dridex | e84a6be9a0be2072e7cad77b66e433bcb87035dae75e86ca982d26fe37186458

Analysis

max time kernel
150s
max time network
110s
platform
windows10_x64
resource
win10v20201028
submitted
22-01-2021 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dridex.dll
Size

672KB
MD5

5decc1ceb1b5a1a1a26a7049ab860f67
SHA1

02219e55c686e80e405a8132cb0a4fb77bef3b4a
SHA256

e84a6be9a0be2072e7cad77b66e433bcb87035dae75e86ca982d26fe37186458
SHA512

3fb6cee0c6ab75ac53d0cd1cb6362e93d94d068e71df24feb699c318d47692e8752cfca4022c97e3675caaf821acf1aa5405cb738c148b85a7ae2343c315be52

Score

10^/10

dridex botnet evasion loader persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 4 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral2/memory/724-3-0x0000000140000000-0x0000000140085000-memory.dmp	dridex_ldr
behavioral2/memory/724-2-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_ldr
behavioral2/memory/3840-13-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_ldr
behavioral2/memory/2640-20-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_ldr

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exeiexpress.exeSystemSettingsAdminFlows.exe

pid process

3840 PresentationSettings.exe
2640 iexpress.exe
1168 SystemSettingsAdminFlows.exe
Loads dropped DLL 3 IoCs

Processes:

PresentationSettings.exeiexpress.exeSystemSettingsAdminFlows.exe

pid process

3840 PresentationSettings.exe
2640 iexpress.exe
1168 SystemSettingsAdminFlows.exe

pid	process
3840	PresentationSettings.exe
2640	iexpress.exe
1168	SystemSettingsAdminFlows.exe

pid	process
3840	PresentationSettings.exe
2640	iexpress.exe
1168	SystemSettingsAdminFlows.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qmufso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\xABz7t1\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemSettingsAdminFlows.exerundll32.exePresentationSettings.exeiexpress.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 595 IoCs

Processes:

rundll32.exe

pid	process
724	rundll32.exe
724	rundll32.exe
724	rundll32.exe
724	rundll32.exe
724	rundll32.exe
724	rundll32.exe
724	rundll32.exe
724	rundll32.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028

pid	process
3028

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

3028
3028
3028
3028
3028
3028
3028
3028
Suspicious use of SendNotifyMessage 22 IoCs

Processes:

pid process

3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3028

pid	process
3028
3028
3028
3028
3028
3028
3028
3028

pid	process
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

pid	process
3028

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 1364	3028	PresentationSettings.exe
PID 3028 wrote to memory of 1364	3028	PresentationSettings.exe
PID 3028 wrote to memory of 3840	3028	PresentationSettings.exe
PID 3028 wrote to memory of 3840	3028	PresentationSettings.exe
PID 3028 wrote to memory of 644	3028	iexpress.exe
PID 3028 wrote to memory of 644	3028	iexpress.exe
PID 3028 wrote to memory of 2640	3028	iexpress.exe
PID 3028 wrote to memory of 2640	3028	iexpress.exe
PID 3028 wrote to memory of 1340	3028	SystemSettingsAdminFlows.exe
PID 3028 wrote to memory of 1340	3028	SystemSettingsAdminFlows.exe
PID 3028 wrote to memory of 1168	3028	SystemSettingsAdminFlows.exe
PID 3028 wrote to memory of 1168	3028	SystemSettingsAdminFlows.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:724

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:1364

C:\Users\Admin\AppData\Local\6h6Nwvjbt\PresentationSettings.exe
C:\Users\Admin\AppData\Local\6h6Nwvjbt\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3840

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:644

C:\Users\Admin\AppData\Local\gg9tHVws\iexpress.exe
C:\Users\Admin\AppData\Local\gg9tHVws\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640

C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
1⤵
PID:1340

C:\Users\Admin\AppData\Local\0wfkj5Z\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\0wfkj5Z\SystemSettingsAdminFlows.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1168

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0wfkj5Z\SystemSettingsAdminFlows.exe
MD5
ed20a50080dc6977c774b42810f6c94c

SHA1
a3a6fbf9a10b67b7b5bf6ef1fb0912483ff68ba4

SHA256
fd537b9a6dd9349a98d19d2023fb6de8a0cb6e7e2e230dcc3fc2621eca024f5d

SHA512
0cdd7b145567c78a6800e47819d6d2c370fdac1fdb92cf726cad6c588a38b44a69f101dc470eb64745938fb47615d28c0d1215755eef7d3a739c9f39a24d7d8e

Download Submit
C:\Users\Admin\AppData\Local\0wfkj5Z\newdev.dll
MD5
404ba54176d6a02bc7f57e886ae8b324

SHA1
de1efaca260a4460347de2ef7468a704409ad3cc

SHA256
499186f28811335f1af9592cbe607b2e900473e5a9e78dbc4e5fede822540a67

SHA512
e7e8c02f9ace2051bf4c7202821c6c39400a5820429d6c2a4813e6811d497cf4cb6a168e95374425fe8a49130908b3465fb7d14e5f5cf026a20a0fc3d14202a0

Download Submit
C:\Users\Admin\AppData\Local\6h6Nwvjbt\PresentationSettings.exe
MD5
bd73d1773092998a116df978b49860b7

SHA1
c69255098b8528b88e12a4051fd4e880e8ebe0e7

SHA256
cebf396bdf405225c55ce25b6cac39165fa9cb26ddd52e73392df6ea4ce178ec

SHA512
dc932ddc9e512776ec5e3a09aa136e2a7a9209ab6f5168c5bcf9756f33b4007a88a332d246a1cc96f0097c0c758e03997dad10907e4be1bf2183fa3e049b5611

Download Submit
C:\Users\Admin\AppData\Local\6h6Nwvjbt\WINMM.dll
MD5
0f63061a94b4101efc27aedbac514549

SHA1
252b639288616fe449e2feb258c840af1f4a79ce

SHA256
88b707e70166407bef540d36f7d57c6f69370cf311fa0084bf06fd6ecb6c85d0

SHA512
a59f9e14159f8eafee8eb03e69574e17640e51b2b7f0ae55fe2ba393767e7f4843020a264832e63dca03a2c99427f16af6eb422f02bf68b1571801b89539be2f

Download Submit
C:\Users\Admin\AppData\Local\gg9tHVws\VERSION.dll
MD5
2a59c13ef827b77108a5b10c233c8c52

SHA1
01b391b0024df7d0a2973f02502994d51a1a87ba

SHA256
6fc6646198630616e09823dde910a76d59066dcf9df84bce9f07b012d4baf186

SHA512
da583babd3332343eeddd55049c7b1b35c0caf84c0ece6a190f203ef4aabfce3ef6f640faf539c92aa4e29f66589bd9bba986092dbdd0d14a49ecb19679dec92

Download Submit
C:\Users\Admin\AppData\Local\gg9tHVws\iexpress.exe
MD5
673b6274252dec0bab375e9fb2d8dd5b

SHA1
3c072e2eddf4ce9a1ad0dfa25d4e558c1bd50483

SHA256
2d981e5e4860ad9b51cfeedff6d1cfcb609b91c35173980fcde245ae5534e8d9

SHA512
5a8f317ed013ee3851ffeb04f75005f6f6df8d549d9bc4cce24d63c48f88f759443a5c8c50f185de23da730c7609232483d4aa25b637c55748a4af9e3e27b42c

Download Submit
\Users\Admin\AppData\Local\0wfkj5Z\newdev.dll
MD5
404ba54176d6a02bc7f57e886ae8b324

SHA1
de1efaca260a4460347de2ef7468a704409ad3cc

SHA256
499186f28811335f1af9592cbe607b2e900473e5a9e78dbc4e5fede822540a67

SHA512
e7e8c02f9ace2051bf4c7202821c6c39400a5820429d6c2a4813e6811d497cf4cb6a168e95374425fe8a49130908b3465fb7d14e5f5cf026a20a0fc3d14202a0

Download Submit
\Users\Admin\AppData\Local\6h6Nwvjbt\WINMM.dll
MD5
0f63061a94b4101efc27aedbac514549

SHA1
252b639288616fe449e2feb258c840af1f4a79ce

SHA256
88b707e70166407bef540d36f7d57c6f69370cf311fa0084bf06fd6ecb6c85d0

SHA512
a59f9e14159f8eafee8eb03e69574e17640e51b2b7f0ae55fe2ba393767e7f4843020a264832e63dca03a2c99427f16af6eb422f02bf68b1571801b89539be2f

Download Submit
\Users\Admin\AppData\Local\gg9tHVws\VERSION.dll
MD5
2a59c13ef827b77108a5b10c233c8c52

SHA1
01b391b0024df7d0a2973f02502994d51a1a87ba

SHA256
6fc6646198630616e09823dde910a76d59066dcf9df84bce9f07b012d4baf186

SHA512
da583babd3332343eeddd55049c7b1b35c0caf84c0ece6a190f203ef4aabfce3ef6f640faf539c92aa4e29f66589bd9bba986092dbdd0d14a49ecb19679dec92

Download Submit
memory/724-3-0x0000000140000000-0x0000000140085000-memory.dmp

Filesize
532KB

Download
memory/724-4-0x000001EB88420000-0x000001EB88427000-memory.dmp

Filesize
28KB

Download
memory/724-2-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1168-23-0x0000000000000000-mapping.dmp

Download
memory/2640-16-0x0000000000000000-mapping.dmp

Download
memory/2640-20-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/3028-6-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/3028-5-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3840-13-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/3840-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads