dridex | 4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75

Resubmissions

Analysis

max time kernel
150s
max time network
95s
platform
windows10_x64
resource
win10
submitted
06-08-2020 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VERSION.dll
Size

972KB
MD5

07b6339df2acddd30de436999071fc4b
SHA1

2550d842be80b811afa930384c0db06908bc1011
SHA256

4ed7566f8b70e42f52615a3c06512b10c6b3feef33627a82cdef1f054aa4cc75
SHA512

ef2b54af64064f6fdd4224b3b283e9e6b76d8d92a01d6e9044d016bbf2b2b295f4ed66a48d389a08ed4fc3d72a843f7ed32f43f91280658f897b2ad078324586

Score

10^/10

dridex botnet evasion loader persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/4016-0-0x0000000140000000-0x000000014008D000-memory.dmp	dridex_ldr
behavioral2/memory/3000-3-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_ldr

Dridex Loader 'dmod' strings 2 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/4016-0-0x0000000140000000-0x000000014008D000-memory.dmp	dridex_ldr_dmod
behavioral2/memory/3000-3-0x0000000140000000-0x00000001400F3000-memory.dmp	dridex_ldr_dmod

Executes dropped EXE 3 IoCs

Processes:

PasswordOnWakeSettingFlyout.exeDeviceEnroller.exemsinfo32.exe

pid process

3164 PasswordOnWakeSettingFlyout.exe
3112 DeviceEnroller.exe
636 msinfo32.exe
Loads dropped DLL 3 IoCs

Processes:

PasswordOnWakeSettingFlyout.exeDeviceEnroller.exemsinfo32.exe

pid process

3164 PasswordOnWakeSettingFlyout.exe
3112 DeviceEnroller.exe
636 msinfo32.exe

pid	process
3164	PasswordOnWakeSettingFlyout.exe
3112	DeviceEnroller.exe
636	msinfo32.exe

pid	process
3164	PasswordOnWakeSettingFlyout.exe
3112	DeviceEnroller.exe
636	msinfo32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jqhowtig = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\4OB37K~1\\DEVICE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msinfo32.exerundll32.exePasswordOnWakeSettingFlyout.exeDeviceEnroller.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe

Suspicious behavior: EnumeratesProcesses 638 IoCs

Processes:

rundll32.exe

pid	process
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3000 wrote to memory of 3388	3000	PasswordOnWakeSettingFlyout.exe
PID 3000 wrote to memory of 3388	3000	PasswordOnWakeSettingFlyout.exe
PID 3000 wrote to memory of 3164	3000	PasswordOnWakeSettingFlyout.exe
PID 3000 wrote to memory of 3164	3000	PasswordOnWakeSettingFlyout.exe
PID 3000 wrote to memory of 968	3000	DeviceEnroller.exe
PID 3000 wrote to memory of 968	3000	DeviceEnroller.exe
PID 3000 wrote to memory of 3112	3000	DeviceEnroller.exe
PID 3000 wrote to memory of 3112	3000	DeviceEnroller.exe
PID 3000 wrote to memory of 632	3000	msinfo32.exe
PID 3000 wrote to memory of 632	3000	msinfo32.exe
PID 3000 wrote to memory of 636	3000	msinfo32.exe
PID 3000 wrote to memory of 636	3000	msinfo32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\VERSION.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:3388

C:\Users\Admin\AppData\Local\gvs\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\gvs\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3164

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:968

C:\Users\Admin\AppData\Local\KS6N\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\KS6N\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3112

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:632

C:\Users\Admin\AppData\Local\fqH\msinfo32.exe
C:\Users\Admin\AppData\Local\fqH\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KS6N\DeviceEnroller.exe
MD5
bd732a3a065f5cca6df003a7ca78bb35

SHA1
449d027d933fdd530a6a27d7c2132f98ee56374a

SHA256
fd5f32939c8de2d80a6f2481268313b5151c21c474c61635c92d2b8ea436955e

SHA512
d1cd727841522be31e979484cdea467501693e1a3bab2fabc72510c73698353c960f7d2c16be9a4406d804da2b2ad7da58827a630f9616ebe296cae481103701

Download Submit
C:\Users\Admin\AppData\Local\KS6N\XmlLite.dll
MD5
c02db5d4a25252f71667d9dcd1fce1db

SHA1
774f1aa3f49ab9cff300851f03b4d0dd839d7e2e

SHA256
1ef9d83c4196539a87bbdfbf0b202f23ebd0a9c7fd2e413feefe379ffed88627

SHA512
f8aef40c18f77d360a48e09948decd7cc3ba6048648629d2a9764f44bd8895be299e82c9a8fee5529eeb39488b90629b963af2b3cb0e5ea7e7defe150c891858

Download Submit
C:\Users\Admin\AppData\Local\fqH\SLC.dll
MD5
9d833334b03085db8d5f334402c4f424

SHA1
e4b71125cf9714e0d8ebc6af68a81b3f291cea6d

SHA256
4e12ea00690e57fb4210968565c05926b5a8cacd5eb350ec6c9915704a14677f

SHA512
1e0a1f89dcff144654c6036e6641ea7804949e9f993fc0dc167a68bb55e6d7104d8b98dd78945ac8c17858a05c6658b458b535870c95c2f02dcc72311f9715c0

Download Submit
C:\Users\Admin\AppData\Local\fqH\msinfo32.exe
MD5
255861c59cdfbf86c03560d39a92932a

SHA1
18353cb8a58d25ab62687b69fee44d007b994f19

SHA256
57aeba5f7f9de579f3c334e7e013114f6b2257b810b2fc8c1f96331ad1c4909c

SHA512
f695394f344f07036684dc4ba4ba011bc0b5b0b27898c82714cbd072c6218870234deb18044c00bf3fda618480e4e517cba50d577c228a63ee3e2676029e430b

Download Submit
C:\Users\Admin\AppData\Local\gvs\DUI70.dll
MD5
28766fd0dabd5b446007c86a2cc0aa22

SHA1
0b3b29780dca84027146b8bd4b0e4658b0377030

SHA256
bd9ac14d44acae22bdb2b3dbd24f542579da7fd825d929c26d3145b36e427bda

SHA512
a94733fae002e76b654d78c279a79125d8232b15583aa011d8bf057d7444b6265c8ee8e539b71489dd1b909970ed283938ced5089535d6ce835d8d08503151b5

Download Submit
C:\Users\Admin\AppData\Local\gvs\PasswordOnWakeSettingFlyout.exe
MD5
a81fed73da02db15df427da1cd5f4141

SHA1
f831fc6377a6264be621e23635f22b437129b2ce

SHA256
1afed5b9302a4a4669ac7f966b7cf9fcaab037e94a0b3cabea3631055c97d3a5

SHA512
3c4541160f0f69d1c3a9dc4e67643864493eadb0450426f7f323d87fa7b0c81d96ef2201d33b3421a307171274615e90d4ee8bd07107ff4f75beedec0a2bf156

Download Submit
\Users\Admin\AppData\Local\KS6N\XmlLite.dll
MD5
c02db5d4a25252f71667d9dcd1fce1db

SHA1
774f1aa3f49ab9cff300851f03b4d0dd839d7e2e

SHA256
1ef9d83c4196539a87bbdfbf0b202f23ebd0a9c7fd2e413feefe379ffed88627

SHA512
f8aef40c18f77d360a48e09948decd7cc3ba6048648629d2a9764f44bd8895be299e82c9a8fee5529eeb39488b90629b963af2b3cb0e5ea7e7defe150c891858

Download Submit
\Users\Admin\AppData\Local\fqH\SLC.dll
MD5
9d833334b03085db8d5f334402c4f424

SHA1
e4b71125cf9714e0d8ebc6af68a81b3f291cea6d

SHA256
4e12ea00690e57fb4210968565c05926b5a8cacd5eb350ec6c9915704a14677f

SHA512
1e0a1f89dcff144654c6036e6641ea7804949e9f993fc0dc167a68bb55e6d7104d8b98dd78945ac8c17858a05c6658b458b535870c95c2f02dcc72311f9715c0

Download Submit
\Users\Admin\AppData\Local\gvs\DUI70.dll
MD5
28766fd0dabd5b446007c86a2cc0aa22

SHA1
0b3b29780dca84027146b8bd4b0e4658b0377030

SHA256
bd9ac14d44acae22bdb2b3dbd24f542579da7fd825d929c26d3145b36e427bda

SHA512
a94733fae002e76b654d78c279a79125d8232b15583aa011d8bf057d7444b6265c8ee8e539b71489dd1b909970ed283938ced5089535d6ce835d8d08503151b5

Download Submit
memory/636-14-0x0000000000000000-mapping.dmp

Download
memory/3000-3-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3000-2-0x0000000140000000-0x00000001400F3000-memory.dmp

Filesize
972KB

Download
memory/3000-1-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3112-9-0x0000000000000000-mapping.dmp

Download
memory/3164-4-0x0000000000000000-mapping.dmp

Download
memory/4016-0-0x0000000140000000-0x000000014008D000-memory.dmp

Filesize
564KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads