Overview

overview

10

Static

static

dridex_mai...in.dll

windows7_x64

10

dridex_mai...in.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    19-04-2021 14:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dridex_main_500545c9760bd316dd59f99cfcc62532ffa929d62e0fdb062ab096f828ab31bc.bin.dll

  • Size

    604KB

  • MD5

    82f65be4ff7e40974bea265c524ddfd9

  • SHA1

    b044b52058c3cde173a06811262913c31f0af3e1

  • SHA256

    500545c9760bd316dd59f99cfcc62532ffa929d62e0fdb062ab096f828ab31bc

  • SHA512

    b0b6e9cb0192f78f42ec6da160a0e070d4b2c6e83f309b6267697f75dd9c484cbaa95ac76ec656d457801482e3372d4cdfdb80260a77dba31aa9ade58de1784c

Score
10/10
dridexbotnetevasionloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Loader 5 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dridex_main_500545c9760bd316dd59f99cfcc62532ffa929d62e0fdb062ab096f828ab31bc.bin.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4044
  • C:\Windows\system32\tcmsetup.exe
    C:\Windows\system32\tcmsetup.exe
    1⤵
      PID:2644
    • C:\Users\Admin\AppData\Local\48gbh\tcmsetup.exe
      C:\Users\Admin\AppData\Local\48gbh\tcmsetup.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3804
    • C:\Windows\system32\CloudStorageWizard.exe
      C:\Windows\system32\CloudStorageWizard.exe
      1⤵
        PID:3176
      • C:\Users\Admin\AppData\Local\pfA3\CloudStorageWizard.exe
        C:\Users\Admin\AppData\Local\pfA3\CloudStorageWizard.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:3892
      • C:\Windows\system32\MDMAppInstaller.exe
        C:\Windows\system32\MDMAppInstaller.exe
        1⤵
          PID:2352
        • C:\Users\Admin\AppData\Local\WHkX7\MDMAppInstaller.exe
          C:\Users\Admin\AppData\Local\WHkX7\MDMAppInstaller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1948

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\48gbh\TAPI32.dll
          MD5

          bb57ba2605bb9a261fc7f4f0925c0af3

          SHA1

          29cb31b9d1fff39314b4146623ebf977d189c6fe

          SHA256

          60b163fbf3e061a344c3819f45dee9fde5754ffc4e81932e48ad850a028424aa

          SHA512

          af2c1f9145e9c734695aa7d05e8bc3a0ad1e13da5220698b5ae438c3081063afbf78d00cdae0a4b9c3e83610e946b98e58649f08af2f734c37d22881dd8dfdcd

          Download Submit
        • C:\Users\Admin\AppData\Local\48gbh\tcmsetup.exe
          MD5

          2df4ef3fb9a10b575a7c7fbbd3a9ffed

          SHA1

          3e1d2598322e784415265d2ccfa66a025ee080b6

          SHA256

          c0843fbd99489006f95f2fbd39814f9b642212b5af44a553e6359f243250f172

          SHA512

          64b2337d61424cae1d8bc3f7b5db4d2b5524b735b6ac84597644a6c31270d93e3e53fd0512f0b0e75bf6cf05fa74c8eb670e416e75a3e523cb7968754eac55e9

          Download Submit
        • C:\Users\Admin\AppData\Local\WHkX7\MDMAppInstaller.exe
          MD5

          4dd62f5c80e61f360e4178e64bdd9eb2

          SHA1

          0bb999e6fcf480e135f0c2f548beac45bf8388f9

          SHA256

          9487e1da940889f7144de063e6999d1a76a1b93be195ea4f9d32be765e5eba99

          SHA512

          a3bb8133a23680f44e06f7b8c3bcb3630103cde12e21cae3a1292633ffc51cc07f1a220774b85fc8021424e668f2518c6b8ddc0df3a5e4dd10d21e16c7a7091e

          Download Submit
        • C:\Users\Admin\AppData\Local\WHkX7\WTSAPI32.dll
          MD5

          49831f322a7b26ed632b1844b393961d

          SHA1

          8dd36e622004c7af9092a730b01b141fdf1c567a

          SHA256

          09e1aa4314d8e3f88fa0084f70fa9156339a0d749aeba32181b15fde154ab8b9

          SHA512

          3799e64cb972d9667fc6c3ed3a5c57ab2d5db926474eec8eecd926c2b02c6bc2691080684261a3d2cf4f4bab5b9483efa4a7d3b6f0eefb5ba3d7701b4b14fab5

          Download Submit
        • C:\Users\Admin\AppData\Local\pfA3\CloudStorageWizard.exe
          MD5

          b11d2d85645265e5fcb9e5a18a775ba6

          SHA1

          cd7f2899a6c23d63724cb89db0eb3cd09a879240

          SHA256

          be0e80ed36b0b257cf1aebb083934bd8a468ad2535fe5fb3e70c1b7e258143a9

          SHA512

          96835dfab6e2142b21eca1b4ce5744a9aec3b751ca56932a029c54dab5a3099678440100e6b66dcd0b35a56742a59ee0b1b40a46bf8ce22e3d34482cc66ad08a

          Download Submit
        • C:\Users\Admin\AppData\Local\pfA3\DUI70.dll
          MD5

          8b30a1738c8d9e1015d183c08bb5e7be

          SHA1

          4dc645dafc290c9b98920eb4e4728a7fcc0098f1

          SHA256

          ae9fa519caf7ae5a4158c9e8c951af6c2dbf025674dcbcff7cf07f7ea0c93ad3

          SHA512

          4810c5e1fcd57a77e389896f2a33867851f979ce53ee4d060a4ebb21b57b6b4d2ea17b11cc6421fdf00ea388d2cf37a8dc36c7f8be2c2ba7725b68dedba5ed9f

          Download Submit
        • \Users\Admin\AppData\Local\48gbh\TAPI32.dll
          MD5

          bb57ba2605bb9a261fc7f4f0925c0af3

          SHA1

          29cb31b9d1fff39314b4146623ebf977d189c6fe

          SHA256

          60b163fbf3e061a344c3819f45dee9fde5754ffc4e81932e48ad850a028424aa

          SHA512

          af2c1f9145e9c734695aa7d05e8bc3a0ad1e13da5220698b5ae438c3081063afbf78d00cdae0a4b9c3e83610e946b98e58649f08af2f734c37d22881dd8dfdcd

          Download Submit
        • \Users\Admin\AppData\Local\WHkX7\WTSAPI32.dll
          MD5

          49831f322a7b26ed632b1844b393961d

          SHA1

          8dd36e622004c7af9092a730b01b141fdf1c567a

          SHA256

          09e1aa4314d8e3f88fa0084f70fa9156339a0d749aeba32181b15fde154ab8b9

          SHA512

          3799e64cb972d9667fc6c3ed3a5c57ab2d5db926474eec8eecd926c2b02c6bc2691080684261a3d2cf4f4bab5b9483efa4a7d3b6f0eefb5ba3d7701b4b14fab5

          Download Submit
        • \Users\Admin\AppData\Local\pfA3\DUI70.dll
          MD5

          8b30a1738c8d9e1015d183c08bb5e7be

          SHA1

          4dc645dafc290c9b98920eb4e4728a7fcc0098f1

          SHA256

          ae9fa519caf7ae5a4158c9e8c951af6c2dbf025674dcbcff7cf07f7ea0c93ad3

          SHA512

          4810c5e1fcd57a77e389896f2a33867851f979ce53ee4d060a4ebb21b57b6b4d2ea17b11cc6421fdf00ea388d2cf37a8dc36c7f8be2c2ba7725b68dedba5ed9f

          Download Submit
        • memory/1948-159-0x00007FFB90290000-0x00007FFB90332000-memory.dmp
          Filesize

          648KB

          Download
        • memory/1948-155-0x0000000000000000-mapping.dmp
          Download
        • memory/3028-124-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/3028-134-0x00007FFB9C5C4320-0x00007FFB9C5C5320-memory.dmp
          Filesize

          4KB

          Download
        • memory/3028-125-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/3028-123-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/3028-122-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/3028-121-0x0000000140000000-0x00000001400A1000-memory.dmp
          Filesize

          644KB

          Download
        • memory/3028-120-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3804-135-0x0000000000000000-mapping.dmp
          Download
        • memory/3804-139-0x00007FFB905A0000-0x00007FFB90643000-memory.dmp
          Filesize

          652KB

          Download
        • memory/3892-145-0x0000000000000000-mapping.dmp
          Download
        • memory/3892-149-0x00007FFB8E460000-0x00007FFB8E547000-memory.dmp
          Filesize

          924KB

          Download
        • memory/4044-114-0x00007FFB905A0000-0x00007FFB90641000-memory.dmp
          Filesize

          644KB

          Download
        • memory/4044-119-0x00000192D81F0000-0x00000192D81F7000-memory.dmp
          Filesize

          28KB

          Download