dridex | d594d6c6cd43b07dd9a683a089d03db2c396e2c4472a16a9c89d12c0225d605b

Analysis

max time kernel
150s
max time network
11s
platform
windows7_x64
resource
win7v20201028
submitted
24-11-2020 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XmlLite.dll
Size

1.2MB
MD5

1a72ddab7ae064892517b65c138b6078
SHA1

428521bc64f6ca137f31cc382e97c7619b33169c
SHA256

d594d6c6cd43b07dd9a683a089d03db2c396e2c4472a16a9c89d12c0225d605b
SHA512

39b12f7cc153a19f4f8084614f1ff3023276dc01b1cf88eb4a95eb2210e3e3a378a9aad3cbb7ddc911592e1e9513da954aa1ff9f88a160612b3d6d66012e68e0

Score

10^/10

dridex botnet evasion loader persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/336-0-0x0000000140000000-0x0000000140086000-memory.dmp	dridex_ldr
behavioral1/memory/1196-3-0x0000000140000000-0x0000000140131000-memory.dmp	dridex_ldr

Executes dropped EXE 3 IoCs

Processes:

winlogon.exeshrpubw.exeDWWIN.EXE

pid process

1484 winlogon.exe
680 shrpubw.exe
564 DWWIN.EXE
Loads dropped DLL 7 IoCs

Processes:

winlogon.exeshrpubw.exeDWWIN.EXE

pid process

1196
1484 winlogon.exe
1196
680 shrpubw.exe
1196
564 DWWIN.EXE
1196

pid	process
1484	winlogon.exe
680	shrpubw.exe
564	DWWIN.EXE

pid	process
1196
1484	winlogon.exe
1196
680	shrpubw.exe
1196
564	DWWIN.EXE
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aydnxxppg = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-293278959-2699126792-324916226-1000\\w6bS\\shrpubw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewinlogon.exeshrpubw.exeDWWIN.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 316 IoCs

Processes:

rundll32.exewinlogon.exe

pid	process
336	rundll32.exe
336	rundll32.exe
336	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1484	winlogon.exe
1484	winlogon.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1196
1196
1196
1196
1196
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1196
1196
1196
1196
1196
1196

pid	process
1196
1196
1196
1196
1196

pid	process
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 1492	1196	winlogon.exe
PID 1196 wrote to memory of 1492	1196	winlogon.exe
PID 1196 wrote to memory of 1492	1196	winlogon.exe
PID 1196 wrote to memory of 1484	1196	winlogon.exe
PID 1196 wrote to memory of 1484	1196	winlogon.exe
PID 1196 wrote to memory of 1484	1196	winlogon.exe
PID 1196 wrote to memory of 1520	1196	shrpubw.exe
PID 1196 wrote to memory of 1520	1196	shrpubw.exe
PID 1196 wrote to memory of 1520	1196	shrpubw.exe
PID 1196 wrote to memory of 680	1196	shrpubw.exe
PID 1196 wrote to memory of 680	1196	shrpubw.exe
PID 1196 wrote to memory of 680	1196	shrpubw.exe
PID 1196 wrote to memory of 1728	1196	DWWIN.EXE
PID 1196 wrote to memory of 1728	1196	DWWIN.EXE
PID 1196 wrote to memory of 1728	1196	DWWIN.EXE
PID 1196 wrote to memory of 564	1196	DWWIN.EXE
PID 1196 wrote to memory of 564	1196	DWWIN.EXE
PID 1196 wrote to memory of 564	1196	DWWIN.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\XmlLite.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:336

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:1492

C:\Users\Admin\AppData\Local\wvqR2JL\winlogon.exe
C:\Users\Admin\AppData\Local\wvqR2JL\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\kSWPMoNT0\shrpubw.exe
C:\Users\Admin\AppData\Local\kSWPMoNT0\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:680

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:1728

C:\Users\Admin\AppData\Local\z5WWIEX\DWWIN.EXE
C:\Users\Admin\AppData\Local\z5WWIEX\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:564

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\kSWPMoNT0\MFC42u.dll
MD5
1efda58fca3b8d57d57e51c9b2932081

SHA1
81681b22e8886aa5ef3048862c4bb642a6aa9ad6

SHA256
31427e2b02421127c6685e67b184251dd55ddda70347ffaf07d52521c1f27b40

SHA512
7f5645c24a3b4d01279229762fd3a4b9d520b1ad12080d818c881bbf5245704c3a10e8e6591e96ad48a0f09e540f014f01a881b1d09e8737bde141d13ad5295e

Download Submit
C:\Users\Admin\AppData\Local\kSWPMoNT0\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\wvqR2JL\WINSTA.dll
MD5
e448cf1b14751fded1a586a02c6b0f7a

SHA1
f85a8c5c326788fd68830fe15b54fd3287ca94f7

SHA256
735973eaa62dd4c78a51ca11613a4e01ba470e65b8187c5d0b7be6486523a522

SHA512
c554aa3ae2e98ee1eb2a9ada6f479cd153abaf73bae08ef8b95ae483ae833422a3536e15f09b196900bd7dede8d0f1bf4a08e8b8fe3207fab3ef3b3f5a4cb34e

Download Submit
C:\Users\Admin\AppData\Local\wvqR2JL\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
C:\Users\Admin\AppData\Local\z5WWIEX\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\z5WWIEX\wer.dll
MD5
74430120ae01c18c13879a5eeb5314ea

SHA1
29d424212429129b72acae2428e273cbfb346a17

SHA256
967c7cdba36ad4f00df1a4359c60bee786803454eaaf9f1f629ef5f23b1df6cf

SHA512
f1df406e125994a7ad1cf13f48d695af14336126c9c922048c6ce8c743db66ff160e9c2c2d6877bb93d0262eb86c6e221a4a6612f34160febaf18b0d43c74207

Download Submit
\Users\Admin\AppData\Local\kSWPMoNT0\MFC42u.dll
MD5
1efda58fca3b8d57d57e51c9b2932081

SHA1
81681b22e8886aa5ef3048862c4bb642a6aa9ad6

SHA256
31427e2b02421127c6685e67b184251dd55ddda70347ffaf07d52521c1f27b40

SHA512
7f5645c24a3b4d01279229762fd3a4b9d520b1ad12080d818c881bbf5245704c3a10e8e6591e96ad48a0f09e540f014f01a881b1d09e8737bde141d13ad5295e

Download Submit
\Users\Admin\AppData\Local\kSWPMoNT0\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\wvqR2JL\WINSTA.dll
MD5
e448cf1b14751fded1a586a02c6b0f7a

SHA1
f85a8c5c326788fd68830fe15b54fd3287ca94f7

SHA256
735973eaa62dd4c78a51ca11613a4e01ba470e65b8187c5d0b7be6486523a522

SHA512
c554aa3ae2e98ee1eb2a9ada6f479cd153abaf73bae08ef8b95ae483ae833422a3536e15f09b196900bd7dede8d0f1bf4a08e8b8fe3207fab3ef3b3f5a4cb34e

Download Submit
\Users\Admin\AppData\Local\wvqR2JL\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\z5WWIEX\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\z5WWIEX\wer.dll
MD5
74430120ae01c18c13879a5eeb5314ea

SHA1
29d424212429129b72acae2428e273cbfb346a17

SHA256
967c7cdba36ad4f00df1a4359c60bee786803454eaaf9f1f629ef5f23b1df6cf

SHA512
f1df406e125994a7ad1cf13f48d695af14336126c9c922048c6ce8c743db66ff160e9c2c2d6877bb93d0262eb86c6e221a4a6612f34160febaf18b0d43c74207

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\7GkYGv\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
memory/336-0-0x0000000140000000-0x0000000140086000-memory.dmp

Filesize
536KB

Download
memory/564-17-0x0000000000000000-mapping.dmp

Download
memory/680-11-0x0000000000000000-mapping.dmp

Download
memory/1196-2-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-3-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1196-1-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/1484-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads