Overview

overview

10

Static

static

3

Trojan.Win...BM.dll

windows7-x64

10

Trojan.Win...BM.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-09-2024 17:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Trojan.Win64.Dridex.ABM.dll

  • Size

    984KB

  • MD5

    5b4ed52afad791ec0dc42503eb380110

  • SHA1

    51da3175f1952b77a4cbe7d5f25651cebf663d13

  • SHA256

    b221e9990a3e37c98a73e407516a06c0905a6f5cdfb04b0acadb49448c62edd2

  • SHA512

    49814de8778b86ab5f79f03aa860db320fbf58975855740bd1306a67857256b1f360479a75ce7d0962102d7ffdb3f32d93084ac6ce66a190fa7091476f0ebcac

  • SSDEEP

    12288:Ufndx6M581WsGRouyjzC6gn5l0H1Tak8jnGg/xeq7gz3xfsPEb4sk:+dAE81W381Wk8jnYz3dsPEb4s

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\Trojan.Win64.Dridex.ABM.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:652
  • C:\Windows\system32\osk.exe
    C:\Windows\system32\osk.exe
    1⤵
      PID:708
    • C:\Users\Admin\AppData\Local\mPIJ\osk.exe
      C:\Users\Admin\AppData\Local\mPIJ\osk.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2640
    • C:\Windows\system32\BdeUISrv.exe
      C:\Windows\system32\BdeUISrv.exe
      1⤵
        PID:756
      • C:\Users\Admin\AppData\Local\XRU\BdeUISrv.exe
        C:\Users\Admin\AppData\Local\XRU\BdeUISrv.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2812
      • C:\Windows\system32\systemreset.exe
        C:\Windows\system32\systemreset.exe
        1⤵
          PID:1448
        • C:\Users\Admin\AppData\Local\dvsMbW\systemreset.exe
          C:\Users\Admin\AppData\Local\dvsMbW\systemreset.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2236

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\XRU\BdeUISrv.exe
          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

          Download Submit

        • C:\Users\Admin\AppData\Local\XRU\WTSAPI32.dll
          Filesize

          988KB

          MD5

          ff2e345085e61b1f62762d78b2bbfbbe

          SHA1

          a5fc0f8f5e7219d72ed2e1c2c6ab38cc01ae4466

          SHA256

          9f4b767ac245ec4dd206126a676f0d70d3e5200945ecac3b64ac1179bee11e83

          SHA512

          5a8f1216f5570136d19c4fc33bcd9b0a5d92643311fdfc60830fe93625fc430d954dd74f04838d562202c5f16b7d378da7ab2ac05b9ecb401fd6731dda592610

          Download Submit

        • C:\Users\Admin\AppData\Local\dvsMbW\DUI70.dll
          Filesize

          1.2MB

          MD5

          dfc429e7da62fb2a4098b5a8f5dadd3c

          SHA1

          f0121daa20674da20e8e9163e6ac81ca190c8778

          SHA256

          4d3e13ba76c4523a06bf00ba5455f1b9d9561f07e5613a7d025089e4447eb97b

          SHA512

          19c65727d3471827057f53a840116954d4ff1d472cc5f578a83de924a355d6b5609f402ab903645933e81a7d6541020c468df48f95105018f2e104334e3e857b

          Download Submit

        • C:\Users\Admin\AppData\Local\dvsMbW\systemreset.exe
          Filesize

          508KB

          MD5

          325ff647506adb89514defdd1c372194

          SHA1

          84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

          SHA256

          ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

          SHA512

          8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

          Download Submit

        • C:\Users\Admin\AppData\Local\mPIJ\WMsgAPI.dll
          Filesize

          988KB

          MD5

          4d3f956033648d6922382fb6e21233f7

          SHA1

          f5b27a33236be3107834c9216f03db9f7e20b6b4

          SHA256

          26752e739a9bd4a5ac9c09ddcf7dedc4e07c9d7f055ef0a86f25366c9a778e81

          SHA512

          9c20269badb741ec481ef0568aee999167a189af31cbced6b2956c5a85c79e946a1c5c887066138e34149ed15b918ea52dc4d7f76d19757c922915b91f613ff8

          Download Submit

        • C:\Users\Admin\AppData\Local\mPIJ\osk.exe
          Filesize

          638KB

          MD5

          745f2df5beed97b8c751df83938cb418

          SHA1

          2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

          SHA256

          f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

          SHA512

          2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ahvhgxnkgdxqlh.lnk
          Filesize

          1KB

          MD5

          ce9a0511885cd069f18c02649aa483ef

          SHA1

          d47a08fa13bebac1f721289facd5b428f1eb8ed7

          SHA256

          acd252675cbbbecb46f06e928deef7443d17e397be52918eac2e802eee309c21

          SHA512

          b6f9ab4082ed196026a6a24a1263152ac6302f7d8f8b488e95cf0c99099a0f6358101a1268059bbed8955ba05effdb264046100f67d9b645ff8930595cde772a

          Download Submit

        • memory/652-1-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/652-41-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/652-0-0x000002652D330000-0x000002652D337000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2236-80-0x0000000140000000-0x000000014013C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2236-84-0x0000000140000000-0x000000014013C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2640-53-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2640-48-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2640-50-0x000001669DBA0000-0x000001669DBA7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2812-64-0x0000027BF2900000-0x0000027BF2907000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2812-69-0x0000000140000000-0x00000001400F7000-memory.dmp

          Filesize

          988KB

          Download

        • memory/3548-29-0x00007FFB62370000-0x00007FFB62380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3548-13-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-7-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-6-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-38-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-9-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-10-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-11-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-12-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-8-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-14-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-27-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-28-0x00007FFB62380000-0x00007FFB62390000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3548-15-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-18-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-26-0x00000000030A0000-0x00000000030A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3548-17-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-16-0x0000000140000000-0x00000001400F6000-memory.dmp

          Filesize

          984KB

          Download

        • memory/3548-3-0x00007FFB605EA000-0x00007FFB605EB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3548-4-0x00000000031E0000-0x00000000031E1000-memory.dmp

          Filesize

          4KB

          Download