Overview

overview

10

Static

static

3

8025132bca...9N.dll

windows7-x64

10

8025132bca...9N.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 04:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8025132bcaf7924552395dabb6c102b0d64e94465f457199304512134f69baf9N.dll

  • Size

    668KB

  • MD5

    cb9ab1885f0cd6d07f21394cfc141ea0

  • SHA1

    03e106e193e40c8de8965a6a34330bd202016dd2

  • SHA256

    8025132bcaf7924552395dabb6c102b0d64e94465f457199304512134f69baf9

  • SHA512

    dd5c17633f836f956bc1fc7d7076a833177e1ec9e3f609aea25ab6659b88844ae755360cf1e15c193097cbb95ee1443e32391fbe7ee471817177c7228451bfa5

  • SSDEEP

    6144:F34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuTF:FIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 11 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8025132bcaf7924552395dabb6c102b0d64e94465f457199304512134f69baf9N.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:3996
  • C:\Windows\system32\DisplaySwitch.exe
    C:\Windows\system32\DisplaySwitch.exe
    1⤵
      PID:2492
    • C:\Users\Admin\AppData\Local\WscY2A\DisplaySwitch.exe
      C:\Users\Admin\AppData\Local\WscY2A\DisplaySwitch.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2908
    • C:\Windows\system32\quickassist.exe
      C:\Windows\system32\quickassist.exe
      1⤵
        PID:2792
      • C:\Users\Admin\AppData\Local\BszDRfNN\quickassist.exe
        C:\Users\Admin\AppData\Local\BszDRfNN\quickassist.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:1332
      • C:\Windows\system32\dwm.exe
        C:\Windows\system32\dwm.exe
        1⤵
          PID:4712
        • C:\Users\Admin\AppData\Local\GxsiWgdCe\dwm.exe
          C:\Users\Admin\AppData\Local\GxsiWgdCe\dwm.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1760

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\BszDRfNN\UxTheme.dll
          Filesize

          672KB

          MD5

          5a78dde634a166e23188aaf235f0ab01

          SHA1

          4abe3b95c54d43f20f8c6ddf6bc72901c67c8535

          SHA256

          db4c52977ca73cfc9b5317d8c554a2cb3846bf8e0dbac7bb38e7e40c08fb8015

          SHA512

          9b947b96341e3c6c2d5ba5792d141bade0025e85c3b9c8548be8e147dc280a36b7e59382552bcb98b097bb4af19778363be965aba22613e5a6a3de7988ef9dff

          Download Submit

        • C:\Users\Admin\AppData\Local\BszDRfNN\quickassist.exe
          Filesize

          665KB

          MD5

          d1216f9b9a64fd943539cc2b0ddfa439

          SHA1

          6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

          SHA256

          c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

          SHA512

          c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

          Download Submit

        • C:\Users\Admin\AppData\Local\GxsiWgdCe\dwm.exe
          Filesize

          92KB

          MD5

          5c27608411832c5b39ba04e33d53536c

          SHA1

          f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

          SHA256

          0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

          SHA512

          1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

          Download Submit

        • C:\Users\Admin\AppData\Local\GxsiWgdCe\dxgi.dll
          Filesize

          672KB

          MD5

          2fc158ed29d1f395737f7d8534d21dec

          SHA1

          e8e7cc2e12bad3b828430d126474f76b59525994

          SHA256

          30b2196df681166f6118224afa88ec35e682212bedf4635eecab630133c13138

          SHA512

          8240524dfb1c75de9f0510b929582805669cf66da14e2be83ab2be70821127ef9ec7199b232463c25ef3d63aadde9cc8bc3b7eb36e64a2d30f5c9e6979e8167f

          Download Submit

        • C:\Users\Admin\AppData\Local\WscY2A\DisplaySwitch.exe
          Filesize

          1.8MB

          MD5

          5338d4beddf23db817eb5c37500b5735

          SHA1

          1b5c56f00b53fca3205ff24770203af46cbc7c54

          SHA256

          8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

          SHA512

          173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

          Download Submit

        • C:\Users\Admin\AppData\Local\WscY2A\WINSTA.dll
          Filesize

          676KB

          MD5

          3ae391f0975952666212376e881320b3

          SHA1

          525b0e3a8c1d26c9cc25728ba90db5d0fcb1e609

          SHA256

          276bdd82eab8cccfa95525a86d830baa9b129e48574e8ffbeb04b0348384a000

          SHA512

          9b032a2c62848a64e8cad1969a12b09500b01ecf32f67edffe887716b3a75885dcfc17e5de42fef221bb35c00993cc9a1047ee18e5c3c2aa01bc535f7033132c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk
          Filesize

          1KB

          MD5

          a11a88b349c0dcff567d5161d9462401

          SHA1

          c0beef3339448eb62c72beb9bbd144b4aee947c0

          SHA256

          95c7d3a35413a84db693c647cd5d57ce2d8546b1a3892247b0f6dc896fd0437a

          SHA512

          ce0d5063dca89db4c2a40a3e929d9539f1f7c40af66751633e212cd932eed09f6f77076a0842934d0caeb7347a725d50ac7fe0c19861af0b5602a88399d6423e

          Download Submit

        • memory/1332-66-0x00007FFD8EE30000-0x00007FFD8EED8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1332-63-0x000002491A450000-0x000002491A457000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1332-61-0x00007FFD8EE30000-0x00007FFD8EED8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1760-79-0x00007FFD8EFE0000-0x00007FFD8F088000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1760-81-0x00007FFD8EFE0000-0x00007FFD8F088000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2908-50-0x00007FFD8ED90000-0x00007FFD8EE39000-memory.dmp

          Filesize

          676KB

          Download

        • memory/2908-47-0x000001DBA79C0000-0x000001DBA79C7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2908-45-0x00007FFD8ED90000-0x00007FFD8EE39000-memory.dmp

          Filesize

          676KB

          Download

        • memory/3592-26-0x00007FFDAD330000-0x00007FFDAD340000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3592-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-5-0x00007FFDAB54A000-0x00007FFDAB54B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3592-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-25-0x00007FFDAD340000-0x00007FFDAD350000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3592-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-3-0x0000000002A60000-0x0000000002A61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3592-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-23-0x0000000001080000-0x0000000001087000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3592-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3592-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3996-0-0x00007FFD9EEE0000-0x00007FFD9EF87000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3996-38-0x00007FFD9EEE0000-0x00007FFD9EF87000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3996-2-0x0000028B7A8B0000-0x0000028B7A8B7000-memory.dmp

          Filesize

          28KB

          Download