Overview

overview

10

Static

static

3

81b6123f37...dd.dll

windows7-x64

10

81b6123f37...dd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    81b6123f37af744dc0f4589543d609eef8d715afd6aa69526d822b9b2843e3dd.dll

  • Size

    944KB

  • MD5

    e94305a2d837ad0f083f15a2b86f37d0

  • SHA1

    da603e9964396165dd776409d725d88c8150a940

  • SHA256

    81b6123f37af744dc0f4589543d609eef8d715afd6aa69526d822b9b2843e3dd

  • SHA512

    fbeeb478c17fe57d4a8ba93c8a4a9f552ce6dc45ca6e2e4ff0b007df101167348d191e58f967c9a283b3ed4f4b209ddf534debf8d24f3eca90b0311c55bf70a6

  • SSDEEP

    6144:D34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT3:DIKp/UWCZdCDh2IZDwAFRpR6AuJZK

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\81b6123f37af744dc0f4589543d609eef8d715afd6aa69526d822b9b2843e3dd.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2108
  • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    C:\Windows\system32\ApplySettingsTemplateCatalog.exe
    1⤵
      PID:3200
    • C:\Users\Admin\AppData\Local\DRCERxuem\ApplySettingsTemplateCatalog.exe
      C:\Users\Admin\AppData\Local\DRCERxuem\ApplySettingsTemplateCatalog.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3756
    • C:\Windows\system32\SystemPropertiesRemote.exe
      C:\Windows\system32\SystemPropertiesRemote.exe
      1⤵
        PID:2548
      • C:\Users\Admin\AppData\Local\y0Z\SystemPropertiesRemote.exe
        C:\Users\Admin\AppData\Local\y0Z\SystemPropertiesRemote.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2800
      • C:\Windows\system32\SysResetErr.exe
        C:\Windows\system32\SysResetErr.exe
        1⤵
          PID:1848
        • C:\Users\Admin\AppData\Local\9ro\SysResetErr.exe
          C:\Users\Admin\AppData\Local\9ro\SysResetErr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4012

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\9ro\DUI70.dll
          Filesize

          1.2MB

          MD5

          ce06278af0acb04f9a17d74cef8b4128

          SHA1

          afc60bb658665f0d04be4dd6be0dad5514e97a49

          SHA256

          7d6cc3fd5225e6ccfade43e7afba3ddf53c1edd6af4fef55b4f30d4f91ab54e8

          SHA512

          d87c4b3b0cd53c07fce7a2e42902510df57982ed7c99a93a40ca193f7924d7525509bb4da7e48a692b7bd90821ccc6083448140769686796c4bd96da5ded14ab

          Download Submit

        • C:\Users\Admin\AppData\Local\9ro\SysResetErr.exe
          Filesize

          41KB

          MD5

          090c6f458d61b7ddbdcfa54e761b8b57

          SHA1

          c5a93e9d6eca4c3842156cc0262933b334113864

          SHA256

          a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

          SHA512

          c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

          Download Submit

        • C:\Users\Admin\AppData\Local\DRCERxuem\ACTIVEDS.dll
          Filesize

          948KB

          MD5

          19dca5d6f6b07669a18df66d261cd13c

          SHA1

          cee811709d5f2262ca07abcd65d7320cf65d95d5

          SHA256

          70d898ddccf5639aa03b8959a2f39aac34ba3d58c9c2885e9d55ee87e5330ddf

          SHA512

          a03d1f1ad7a2771fda675faf5c86929935deb8f06a37c8483ef2a83410a7e65ca91a3b6809b32394ba74b57495b76cf3a70218a5be4bfb7275f5c0b358ccd359

          Download Submit

        • C:\Users\Admin\AppData\Local\DRCERxuem\ApplySettingsTemplateCatalog.exe
          Filesize

          1.1MB

          MD5

          13af41b1c1c53c7360cd582a82ec2093

          SHA1

          7425f893d1245e351483ab4a20a5f59d114df4e1

          SHA256

          a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

          SHA512

          c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

          Download Submit

        • C:\Users\Admin\AppData\Local\y0Z\SYSDM.CPL
          Filesize

          948KB

          MD5

          94d75eeb8ca03e8b22cf5681f55a1fc0

          SHA1

          985474e10c51a61a8eaac51576b8d7b29ceaa624

          SHA256

          ae09e4075e5dc65df769030069d9b9684393ab3448ea50ce320bcf4a57a045be

          SHA512

          b8ce2beeed9ea0f87a5058056082acd8ce4b1f593f163648d9ae15150c3da4a8476b5752a992be032c56f4ecb132979135b7f39bb8e50cda4ea71706cfc62395

          Download Submit

        • C:\Users\Admin\AppData\Local\y0Z\SystemPropertiesRemote.exe
          Filesize

          82KB

          MD5

          cdce1ee7f316f249a3c20cc7a0197da9

          SHA1

          dadb23af07827758005ec0235ac1573ffcea0da6

          SHA256

          7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

          SHA512

          f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk
          Filesize

          1KB

          MD5

          b93b0f5472e8ed6ae3ef9b2931447a48

          SHA1

          f9b9d402e8b008a0cd04d754d3dd09a0caaefc3c

          SHA256

          bba676ae95077fa1b6b95e191f709f50d8baec28f12f536022bcac4d8c54d477

          SHA512

          a2f5f05a59349b74c9961e8c8831dff16acf838fda4c4c4cd0a622d4337735890a392dd41d537779a1295f1faab0895adf0e355c07c367836e88f3212a3e9cee

          Download Submit

        • memory/2108-0-0x00000250A7050000-0x00000250A7057000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2108-1-0x00007FFAA9390000-0x00007FFAA947C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2108-38-0x00007FFAA9390000-0x00007FFAA947C000-memory.dmp

          Filesize

          944KB

          Download

        • memory/2800-66-0x00007FFA9A120000-0x00007FFA9A20D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/2800-63-0x000001E5E8C50000-0x000001E5E8C57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3528-26-0x00007FFAB8B70000-0x00007FFAB8B80000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-23-0x0000000000D70000-0x0000000000D77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3528-7-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-6-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-9-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-25-0x00007FFAB8B80000-0x00007FFAB8B90000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3528-24-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-35-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-11-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-10-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-13-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-5-0x00007FFAB824A000-0x00007FFAB824B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-3-0x0000000002B50000-0x0000000002B51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3528-12-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-15-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-16-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-8-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3528-14-0x0000000140000000-0x00000001400EC000-memory.dmp

          Filesize

          944KB

          Download

        • memory/3756-50-0x00007FFA9A120000-0x00007FFA9A20D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/3756-46-0x00007FFA9A120000-0x00007FFA9A20D000-memory.dmp

          Filesize

          948KB

          Download

        • memory/3756-45-0x0000013946150000-0x0000013946157000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4012-77-0x00007FFA9A0D0000-0x00007FFA9A202000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4012-81-0x00007FFA9A0D0000-0x00007FFA9A202000-memory.dmp

          Filesize

          1.2MB

          Download