Overview

overview

10

Static

static

decrypted_...in.dll

windows7_x64

10

decrypted_...in.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-01-2021 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    decrypted_bot_e2043c53a5f8383d9b640c101eb3ad1f.bin.dll

  • Size

    656KB

  • MD5

    e2043c53a5f8383d9b640c101eb3ad1f

  • SHA1

    ad8eb04e9c6eed46a66edf2f41b42e2699d2fd01

  • SHA256

    b3182eb3fd2cb783925e57f6b8db3c5f720c872961c4c08af23fbe9fe13be8cb

  • SHA512

    e47a0a4f6f65e219a56455452de2be4b46d7e7486153e45eb672d8d1a563fcabba1dab1d243656f28ae98ca2a0b2a7408609e8e18d58faafc448680aa8f4af9c

Score
10/10
dridexbotnetevasionloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Modifies registry class 150 IoCs
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 247 IoCs
  • Suspicious use of FindShellTrayWindow 214 IoCs
  • Suspicious use of SendNotifyMessage 412 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\decrypted_bot_e2043c53a5f8383d9b640c101eb3ad1f.bin.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\decrypted_bot_e2043c53a5f8383d9b640c101eb3ad1f.bin.dll,#1
      2⤵
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:1632
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2040
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:584
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1824
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1672
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1668
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1876
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:372
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1700
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    PID:1544
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:2000
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:912
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:2044
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:816
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1200
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1464
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:436
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:988
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1224
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:600
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1168
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1688
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1412
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1528
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1952
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1600
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1904
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1176
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1428
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1932
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies registry class
      PID:1280

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1632-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1632-3-0x00000000760D1000-0x00000000760D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1632-4-0x00000000749F0000-0x0000000074A97000-memory.dmp
      Filesize

      668KB

      Download
    • memory/1632-5-0x00000000749F0000-0x0000000074A5B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/1632-7-0x0000000000250000-0x0000000000256000-memory.dmp
      Filesize

      24KB

      Download
    • memory/2040-6-0x000007FEFBEE1000-0x000007FEFBEE3000-memory.dmp
      Filesize

      8KB

      Download