444fd504acd25e07a9ecb240317b728565a9a

          Download Submit

        • C:\Users\Admin\AppData\Local\k65nT\rdpinput.exe
          Filesize

          180KB

          MD5

          bd99eeca92869f9a3084d689f335c734

          SHA1

          a2839f6038ea50a4456cd5c2a3ea003e7b77688c

          SHA256

          39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

          SHA512

          355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

          Download Submit

        • C:\Users\Admin\AppData\Local\wztkPT\EhStorAuthn.exe
          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          Download Submit

        • C:\Users\Admin\AppData\Local\wztkPT\UxTheme.dll
          Filesize

          668KB

          MD5

          c1d0e0545d8079df39901841a6e25eaa

          SHA1

          1875702795a5d515a9c26b2f0a6dac835ff2e853

          SHA256

          9e1edef3755ad4d7fc45526dfd182071b524b3941717e8b25fa7f97de9bd10f9

          SHA512

          5bb0e574857bf916f2868f52fd1f0f9713f6f9a447eafab3671b923496c7e3046ae496daf60f2a0f55cccf09aed94611e4bfd141d18f046ee7a17ae2a0e23b89

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk
          Filesize

          1KB

          MD5

          d5c7f9900e5ef1efd8f498ceb36b464a

          SHA1

          273a709dd15d71b2072739f92972cbb2cd878910

          SHA256

          80a18305f72940d99812d6f8a6edc6967ed6d8f502f23e247ec6bdca65178d26

          SHA512

          a53b5a68ccc706785721a2844b7519264ed67e506c31a161c5e15250ded444a96f8af258f643c91cde1baa01b7f84ecbf6d1f40c338420517320ce7da8170625

          Download Submit

        • memory/2240-80-0x00007FFA38E10000-0x00007FFA38EB7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3036-0-0x00007FFA49060000-0x00007FFA49106000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3036-2-0x00000232B6920000-0x00000232B6927000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3036-37-0x00007FFA49060000-0x00007FFA49106000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-25-0x00007FFA57930000-0x00007FFA57940000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3448-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-24-0x00007FFA57940000-0x00007FFA57950000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3448-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-3-0x00000000016C0000-0x00000000016C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-4-0x00007FFA5701A000-0x00007FFA5701B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3448-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/3448-22-0x00000000014E0000-0x00000000014E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3448-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/4832-60-0x000001D4AE240000-0x000001D4AE247000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4832-65-0x00007FFA38E10000-0x00007FFA38EB7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4832-61-0x00007FFA38E10000-0x00007FFA38EB7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4912-49-0x00007FFA38E10000-0x00007FFA38EB8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4912-46-0x00000289F3240000-0x00000289F3247000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4912-44-0x00007FFA38E10000-0x00007FFA38EB8000-memory.dmp

          Filesize

          672KB

          Download