Overview

overview

10

Static

static

2c32f681c7...e1.dll

windows7_x64

10

2c32f681c7...e1.dll

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    26-11-2021 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c32f681c7821bdbcb2038414964456759d7fb48d656ceb200f0eff871e1eae1.dll

  • Size

    1.3MB

  • MD5

    b6b41e427a208e21b75fdff54a69e35c

  • SHA1

    ee4fbf79a3ed6ed84741800f3dc401f4ae844c8d

  • SHA256

    2c32f681c7821bdbcb2038414964456759d7fb48d656ceb200f0eff871e1eae1

  • SHA512

    30c76b52f842840e47ca0fe8e265b2a6330d82290aef3bb230ff8ff22d705e10b6850612bc17e22fd2c6fc5f590f6e1066a4f332b800fd6bccec6250337eb4fd

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Drops startup file 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2c32f681c7821bdbcb2038414964456759d7fb48d656ceb200f0eff871e1eae1.dll
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1988
  • C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe
    1⤵
      PID:1384
    • C:\Users\Admin\AppData\Local\DFLzO\cttune.exe
      C:\Users\Admin\AppData\Local\DFLzO\cttune.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:824
    • C:\Windows\system32\rdrleakdiag.exe
      C:\Windows\system32\rdrleakdiag.exe
      1⤵
        PID:1884
      • C:\Users\Admin\AppData\Local\ekpip3\rdrleakdiag.exe
        C:\Users\Admin\AppData\Local\ekpip3\rdrleakdiag.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1892
      • C:\Windows\system32\StikyNot.exe
        C:\Windows\system32\StikyNot.exe
        1⤵
          PID:1504
        • C:\Users\Admin\AppData\Local\VkgQd2u8v\StikyNot.exe
          C:\Users\Admin\AppData\Local\VkgQd2u8v\StikyNot.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1304

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\DFLzO\UxTheme.dll
          MD5

          1be34922c08b247dd3ddceac1b8a742d

          SHA1

          a701f285291c830c3ca6d1c7b9859c6b930a15e2

          SHA256

          c20d3d06cb067361cd49395e239923b88199238bcf2746a383b924c1aa2c1674

          SHA512

          50d84e5baaafb56476f3c1a9709f56dfa21cde4600198934d2be146e908f3be847d65b42e739183a9477c07e9c60b4b29d7cdfbdc78c9c30f519cb40a1b6c6d9

          Download Submit
        • C:\Users\Admin\AppData\Local\DFLzO\cttune.exe
          MD5

          7116848fd23e6195fcbbccdf83ce9af4

          SHA1

          35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

          SHA256

          39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

          SHA512

          e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

          Download Submit
        • C:\Users\Admin\AppData\Local\VkgQd2u8v\StikyNot.exe
          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

          Download Submit
        • C:\Users\Admin\AppData\Local\VkgQd2u8v\UxTheme.dll
          MD5

          5d23652a79ac835a50212257d8d2f55e

          SHA1

          51d9cc5de4121daab80df554781dadb9146d6522

          SHA256

          10ebe1a240b4386bf5d362c64a1412c8893e7b6d57416717b868840cb914ca4e

          SHA512

          e1c77baed81a08b55fbed1f32cd465c01282f05ffd75067bc1c86ac90607f53bedde890b89452f7687a75f24e67a2237bc0a231145a2f91ff398b4a197060bfc

          Download Submit
        • C:\Users\Admin\AppData\Local\ekpip3\rdrleakdiag.exe
          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit
        • C:\Users\Admin\AppData\Local\ekpip3\wer.dll
          MD5

          916a2173397088a57ab23b394c17bfbb

          SHA1

          a6cb7285d360423a3d77dd7a7462c6df49d536f9

          SHA256

          e21727cf9a851277b7ead7e4e1212c53e9a762ddb66dab3d94fe18fd309db8b6

          SHA512

          26a43989426414c1f386239c0852aaf96586159fc5b9c930fb4b3e4cb7f806e3566eab748de150acc7a51464d8b561058c4ab8e6ec0e15e9ab66b7ec1aac0bcc

          Download Submit
        • \Users\Admin\AppData\Local\DFLzO\UxTheme.dll
          MD5

          1be34922c08b247dd3ddceac1b8a742d

          SHA1

          a701f285291c830c3ca6d1c7b9859c6b930a15e2

          SHA256

          c20d3d06cb067361cd49395e239923b88199238bcf2746a383b924c1aa2c1674

          SHA512

          50d84e5baaafb56476f3c1a9709f56dfa21cde4600198934d2be146e908f3be847d65b42e739183a9477c07e9c60b4b29d7cdfbdc78c9c30f519cb40a1b6c6d9

          Download Submit
        • \Users\Admin\AppData\Local\DFLzO\cttune.exe
          MD5

          7116848fd23e6195fcbbccdf83ce9af4

          SHA1

          35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

          SHA256

          39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

          SHA512

          e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

          Download Submit
        • \Users\Admin\AppData\Local\VkgQd2u8v\StikyNot.exe
          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

          Download Submit
        • \Users\Admin\AppData\Local\VkgQd2u8v\UxTheme.dll
          MD5

          5d23652a79ac835a50212257d8d2f55e

          SHA1

          51d9cc5de4121daab80df554781dadb9146d6522

          SHA256

          10ebe1a240b4386bf5d362c64a1412c8893e7b6d57416717b868840cb914ca4e

          SHA512

          e1c77baed81a08b55fbed1f32cd465c01282f05ffd75067bc1c86ac90607f53bedde890b89452f7687a75f24e67a2237bc0a231145a2f91ff398b4a197060bfc

          Download Submit
        • \Users\Admin\AppData\Local\ekpip3\rdrleakdiag.exe
          MD5

          5e058566af53848541fa23fba4bb5b81

          SHA1

          769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

          SHA256

          ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

          SHA512

          352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

          Download Submit
        • \Users\Admin\AppData\Local\ekpip3\wer.dll
          MD5

          916a2173397088a57ab23b394c17bfbb

          SHA1

          a6cb7285d360423a3d77dd7a7462c6df49d536f9

          SHA256

          e21727cf9a851277b7ead7e4e1212c53e9a762ddb66dab3d94fe18fd309db8b6

          SHA512

          26a43989426414c1f386239c0852aaf96586159fc5b9c930fb4b3e4cb7f806e3566eab748de150acc7a51464d8b561058c4ab8e6ec0e15e9ab66b7ec1aac0bcc

          Download Submit
        • \Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\YvViyisImR\StikyNot.exe
          MD5

          b22cb67919ebad88b0e8bb9cda446010

          SHA1

          423a794d26d96d9f812d76d75fa89bffdc07d468

          SHA256

          2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

          SHA512

          f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

          Download Submit
        • memory/824-87-0x0000000140000000-0x0000000140146000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/824-82-0x0000000000000000-mapping.dmp
          Download
        • memory/1212-66-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-73-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-68-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-80-0x0000000077DF0000-0x0000000077DF2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1212-74-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-70-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-71-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-69-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-72-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-67-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-60-0x0000000002A30000-0x0000000002A31000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1212-61-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-65-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-64-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-63-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1212-62-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/1304-99-0x0000000000000000-mapping.dmp
          Download
        • memory/1892-91-0x0000000000000000-mapping.dmp
          Download
        • memory/1988-55-0x000007FEFC4C1000-0x000007FEFC4C3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1988-59-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1988-56-0x0000000140000000-0x0000000140145000-memory.dmp
          Filesize

          1.3MB

          Download