Overview

overview

10

Static

static

decrypted_...in.dll

windows7_x64

10

decrypted_...in.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-01-2021 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    decrypted_bot_2c0b93cb34660f8c68ab9e9eae6bd9d4.bin.dll

  • Size

    830KB

  • MD5

    2c0b93cb34660f8c68ab9e9eae6bd9d4

  • SHA1

    5fb68d1c2050e82110914ab57f33e32986220a81

  • SHA256

    bf92d2153b239950b67dd65d31ce2727414a7cff206b09b5b3b5848304239ee4

  • SHA512

    96278319d583a9ddc6acbe7fdc1d23855cc5a82205dc2a344a67737c8177c706b3dc52e6dbb42831c42ea96e20aa0ec9923eac0d3a5694e5e84cdeafa8166131

Score
10/10
dridexbotnetevasionloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 5 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 590 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\decrypted_bot_2c0b93cb34660f8c68ab9e9eae6bd9d4.bin.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:812
  • C:\Windows\system32\SysResetErr.exe
    C:\Windows\system32\SysResetErr.exe
    1⤵
      PID:192
    • C:\Users\Admin\AppData\Local\3kKlofH\SysResetErr.exe
      C:\Users\Admin\AppData\Local\3kKlofH\SysResetErr.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:184
    • C:\Windows\system32\raserver.exe
      C:\Windows\system32\raserver.exe
      1⤵
        PID:2992
      • C:\Users\Admin\AppData\Local\DhAyFIx\raserver.exe
        C:\Users\Admin\AppData\Local\DhAyFIx\raserver.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2272
      • C:\Windows\system32\WFS.exe
        C:\Windows\system32\WFS.exe
        1⤵
          PID:864
        • C:\Users\Admin\AppData\Local\WswVOERM\WFS.exe
          C:\Users\Admin\AppData\Local\WswVOERM\WFS.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1516

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\3kKlofH\DUI70.dll
          MD5

          1c9b7d38b4bd3940880e1907363ec923

          SHA1

          120b49d25386802142dcb195f443a11dcd3794a0

          SHA256

          37921ce534286444332c005a69975b35871250a6ef8014371e145444a0c50cb3

          SHA512

          74d6ecc106e1561a992fb56303a1cedc7ad5bbe9ae78ea0d420fb39941d69cc1e7bd36251225b30d1bf2853d6a0c5fdac8d1290313a4798198803041f71d3039

          Download Submit
        • C:\Users\Admin\AppData\Local\3kKlofH\SysResetErr.exe
          MD5

          432557a19cef7e1c23a4dcc7d148b712

          SHA1

          b26c19de3b32108f8ac9307c30027e635615fc65

          SHA256

          f519aba77298a8c04f3e9c8f5f1b40c8de05e41898f13033f337e13e05d4282a

          SHA512

          542e71740094ea810651901ec23f06c495e0c2d57fae09d6dd9730e11650843ade34eeba0b2816df025179c597825129b3a26a0007c75e10f1a8857340452ff7

          Download Submit
        • C:\Users\Admin\AppData\Local\DhAyFIx\WTSAPI32.dll
          MD5

          f50eea0a4182d103d7d3160153353be2

          SHA1

          4a683beac83d8f4a6378699bb90ec1ef00612aee

          SHA256

          57622df146766ae7f3c42a1c0af64e785737b2f5a440ef33c2e56ecd434b03fd

          SHA512

          705a3c73b23616dd4f150501f7ff0a0d1aec163412059a3ac10d83fd8eea77e2505f58bf7c01f8fa16759a0e8268cfddf4b216cb825a4f620b4f1f19c0145a27

          Download Submit
        • C:\Users\Admin\AppData\Local\DhAyFIx\raserver.exe
          MD5

          71cacb0f5b7b70055fbba02055e503b1

          SHA1

          49e247edcc721fc7329045a8587877b645b7531f

          SHA256

          7a4aa698ea00d4347a1b85a2510c2502fdf23cc5d487079097999be9780f8eb1

          SHA512

          3cce7df2ab1ece95baf888982a0664fb53c1378029dc2aee1c583fc6e9065968074a9f8135988f1b9f50937e3eb69edc118976b61067c3461fe8351535295a18

          Download Submit
        • C:\Users\Admin\AppData\Local\WswVOERM\WFS.exe
          MD5

          f5c1b5e7334f4a7fa393cc68f16eab93

          SHA1

          d17180a8f7be23ebdf04162a8c66a9c3bb18d9c1

          SHA256

          68b593b074f7501cee6a7af0d006a611f413a0d4f22b43c041fcec3815112208

          SHA512

          3656d43322e9ed1da68ff58deeb458c3633c693b1e9b79fc7c557166db6af8cb7d155341742510cf803aeb985dd825c64ecfaa7eda7ccf0952dcb06249a92fc0

          Download Submit
        • C:\Users\Admin\AppData\Local\WswVOERM\WINMM.dll
          MD5

          67816335d12027f09080914295184db7

          SHA1

          6e3ead701e2b6d57613e2e10ff634d2dc2b4ea80

          SHA256

          56be02156176abaa6606e8366c6e44b031c0a0086056228edf1e6b39830763c8

          SHA512

          d7fb89a175a9d4d038aadc05c56c1928de2a114f8cc913be63169004aef40ff7d5bf3a7115ea4d25f901e535ad4379a6a0711001ea5f108f2e1eafe1d886a139

          Download Submit
        • \Users\Admin\AppData\Local\3kKlofH\DUI70.dll
          MD5

          1c9b7d38b4bd3940880e1907363ec923

          SHA1

          120b49d25386802142dcb195f443a11dcd3794a0

          SHA256

          37921ce534286444332c005a69975b35871250a6ef8014371e145444a0c50cb3

          SHA512

          74d6ecc106e1561a992fb56303a1cedc7ad5bbe9ae78ea0d420fb39941d69cc1e7bd36251225b30d1bf2853d6a0c5fdac8d1290313a4798198803041f71d3039

          Download Submit
        • \Users\Admin\AppData\Local\DhAyFIx\WTSAPI32.dll
          MD5

          f50eea0a4182d103d7d3160153353be2

          SHA1

          4a683beac83d8f4a6378699bb90ec1ef00612aee

          SHA256

          57622df146766ae7f3c42a1c0af64e785737b2f5a440ef33c2e56ecd434b03fd

          SHA512

          705a3c73b23616dd4f150501f7ff0a0d1aec163412059a3ac10d83fd8eea77e2505f58bf7c01f8fa16759a0e8268cfddf4b216cb825a4f620b4f1f19c0145a27

          Download Submit
        • \Users\Admin\AppData\Local\WswVOERM\WINMM.dll
          MD5

          67816335d12027f09080914295184db7

          SHA1

          6e3ead701e2b6d57613e2e10ff634d2dc2b4ea80

          SHA256

          56be02156176abaa6606e8366c6e44b031c0a0086056228edf1e6b39830763c8

          SHA512

          d7fb89a175a9d4d038aadc05c56c1928de2a114f8cc913be63169004aef40ff7d5bf3a7115ea4d25f901e535ad4379a6a0711001ea5f108f2e1eafe1d886a139

          Download Submit
        • memory/184-13-0x0000000140000000-0x0000000140129000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/184-9-0x0000000000000000-mapping.dmp
          Download
        • memory/812-2-0x0000000140000000-0x00000001400E3000-memory.dmp
          Filesize

          908KB

          Download
        • memory/812-4-0x0000024A447A0000-0x0000024A447A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/812-3-0x0000000140000000-0x0000000140085000-memory.dmp
          Filesize

          532KB

          Download
        • memory/1516-23-0x0000000000000000-mapping.dmp
          Download
        • memory/1516-27-0x0000000140000000-0x00000001400E5000-memory.dmp
          Filesize

          916KB

          Download
        • memory/2272-20-0x0000000140000000-0x00000001400E4000-memory.dmp
          Filesize

          912KB

          Download
        • memory/2272-16-0x0000000000000000-mapping.dmp
          Download
        • memory/3048-6-0x0000000140000000-0x00000001400E3000-memory.dmp
          Filesize

          908KB

          Download
        • memory/3048-5-0x00000000005D0000-0x00000000005D1000-memory.dmp
          Filesize

          4KB

          Download