Overview

overview

10

Static

static

3

51f1a8d441...b0.dll

windows7-x64

10

51f1a8d441...b0.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51f1a8d4410d73d9176dcd9625d7522c719e816e43bffda25085e63161d789b0.dll

  • Size

    672KB

  • MD5

    583d65e532c265246326dd54fca82723

  • SHA1

    459a26aa86533f45c0dc34201174d773d9c00e45

  • SHA256

    51f1a8d4410d73d9176dcd9625d7522c719e816e43bffda25085e63161d789b0

  • SHA512

    31b313d6bfbe3eff58ceace0a442c83ec4eeb183b2281a79bbe66527c171bc866adfb5f9c9f1b5ea8f54046278c30eaa9f215dfcf207e76ac6e63dd3555dd94b

  • SSDEEP

    6144:R34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:RIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\51f1a8d4410d73d9176dcd9625d7522c719e816e43bffda25085e63161d789b0.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1036
  • C:\Windows\system32\EhStorAuthn.exe
    C:\Windows\system32\EhStorAuthn.exe
    1⤵
      PID:2904
    • C:\Users\Admin\AppData\Local\nkv\EhStorAuthn.exe
      C:\Users\Admin\AppData\Local\nkv\EhStorAuthn.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3256
    • C:\Windows\system32\LockScreenContentServer.exe
      C:\Windows\system32\LockScreenContentServer.exe
      1⤵
        PID:5064
      • C:\Users\Admin\AppData\Local\eP2\LockScreenContentServer.exe
        C:\Users\Admin\AppData\Local\eP2\LockScreenContentServer.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3352
      • C:\Windows\system32\shrpubw.exe
        C:\Windows\system32\shrpubw.exe
        1⤵
          PID:1832
        • C:\Users\Admin\AppData\Local\u61j\shrpubw.exe
          C:\Users\Admin\AppData\Local\u61j\shrpubw.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3416

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\eP2\DUser.dll
          Filesize

          680KB

          MD5

          26689034dbe0e875776ccba7ca5a47fa

          SHA1

          0b57e65e168d79f79a3d242aa2518c1556148235

          SHA256

          fd95f93346ce5a1f270dd6aae1a20ebb805847651a1589faff7b5d6b41f2552c

          SHA512

          2b738b49bcaf413232c9f06995cf0002b73936df565131e60fe657cdb58189bab7f8aded97d1dc7831d121afa2b885ef5fbf50e7a24c13107b4bc5fb85eaf085

          Download Submit

        • C:\Users\Admin\AppData\Local\eP2\LockScreenContentServer.exe
          Filesize

          47KB

          MD5

          a0b7513c98cf46ca2cea3a567fec137c

          SHA1

          2307fc8e3fc620ea3c2fdc6248ad4658479ba995

          SHA256

          cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

          SHA512

          3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

          Download Submit

        • C:\Users\Admin\AppData\Local\nkv\EhStorAuthn.exe
          Filesize

          128KB

          MD5

          d45618e58303edb4268a6cca5ec99ecc

          SHA1

          1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

          SHA256

          d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

          SHA512

          5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

          Download Submit

        • C:\Users\Admin\AppData\Local\nkv\UxTheme.dll
          Filesize

          676KB

          MD5

          033fb72598b9152453c7bc518dda1c3c

          SHA1

          03bbeba204bc454df87d689d22a38560ba50bc49

          SHA256

          87f402bc7cde42f52f43c819ea084af5e5173ce0a7fffea5a9d3b0d626c913ae

          SHA512

          5260f0e3b0c6e711a2931f785808bb84ac1b9266c5ef0708c763a62fb52fa30dbc0615dc1846bc9d01a51fc2ebecd90a3bfd35246b4f485743c8ee7e50c732be

          Download Submit

        • C:\Users\Admin\AppData\Local\u61j\ACLUI.dll
          Filesize

          676KB

          MD5

          2c3c9626d98ea70c517cba54dfb86316

          SHA1

          86b125d208f9787520e9e26c7c15f7c24ef86fa4

          SHA256

          e9b1e54b60649871df5a8e30293c42f4cef91aea1852f0b8b08c6d00c49bbd01

          SHA512

          8024f1152d459f082c7fc0e5310fd1ca1e203254cd9da53488b5d1009d16392ceb42c5dad561a384febf16f12803412bbcf2fb8750ea4c3c203e2721fd698ec0

          Download Submit

        • C:\Users\Admin\AppData\Local\u61j\shrpubw.exe
          Filesize

          59KB

          MD5

          9910d5c62428ec5f92b04abf9428eec9

          SHA1

          05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

          SHA256

          6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

          SHA512

          01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          a57dffa3ce1acec871d53bb6ce0c5002

          SHA1

          0d5a578c65bd8dc2f88e61a083651f2f7588e6b3

          SHA256

          5e773707f6e7de8eea6cf82cff1cbd0eb38ba8d056d6d0ab8eb42ee0fb6888c2

          SHA512

          142d535204e6e1ea6147638a17ec3f880284f0c9566bf3476d36a1083cc7713996b697800c29675b529d4498427ef7c5632ce9f293f2a8e80e10809bd31de2e5

          Download Submit

        • memory/1036-0-0x00007FFCF9320000-0x00007FFCF93C8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1036-39-0x00007FFCF9320000-0x00007FFCF93C8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1036-2-0x00000241A2440000-0x00000241A2447000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3256-51-0x00007FFCF8D40000-0x00007FFCF8DE9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3256-46-0x0000016528E80000-0x0000016528E87000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3256-47-0x00007FFCF8D40000-0x00007FFCF8DE9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3352-67-0x00007FFCF8D40000-0x00007FFCF8DEA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3352-64-0x000001ED3D160000-0x000001ED3D167000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3352-62-0x00007FFCF8D40000-0x00007FFCF8DEA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3356-13-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-9-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-11-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-5-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-36-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-23-0x00007FFD06D3A000-0x00007FFD06D3B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3356-6-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-7-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-8-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-15-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-10-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-12-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-14-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-16-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-25-0x0000000140000000-0x00000001400A8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3356-26-0x00007FFD07C40000-0x00007FFD07C50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3356-27-0x00007FFD07C30000-0x00007FFD07C40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3356-24-0x0000000002320000-0x0000000002327000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3356-3-0x0000000002370000-0x0000000002371000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3416-82-0x00007FFCF8D40000-0x00007FFCF8DE9000-memory.dmp

          Filesize

          676KB

          Download