Overview

overview

10

Static

static

3

a13857d5df...fd.dll

windows7-x64

10

a13857d5df...fd.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-11-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a13857d5df595b8238d68d39bd116e7a78d3ef19ee2644bd1ce4f498b8cbdffd.dll

  • Size

    676KB

  • MD5

    3a326af7f81639f667ee14de69537a21

  • SHA1

    66c8fed72543d4c155411dc08dd21e615e2dec8d

  • SHA256

    a13857d5df595b8238d68d39bd116e7a78d3ef19ee2644bd1ce4f498b8cbdffd

  • SHA512

    15c4efe13cfedba6e9def41216acb062cae4ae59338c1878ce97507c980b771c2b332d34885ece2444e0210e7f21e79cbbb57ecf1a111e3e0f8939749c27de4f

  • SSDEEP

    6144:R34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTa:RIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 10 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a13857d5df595b8238d68d39bd116e7a78d3ef19ee2644bd1ce4f498b8cbdffd.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4592
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
      PID:4240
    • C:\Users\Admin\AppData\Local\Ps3p\BdeUISrv.exe
      C:\Users\Admin\AppData\Local\Ps3p\BdeUISrv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4196
    • C:\Windows\system32\DisplaySwitch.exe
      C:\Windows\system32\DisplaySwitch.exe
      1⤵
        PID:4760
      • C:\Users\Admin\AppData\Local\jtSd\DisplaySwitch.exe
        C:\Users\Admin\AppData\Local\jtSd\DisplaySwitch.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:4560
      • C:\Windows\system32\psr.exe
        C:\Windows\system32\psr.exe
        1⤵
          PID:2808
        • C:\Users\Admin\AppData\Local\aN9lNz\psr.exe
          C:\Users\Admin\AppData\Local\aN9lNz\psr.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2840

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Ps3p\BdeUISrv.exe
          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

          Download Submit

        • C:\Users\Admin\AppData\Local\Ps3p\WTSAPI32.dll
          Filesize

          680KB

          MD5

          29edbdf30fe35da6da96f104f9100fa8

          SHA1

          6e77f56b03d9bcf0b11d550130917fb406f36b50

          SHA256

          1a00664a01dcf382c51f22e3ca6edf3335b5f2cb125b62d74cab76548eef8886

          SHA512

          5f0ba3a55cb0a263d06e5c1640103f57827e36949d95c12285a36d8df1a74de43e39e7d7b00d1b1ce290530ab98951fcf054248ac33a93c6089621a04207bee2

          Download Submit

        • C:\Users\Admin\AppData\Local\aN9lNz\XmlLite.dll
          Filesize

          680KB

          MD5

          b0548066e9c742c12b17ccd11229fa47

          SHA1

          5edfcbe1a211788e67b40a556e691f363dec98eb

          SHA256

          b629a99d50504dfc5507b618bef7422f837a7b09fe8a664f821699a265983a06

          SHA512

          c3aaf2f27107bcc4fa690f2d81a60a2027957cdd6c1ee6cf9b879a557163c693fb4908f533e3fbbef231f650a67dc3c31f35d9f5a4701e21dc1191498ce68767

          Download Submit

        • C:\Users\Admin\AppData\Local\aN9lNz\psr.exe
          Filesize

          232KB

          MD5

          ad53ead5379985081b7c3f1f357e545a

          SHA1

          6f5aa32c1d15fbf073558fadafd046d97b60184e

          SHA256

          4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

          SHA512

          433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

          Download Submit

        • C:\Users\Admin\AppData\Local\jtSd\DisplaySwitch.exe
          Filesize

          1.8MB

          MD5

          5338d4beddf23db817eb5c37500b5735

          SHA1

          1b5c56f00b53fca3205ff24770203af46cbc7c54

          SHA256

          8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

          SHA512

          173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

          Download Submit

        • C:\Users\Admin\AppData\Local\jtSd\WINSTA.dll
          Filesize

          684KB

          MD5

          499cc8bcdda7e180990296a7fc66f60b

          SHA1

          09d5e30db86a37c97fc169a7fc472a0fba57d5ee

          SHA256

          b8f0af7f46a77ea7b405e6350ccc95979033b958047982f65077a22831c530dd

          SHA512

          798f7c79293d08ace1319ffca230f9619c09648b518671f43c999f009bf42a3a32ea40ccf12d9527b97d2aaf309ccb6989b29ef5ee6237270255eb8cc1b3d87a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eswctkc.lnk
          Filesize

          1KB

          MD5

          dd1c0f03009c8983e3a347c73df6baaf

          SHA1

          75665355bd97896073baa615ff226bba155998cb

          SHA256

          475d07e282844f0921ef177bda1cd5a9b95f38df16d63a64ee606089aad08ce8

          SHA512

          bcdd5227b78d284439f47980833641ab54349775c141a72af4acda1e5e4523e813ed215eef2683f525982276e2be3de56724fce383431c9b6d5e5c3d0d77bdb7

          Download Submit

        • memory/2840-82-0x00007FFD30A60000-0x00007FFD30B0A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/3420-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-3-0x00000000038E0000-0x00000000038E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3420-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-26-0x00007FFD4F360000-0x00007FFD4F370000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3420-4-0x00007FFD4D59A000-0x00007FFD4D59B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3420-24-0x00000000037F0000-0x00000000037F7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3420-36-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-27-0x00007FFD4F350000-0x00007FFD4F360000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3420-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3420-25-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4196-46-0x000001C643C70000-0x000001C643C77000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4196-51-0x00007FFD30A60000-0x00007FFD30B0A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/4196-47-0x00007FFD30A60000-0x00007FFD30B0A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/4560-63-0x00007FFD30810000-0x00007FFD308BB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/4560-62-0x0000024D7BE50000-0x0000024D7BE57000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4560-67-0x00007FFD30810000-0x00007FFD308BB000-memory.dmp

          Filesize

          684KB

          Download

        • memory/4592-39-0x00007FFD410F0000-0x00007FFD41199000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4592-0-0x00007FFD410F0000-0x00007FFD41199000-memory.dmp

          Filesize

          676KB

          Download

        • memory/4592-2-0x000002E6A1BF0000-0x000002E6A1BF7000-memory.dmp

          Filesize

          28KB

          Download