Overview

overview

10

Static

static

3

5f40fbec74...bN.dll

windows7-x64

10

5f40fbec74...bN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-01-2025 04:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f40fbec7483c678b7c827fd03e09068b8d95072ad350f27915c4e40889da7bbN.dll

  • Size

    788KB

  • MD5

    69de4bfc31cfc35a3dad7ed9eee22670

  • SHA1

    69d8d4ba7eb29d52a748e065491396ce182831f2

  • SHA256

    5f40fbec7483c678b7c827fd03e09068b8d95072ad350f27915c4e40889da7bb

  • SHA512

    c993ff43d75b5ba6c616df1e408268c788542c61c277038fd84db93553334c2b54de3d3bff1aed2464eb4e593be2b809003b28531b4a9016b0f76e163a3d36fa

  • SSDEEP

    12288:ibP23onr2XV7KrPqgmNiQhDOy4/AT4r/E16K1QS/lsHAGHdDvRQ2sd1gqQ:ibe42XV7KWgmjDR/T4a/Mdjm

Score
10/10
dridexbotnetevasionpayloadpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f40fbec7483c678b7c827fd03e09068b8d95072ad350f27915c4e40889da7bbN.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4768
  • C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe
    1⤵
      PID:1116
    • C:\Users\Admin\AppData\Local\ISSWk1R\BdeUISrv.exe
      C:\Users\Admin\AppData\Local\ISSWk1R\BdeUISrv.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:4376
    • C:\Windows\system32\osk.exe
      C:\Windows\system32\osk.exe
      1⤵
        PID:1972
      • C:\Users\Admin\AppData\Local\ZqcWCiJ\osk.exe
        C:\Users\Admin\AppData\Local\ZqcWCiJ\osk.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3504
      • C:\Windows\system32\DevicePairingWizard.exe
        C:\Windows\system32\DevicePairingWizard.exe
        1⤵
          PID:872
        • C:\Users\Admin\AppData\Local\NkSOma\DevicePairingWizard.exe
          C:\Users\Admin\AppData\Local\NkSOma\DevicePairingWizard.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:2844

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ISSWk1R\BdeUISrv.exe
          Filesize

          54KB

          MD5

          8595075667ff2c9a9f9e2eebc62d8f53

          SHA1

          c48b54e571f05d4e21d015bb3926c2129f19191a

          SHA256

          20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

          SHA512

          080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

          Download Submit

        • C:\Users\Admin\AppData\Local\ISSWk1R\WTSAPI32.dll
          Filesize

          792KB

          MD5

          09023cba61b74c5194cfc5a3b3360117

          SHA1

          1c0bddea446477fa3e192c82a60c677e188d940e

          SHA256

          9476a70df57574bbc753a0553fa50478ea977094ce890b01e2b389094b9ed0b8

          SHA512

          b6bcc637211f9950fcaedcf62689768ccd922f1b4ac5e5264dc65829b7fe1f885760dbb27a73c35508cb63b165f77165cadda0484cac481bde9bddc165ca4e5f

          Download Submit

        • C:\Users\Admin\AppData\Local\NkSOma\DevicePairingWizard.exe
          Filesize

          93KB

          MD5

          d0e40a5a0c7dad2d6e5040d7fbc37533

          SHA1

          b0eabbd37a97a1abcd90bd56394f5c45585699eb

          SHA256

          2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

          SHA512

          1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

          Download Submit

        • C:\Users\Admin\AppData\Local\NkSOma\MFC42u.dll
          Filesize

          816KB

          MD5

          fc711e8725021386393d508eec05cec4

          SHA1

          4d4537d464f04c81c7a93c266c3027bf1044671f

          SHA256

          f854322e319e218639ace0f974c117e5ab1888b895002f99d500aac3a81c0ad9

          SHA512

          05e71f2bf8198197feb8541186ccb9833ec725a8fd09129e9269049928032a7d1af01ec5c55db5133da96c71a5554bce5a5100ddb821f276267a5e60d897eb60

          Download Submit

        • C:\Users\Admin\AppData\Local\ZqcWCiJ\DUI70.dll
          Filesize

          1.0MB

          MD5

          d845de79b11f720debe6c65c9955f87d

          SHA1

          c3b08a976c3dbb3ae409326749a79dc339a525f9

          SHA256

          05de8ffd018bb32b2db15ec87aa68f9f26901093a3a7fb8505b2c593b911342d

          SHA512

          99c50d8280906920cf40598af34bd3e32af77d078e01d5dc3d9ab5f70a04524720561c0d489f774f387032400e9fd821fc86663e1856fd653b6c2b3c3053a572

          Download Submit

        • C:\Users\Admin\AppData\Local\ZqcWCiJ\osk.exe
          Filesize

          638KB

          MD5

          745f2df5beed97b8c751df83938cb418

          SHA1

          2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

          SHA256

          f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

          SHA512

          2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk
          Filesize

          1KB

          MD5

          e55e2d80209852e67932b542b3023265

          SHA1

          ee506ee99c872251944db5e768f4c04e2e8aaa9c

          SHA256

          8d920e04960c1b66d5d4855b2ebfed2fdd88a0af09f37c53f57ba8f3604d5959

          SHA512

          ee7ac648ad1468c58930f7c5821f58ee7a6ce8c44c3e0d7e0cdba307cd249e59dd74aea34950db324d3171f8421641298f5d409566897b6019efca6952985cf6

          Download Submit

        • memory/2844-80-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/2844-79-0x0000016402580000-0x0000016402587000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2844-85-0x0000000140000000-0x00000001400CC000-memory.dmp

          Filesize

          816KB

          Download

        • memory/3504-68-0x0000000140000000-0x000000014010B000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3504-62-0x0000000140000000-0x000000014010B000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3504-65-0x000001B6E9AF0000-0x000001B6E9AF7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-23-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-27-0x0000000002660000-0x0000000002667000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3520-5-0x00007FFEE2EBA000-0x00007FFEE2EBB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-34-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-14-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-13-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-10-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-9-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-8-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-7-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-12-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-4-0x00000000026A0000-0x00000000026A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3520-36-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-16-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-11-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/3520-26-0x00007FFEE42E0000-0x00007FFEE42F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4376-45-0x0000000140000000-0x00000001400C6000-memory.dmp

          Filesize

          792KB

          Download

        • memory/4376-50-0x00000155AF790000-0x00000155AF797000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4376-51-0x0000000140000000-0x00000001400C6000-memory.dmp

          Filesize

          792KB

          Download

        • memory/4768-15-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download

        • memory/4768-0-0x00000248A6840000-0x00000248A6847000-memory.dmp

          Filesize

          28KB

          Download

        • memory/4768-1-0x0000000140000000-0x00000001400C5000-memory.dmp

          Filesize

          788KB

          Download