Overview

overview

10

Static

static

3

e36e530730...3a.dll

windows7-x64

10

e36e530730...3a.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e36e53073055480f0401b56d3149b60bb3e47a95237eee92ba62f659b875e33a.dll

  • Size

    668KB

  • MD5

    180c0aa7fe397e299b050b5a9fa20041

  • SHA1

    7c6f6b915e18f322b65187b831cbb5f68ed02c09

  • SHA256

    e36e53073055480f0401b56d3149b60bb3e47a95237eee92ba62f659b875e33a

  • SHA512

    822daa11c3f169efb36848e9ac0e0ad391d9401cb8d329cd3b9d1a0dc3d5aae029f356bded5dd625e44ba364fb615b861846c5d580dc7d65b4faeccc9ff5fea7

  • SSDEEP

    6144:o34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:oIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e36e53073055480f0401b56d3149b60bb3e47a95237eee92ba62f659b875e33a.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3324
  • C:\Windows\system32\bdeunlock.exe
    C:\Windows\system32\bdeunlock.exe
    1⤵
      PID:2540
    • C:\Users\Admin\AppData\Local\k9ttrC\bdeunlock.exe
      C:\Users\Admin\AppData\Local\k9ttrC\bdeunlock.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4796
    • C:\Windows\system32\wlrmdr.exe
      C:\Windows\system32\wlrmdr.exe
      1⤵
        PID:100
      • C:\Users\Admin\AppData\Local\02LizO\wlrmdr.exe
        C:\Users\Admin\AppData\Local\02LizO\wlrmdr.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2180
      • C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
        1⤵
          PID:2392
        • C:\Users\Admin\AppData\Local\jXYcok\SystemPropertiesDataExecutionPrevention.exe
          C:\Users\Admin\AppData\Local\jXYcok\SystemPropertiesDataExecutionPrevention.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3800

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\02LizO\DUI70.dll
          Filesize

          948KB

          MD5

          638f351b1b5db6ce1011d70d9e0ff86d

          SHA1

          3bf5e873847d08d44f4bddec9defa102e171e439

          SHA256

          b80290f6db1701f808a512fae7ae2537acc4db650c866b48daca3630a393cc92

          SHA512

          42145354a38452167f76c6818f939011a5d458ff420826e156b308b7c06575ad481b762307b4917feec50b3bd8bc053b2cdb771eb3bc2961c1f25796a2564569

          Download Submit

        • C:\Users\Admin\AppData\Local\02LizO\wlrmdr.exe
          Filesize

          66KB

          MD5

          ef9bba7a637a11b224a90bf90a8943ac

          SHA1

          4747ec6efd2d41e049159249c2d888189bb33d1d

          SHA256

          2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

          SHA512

          4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

          Download Submit

        • C:\Users\Admin\AppData\Local\jXYcok\SYSDM.CPL
          Filesize

          672KB

          MD5

          100e94adb935b455dd47dad42437fc8c

          SHA1

          05bee8b542c9197b8802fd646c5d257bd4dcde9e

          SHA256

          80ba1c9809d364418bb57300db2d69432463a4c79860c412370694440a954647

          SHA512

          f80bb4331ff73126c0f2e79eefec96f6917a662e16b304ca371c56930836166976537908515bda9a0a828b33491278e9e8cd5585a0bef9bb29d60177a938139a

          Download Submit

        • C:\Users\Admin\AppData\Local\jXYcok\SystemPropertiesDataExecutionPrevention.exe
          Filesize

          82KB

          MD5

          de58532954c2704f2b2309ffc320651d

          SHA1

          0a9fc98f4d47dccb0b231edf9a63309314f68e3b

          SHA256

          1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

          SHA512

          d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

          Download Submit

        • C:\Users\Admin\AppData\Local\k9ttrC\DUser.dll
          Filesize

          676KB

          MD5

          c98ff14067e1dec3c0eca0f8a3380343

          SHA1

          99d5b0b0eeb9c057ced5da21ac2131bb17eac86d

          SHA256

          e844d16e10ba1718230469265e26bcc7de04c1096e657250a3f28d6126559f07

          SHA512

          74223d0f055a3b293ec4e948818a30895e9f1c039177ed1e94d954d72ec8422d4eb9b60ecbc84331ae94715c1b40c9623cbc29a549755545c7aaf6b864066c9d

          Download Submit

        • C:\Users\Admin\AppData\Local\k9ttrC\bdeunlock.exe
          Filesize

          279KB

          MD5

          fef5d67150c249db3c1f4b30a2a5a22e

          SHA1

          41ca037b0229be9338da4d78244b4f0ea5a3d5f3

          SHA256

          dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

          SHA512

          4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk
          Filesize

          1KB

          MD5

          fa900de21fc89fc5907874d10c6c8fc3

          SHA1

          57917dab9feccc0ca85439ef2e1a084147ba4d86

          SHA256

          c1a5095bac3e5799c40c7af24e0c2e6588d1ff36d3c58cfbf958d026b3d67b23

          SHA512

          d771324eb5ae21551b7aea58e8fcf4a1e840fe56dba673288920b57787dde427be8b08d5b97ed5b3b15a2d2f63697c64eb5c28508347bcd278c2a46b2d9563da

          Download Submit

        • memory/2180-61-0x00007FFEC6040000-0x00007FFEC612D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2180-63-0x0000026A915E0000-0x0000026A915E7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2180-66-0x00007FFEC6040000-0x00007FFEC612D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/3324-0-0x00007FFED6280000-0x00007FFED6327000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3324-38-0x00007FFED6280000-0x00007FFED6327000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3324-2-0x000001F9AF8D0000-0x000001F9AF8D7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-26-0x00007FFEE42D0000-0x00007FFEE42E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-23-0x00000000008C0000-0x00000000008C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-5-0x00007FFEE2EBA000-0x00007FFEE2EBB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-3-0x00000000028F0000-0x00000000028F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-25-0x00007FFEE42E0000-0x00007FFEE42F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3520-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3800-77-0x00007FFEC66C0000-0x00007FFEC6768000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3800-81-0x00007FFEC66C0000-0x00007FFEC6768000-memory.dmp

          Filesize

          672KB

          Download

        • memory/4796-50-0x00007FFEC66C0000-0x00007FFEC6769000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4796-47-0x000001BC83080000-0x000001BC83087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4796-45-0x00007FFEC66C0000-0x00007FFEC6769000-memory.dmp

          Filesize

          676KB

          Download