dridex | 1bc4755b2828092f30c53c4099d2a1b118d1a68686a82b7c11ef12c6ae93f8d4

Resubmissions

Analysis

max time kernel
151s
max time network
120s
platform
windows7_x64
resource
win7
submitted
14-07-2020 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DUI70.dll
Size

1.2MB
MD5

ca7f847ac49ea5ec058b9455bacbb326
SHA1

9ea5760c8d7b2f1a479901677338e487e62aaad0
SHA256

1bc4755b2828092f30c53c4099d2a1b118d1a68686a82b7c11ef12c6ae93f8d4
SHA512

5e57d36b700f030c977213899b2d5e4421abcaf54a41ccb336067e52f779066916b58ff1c81441be8c4e69240106569d40371b6ba862e6d89cbeda1cc65d6818

Score

10^/10

dridex botnet evasion loader persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1208-2-0x0000000140000000-0x0000000140138000-memory.dmp	dridex_ldr

Dridex Loader 'dmod' strings 1 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1208-2-0x0000000140000000-0x0000000140138000-memory.dmp	dridex_ldr_dmod

Executes dropped EXE 3 IoCs

Processes:

consent.exeDeviceDisplayObjectProvider.exerekeywiz.exe

pid process

1616 consent.exe
1160 DeviceDisplayObjectProvider.exe
1536 rekeywiz.exe
Loads dropped DLL 7 IoCs

Processes:

consent.exeDeviceDisplayObjectProvider.exerekeywiz.exe

pid process

1208
1616 consent.exe
1208
1160 DeviceDisplayObjectProvider.exe
1208
1536 rekeywiz.exe
1208

pid	process
1616	consent.exe
1160	DeviceDisplayObjectProvider.exe
1536	rekeywiz.exe

pid	process
1208
1616	consent.exe
1208
1160	DeviceDisplayObjectProvider.exe
1208
1536	rekeywiz.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vpubrqhrepmzp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\EYs\\DeviceDisplayObjectProvider.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execonsent.exeDeviceDisplayObjectProvider.exerekeywiz.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe

Suspicious behavior: EnumeratesProcesses 586 IoCs

Processes:

rundll32.exe

pid	process
608	rundll32.exe
608	rundll32.exe
608	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1208
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1208
1208
1208
1208
1208
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1208
1208
1208
1208

description	pid	process
Token: SeShutdownPrivilege	1208

pid	process
1208
1208
1208
1208
1208

pid	process
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 1000	1208	consent.exe
PID 1208 wrote to memory of 1000	1208	consent.exe
PID 1208 wrote to memory of 1000	1208	consent.exe
PID 1208 wrote to memory of 1616	1208	consent.exe
PID 1208 wrote to memory of 1616	1208	consent.exe
PID 1208 wrote to memory of 1616	1208	consent.exe
PID 1208 wrote to memory of 836	1208	DeviceDisplayObjectProvider.exe
PID 1208 wrote to memory of 836	1208	DeviceDisplayObjectProvider.exe
PID 1208 wrote to memory of 836	1208	DeviceDisplayObjectProvider.exe
PID 1208 wrote to memory of 1160	1208	DeviceDisplayObjectProvider.exe
PID 1208 wrote to memory of 1160	1208	DeviceDisplayObjectProvider.exe
PID 1208 wrote to memory of 1160	1208	DeviceDisplayObjectProvider.exe
PID 1208 wrote to memory of 1052	1208	rekeywiz.exe
PID 1208 wrote to memory of 1052	1208	rekeywiz.exe
PID 1208 wrote to memory of 1052	1208	rekeywiz.exe
PID 1208 wrote to memory of 1536	1208	rekeywiz.exe
PID 1208 wrote to memory of 1536	1208	rekeywiz.exe
PID 1208 wrote to memory of 1536	1208	rekeywiz.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUI70.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:1000

C:\Users\Admin\AppData\Local\Q6V\consent.exe
C:\Users\Admin\AppData\Local\Q6V\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1616

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:836

C:\Users\Admin\AppData\Local\aSsZKmcgT\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\aSsZKmcgT\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1160

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:1052

C:\Users\Admin\AppData\Local\wzr4ag4AO\rekeywiz.exe
C:\Users\Admin\AppData\Local\wzr4ag4AO\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Q6V\WTSAPI32.dll

MD5
7eb25f0e320a2cbf4ad859ea215ec15a

SHA1
6d1b0a99e26e2a65a4ed76cd5a5405524486b8a7

SHA256
9d79141d948a96bac36a68df27cced3147c2be9bd1776ca7df650f9cf87abfde

SHA512
c73661b1e4216a0658d9e54bc56a7807cc4b56ee96d050830c9112f90da1452791992200fb6fbe7750bbcb54a1484a7432c545e4ef0acc9c17cfe9a0fd413d5d

Download Submit
C:\Users\Admin\AppData\Local\Q6V\consent.exe

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
C:\Users\Admin\AppData\Local\aSsZKmcgT\DeviceDisplayObjectProvider.exe

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
C:\Users\Admin\AppData\Local\aSsZKmcgT\XmlLite.dll

MD5
62ee402d5d9a16bdbbd572df7d9fa34d

SHA1
cb6ab33cc8f548dc9be573f04a3a5fb7ec172f94

SHA256
82a04fdc58ea48f51c4de6b4b67804c1d80087d493f15d616fec38f7ebed2c6f

SHA512
31f9541ad24a7a37ac26c0e43a91f79a07009ca34369d228a259a80e7eb1b7d92059eed4c5f198e85f26a1a6189ca288f602c7f4d94c5515f7c5042644b673f1

Download Submit
C:\Users\Admin\AppData\Local\wzr4ag4AO\rekeywiz.exe

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
C:\Users\Admin\AppData\Local\wzr4ag4AO\slc.dll

MD5
cc9804a3a8458070670a3d139805734a

SHA1
a6a31cfe5a5eeb69b24d17d4a82b0cd5dfdc839b

SHA256
f6edbdfc3f886330a722a9dcec092494b7940f50cb5b89e2c9d5c031423c345a

SHA512
679ab34524c7854e534e8f3f34bb720c52a8162f42ecf09e4a19f9c4ddd620d568524bacc39817c1aed30f43fde93935f23d46b188478762bc8799ebffae24c4

Download Submit
\Users\Admin\AppData\Local\Q6V\WTSAPI32.dll

MD5
7eb25f0e320a2cbf4ad859ea215ec15a

SHA1
6d1b0a99e26e2a65a4ed76cd5a5405524486b8a7

SHA256
9d79141d948a96bac36a68df27cced3147c2be9bd1776ca7df650f9cf87abfde

SHA512
c73661b1e4216a0658d9e54bc56a7807cc4b56ee96d050830c9112f90da1452791992200fb6fbe7750bbcb54a1484a7432c545e4ef0acc9c17cfe9a0fd413d5d

Download Submit
\Users\Admin\AppData\Local\Q6V\consent.exe

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
\Users\Admin\AppData\Local\aSsZKmcgT\DeviceDisplayObjectProvider.exe

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
\Users\Admin\AppData\Local\aSsZKmcgT\XmlLite.dll

MD5
62ee402d5d9a16bdbbd572df7d9fa34d

SHA1
cb6ab33cc8f548dc9be573f04a3a5fb7ec172f94

SHA256
82a04fdc58ea48f51c4de6b4b67804c1d80087d493f15d616fec38f7ebed2c6f

SHA512
31f9541ad24a7a37ac26c0e43a91f79a07009ca34369d228a259a80e7eb1b7d92059eed4c5f198e85f26a1a6189ca288f602c7f4d94c5515f7c5042644b673f1

Download Submit
\Users\Admin\AppData\Local\wzr4ag4AO\rekeywiz.exe

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
\Users\Admin\AppData\Local\wzr4ag4AO\slc.dll

MD5
cc9804a3a8458070670a3d139805734a

SHA1
a6a31cfe5a5eeb69b24d17d4a82b0cd5dfdc839b

SHA256
f6edbdfc3f886330a722a9dcec092494b7940f50cb5b89e2c9d5c031423c345a

SHA512
679ab34524c7854e534e8f3f34bb720c52a8162f42ecf09e4a19f9c4ddd620d568524bacc39817c1aed30f43fde93935f23d46b188478762bc8799ebffae24c4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\hz6uSvn9L\rekeywiz.exe

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
memory/1160-9-0x0000000000000000-mapping.dmp

Download
memory/1208-0-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1208-2-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1208-1-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1536-14-0x0000000000000000-mapping.dmp

Download
memory/1616-4-0x0000000000000000-mapping.dmp

Download