Overview

overview

10

Static

static

dridex_mai...in.dll

windows7_x64

10

dridex_mai...in.dll

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    19-04-2021 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dridex_main_500545c9760bd316dd59f99cfcc62532ffa929d62e0fdb062ab096f828ab31bc.bin.dll

  • Size

    604KB

  • MD5

    82f65be4ff7e40974bea265c524ddfd9

  • SHA1

    b044b52058c3cde173a06811262913c31f0af3e1

  • SHA256

    500545c9760bd316dd59f99cfcc62532ffa929d62e0fdb062ab096f828ab31bc

  • SHA512

    b0b6e9cb0192f78f42ec6da160a0e070d4b2c6e83f309b6267697f75dd9c484cbaa95ac76ec656d457801482e3372d4cdfdb80260a77dba31aa9ade58de1784c

Score
10/10
dridexbotnetevasionloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 4 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dridex_main_500545c9760bd316dd59f99cfcc62532ffa929d62e0fdb062ab096f828ab31bc.bin.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1100
  • C:\Windows\system32\TpmInit.exe
    C:\Windows\system32\TpmInit.exe
    1⤵
      PID:1264
    • C:\Users\Admin\AppData\Local\m5D52\TpmInit.exe
      C:\Users\Admin\AppData\Local\m5D52\TpmInit.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      PID:856
    • C:\Windows\system32\SystemPropertiesComputerName.exe
      C:\Windows\system32\SystemPropertiesComputerName.exe
      1⤵
        PID:576
      • C:\Users\Admin\AppData\Local\CPfdGW\SystemPropertiesComputerName.exe
        C:\Users\Admin\AppData\Local\CPfdGW\SystemPropertiesComputerName.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        PID:748
      • C:\Windows\system32\notepad.exe
        C:\Windows\system32\notepad.exe
        1⤵
          PID:800
        • C:\Users\Admin\AppData\Local\vWD10n\notepad.exe
          C:\Users\Admin\AppData\Local\vWD10n\notepad.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:612

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\CPfdGW\SYSDM.CPL
          MD5

          16da2a4b2738849968cc06ff87e32459

          SHA1

          e68d544f2e2bac09775aa3a02b3e3b2fa94693ee

          SHA256

          8b03df1d7c2201c66deae756be448307c7b73044ee140d89030b813ed1ca290a

          SHA512

          24ffea2721b40a7fefa59a1d0a84a5985beae70a6e670ef98adc8d627efac0ab27be23786d8a23582baefda8c893ed08f31392f38c572689866c7a4bcc2af637

          Download Submit
        • C:\Users\Admin\AppData\Local\CPfdGW\SystemPropertiesComputerName.exe
          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit
        • C:\Users\Admin\AppData\Local\m5D52\ACTIVEDS.dll
          MD5

          aef1ea92d0622d390ad850f7b809583d

          SHA1

          73d0081bf5d4ceafef5f39a4865cc1b1542d6188

          SHA256

          36d2aed62471f5909b7df083cdfdfeb33491461d56d8b3d146da7eb56d71889b

          SHA512

          5c5006c57a5a0258837e98f864e63b1131e25c7947be35cb448c95fbd1f3a716a7e1b3b0d83fc332571250b29391965df8b1699393b4315ad9500b456d4428a2

          Download Submit
        • C:\Users\Admin\AppData\Local\m5D52\TpmInit.exe
          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit
        • C:\Users\Admin\AppData\Local\vWD10n\VERSION.dll
          MD5

          c0099cc6fa0da919a6bea929009d85de

          SHA1

          632b0db03d02c8f75ed451318831098270ff8b16

          SHA256

          09f9bfd368ced9074557a4947b8ab2becef4f0fd59e4fe4afa59aba9c5815c68

          SHA512

          f7c058568a3549d7649e185a56f26edda6a8cf447f60d13300078c5de9ff097a112e0d301c5fcbf9c42951a619c2b5b669c14d12624d26e8b76d4dc4c1216745

          Download Submit
        • C:\Users\Admin\AppData\Local\vWD10n\notepad.exe
          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • \Users\Admin\AppData\Local\CPfdGW\SYSDM.CPL
          MD5

          16da2a4b2738849968cc06ff87e32459

          SHA1

          e68d544f2e2bac09775aa3a02b3e3b2fa94693ee

          SHA256

          8b03df1d7c2201c66deae756be448307c7b73044ee140d89030b813ed1ca290a

          SHA512

          24ffea2721b40a7fefa59a1d0a84a5985beae70a6e670ef98adc8d627efac0ab27be23786d8a23582baefda8c893ed08f31392f38c572689866c7a4bcc2af637

          Download Submit
        • \Users\Admin\AppData\Local\CPfdGW\SystemPropertiesComputerName.exe
          MD5

          bd889683916aa93e84e1a75802918acf

          SHA1

          5ee66571359178613a4256a7470c2c3e6dd93cfa

          SHA256

          0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

          SHA512

          9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

          Download Submit
        • \Users\Admin\AppData\Local\m5D52\ACTIVEDS.dll
          MD5

          aef1ea92d0622d390ad850f7b809583d

          SHA1

          73d0081bf5d4ceafef5f39a4865cc1b1542d6188

          SHA256

          36d2aed62471f5909b7df083cdfdfeb33491461d56d8b3d146da7eb56d71889b

          SHA512

          5c5006c57a5a0258837e98f864e63b1131e25c7947be35cb448c95fbd1f3a716a7e1b3b0d83fc332571250b29391965df8b1699393b4315ad9500b456d4428a2

          Download Submit
        • \Users\Admin\AppData\Local\m5D52\TpmInit.exe
          MD5

          8b5eb38e08a678afa129e23129ca1e6d

          SHA1

          a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

          SHA256

          4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

          SHA512

          a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

          Download Submit
        • \Users\Admin\AppData\Local\vWD10n\VERSION.dll
          MD5

          c0099cc6fa0da919a6bea929009d85de

          SHA1

          632b0db03d02c8f75ed451318831098270ff8b16

          SHA256

          09f9bfd368ced9074557a4947b8ab2becef4f0fd59e4fe4afa59aba9c5815c68

          SHA512

          f7c058568a3549d7649e185a56f26edda6a8cf447f60d13300078c5de9ff097a112e0d301c5fcbf9c42951a619c2b5b669c14d12624d26e8b76d4dc4c1216745

          Download Submit
        • \Users\Admin\AppData\Local\vWD10n\notepad.exe
          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\OaHMGMUUNL\notepad.exe
          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • memory/612-93-0x0000000000000000-mapping.dmp
          Download
        • memory/748-84-0x0000000000000000-mapping.dmp
          Download
        • memory/748-89-0x000007FEF6C60000-0x000007FEF6D02000-memory.dmp
          Filesize

          648KB

          Download
        • memory/856-75-0x0000000000000000-mapping.dmp
          Download
        • memory/856-77-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/856-80-0x000007FEF6D90000-0x000007FEF6E32000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1100-62-0x00000000000B0000-0x00000000000B7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1100-60-0x000007FEF69C0000-0x000007FEF6A61000-memory.dmp
          Filesize

          644KB

          Download
        • memory/1352-67-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/1352-63-0x0000000003A10000-0x0000000003A11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1352-65-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/1352-64-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/1352-68-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/1352-66-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download