dridex | 1bc4755b2828092f30c53c4099d2a1b118d1a68686a82b7c11ef12c6ae93f8d4

Resubmissions

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7
submitted
06-08-2020 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DUI70.dll
Size

1.2MB
MD5

ca7f847ac49ea5ec058b9455bacbb326
SHA1

9ea5760c8d7b2f1a479901677338e487e62aaad0
SHA256

1bc4755b2828092f30c53c4099d2a1b118d1a68686a82b7c11ef12c6ae93f8d4
SHA512

5e57d36b700f030c977213899b2d5e4421abcaf54a41ccb336067e52f779066916b58ff1c81441be8c4e69240106569d40371b6ba862e6d89cbeda1cc65d6818

Score

10^/10

dridex botnet evasion loader persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/892-0-0x0000000140000000-0x000000014008D000-memory.dmp	dridex_ldr
behavioral1/memory/1264-3-0x0000000140000000-0x0000000140138000-memory.dmp	dridex_ldr

Dridex Loader 'dmod' strings 2 IoCs

Detects 'dmod' strings in Dridex loader.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/892-0-0x0000000140000000-0x000000014008D000-memory.dmp	dridex_ldr_dmod
behavioral1/memory/1264-3-0x0000000140000000-0x0000000140138000-memory.dmp	dridex_ldr_dmod

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesHardware.exefvenotify.exespreview.exe

pid process

112 SystemPropertiesHardware.exe
360 fvenotify.exe
1524 spreview.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesHardware.exefvenotify.exespreview.exe

pid process

1264
112 SystemPropertiesHardware.exe
1264
360 fvenotify.exe
1264
1524 spreview.exe
1264

pid	process
112	SystemPropertiesHardware.exe
360	fvenotify.exe
1524	spreview.exe

pid	process
1264
112	SystemPropertiesHardware.exe
1264
360	fvenotify.exe
1264
1524	spreview.exe
1264

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vpubrqhrepmzp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\2Wfjp\\fvenotify.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesHardware.exefvenotify.exespreview.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe

Suspicious behavior: EnumeratesProcesses 619 IoCs

Processes:

rundll32.exe

pid	process
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1264
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1264
Token: SeShutdownPrivilege 1264
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1264
1264
1264
1264
1264
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1264
1264
1264
1264

pid	process
1264

description	pid	process
Token: SeShutdownPrivilege	1264
Token: SeShutdownPrivilege	1264

pid	process
1264
1264
1264
1264
1264

pid	process
1264
1264
1264
1264

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1264 wrote to memory of 108	1264	SystemPropertiesHardware.exe
PID 1264 wrote to memory of 108	1264	SystemPropertiesHardware.exe
PID 1264 wrote to memory of 108	1264	SystemPropertiesHardware.exe
PID 1264 wrote to memory of 112	1264	SystemPropertiesHardware.exe
PID 1264 wrote to memory of 112	1264	SystemPropertiesHardware.exe
PID 1264 wrote to memory of 112	1264	SystemPropertiesHardware.exe
PID 1264 wrote to memory of 744	1264	fvenotify.exe
PID 1264 wrote to memory of 744	1264	fvenotify.exe
PID 1264 wrote to memory of 744	1264	fvenotify.exe
PID 1264 wrote to memory of 360	1264	fvenotify.exe
PID 1264 wrote to memory of 360	1264	fvenotify.exe
PID 1264 wrote to memory of 360	1264	fvenotify.exe
PID 1264 wrote to memory of 1528	1264	spreview.exe
PID 1264 wrote to memory of 1528	1264	spreview.exe
PID 1264 wrote to memory of 1528	1264	spreview.exe
PID 1264 wrote to memory of 1524	1264	spreview.exe
PID 1264 wrote to memory of 1524	1264	spreview.exe
PID 1264 wrote to memory of 1524	1264	spreview.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DUI70.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:892

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:108

C:\Users\Admin\AppData\Local\zOhyypD\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\zOhyypD\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:112

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:744

C:\Users\Admin\AppData\Local\2N0iKa3\fvenotify.exe
C:\Users\Admin\AppData\Local\2N0iKa3\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:360

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:1528

C:\Users\Admin\AppData\Local\2wqLpT9q\spreview.exe
C:\Users\Admin\AppData\Local\2wqLpT9q\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2N0iKa3\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\2N0iKa3\slc.dll
MD5
f23f62fff709739a0a5188a244b61910

SHA1
e5463b73ed878d23d023a119fb46fcadfc9e1f54

SHA256
3c8402c1634c15c851e2de93c0ef0ec89e75a1ab475b89f0daf864e8869cbd69

SHA512
1cc82221f088ef3578fe48663cfc3f7a2694fd2188afd3e5a6ee7ffbdb562fca013561211dda051a0af73d04bf8075ac51d54f7ef8b323853414f74c1e579142

Download Submit
C:\Users\Admin\AppData\Local\2wqLpT9q\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
C:\Users\Admin\AppData\Local\2wqLpT9q\sqmapi.dll
MD5
16dee71e6d230569f23da87d3c6c398b

SHA1
11adde0454fc755fe1460cfb2b8310fd64d67e28

SHA256
441c07bc7c03471939181bd07998b3aeb7c2b265173389fb48a633bbd5198365

SHA512
96e5eaf3707897bfb0373df8faf8f24c75493a4b539ee255ebaec44f4ded69b71ccebe2f234b5f1b93e0eb27e22be3343962f386083c5b5bd2bda45b83e48237

Download Submit
C:\Users\Admin\AppData\Local\zOhyypD\SYSDM.CPL
MD5
f0a252901f76e53c844bc60b0aa86f82

SHA1
4dec99aaefc5d60afb911e9f5422400e6e33b764

SHA256
d213755b08c96005fafb251df3ec56e84f5ebd73f8ae49ccfae6ee8baaa7636d

SHA512
b821523c8af9707bb7b63b7a765b24588518f17f5bbed7adf4cac55f7afaf59c28d56e242bf76b47b243d4973051994e34cd8f6f8767812cfb2b7916807808f2

Download Submit
C:\Users\Admin\AppData\Local\zOhyypD\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\2N0iKa3\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\2N0iKa3\slc.dll
MD5
f23f62fff709739a0a5188a244b61910

SHA1
e5463b73ed878d23d023a119fb46fcadfc9e1f54

SHA256
3c8402c1634c15c851e2de93c0ef0ec89e75a1ab475b89f0daf864e8869cbd69

SHA512
1cc82221f088ef3578fe48663cfc3f7a2694fd2188afd3e5a6ee7ffbdb562fca013561211dda051a0af73d04bf8075ac51d54f7ef8b323853414f74c1e579142

Download Submit
\Users\Admin\AppData\Local\2wqLpT9q\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\2wqLpT9q\sqmapi.dll
MD5
16dee71e6d230569f23da87d3c6c398b

SHA1
11adde0454fc755fe1460cfb2b8310fd64d67e28

SHA256
441c07bc7c03471939181bd07998b3aeb7c2b265173389fb48a633bbd5198365

SHA512
96e5eaf3707897bfb0373df8faf8f24c75493a4b539ee255ebaec44f4ded69b71ccebe2f234b5f1b93e0eb27e22be3343962f386083c5b5bd2bda45b83e48237

Download Submit
\Users\Admin\AppData\Local\zOhyypD\SYSDM.CPL
MD5
f0a252901f76e53c844bc60b0aa86f82

SHA1
4dec99aaefc5d60afb911e9f5422400e6e33b764

SHA256
d213755b08c96005fafb251df3ec56e84f5ebd73f8ae49ccfae6ee8baaa7636d

SHA512
b821523c8af9707bb7b63b7a765b24588518f17f5bbed7adf4cac55f7afaf59c28d56e242bf76b47b243d4973051994e34cd8f6f8767812cfb2b7916807808f2

Download Submit
\Users\Admin\AppData\Local\zOhyypD\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\P2iMVanG17\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
memory/112-5-0x0000000000000000-mapping.dmp

Download
memory/360-11-0x0000000000000000-mapping.dmp

Download
memory/892-0-0x0000000140000000-0x000000014008D000-memory.dmp

Filesize
564KB

Download
memory/1264-3-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1264-2-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1264-1-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/1524-17-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads