Overview

overview

10

Static

static

3

Trojan.Win...BM.dll

windows7-x64

10

Trojan.Win...BM.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan.Win64.Dridex.ABM.dll

  • Size

    984KB

  • MD5

    5b4ed52afad791ec0dc42503eb380110

  • SHA1

    51da3175f1952b77a4cbe7d5f25651cebf663d13

  • SHA256

    b221e9990a3e37c98a73e407516a06c0905a6f5cdfb04b0acadb49448c62edd2

  • SHA512

    49814de8778b86ab5f79f03aa860db320fbf58975855740bd1306a67857256b1f360479a75ce7d0962102d7ffdb3f32d93084ac6ce66a190fa7091476f0ebcac

  • SSDEEP

    12288:Ufndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:+dAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan.Win64.Dridex.ABM.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3328
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    1⤵
      PID:4444
    • C:\Users\Admin\AppData\Local\bLJ2vt\perfmon.exe
      C:\Users\Admin\AppData\Local\bLJ2vt\perfmon.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:376
    • C:\Windows\system32\wscript.exe
      C:\Windows\system32\wscript.exe
      1⤵
        PID:232
      • C:\Users\Admin\AppData\Local\4XPLM710\wscript.exe
        C:\Users\Admin\AppData\Local\4XPLM710\wscript.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1308
      • C:\Windows\system32\AtBroker.exe
        C:\Windows\system32\AtBroker.exe
        1⤵
          PID:2544
        • C:\Users\Admin\AppData\Local\qXH4\AtBroker.exe
          C:\Users\Admin\AppData\Local\qXH4\AtBroker.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:3256

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4XPLM710\VERSION.dll
          Filesize

          988KB

          MD5

          a6f789064fc5be44d8340e5383d11b8d

          SHA1

          e55842c1c6b1e3fc21ac8062f3456ca182d9f8dd

          SHA256

          8a95f60a89bfa44d19c746dbc3694ddc4662cd6d5e250c288a7585dd885d6de8

          SHA512

          2d4ca24b807abffa31534880a0c9a30e145532e992aadb364308ea762965a93b1efcd83c2105ea0ecc9d0fc3267926aedac4181782bb565a94fd61ea48e498e9

          Download Submit

        • C:\Users\Admin\AppData\Local\4XPLM710\wscript.exe
          Filesize

          166KB

          MD5

          a47cbe969ea935bdd3ab568bb126bc80

          SHA1

          15f2facfd05daf46d2c63912916bf2887cebd98a

          SHA256

          34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

          SHA512

          f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

          Download Submit

        • C:\Users\Admin\AppData\Local\bLJ2vt\credui.dll
          Filesize

          988KB

          MD5

          4c01a83714de7c6bc1ff0d266fdb5fcc

          SHA1

          10733526e3b4aea7c735f6aea3400004666eca98

          SHA256

          3f65d89f2f0615fecafcb603499b6c976cc093a082e8a38db3e37811efa59db5

          SHA512

          b8c1d2137e74af021e2de92922eddcaed275083974ade1afe9caaaa1e7cb6c2d7ba32dad0d7f11a9597dedeea9aae67a517d1d01822e2e8078d6ccc13960cdc9

          Download Submit

        • C:\Users\Admin\AppData\Local\bLJ2vt\perfmon.exe
          Filesize

          177KB

          MD5

          d38aa59c3bea5456bd6f95c73ad3c964

          SHA1

          40170eab389a6ba35e949f9c92962646a302d9ef

          SHA256

          5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c

          SHA512

          59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

          Download Submit

        • C:\Users\Admin\AppData\Local\qXH4\AtBroker.exe
          Filesize

          90KB

          MD5

          30076e434a015bdf4c136e09351882cc

          SHA1

          584c958a35e23083a0861421357405afd26d9a0c

          SHA256

          ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

          SHA512

          675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

          Download Submit

        • C:\Users\Admin\AppData\Local\qXH4\UxTheme.dll
          Filesize

          988KB

          MD5

          5c2d8377d8bda96a63999d752cd7399c

          SHA1

          852f5c8f485422778021e5854508639aeaab3f1d

          SHA256

          55df3ebefa5d583ea2b5fee937ab3f66e36b4e36bbdd69d018ab191ef6b9d35f

          SHA512

          11d43b73528db33e6d32d4f0e2cff6f4a0ff197cb884cbce7dbaf9f3b7e2268d046ca02a81380436b76be083651f97ab903ebeec70a012ed3fe388cfe76d2d05

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mcinmsnhewplgza.lnk
          Filesize

          1KB

          MD5

          b588241b73970c4cb8f5d35e519f9451

          SHA1

          7d14064f27cfeed4f38082111e4e2302274bed58

          SHA256

          1eaf608f3a4b51eb1eae63cc35565dfdc376722938a4f85596b5427ccce43e44

          SHA512

          e663c3b2d6787d1b4b0b0a6766a2cc872ab33716f2c97561fb7a2c4b19bca4406fdf1b13378b626c684d63e680bac0e5263cfaa1d22db46dec53eb120b47fdc4

          Download Submit

        • memory/376-53-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/376-50-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/376-48-0x0000028C1CCC0000-0x0000028C1CCC7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1308-69-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1308-66-0x000002220B810000-0x000002220B817000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3256-84-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/3328-41-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3328-0-0x0000016FB01F0000-0x0000016FB01F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3328-1-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-15-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-12-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-18-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-29-0x00007FF8A1D90000-0x00007FF8A1DA0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3424-28-0x00007FF8A1DA0000-0x00007FF8A1DB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3424-38-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-8-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-10-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-11-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-7-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-13-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-14-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-27-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-17-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-26-0x0000000002B20000-0x0000000002B27000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3424-16-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-6-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-9-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3424-3-0x0000000002B40000-0x0000000002B41000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3424-4-0x00007FF8A16DA000-0x00007FF8A16DB000-memory.dmp

          Filesize

          4KB

          Download