Overview

overview

10

Static

static

decrypted_...in.dll

windows7_x64

10

decrypted_...in.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    21-01-2021 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    decrypted_bot_2c0b93cb34660f8c68ab9e9eae6bd9d4.bin.dll

  • Size

    830KB

  • MD5

    2c0b93cb34660f8c68ab9e9eae6bd9d4

  • SHA1

    5fb68d1c2050e82110914ab57f33e32986220a81

  • SHA256

    bf92d2153b239950b67dd65d31ce2727414a7cff206b09b5b3b5848304239ee4

  • SHA512

    96278319d583a9ddc6acbe7fdc1d23855cc5a82205dc2a344a67737c8177c706b3dc52e6dbb42831c42ea96e20aa0ec9923eac0d3a5694e5e84cdeafa8166131

Score
10/10
dridexbotnetevasionloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 4 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 342 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\decrypted_bot_2c0b93cb34660f8c68ab9e9eae6bd9d4.bin.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1336
  • C:\Windows\system32\mspaint.exe
    C:\Windows\system32\mspaint.exe
    1⤵
      PID:676
    • C:\Users\Admin\AppData\Local\K4XuEs\mspaint.exe
      C:\Users\Admin\AppData\Local\K4XuEs\mspaint.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:912
    • C:\Windows\system32\recdisc.exe
      C:\Windows\system32\recdisc.exe
      1⤵
        PID:1636
      • C:\Users\Admin\AppData\Local\pLhB\recdisc.exe
        C:\Users\Admin\AppData\Local\pLhB\recdisc.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:432
      • C:\Windows\system32\BdeUISrv.exe
        C:\Windows\system32\BdeUISrv.exe
        1⤵
          PID:960
        • C:\Users\Admin\AppData\Local\RZdeANl1\BdeUISrv.exe
          C:\Users\Admin\AppData\Local\RZdeANl1\BdeUISrv.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:668

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\K4XuEs\WINMM.dll
          MD5

          a165eca0eacbe75c48cac87b00a8b25f

          SHA1

          1e02557e2cd5a6c29c59aaa75208f30d6023b227

          SHA256

          cb7c2db6ceabb30797d73cd7ef6597fe7231157fa6a6b15501412881263d65b4

          SHA512

          a24257ad3cf232e7d2f5c3ec2371ad6bae0c778d951fcec13e7178ce0869e59a1103d4c3feba9a6cedb45b192eb8cb8e12730c3e9211b30e723ef310cd2dd03a

          Download Submit
        • C:\Users\Admin\AppData\Local\K4XuEs\mspaint.exe
          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit
        • C:\Users\Admin\AppData\Local\RZdeANl1\BdeUISrv.exe
          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit
        • C:\Users\Admin\AppData\Local\RZdeANl1\WTSAPI32.dll
          MD5

          de5584a529acd80b46acdf5ffcd930f7

          SHA1

          4ecfec3d63fc5929123b3caa4ed2cabca8f708bf

          SHA256

          f196678df5366e95d6d79201abd11729930c20dcfdc725e1f446c880c62118ee

          SHA512

          9a5a3488bf149636ab7e50d9c8429f28b17cc519a89579ef11c37cc3c1e47b34b4ede72d518c4ef7d968ae8ddeb42ab1289fa1a06b88212c5c1e6a1d098b0e21

          Download Submit
        • C:\Users\Admin\AppData\Local\pLhB\ReAgent.dll
          MD5

          57a446cad30328ccb53da381985527bd

          SHA1

          b30804b5d2afa321a9a83b7dd8064d7383f5fbc4

          SHA256

          aaadaba1d44192bfdef5a057d2e002af09077b3d79b9db5f51706c4f5c476a09

          SHA512

          4559a4e07891bcdb064249e3e9b1db7f90494ea3631665ca4a326ad0783343683c7d8d5d912ed95f802300b94c7d246d1f8738b400f7d3508c02a7f4fd34c188

          Download Submit
        • C:\Users\Admin\AppData\Local\pLhB\recdisc.exe
          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit
        • \Users\Admin\AppData\Local\K4XuEs\WINMM.dll
          MD5

          a165eca0eacbe75c48cac87b00a8b25f

          SHA1

          1e02557e2cd5a6c29c59aaa75208f30d6023b227

          SHA256

          cb7c2db6ceabb30797d73cd7ef6597fe7231157fa6a6b15501412881263d65b4

          SHA512

          a24257ad3cf232e7d2f5c3ec2371ad6bae0c778d951fcec13e7178ce0869e59a1103d4c3feba9a6cedb45b192eb8cb8e12730c3e9211b30e723ef310cd2dd03a

          Download Submit
        • \Users\Admin\AppData\Local\K4XuEs\mspaint.exe
          MD5

          458f4590f80563eb2a0a72709bfc2bd9

          SHA1

          3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

          SHA256

          ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

          SHA512

          e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

          Download Submit
        • \Users\Admin\AppData\Local\RZdeANl1\BdeUISrv.exe
          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit
        • \Users\Admin\AppData\Local\RZdeANl1\WTSAPI32.dll
          MD5

          de5584a529acd80b46acdf5ffcd930f7

          SHA1

          4ecfec3d63fc5929123b3caa4ed2cabca8f708bf

          SHA256

          f196678df5366e95d6d79201abd11729930c20dcfdc725e1f446c880c62118ee

          SHA512

          9a5a3488bf149636ab7e50d9c8429f28b17cc519a89579ef11c37cc3c1e47b34b4ede72d518c4ef7d968ae8ddeb42ab1289fa1a06b88212c5c1e6a1d098b0e21

          Download Submit
        • \Users\Admin\AppData\Local\pLhB\ReAgent.dll
          MD5

          57a446cad30328ccb53da381985527bd

          SHA1

          b30804b5d2afa321a9a83b7dd8064d7383f5fbc4

          SHA256

          aaadaba1d44192bfdef5a057d2e002af09077b3d79b9db5f51706c4f5c476a09

          SHA512

          4559a4e07891bcdb064249e3e9b1db7f90494ea3631665ca4a326ad0783343683c7d8d5d912ed95f802300b94c7d246d1f8738b400f7d3508c02a7f4fd34c188

          Download Submit
        • \Users\Admin\AppData\Local\pLhB\recdisc.exe
          MD5

          f3b306179f1840c0813dc6771b018358

          SHA1

          dec7ce3c13f7a684cb52ae6007c99cf03afef005

          SHA256

          dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

          SHA512

          9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\NiGD2E\BdeUISrv.exe
          MD5

          1da6b19be5d4949c868a264bc5e74206

          SHA1

          d5ee86ba03a03ef8c93d93accafe40461084c839

          SHA256

          00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

          SHA512

          9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

          Download Submit
        • memory/432-19-0x0000000000000000-mapping.dmp
          Download
        • memory/432-24-0x0000000140000000-0x00000001400E4000-memory.dmp
          Filesize

          912KB

          Download
        • memory/668-28-0x0000000000000000-mapping.dmp
          Download
        • memory/912-15-0x0000000140000000-0x00000001400E5000-memory.dmp
          Filesize

          916KB

          Download
        • memory/912-12-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/912-10-0x0000000000000000-mapping.dmp
          Download
        • memory/1244-6-0x0000000140000000-0x00000001400E3000-memory.dmp
          Filesize

          908KB

          Download
        • memory/1244-5-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1336-2-0x0000000140000000-0x00000001400E3000-memory.dmp
          Filesize

          908KB

          Download
        • memory/1336-4-0x0000000000390000-0x0000000000397000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1336-3-0x0000000140000000-0x0000000140085000-memory.dmp
          Filesize

          532KB

          Download