Overview

overview

10

Static

static

3

2e01888629...3e.dll

windows7-x64

10

2e01888629...3e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-10-2024 23:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e.dll

  • Size

    664KB

  • MD5

    85ba6340c836fdcd7efc7fbc78d60817

  • SHA1

    53e49b348a3ff1db4a5b59f34165f3ca6c1cbe4f

  • SHA256

    2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e

  • SHA512

    c4249b7c390a382aeddc94c1b3e3f445517c2c5962ae8d1bebc837f30e2b2a9997c758c4f892be4c55eea757c31e4ba58baf9d336dda8b74ef2de8f263ca3a67

  • SSDEEP

    6144:P34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:PIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e0188862974438b82ac36ba48da6ff36884ac60fb4d4d95dee475dec5785c3e.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2576
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:2824
    • C:\Users\Admin\AppData\Local\t8CiVlat\osk.exe
      C:\Users\Admin\AppData\Local\t8CiVlat\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2656
    • C:\Windows\system32\MpSigStub.exe
      C:\Windows\system32\MpSigStub.exe
      1⤵
        PID:2264
      • C:\Users\Admin\AppData\Local\TM8qA9tA\MpSigStub.exe
        C:\Users\Admin\AppData\Local\TM8qA9tA\MpSigStub.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1972
      • C:\Windows\system32\vmicsvc.exe
        C:\Windows\system32\vmicsvc.exe
        1⤵
          PID:2968
        • C:\Users\Admin\AppData\Local\Ysv9n\vmicsvc.exe
          C:\Users\Admin\AppData\Local\Ysv9n\vmicsvc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2944

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\TM8qA9tA\VERSION.dll
          Filesize

          668KB

          MD5

          cf35758e2fbed4a87e5fec7b47e064ea

          SHA1

          27078a253c18f40a0b439304839eb54e55a052da

          SHA256

          793913ae6e6cf06733f0d204fc17360856df4b7ea00957513c80aa292f533460

          SHA512

          6e21d024bd2b3697811839135e1a9d7516c8d79c85bd0597b6a1ac9f946353d83045f87e85064d4cb975af3ca480776888f89853060a799ca059ae7b0f32b89c

          Download Submit

        • C:\Users\Admin\AppData\Local\Ysv9n\ACTIVEDS.dll
          Filesize

          668KB

          MD5

          c16b4a0ee3bfe629595a6c9e94b2d9eb

          SHA1

          b9c8a77dada4f923915d6e2e63a7c36888e63a05

          SHA256

          47c2d11dcdbadeff673455a60da508c46617d2ca2ad85177001015ed149a142a

          SHA512

          070e1a0fb6846a1ce24db17f3007196e6d64461804ba1f3302ada13837609b33eb6879933f668bc35aa451b7d2f17b43199ff40350921e0aa84478df680bd903

          Download Submit

        • C:\Users\Admin\AppData\Local\t8CiVlat\OLEACC.dll
          Filesize

          668KB

          MD5

          e3c75c16a88b98b792122996da851de9

          SHA1

          ef87fab249a3f2167a404f3ba3b1249bedfe6e67

          SHA256

          caf6e670d5322c887fe7e4e599bda93165bec311fe5cd6c8ff701dba96b9a0d1

          SHA512

          ab2de1e09f351347dc46518cd871afd9ca114d3b2dea7294d7555ad8a3b3163a4a91588d0c58b90cd5cebf07dced009256a0988ccbffa6865149c270082315e8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ncfyujonfo.lnk
          Filesize

          1KB

          MD5

          0b00e274b53117ad47c327705e6de4c8

          SHA1

          0ddc398ab5baa3f4752d55e598b3e03178fb8f76

          SHA256

          7094e8de6fbe8965c184006ca4b134d077006b8191585d742c18be67202dc7d4

          SHA512

          d2fc88131d2d8c554c0d79ea17875592e3c36545a46da8fb4fd3df22c13f1ea58212a147ff3344b6b6ca3dccad012997e27a77674da4419239bc06033da1d568

          Download Submit

        • \Users\Admin\AppData\Local\TM8qA9tA\MpSigStub.exe
          Filesize

          264KB

          MD5

          2e6bd16aa62e5e95c7b256b10d637f8f

          SHA1

          350be084477b1fe581af83ca79eb58d4defe260f

          SHA256

          d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

          SHA512

          1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

          Download Submit

        • \Users\Admin\AppData\Local\Ysv9n\vmicsvc.exe
          Filesize

          238KB

          MD5

          79e14b291ca96a02f1eb22bd721deccd

          SHA1

          4c8dbff611acd8a92cd2280239f78bebd2a9947e

          SHA256

          d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

          SHA512

          f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

          Download Submit

        • \Users\Admin\AppData\Local\t8CiVlat\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • memory/1180-24-0x0000000077280000-0x0000000077282000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1180-3-0x0000000077016000-0x0000000077017000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-6-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-12-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-15-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-22-0x0000000002D30000-0x0000000002D37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1180-14-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-13-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-25-0x00000000772B0000-0x00000000772B2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1180-10-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-23-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-34-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-36-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-7-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-44-0x0000000077016000-0x0000000077017000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-8-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-9-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1180-4-0x0000000002D50000-0x0000000002D51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1180-11-0x0000000140000000-0x00000001400A6000-memory.dmp

          Filesize

          664KB

          Download

        • memory/1972-73-0x000007FEF7B20000-0x000007FEF7BC7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2576-43-0x000007FEF6FE0000-0x000007FEF7086000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2576-0-0x000007FEF6FE0000-0x000007FEF7086000-memory.dmp

          Filesize

          664KB

          Download

        • memory/2576-2-0x0000000000220000-0x0000000000227000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2656-57-0x000007FEF7B20000-0x000007FEF7BC7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2656-53-0x000007FEF7B20000-0x000007FEF7BC7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/2656-52-0x0000000000110000-0x0000000000117000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2944-89-0x000007FEF7B20000-0x000007FEF7BC7000-memory.dmp

          Filesize

          668KB

          Download