dridex | f921d637a8212541c053e6ec00886786677a24b560bd165bb44c1d42ac5c5c87

Analysis

max time kernel
161s
max time network
161s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f921d637a8212541c053e6ec00886786677a24b560bd165bb44c1d42ac5c5c87.dll
Size

2.0MB
MD5

069741e389e86705c473bc269b12c626
SHA1

4fbf73178acfdf076fc553b5e235ba74c914cdc5
SHA256

f921d637a8212541c053e6ec00886786677a24b560bd165bb44c1d42ac5c5c87
SHA512

a72d9100552f038bf49832cc328e49b847942548927ed6e25b1dd6bc44c0e9e30d1f5c81c4ad6d4af28bd2243e04d60f8ead9e0209a775300763f1771210c9ef

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3036-120-0x00000000014C0000-0x00000000014C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SppExtComObj.ExeBdeUISrv.exewusa.exe

pid process

1404 SppExtComObj.Exe
4064 BdeUISrv.exe
2516 wusa.exe
Loads dropped DLL 3 IoCs

Processes:

SppExtComObj.ExeBdeUISrv.exewusa.exe

pid process

1404 SppExtComObj.Exe
4064 BdeUISrv.exe
2516 wusa.exe

pid	process
1404	SppExtComObj.Exe
4064	BdeUISrv.exe
2516	wusa.exe

pid	process
1404	SppExtComObj.Exe
4064	BdeUISrv.exe
2516	wusa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wzmtblrj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\NF90fQy0\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSppExtComObj.ExeBdeUISrv.exewusa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3964	rundll32.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036

pid	process
3036

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

pid process

3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pid process

3036
3036
3036

pid	process
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

pid	process
3036
3036
3036

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3036 wrote to memory of 1220	3036	SppExtComObj.Exe
PID 3036 wrote to memory of 1220	3036	SppExtComObj.Exe
PID 3036 wrote to memory of 1404	3036	SppExtComObj.Exe
PID 3036 wrote to memory of 1404	3036	SppExtComObj.Exe
PID 3036 wrote to memory of 1952	3036	BdeUISrv.exe
PID 3036 wrote to memory of 1952	3036	BdeUISrv.exe
PID 3036 wrote to memory of 4064	3036	BdeUISrv.exe
PID 3036 wrote to memory of 4064	3036	BdeUISrv.exe
PID 3036 wrote to memory of 2380	3036	wusa.exe
PID 3036 wrote to memory of 2380	3036	wusa.exe
PID 3036 wrote to memory of 2516	3036	wusa.exe
PID 3036 wrote to memory of 2516	3036	wusa.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f921d637a8212541c053e6ec00886786677a24b560bd165bb44c1d42ac5c5c87.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:1220

C:\Users\Admin\AppData\Local\hrZQns\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\hrZQns\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1404

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:1952

C:\Users\Admin\AppData\Local\3Z2ZTl\BdeUISrv.exe
C:\Users\Admin\AppData\Local\3Z2ZTl\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4064

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2380

C:\Users\Admin\AppData\Local\D8a3FvquW\wusa.exe
C:\Users\Admin\AppData\Local\D8a3FvquW\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2516

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3Z2ZTl\BdeUISrv.exe
MD5
bbdabce7ba28eb67c325fa99125d56e0

SHA1
332ea58882149d629057e8a8004a48d1bb1d6180

SHA256
9c3fe14fc4ab8e385c3baae1d5a04a66c3ee645d278b182039fa45a6c99b4994

SHA512
fd3a22baac2689f8e009cb7845aa6ca7dd4a7ba4f1956758945cdd68dfc7045e4da62cf846a4a0b507d9be3753eb68b94fe375bf01dc698017b107ff26ebd93e

Download Submit
C:\Users\Admin\AppData\Local\3Z2ZTl\WTSAPI32.dll
MD5
737aa0cacd80445255cb1fed1322228b

SHA1
4c278922cda63e5ca2fec77a247d6c3c943c75a4

SHA256
87fc315fb812b5f78a56b1b4e38790de60eef2cb9b9033b86c327ea40e46a149

SHA512
40ff39393c780092e87f2ba3c309b63ddf25a3d66fdf30e4a4fe00f3031cddb2fad05c276c548458eabec58abcc1fae27ef3f82b522137d3167f703edb83e8df

Download Submit
C:\Users\Admin\AppData\Local\D8a3FvquW\dpx.dll
MD5
5b8c1a23be283bc62e905ec4983df67b

SHA1
f1f0161303d9a3606d875648740c67929869f972

SHA256
28b631921cf7c4a8019639434046393f77cd6473ab822ee77582759eee193097

SHA512
50b6e32cecbd2df339e9c6e2490a2f44b3c37e6d814b597c3890cf1df1b7f9bd773d9262e25c32b307d4879152ed851d554d294963357cc998e0ea3afe93360f

Download Submit
C:\Users\Admin\AppData\Local\D8a3FvquW\wusa.exe
MD5
808ee0ed0ebebe64832bf7fbe034d23a

SHA1
30d23c3e8f4705d2e720deecfc7544d78a2857a5

SHA256
44a7409999c9b75e6473c8f4395a1335fd65e002bcfea94cf8af2734c0993f9e

SHA512
8356ac02e92407e5061db4e5945c870f8f69839d208e504e739c28b87bea7c049fdd3dbc9dd62b659d1caee82a028776ae0824182f8329010cf9e521259a8e4c

Download Submit
C:\Users\Admin\AppData\Local\hrZQns\ACTIVEDS.dll
MD5
fef25f63c26ad65bdc1378caa13bce22

SHA1
9d696f8afaeefada582bc4b1f277b35516729bf9

SHA256
7c53e8c54821398d825c16a82e28a08026fbbe4f467f1aeeaaabded4182a939a

SHA512
821c16c751a2d4ff705cf2348480453c154cfcfefe34da43fc0d01d69c1d2d849e8c0a289b10c66a3dd2653cc4b3db88ab35c0843d74dfa50f328836a007e7f8

Download Submit
C:\Users\Admin\AppData\Local\hrZQns\SppExtComObj.Exe
MD5
923824efa9f60f1ef53a467253941553

SHA1
6405859f261189d3dc15e6fa8040fc2cb23c6499

SHA256
28b704870730b01d31e24a51502fd4bfcf23f15d2f482ea4aadc12da0f5f8065

SHA512
8bc7eba28740aa2b569ce8cf57e4a5fc7230efe8251dc7d00b50a1ea7c560266d1970e48a7b1900c75eac3267ff9542fe420abd5a1e2b27380d6c4ab748eb3c3

Download Submit
\Users\Admin\AppData\Local\3Z2ZTl\WTSAPI32.dll
MD5
737aa0cacd80445255cb1fed1322228b

SHA1
4c278922cda63e5ca2fec77a247d6c3c943c75a4

SHA256
87fc315fb812b5f78a56b1b4e38790de60eef2cb9b9033b86c327ea40e46a149

SHA512
40ff39393c780092e87f2ba3c309b63ddf25a3d66fdf30e4a4fe00f3031cddb2fad05c276c548458eabec58abcc1fae27ef3f82b522137d3167f703edb83e8df

Download Submit
\Users\Admin\AppData\Local\D8a3FvquW\dpx.dll
MD5
5b8c1a23be283bc62e905ec4983df67b

SHA1
f1f0161303d9a3606d875648740c67929869f972

SHA256
28b631921cf7c4a8019639434046393f77cd6473ab822ee77582759eee193097

SHA512
50b6e32cecbd2df339e9c6e2490a2f44b3c37e6d814b597c3890cf1df1b7f9bd773d9262e25c32b307d4879152ed851d554d294963357cc998e0ea3afe93360f

Download Submit
\Users\Admin\AppData\Local\hrZQns\ACTIVEDS.dll
MD5
fef25f63c26ad65bdc1378caa13bce22

SHA1
9d696f8afaeefada582bc4b1f277b35516729bf9

SHA256
7c53e8c54821398d825c16a82e28a08026fbbe4f467f1aeeaaabded4182a939a

SHA512
821c16c751a2d4ff705cf2348480453c154cfcfefe34da43fc0d01d69c1d2d849e8c0a289b10c66a3dd2653cc4b3db88ab35c0843d74dfa50f328836a007e7f8

Download Submit
memory/1404-169-0x0000000000000000-mapping.dmp

Download
memory/1404-173-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/2516-195-0x0000000000000000-mapping.dmp

Download
memory/3036-142-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-149-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-133-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-121-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-134-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-135-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-136-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-137-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-139-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-138-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-140-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-141-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-120-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/3036-143-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-144-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-145-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-146-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-147-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-148-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-132-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-150-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-151-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-152-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-160-0x00007FFF60B44560-0x00007FFF60B45560-memory.dmp

Filesize
4KB

Download
memory/3036-163-0x00007FFF60C80000-0x00007FFF60C82000-memory.dmp

Filesize
8KB

Download
memory/3036-131-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-130-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-129-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-128-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-127-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-122-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-126-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-125-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-124-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3036-123-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3964-115-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3964-119-0x000001B30A860000-0x000001B30A867000-memory.dmp

Filesize
28KB

Download
memory/4064-186-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads