Overview

overview

10

Static

static

3

Trojan.Win...BM.dll

windows7-x64

10

Trojan.Win...BM.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan.Win64.Dridex.ABM.dll

  • Size

    984KB

  • MD5

    5b4ed52afad791ec0dc42503eb380110

  • SHA1

    51da3175f1952b77a4cbe7d5f25651cebf663d13

  • SHA256

    b221e9990a3e37c98a73e407516a06c0905a6f5cdfb04b0acadb49448c62edd2

  • SHA512

    49814de8778b86ab5f79f03aa860db320fbf58975855740bd1306a67857256b1f360479a75ce7d0962102d7ffdb3f32d93084ac6ce66a190fa7091476f0ebcac

  • SSDEEP

    12288:Ufndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:+dAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan.Win64.Dridex.ABM.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1700
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    1⤵
      PID:2676
    • C:\Users\Admin\AppData\Local\CyaOC\sethc.exe
      C:\Users\Admin\AppData\Local\CyaOC\sethc.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2752
    • C:\Windows\system32\rdpclip.exe
      C:\Windows\system32\rdpclip.exe
      1⤵
        PID:2500
      • C:\Users\Admin\AppData\Local\VV1\rdpclip.exe
        C:\Users\Admin\AppData\Local\VV1\rdpclip.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2616
      • C:\Windows\system32\osk.exe
        C:\Windows\system32\osk.exe
        1⤵
          PID:2952
        • C:\Users\Admin\AppData\Local\Q3DEN60bc\osk.exe
          C:\Users\Admin\AppData\Local\Q3DEN60bc\osk.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2536

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\CyaOC\UxTheme.dll
          Filesize

          988KB

          MD5

          106b47c947296757488759f8b9b5f345

          SHA1

          a729b40ff473b53b5bbd6009e373e0b870bb8d74

          SHA256

          b22160374b5fa88e4762629378b5346a908df9a61ee01ddb9e3e08ce7668398d

          SHA512

          586388533642fcae34b8d4296e3eedfec25425117d031480e31e387465bd725d156dad7c1c738987aa2c0f12d226a4684aa8ce5c2aea3ee00ecddc1ad62f9dd3

          Download Submit

        • C:\Users\Admin\AppData\Local\Q3DEN60bc\MSSWCH.dll
          Filesize

          988KB

          MD5

          ab39fcbaa14fda6d91437d4a72a0c04e

          SHA1

          f3c2e58760d56842d534622ce896d040321fa992

          SHA256

          a8fd3477293a9d3c365b6962d8514e1900841eed9f97635f4aa4111952f6d8db

          SHA512

          07e1045c405e37ab309e2e9bdb1d3e6fef6b482562b5f168afd176d69b30c289bb60a7c6499212af63b372626f6a59785133dbd64238bf72abc770b1f013763b

          Download Submit

        • C:\Users\Admin\AppData\Local\VV1\WINSTA.dll
          Filesize

          992KB

          MD5

          80bc03c11ed6892cbc362a9cfeb69287

          SHA1

          e8bb21d2281117b9649ddcc1e132893e12809c97

          SHA256

          d6045c88ee38f96bc6df9fbd1ed4f15f2d48706dc94b25d38ef8d843c42350a0

          SHA512

          994a48229cdce3f0821c7c7215e9b952546bfc8a365c3d423e0743149c00902c1752d365b5a21657b37df0e9ed366f68627fc71b1628b1eb19ca609b7517fe80

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk
          Filesize

          972B

          MD5

          56714a62f6d2e08e9854aeee2a78e579

          SHA1

          0df16208796768c1387978bc8409e45c4c52980a

          SHA256

          44c53cff3fe3bcb3c7388ea85b158a8b46462d7733eb1c3ae98b7ec3710cceff

          SHA512

          d1f63d1cdb5aa1d61dfbbfc66bec3ddcc9e7aa9749bcec6f218e20e6b6514ddaa1f7679619d555813945a302827d956dc9900f00a6f170f0aa21079ac35f4c8b

          Download Submit

        • \Users\Admin\AppData\Local\CyaOC\sethc.exe
          Filesize

          272KB

          MD5

          3bcb70da9b5a2011e01e35ed29a3f3f3

          SHA1

          9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

          SHA256

          dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

          SHA512

          69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

          Download Submit

        • \Users\Admin\AppData\Local\Q3DEN60bc\osk.exe
          Filesize

          676KB

          MD5

          b918311a8e59fb8ccf613a110024deba

          SHA1

          a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

          SHA256

          e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

          SHA512

          e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

          Download Submit

        • \Users\Admin\AppData\Local\VV1\rdpclip.exe
          Filesize

          206KB

          MD5

          25d284eb2f12254c001afe9a82575a81

          SHA1

          cf131801fdd5ec92278f9e0ae62050e31c6670a5

          SHA256

          837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

          SHA512

          7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

          Download Submit

        • memory/1196-29-0x00000000773F0000-0x00000000773F2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-38-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-14-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-13-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-12-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-11-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-10-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-9-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-8-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-7-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-6-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-3-0x0000000077156000-0x0000000077157000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-28-0x00000000773C0000-0x00000000773C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-27-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-39-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-15-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-4-0x0000000002D00000-0x0000000002D01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-48-0x0000000077156000-0x0000000077157000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-16-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-20-0x0000000002CE0000-0x0000000002CE7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-17-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1196-18-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1700-47-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1700-2-0x0000000000120000-0x0000000000127000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1700-0-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2536-94-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2616-73-0x0000000140000000-0x00000001400F8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/2616-75-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2616-78-0x0000000140000000-0x00000001400F8000-memory.dmp

          Filesize

          992KB

          Download

        • memory/2752-61-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2752-57-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2752-56-0x0000000000530000-0x0000000000537000-memory.dmp

          Filesize

          28KB

          Download