dridex | 4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75

Resubmissions

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7
submitted
14-07-2020 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VERSION.dll
Size

972KB
MD5

07b6339df2acddd30de436999071fc4b
SHA1

2550d842be80b811afa930384c0db06908bc1011
SHA256

4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75
SHA512

ef2b54af64064f6fdd4224b3b283e9e6b76d8d92a01d6e9044d016bbf2b2b295f4ed66a48d389a08ed4fc3d72a843f7ed32f43f91280658f897b2ad078324586

Score

10^/10

dridex botnet evasion loader persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1228-2-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_ldr

Dridex Loader 'dmod' strings 1 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1228-2-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_ldr_dmod

Executes dropped EXE 3 IoCs

Processes:

vmicsvc.exeVaultSysUi.exexpsrchvw.exe

pid process

1044 vmicsvc.exe
1508 VaultSysUi.exe
1768 xpsrchvw.exe
Loads dropped DLL 8 IoCs

Processes:

vmicsvc.exeVaultSysUi.exexpsrchvw.exe

pid process

1228
1044 vmicsvc.exe
1228
1228
1508 VaultSysUi.exe
1228
1768 xpsrchvw.exe
1228

pid	process
1044	vmicsvc.exe
1508	VaultSysUi.exe
1768	xpsrchvw.exe

pid	process
1228
1044	vmicsvc.exe
1228
1228
1508	VaultSysUi.exe
1228
1768	xpsrchvw.exe
1228

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vpubrqhrepmzp = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\sys\\KlP\\VAULTS~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exevmicsvc.exeVaultSysUi.exexpsrchvw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe

Suspicious behavior: EnumeratesProcesses 622 IoCs

Processes:

rundll32.exe

pid	process
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1228
1228
1228
1228
1228
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1228
1228
1228
1228

pid	process
1228
1228
1228
1228
1228

pid	process
1228
1228
1228
1228

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1228 wrote to memory of 324	1228	vmicsvc.exe
PID 1228 wrote to memory of 324	1228	vmicsvc.exe
PID 1228 wrote to memory of 324	1228	vmicsvc.exe
PID 1228 wrote to memory of 1044	1228	vmicsvc.exe
PID 1228 wrote to memory of 1044	1228	vmicsvc.exe
PID 1228 wrote to memory of 1044	1228	vmicsvc.exe
PID 1228 wrote to memory of 1520	1228	VaultSysUi.exe
PID 1228 wrote to memory of 1520	1228	VaultSysUi.exe
PID 1228 wrote to memory of 1520	1228	VaultSysUi.exe
PID 1228 wrote to memory of 1508	1228	VaultSysUi.exe
PID 1228 wrote to memory of 1508	1228	VaultSysUi.exe
PID 1228 wrote to memory of 1508	1228	VaultSysUi.exe
PID 1228 wrote to memory of 1812	1228	xpsrchvw.exe
PID 1228 wrote to memory of 1812	1228	xpsrchvw.exe
PID 1228 wrote to memory of 1812	1228	xpsrchvw.exe
PID 1228 wrote to memory of 1768	1228	xpsrchvw.exe
PID 1228 wrote to memory of 1768	1228	xpsrchvw.exe
PID 1228 wrote to memory of 1768	1228	xpsrchvw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VERSION.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:324

C:\Users\Admin\AppData\Local\EJVDtL\vmicsvc.exe
C:\Users\Admin\AppData\Local\EJVDtL\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1044

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\NoA\VaultSysUi.exe
C:\Users\Admin\AppData\Local\NoA\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1508

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:1812

C:\Users\Admin\AppData\Local\3LlFKaD\xpsrchvw.exe
C:\Users\Admin\AppData\Local\3LlFKaD\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3LlFKaD\WINMM.dll

MD5
7f9455685cf18115c2d6f460cd3f816e

SHA1
7957afec4d51a504426e71a1c65489f2542f2428

SHA256
1f89d73f2f622e5af25662ff0d7b7e792da53021b40acdc1d6ddf2b2cd30e088

SHA512
8d9be0b24b1f5907ecb4fa7a4bb429daa6fe5ff50f336539c8974c8caa062a01901b4060616c4f1cff4e7bdcd9e37cf3babb1aa002de89f43e3c0d7744150125

Download Submit
C:\Users\Admin\AppData\Local\3LlFKaD\xpsrchvw.exe

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
C:\Users\Admin\AppData\Local\EJVDtL\ACTIVEDS.dll

MD5
d0cb849dba0f5003423174a6d40fe23e

SHA1
3071e56ebe196017b4f7966a64d41f61bd967251

SHA256
aa62cb6975ae257c2298890e1f37de6c088280bf44bdc408632b5997ef886b33

SHA512
0834faf7dcf4359d37b53fbcf8f1ed0a25f4b42f72444d8dc40b22f8b90840304b4e150e79074cc0dcb104d991b736dc7b9e16a307a60cb3e38789401b771393

Download Submit
C:\Users\Admin\AppData\Local\EJVDtL\vmicsvc.exe

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
C:\Users\Admin\AppData\Local\NoA\VaultSysUi.exe

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
C:\Users\Admin\AppData\Local\NoA\credui.dll

MD5
b269b3e2fb5c4926fd5b1252ed256733

SHA1
1a4f51c92dacc1a16beff950998d3ab5ec22adab

SHA256
6f95cafd4f2471b64076c18e8870705371ea574661b578ce629cac303b89a8d8

SHA512
cbe3bb680b1dd32a6dd7cd1b5e18454a818649aa64a129f6d098116d3f0cf2c8adb62e01fe57811db1278121915e320a49ee07074268f872c269b98e8cefc81a

Download Submit
\Users\Admin\AppData\Local\3LlFKaD\WINMM.dll

MD5
7f9455685cf18115c2d6f460cd3f816e

SHA1
7957afec4d51a504426e71a1c65489f2542f2428

SHA256
1f89d73f2f622e5af25662ff0d7b7e792da53021b40acdc1d6ddf2b2cd30e088

SHA512
8d9be0b24b1f5907ecb4fa7a4bb429daa6fe5ff50f336539c8974c8caa062a01901b4060616c4f1cff4e7bdcd9e37cf3babb1aa002de89f43e3c0d7744150125

Download Submit
\Users\Admin\AppData\Local\3LlFKaD\xpsrchvw.exe

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Local\EJVDtL\ACTIVEDS.dll

MD5
d0cb849dba0f5003423174a6d40fe23e

SHA1
3071e56ebe196017b4f7966a64d41f61bd967251

SHA256
aa62cb6975ae257c2298890e1f37de6c088280bf44bdc408632b5997ef886b33

SHA512
0834faf7dcf4359d37b53fbcf8f1ed0a25f4b42f72444d8dc40b22f8b90840304b4e150e79074cc0dcb104d991b736dc7b9e16a307a60cb3e38789401b771393

Download Submit
\Users\Admin\AppData\Local\EJVDtL\vmicsvc.exe

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Local\NoA\VaultSysUi.exe

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\NoA\VaultSysUi.exe

MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\NoA\credui.dll

MD5
b269b3e2fb5c4926fd5b1252ed256733

SHA1
1a4f51c92dacc1a16beff950998d3ab5ec22adab

SHA256
6f95cafd4f2471b64076c18e8870705371ea574661b578ce629cac303b89a8d8

SHA512
cbe3bb680b1dd32a6dd7cd1b5e18454a818649aa64a129f6d098116d3f0cf2c8adb62e01fe57811db1278121915e320a49ee07074268f872c269b98e8cefc81a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\8uN2e\xpsrchvw.exe

MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
memory/1044-4-0x0000000000000000-mapping.dmp

Download
memory/1228-0-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/1228-2-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1228-1-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/1508-10-0x0000000000000000-mapping.dmp

Download
memory/1768-15-0x0000000000000000-mapping.dmp

Download