Overview

overview

10

Static

static

3

534d2ed9ba...39.dll

windows7-x64

10

534d2ed9ba...39.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    534d2ed9bae64039fe0e0f0fa0b51caf808d603f70d0e34c54dbb9a018801739.dll

  • Size

    676KB

  • MD5

    fe55563a35f75a22d84ca5916747d82c

  • SHA1

    39b3b39299ef909314d2edc5c8808b7d495c8b0e

  • SHA256

    534d2ed9bae64039fe0e0f0fa0b51caf808d603f70d0e34c54dbb9a018801739

  • SHA512

    5e74de0700fae017bbfa89b8636ba4c6c9b09e46660c56fc2502777aaea32ec98f405863bf5ec656b2282c14638864b8006853f5c711719f2d98dac6bb341ba1

  • SSDEEP

    6144:I34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:IIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 12 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\534d2ed9bae64039fe0e0f0fa0b51caf808d603f70d0e34c54dbb9a018801739.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1680
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
      PID:2108
    • C:\Users\Admin\AppData\Local\R4S\BdeUISrv.exe
      C:\Users\Admin\AppData\Local\R4S\BdeUISrv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:1416
    • C:\Windows\system32\DisplaySwitch.exe
      C:\Windows\system32\DisplaySwitch.exe
      1⤵
        PID:2616
      • C:\Users\Admin\AppData\Local\wkdnB4\DisplaySwitch.exe
        C:\Users\Admin\AppData\Local\wkdnB4\DisplaySwitch.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2168
      • C:\Windows\system32\dialer.exe
        C:\Windows\system32\dialer.exe
        1⤵
          PID:2372
        • C:\Users\Admin\AppData\Local\GBQEtkBL\dialer.exe
          C:\Users\Admin\AppData\Local\GBQEtkBL\dialer.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2176

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\GBQEtkBL\TAPI32.dll
          Filesize

          684KB

          MD5

          195d5b54791fdcdb5da00981e4698cdf

          SHA1

          68db1b0573845c526d46a70c2719090779794643

          SHA256

          279fbb77f4cc37759ccc59bff9cfcd42b43ed139b107c41eb5879ec527ba138e

          SHA512

          d16b12e65b8cd8818f90d205544bf244e79e59913a0e6be9f59fff0c3e02948a000b1e22e5ee6394022feb03ffa9211223ae34f3ffc2b799a096025581c069d7

          Download Submit

        • C:\Users\Admin\AppData\Local\R4S\WTSAPI32.dll
          Filesize

          680KB

          MD5

          874fb3c9d58b08428d5cc54727858dfa

          SHA1

          05c8f62cebea0516efb9114fc249f9d189ac709c

          SHA256

          2afdc7742e0d7e2e5469633fb89b2cd8a7d401ce543471022dd00af88319a6e3

          SHA512

          ca028507cb04bda33743ef102fc6b8b07bb66288a9a9ed2a33b3e6201c66ab004aaa54d90d70a1879f49cadf3d31989adb21a94436bcbdb0b8f63f16f7ead82e

          Download Submit

        • C:\Users\Admin\AppData\Local\wkdnB4\slc.dll
          Filesize

          680KB

          MD5

          1456535b7af556561e890f979f931f66

          SHA1

          070e7f5bbd6f673216ad19479379712d25a56dd9

          SHA256

          7bcbc8e41ed33b50ed8b25668f4f699690f65dfd968e51d8624e199fe5f45444

          SHA512

          bc3d26b93d7ff34b9771dbf5b617b27724af4b85c7d09813e07cb674241fe7c9a623f7bdbc0ca3e83df16ccf2a8214dd9b843130b55f0224af8b24b8c860cda8

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk
          Filesize

          1000B

          MD5

          a4c9ab78596e392d78420aef2bf5d47d

          SHA1

          b899692c56fab884464e4178087c020bef875992

          SHA256

          b08de43215bc0b22741cf9a778ba6808551fd8f6d9dba839cc9e2cd335b1131c

          SHA512

          e85687939bdc6bbc0cdde69ad2f17e5b48799d46316736652a3c5dc4a1c4a8ade7cc601ec16414623bb0509e458fd299c99be3ba843f4b443e933aec5e6c3590

          Download Submit

        • \Users\Admin\AppData\Local\GBQEtkBL\dialer.exe
          Filesize

          34KB

          MD5

          46523e17ee0f6837746924eda7e9bac9

          SHA1

          d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

          SHA256

          23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

          SHA512

          c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

          Download Submit

        • \Users\Admin\AppData\Local\R4S\BdeUISrv.exe
          Filesize

          47KB

          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit

        • \Users\Admin\AppData\Local\wkdnB4\DisplaySwitch.exe
          Filesize

          517KB

          MD5

          b795e6138e29a37508285fc31e92bd78

          SHA1

          d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

          SHA256

          01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

          SHA512

          8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

          Download Submit

        • memory/1280-13-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-47-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1280-14-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-3-0x0000000076CA6000-0x0000000076CA7000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1280-12-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-11-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-10-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-9-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-8-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-26-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-7-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-17-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-28-0x0000000076F40000-0x0000000076F42000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1280-27-0x0000000076F10000-0x0000000076F12000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1280-37-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-39-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-4-0x0000000002640000-0x0000000002641000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1280-15-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-16-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-25-0x0000000002220000-0x0000000002227000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1280-6-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1280-18-0x0000000140000000-0x00000001400A9000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1416-60-0x000007FEF7220000-0x000007FEF72CA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1416-56-0x000007FEF7220000-0x000007FEF72CA000-memory.dmp

          Filesize

          680KB

          Download

        • memory/1416-55-0x0000000000080000-0x0000000000087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1680-46-0x000007FEF71C0000-0x000007FEF7269000-memory.dmp

          Filesize

          676KB

          Download

        • memory/1680-0-0x0000000000230000-0x0000000000237000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1680-1-0x000007FEF71C0000-0x000007FEF7269000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2168-74-0x0000000000090000-0x0000000000097000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2168-72-0x000007FEF70F0000-0x000007FEF719A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2168-77-0x000007FEF70F0000-0x000007FEF719A000-memory.dmp

          Filesize

          680KB

          Download

        • memory/2176-89-0x000007FEF70F0000-0x000007FEF719B000-memory.dmp

          Filesize

          684KB

          Download

        • memory/2176-93-0x000007FEF70F0000-0x000007FEF719B000-memory.dmp

          Filesize

          684KB

          Download