Overview

overview

10

Static

static

3

Trojan.Win...BM.dll

windows7-x64

10

Trojan.Win...BM.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-09-2024 17:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan.Win64.Dridex.ABM.dll

  • Size

    984KB

  • MD5

    5b4ed52afad791ec0dc42503eb380110

  • SHA1

    51da3175f1952b77a4cbe7d5f25651cebf663d13

  • SHA256

    b221e9990a3e37c98a73e407516a06c0905a6f5cdfb04b0acadb49448c62edd2

  • SHA512

    49814de8778b86ab5f79f03aa860db320fbf58975855740bd1306a67857256b1f360479a75ce7d0962102d7ffdb3f32d93084ac6ce66a190fa7091476f0ebcac

  • SSDEEP

    12288:Ufndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:+dAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan.Win64.Dridex.ABM.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2388
  • C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe
    1⤵
      PID:2940
    • C:\Users\Admin\AppData\Local\MnrlwK\Dxpserver.exe
      C:\Users\Admin\AppData\Local\MnrlwK\Dxpserver.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:860
    • C:\Windows\system32\SystemPropertiesHardware.exe
      C:\Windows\system32\SystemPropertiesHardware.exe
      1⤵
        PID:1872
      • C:\Users\Admin\AppData\Local\wPD\SystemPropertiesHardware.exe
        C:\Users\Admin\AppData\Local\wPD\SystemPropertiesHardware.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2200
      • C:\Windows\system32\spreview.exe
        C:\Windows\system32\spreview.exe
        1⤵
          PID:2788
        • C:\Users\Admin\AppData\Local\LNl7\spreview.exe
          C:\Users\Admin\AppData\Local\LNl7\spreview.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2784

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\LNl7\VERSION.dll
          Filesize

          988KB

          MD5

          527bf86494ba1dc8d0710e1eb1d8dd2a

          SHA1

          ec181a3c817e06f62a4604d34ef923b341f958ae

          SHA256

          8b93103b23387a7e80f4c260a6428b84f501010c27bd7be2e96984f665f65a79

          SHA512

          33e61e544e828f7341031ad78f547ec3ce2554724e3ab23386307a8c796eff826b95c7377f6273b409e9a51f23838d7ef3bfd529a42d685c6b6d62fcc79d8d93

          Download Submit

        • C:\Users\Admin\AppData\Local\MnrlwK\XmlLite.dll
          Filesize

          988KB

          MD5

          1bab1e11e6c2108ce09f919739842144

          SHA1

          f5667691760c49d9d51c40e7af67e292a1de13c1

          SHA256

          e2f80334a2dc28525aa87cd2d710a60f1cc1a159281ff9a723ed365689a1cd5d

          SHA512

          a045618faf2d2fc31ed0a22c7bbe1c98b53296311c424fe79fa64c5c77810aa3a122000e716c17fe688dd012c2454f92b2fa82d52d4790cb40e60d016623c51e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk
          Filesize

          1KB

          MD5

          38ce5179dc4f33a192ec568dee47e126

          SHA1

          ddd076852aae9836b36ced6bb23127f2fee36e65

          SHA256

          e3bc18706a5b3b8901185f142c5bb9065526ac114a4cd4af4e7815c4fadd6224

          SHA512

          9d5e384ec507db800326d1466eb4ea5dd533100520abf48e67fa75ecdef4df95f51cef382652ff8bfde5f082e53ac107ce93dbe7f4e66e194152ec72c6d69f70

          Download Submit

        • \Users\Admin\AppData\Local\LNl7\spreview.exe
          Filesize

          294KB

          MD5

          704cd4cac010e8e6d8de9b778ed17773

          SHA1

          81856abf70640f102b8b3defe2cf65669fe8e165

          SHA256

          4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

          SHA512

          b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

          Download Submit

        • \Users\Admin\AppData\Local\MnrlwK\Dxpserver.exe
          Filesize

          259KB

          MD5

          4d38389fb92e43c77a524fd96dbafd21

          SHA1

          08014e52f6894cad4f1d1e6fc1a703732e9acd19

          SHA256

          070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

          SHA512

          02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

          Download Submit

        • \Users\Admin\AppData\Local\wPD\SYSDM.CPL
          Filesize

          988KB

          MD5

          3e2a344261f077b78ccc0050901deaad

          SHA1

          3844bbd8b428fa0dc1c34fc5ea26b271595d9358

          SHA256

          0abfe5257646e0ea4134298467a6e9b26d26cb51893b526d6b2802492d87ca08

          SHA512

          37b744b6d1639b6839e0cce864887244f910cf9cbeca0178cb56f8a4d4768b2dd5dcb96c5789e74e14ce357a69446e2f37477586e4b5f2c4933572f07fb32749

          Download Submit

        • \Users\Admin\AppData\Local\wPD\SystemPropertiesHardware.exe
          Filesize

          80KB

          MD5

          c63d722641c417764247f683f9fb43be

          SHA1

          948ec61ebf241c4d80efca3efdfc33fe746e3b98

          SHA256

          4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

          SHA512

          7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

          Download Submit

        • memory/860-61-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/860-57-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/860-56-0x0000000000200000-0x0000000000207000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-17-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-26-0x00000000025C0000-0x00000000025C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1208-13-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-12-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-11-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-10-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-9-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-15-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-8-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-29-0x0000000077370000-0x0000000077372000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-28-0x0000000077340000-0x0000000077342000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1208-40-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-38-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-3-0x00000000770D6000-0x00000000770D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-48-0x00000000770D6000-0x00000000770D7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-16-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-4-0x00000000025E0000-0x00000000025E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1208-18-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-27-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-14-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-6-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/1208-7-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2200-73-0x0000000000180000-0x0000000000187000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2200-78-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2388-2-0x0000000000390000-0x0000000000397000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2388-47-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2388-0-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/2784-94-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download