dridex | 429ad522901cf382e8dadb952a8663f535f5f42086654dd81da3e6ded31927d3

Analysis

max time kernel
163s
max time network
147s
platform
windows10_x64
resource
win10v20210408
submitted
15-09-2021 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

429ad522901cf382e8dadb952a8663f535f5f42086654dd81da3e6ded31927d3.dll
Size

2.0MB
MD5

2100be187604621fb7833f0c8f4b9afa
SHA1

10eba7fc8a661107b1417c7e3dc35f9fef8654f1
SHA256

429ad522901cf382e8dadb952a8663f535f5f42086654dd81da3e6ded31927d3
SHA512

11c2cadc8203ff6f0da881215422fcd5800c56ef05a0bb4f43dab74f9e8c1b740d178692167dff3aa5eca9f6f1e1a8f02a7c430992861085339fc9a4ad3cc131

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3052-119-0x0000000000500000-0x0000000000501000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exeProximityUxHost.exesppsvc.exe

pid process

2308 PresentationSettings.exe
3960 ProximityUxHost.exe
2552 sppsvc.exe
Loads dropped DLL 3 IoCs

Processes:

PresentationSettings.exeProximityUxHost.exesppsvc.exe

pid process

2308 PresentationSettings.exe
3960 ProximityUxHost.exe
2552 sppsvc.exe

pid	process
2308	PresentationSettings.exe
3960	ProximityUxHost.exe
2552	sppsvc.exe

pid	process
2308	PresentationSettings.exe
3960	ProximityUxHost.exe
2552	sppsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\jLt0wbrZkr\\ProximityUxHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sppsvc.exerundll32.exePresentationSettings.exeProximityUxHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProximityUxHost.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3052

pid	process
3052

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052
Token: SeShutdownPrivilege	3052
Token: SeCreatePagefilePrivilege	3052

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

3052
3052
3052
3052
3052
3052
3052
3052

pid	process
3052
3052
3052
3052
3052
3052
3052
3052

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	target process
PID 3052 wrote to memory of 3200	3052	PresentationSettings.exe
PID 3052 wrote to memory of 3200	3052	PresentationSettings.exe
PID 3052 wrote to memory of 2308	3052	PresentationSettings.exe
PID 3052 wrote to memory of 2308	3052	PresentationSettings.exe
PID 3052 wrote to memory of 2672	3052	ProximityUxHost.exe
PID 3052 wrote to memory of 2672	3052	ProximityUxHost.exe
PID 3052 wrote to memory of 3960	3052	ProximityUxHost.exe
PID 3052 wrote to memory of 3960	3052	ProximityUxHost.exe
PID 3052 wrote to memory of 2552	3052	sppsvc.exe
PID 3052 wrote to memory of 2552	3052	sppsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\429ad522901cf382e8dadb952a8663f535f5f42086654dd81da3e6ded31927d3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:3200

C:\Users\Admin\AppData\Local\Qru8\PresentationSettings.exe
C:\Users\Admin\AppData\Local\Qru8\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2308

C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
1⤵
PID:2672

C:\Users\Admin\AppData\Local\YTaYsmyR\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\YTaYsmyR\ProximityUxHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3960

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:2096

C:\Users\Admin\AppData\Local\tjZ5seBYW\sppsvc.exe
C:\Users\Admin\AppData\Local\tjZ5seBYW\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2552

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Qru8\PresentationSettings.exe
MD5
bd73d1773092998a116df978b49860b7

SHA1
c69255098b8528b88e12a4051fd4e880e8ebe0e7

SHA256
cebf396bdf405225c55ce25b6cac39165fa9cb26ddd52e73392df6ea4ce178ec

SHA512
dc932ddc9e512776ec5e3a09aa136e2a7a9209ab6f5168c5bcf9756f33b4007a88a332d246a1cc96f0097c0c758e03997dad10907e4be1bf2183fa3e049b5611

Download Submit
C:\Users\Admin\AppData\Local\Qru8\WINMM.dll
MD5
dab76d56732e4f49531a04692d39bd71

SHA1
aaa16585a3942b8b4aa05902ffc0137984f3b45c

SHA256
b1bc191a042e02316fb9041929c71ff207c266a1b0e9a4365e5af356fefb48ae

SHA512
88363d7d80a7aa7484922b062858172221430560601148730e8f3777e8fb297f991e4b738fbb4b49d5682febf66256ac2e40034fac332ebecd505766dfe9ec4e

Download Submit
C:\Users\Admin\AppData\Local\YTaYsmyR\DUI70.dll
MD5
9b5c9b1c181199da39e640b9717a457f

SHA1
66220d1516860c2463783d28b1b7dc90e4caa1af

SHA256
d08d3b83a0901293383daada6cb218903f54e6ed3e978bf7d9c1e7424c2a58ed

SHA512
46f44c52889db92ad01ecb8c9b799ca177cb917f0f35c45cfbe7f9f4223204b6d439a30a020853e4a1c78aa72bad4831f46c034837e615d3008ad85632214d03

Download Submit
C:\Users\Admin\AppData\Local\YTaYsmyR\ProximityUxHost.exe
MD5
8a990b37066b57cf2d0ca84c3f7f91da

SHA1
12a5ab083cda21fdb7c92f153f1c200837905618

SHA256
aad97c2832beb45a772c6c99692d0193a3f74562e6cb81c217fd612eae9a646c

SHA512
c53d0163ad2519a4894b6b91849a43491e7955a726f5d223c82fa83119ed8e8fa1449fdcbe6f07abf68b977ebcda736c3516aa487b0621957ccaccfe3193c38d

Download Submit
C:\Users\Admin\AppData\Local\tjZ5seBYW\XmlLite.dll
MD5
9728fbb49530929b743a302f2b5da09a

SHA1
d68f8613eb412a21ac83ca6e2caebb5fc3372d77

SHA256
ec5710271b8361e95bc888137a7d3d78731ffcac5e6cf9b36fbda10d6cfa1554

SHA512
892780b96b579ae64f02d58ad583f98ff46daf7226d1acc8c9cd733b52c4bc160dd0f11eb5826fd3b1e57649d143763bd516d0fac8178aa7e031ed2f38e9adcd

Download Submit
C:\Users\Admin\AppData\Local\tjZ5seBYW\sppsvc.exe
MD5
e910861720de6edfb5cc6158ce3c7e17

SHA1
9b5b7c08da7cf36ca302c6e57cbc8bcfa5a69a9d

SHA256
526ba8eeb9ee5312fec39753d728e05f49ad81132346a354c95d4d4938001e2b

SHA512
e2a34b7e37781072494685ddab68bdb711910ae29f2ee9e05ec514442956047fb5b58ee8606110db48029f40990857184256c53f48910e8e050269f2a7aa0435

Download Submit
\Users\Admin\AppData\Local\Qru8\WINMM.dll
MD5
dab76d56732e4f49531a04692d39bd71

SHA1
aaa16585a3942b8b4aa05902ffc0137984f3b45c

SHA256
b1bc191a042e02316fb9041929c71ff207c266a1b0e9a4365e5af356fefb48ae

SHA512
88363d7d80a7aa7484922b062858172221430560601148730e8f3777e8fb297f991e4b738fbb4b49d5682febf66256ac2e40034fac332ebecd505766dfe9ec4e

Download Submit
\Users\Admin\AppData\Local\YTaYsmyR\DUI70.dll
MD5
9b5c9b1c181199da39e640b9717a457f

SHA1
66220d1516860c2463783d28b1b7dc90e4caa1af

SHA256
d08d3b83a0901293383daada6cb218903f54e6ed3e978bf7d9c1e7424c2a58ed

SHA512
46f44c52889db92ad01ecb8c9b799ca177cb917f0f35c45cfbe7f9f4223204b6d439a30a020853e4a1c78aa72bad4831f46c034837e615d3008ad85632214d03

Download Submit
\Users\Admin\AppData\Local\tjZ5seBYW\XmlLite.dll
MD5
9728fbb49530929b743a302f2b5da09a

SHA1
d68f8613eb412a21ac83ca6e2caebb5fc3372d77

SHA256
ec5710271b8361e95bc888137a7d3d78731ffcac5e6cf9b36fbda10d6cfa1554

SHA512
892780b96b579ae64f02d58ad583f98ff46daf7226d1acc8c9cd733b52c4bc160dd0f11eb5826fd3b1e57649d143763bd516d0fac8178aa7e031ed2f38e9adcd

Download Submit
memory/1316-118-0x000002161B990000-0x000002161B997000-memory.dmp

Filesize
28KB

Download
memory/1316-114-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/2308-162-0x0000000000000000-mapping.dmp

Download
memory/2308-166-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2552-196-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2552-192-0x0000000000000000-mapping.dmp

Download
memory/3052-130-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-157-0x00007FF8ED0E0000-0x00007FF8ED0E2000-memory.dmp

Filesize
8KB

Download
memory/3052-134-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-135-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-136-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-137-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-138-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-139-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-140-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-141-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-142-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-143-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-144-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-145-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-146-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-147-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-155-0x00007FF8ECFA4560-0x00007FF8ECFA5560-memory.dmp

Filesize
4KB

Download
memory/3052-133-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-132-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-123-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-131-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-129-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-128-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-127-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-126-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-119-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3052-125-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-121-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-124-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-122-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3052-120-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/3960-187-0x0000000140000000-0x000000014023C000-memory.dmp

Filesize
2.2MB

Download
memory/3960-183-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads