Overview

overview

10

Static

static

3

15e232aa5f...ae.dll

windows7-x64

10

15e232aa5f...ae.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15e232aa5f26fe7ff3ec901f1ce86f8d42e1cab7b455bcb542c16029db6e9cae.dll

  • Size

    668KB

  • MD5

    b534ddbf1e179b81850ddc36674a766c

  • SHA1

    9cbb409970c10468d338937d8a8e85dbd69b48e8

  • SHA256

    15e232aa5f26fe7ff3ec901f1ce86f8d42e1cab7b455bcb542c16029db6e9cae

  • SHA512

    8d1e304e6d11509b34f40ab23a8ce2ea4391b5c177388c938cd6e99d22036c80a515cdea95755997cfbacf443b9e1f6bf0b81eec7b7581aee316348a79c32ced

  • SSDEEP

    6144:J34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTt:JIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\15e232aa5f26fe7ff3ec901f1ce86f8d42e1cab7b455bcb542c16029db6e9cae.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3452
  • C:\Windows\system32\usocoreworker.exe
    C:\Windows\system32\usocoreworker.exe
    1⤵
      PID:4264
    • C:\Users\Admin\AppData\Local\a9MRR\usocoreworker.exe
      C:\Users\Admin\AppData\Local\a9MRR\usocoreworker.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4716
    • C:\Windows\system32\sdclt.exe
      C:\Windows\system32\sdclt.exe
      1⤵
        PID:2508
      • C:\Users\Admin\AppData\Local\d3U\sdclt.exe
        C:\Users\Admin\AppData\Local\d3U\sdclt.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:296
      • C:\Windows\system32\wbengine.exe
        C:\Windows\system32\wbengine.exe
        1⤵
          PID:3276
        • C:\Users\Admin\AppData\Local\Tkjnq\wbengine.exe
          C:\Users\Admin\AppData\Local\Tkjnq\wbengine.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4700

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Tkjnq\SPP.dll
          Filesize

          672KB

          MD5

          d59163e28ce5207de220f1fc99428995

          SHA1

          bda9e8fab5c22d64e327436a45e81ba12ad661ee

          SHA256

          05671428579b96ba27768d97c7cdbe79e6ef53adba2e9a43993e9dcdea4a0dac

          SHA512

          183827173285c61e29830e41db09537310cc3c906304318698a05bddd46a3b031b5de0a4f7d8138c1cba5f52ab34f03bbb51792e667b7052934759c7523675c8

          Download Submit

        • C:\Users\Admin\AppData\Local\Tkjnq\wbengine.exe
          Filesize

          1.5MB

          MD5

          17270a354a66590953c4aac1cf54e507

          SHA1

          715babcc8e46b02ac498f4f06df7937904d9798d

          SHA256

          9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

          SHA512

          6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

          Download Submit

        • C:\Users\Admin\AppData\Local\a9MRR\XmlLite.dll
          Filesize

          672KB

          MD5

          9ba0762ca3ae5dc0885ef0f1e06e59e2

          SHA1

          423626e14acaf9689de91e7bd19ac835191672d4

          SHA256

          45e90cea431cb0567512ca2350f8d7ae013cd465ca4db132e649363b7d1d396b

          SHA512

          15a04313022c84055e97030523ce8de45ffb8a3902aa449f8e6d3834db1fff60911cb09a7a737b6fc5051795b40fce2264b80f5221c9ad858c1cc78bbfd7d978

          Download Submit

        • C:\Users\Admin\AppData\Local\a9MRR\usocoreworker.exe
          Filesize

          1.3MB

          MD5

          2c5efb321aa64af37dedc6383ce3198e

          SHA1

          a06d7020dd43a57047a62bfb443091cd9de946ba

          SHA256

          0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

          SHA512

          5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

          Download Submit

        • C:\Users\Admin\AppData\Local\d3U\sdclt.exe
          Filesize

          1.2MB

          MD5

          e09d48f225e7abcab14ebd3b8a9668ec

          SHA1

          1c5b9322b51c09a407d182df481609f7cb8c425d

          SHA256

          efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

          SHA512

          384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

          Download Submit

        • C:\Users\Admin\AppData\Local\d3U\wer.dll
          Filesize

          676KB

          MD5

          168c4c77af4463c873fdf0f8fb6f8cbe

          SHA1

          230c234fb210d9a6d3154083e3f615a19949b1ce

          SHA256

          e418285151d74a46ed93729c5a868e872b4f37e31916917b1e4dec016a5fb240

          SHA512

          a8f24c587bf1f2c6116e013d8aae9eb8d0abc512afd4ca6df5c636b8e6e9d6ace0f809854872995c97658f06470e7bb0c726def924a2144d11e3805da8753ccd

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          3993de4c759c34d5010ef7d210628c27

          SHA1

          659fd1d7992d6900b13238661c6bec4ecbc7208f

          SHA256

          d3fa2beb687410b2dece6c1607cd2f9761057673c81fc67160d74e1fb8a4f787

          SHA512

          2be03197ab9acfb714617bb5225e799f0d4872fb261cabc13300392ceb94b7514906d0e0e00f3ffc85b1e5375d3d5fe04e3f36a2cacb83c064130f2c2870ee60

          Download Submit

        • memory/296-65-0x00007FFCE70A0000-0x00007FFCE7149000-memory.dmp

          Filesize

          676KB

          Download

        • memory/296-61-0x00007FFCE70A0000-0x00007FFCE7149000-memory.dmp

          Filesize

          676KB

          Download

        • memory/296-60-0x0000019A287F0000-0x0000019A287F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3452-0-0x00007FFCF6430000-0x00007FFCF64D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3452-2-0x000001E1D0CD0000-0x000001E1D0CD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3452-37-0x00007FFCF6430000-0x00007FFCF64D7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-34-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-23-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-3-0x00007FFD02CFA000-0x00007FFD02CFB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-4-0x0000000002920000-0x0000000002921000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3464-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-24-0x00007FFD04AE0000-0x00007FFD04AF0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-25-0x00007FFD04AD0000-0x00007FFD04AE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3464-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3464-22-0x0000000002900000-0x0000000002907000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3464-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4700-80-0x00007FFCE71C0000-0x00007FFCE7268000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4716-49-0x00007FFCE71C0000-0x00007FFCE7268000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4716-45-0x00007FFCE71C0000-0x00007FFCE7268000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4716-44-0x000002236C410000-0x000002236C417000-memory.dmp

          Filesize

          28KB

          Download