dridex | f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158

Analysis

max time kernel
159s
max time network
140s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158.dll
Size

1.7MB
MD5

501fd7d1abf6fb55680bd56912948fa9
SHA1

7b6c0dd84c92de73d5555aaf81094a6a13528b97
SHA256

f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158
SHA512

b8c7058daa27cb5f9b48e81f2bc8f412ceb5590d5f7f2695bd6785d8c18c6e4de1bf44324a2da3f9a7ed4b6da28d215866a79274df11de827f258ddfb210a58e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-57-0x0000000002A80000-0x0000000002A81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wextract.exemfpmp.exerecdisc.exe

pid process

1900 wextract.exe
1912 mfpmp.exe
1284 recdisc.exe
Loads dropped DLL 7 IoCs

Processes:

wextract.exemfpmp.exerecdisc.exe

pid process

1204
1900 wextract.exe
1204
1912 mfpmp.exe
1204
1284 recdisc.exe
1204

pid	process
1900	wextract.exe
1912	mfpmp.exe
1284	recdisc.exe

pid	process
1204
1900	wextract.exe
1204
1912	mfpmp.exe
1204
1284	recdisc.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gtdwm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\7a4bvXh5nW\\mfpmp.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mfpmp.exerecdisc.exewextract.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1540	regsvr32.exe
1540	regsvr32.exe
1540	regsvr32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204
Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

pid process

1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
Suspicious use of SendNotifyMessage 30 IoCs

Processes:

pid process

1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

pid	process
1204

pid	process
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

pid	process
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 856	1204	wextract.exe
PID 1204 wrote to memory of 856	1204	wextract.exe
PID 1204 wrote to memory of 856	1204	wextract.exe
PID 1204 wrote to memory of 1900	1204	wextract.exe
PID 1204 wrote to memory of 1900	1204	wextract.exe
PID 1204 wrote to memory of 1900	1204	wextract.exe
PID 1204 wrote to memory of 316	1204	mfpmp.exe
PID 1204 wrote to memory of 316	1204	mfpmp.exe
PID 1204 wrote to memory of 316	1204	mfpmp.exe
PID 1204 wrote to memory of 1912	1204	mfpmp.exe
PID 1204 wrote to memory of 1912	1204	mfpmp.exe
PID 1204 wrote to memory of 1912	1204	mfpmp.exe
PID 1204 wrote to memory of 1300	1204	recdisc.exe
PID 1204 wrote to memory of 1300	1204	recdisc.exe
PID 1204 wrote to memory of 1300	1204	recdisc.exe
PID 1204 wrote to memory of 1284	1204	recdisc.exe
PID 1204 wrote to memory of 1284	1204	recdisc.exe
PID 1204 wrote to memory of 1284	1204	recdisc.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:856

C:\Users\Admin\AppData\Local\XoBiuzci0\wextract.exe
C:\Users\Admin\AppData\Local\XoBiuzci0\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1900

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:316

C:\Users\Admin\AppData\Local\JJYsDSpF\mfpmp.exe
C:\Users\Admin\AppData\Local\JJYsDSpF\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1912

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:1300

C:\Users\Admin\AppData\Local\KVaX6WV\recdisc.exe
C:\Users\Admin\AppData\Local\KVaX6WV\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1284

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JJYsDSpF\MFPlat.DLL
MD5
4f9bb207a4df8dcd421229d492b4c23a

SHA1
eb6294e67fb9150725478fa670d249c45cd78635

SHA256
1eb8b0232c6cff39b4f96770b34ce93daada746994180202ad3536e92d1a7403

SHA512
0edd8d4a67746a86404bffe343005a589dac3b405ca673c911e639731e5e14c772f134c3b614de09a13bb0b16130bfcea730739de638927fdb3c8b119c555162

Download Submit
C:\Users\Admin\AppData\Local\JJYsDSpF\mfpmp.exe
MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
C:\Users\Admin\AppData\Local\KVaX6WV\recdisc.exe
MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
C:\Users\Admin\AppData\Local\XoBiuzci0\VERSION.dll
MD5
bb54c65a588f1b88c7ab94eb9d6a1299

SHA1
df6081854652f27539b7cfd5426c3e78f5baf811

SHA256
20de5063354f88f47eb7552dccb5dc091184a5a857b053dcb30a65f05a76b1d8

SHA512
67ca86ef1c845e303aa7f181d8b95fc98e5679a745511ad2e32124325cfc66c6cd547c2fa5ebe09844409af53e17ee8853093c32be6974ecd55235bae31d0408

Download Submit
C:\Users\Admin\AppData\Local\XoBiuzci0\wextract.exe
MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
\Users\Admin\AppData\Local\JJYsDSpF\MFPlat.DLL
MD5
4f9bb207a4df8dcd421229d492b4c23a

SHA1
eb6294e67fb9150725478fa670d249c45cd78635

SHA256
1eb8b0232c6cff39b4f96770b34ce93daada746994180202ad3536e92d1a7403

SHA512
0edd8d4a67746a86404bffe343005a589dac3b405ca673c911e639731e5e14c772f134c3b614de09a13bb0b16130bfcea730739de638927fdb3c8b119c555162

Download Submit
\Users\Admin\AppData\Local\JJYsDSpF\mfpmp.exe
MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\KVaX6WV\ReAgent.dll
MD5
2395b71e88b59c0984b0cf6b9c19b66d

SHA1
0a65af9d5916e8210de8331bece641c28e5df35a

SHA256
6d9acf5b3fd26b9007f8649bc1ebb6cc3e99a720c4640a42d22890a7a1bd12f4

SHA512
5059799bd424a81fd9d2d94ad482f9332b7034182a727a8d52260fa3ae1b87cb4397fddca6dc9769c088f5a85e70cfb57130111a3844dd3903fc34d6bb4ae343

Download Submit
\Users\Admin\AppData\Local\KVaX6WV\recdisc.exe
MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
\Users\Admin\AppData\Local\XoBiuzci0\VERSION.dll
MD5
bb54c65a588f1b88c7ab94eb9d6a1299

SHA1
df6081854652f27539b7cfd5426c3e78f5baf811

SHA256
20de5063354f88f47eb7552dccb5dc091184a5a857b053dcb30a65f05a76b1d8

SHA512
67ca86ef1c845e303aa7f181d8b95fc98e5679a745511ad2e32124325cfc66c6cd547c2fa5ebe09844409af53e17ee8853093c32be6974ecd55235bae31d0408

Download Submit
\Users\Admin\AppData\Local\XoBiuzci0\wextract.exe
MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\kAMfdDkn\recdisc.exe
MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
memory/1204-82-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-92-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-63-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-62-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-60-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-59-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-58-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-76-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-75-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-74-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-73-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-81-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-86-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-85-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-84-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-83-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-57-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1204-80-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-79-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-78-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-77-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-94-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-93-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-64-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-91-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-90-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-89-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-88-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-87-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-100-0x0000000077A80000-0x0000000077A82000-memory.dmp

Filesize
8KB

Download
memory/1204-65-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-61-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-66-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-67-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-68-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-72-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-69-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-70-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1204-71-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1284-117-0x0000000000000000-mapping.dmp

Download
memory/1540-53-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1540-56-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1540-54-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1900-107-0x0000000140000000-0x00000001401AC000-memory.dmp

Filesize
1.7MB

Download
memory/1900-102-0x0000000000000000-mapping.dmp

Download
memory/1912-110-0x0000000000000000-mapping.dmp

Download
memory/1912-114-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads