dridex | f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158

Analysis

max time kernel
160s
max time network
136s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158.dll
Size

1.7MB
MD5

501fd7d1abf6fb55680bd56912948fa9
SHA1

7b6c0dd84c92de73d5555aaf81094a6a13528b97
SHA256

f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158
SHA512

b8c7058daa27cb5f9b48e81f2bc8f412ceb5590d5f7f2695bd6785d8c18c6e4de1bf44324a2da3f9a7ed4b6da28d215866a79274df11de827f258ddfb210a58e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3008-121-0x00000000032F0000-0x00000000032F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

systemreset.exewscript.exeEhStorAuthn.exe

pid process

5096 systemreset.exe
4132 wscript.exe
3788 EhStorAuthn.exe
Loads dropped DLL 3 IoCs

Processes:

systemreset.exewscript.exeEhStorAuthn.exe

pid process

5096 systemreset.exe
4132 wscript.exe
3788 EhStorAuthn.exe

pid	process
5096	systemreset.exe
4132	wscript.exe
3788	EhStorAuthn.exe

pid	process
5096	systemreset.exe
4132	wscript.exe
3788	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wzmtblrj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\ePTIRr\\wscript.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

systemreset.exewscript.exeEhStorAuthn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
4716	regsvr32.exe
4716	regsvr32.exe
4716	regsvr32.exe
4716	regsvr32.exe
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3008

pid	process
3008

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008
Token: SeShutdownPrivilege	3008
Token: SeCreatePagefilePrivilege	3008

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

3008
3008
3008
3008
3008
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

3008

pid	process
3008
3008
3008
3008
3008

pid	process
3008

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3008 wrote to memory of 5088	3008	systemreset.exe
PID 3008 wrote to memory of 5088	3008	systemreset.exe
PID 3008 wrote to memory of 5096	3008	systemreset.exe
PID 3008 wrote to memory of 5096	3008	systemreset.exe
PID 3008 wrote to memory of 1960	3008	wscript.exe
PID 3008 wrote to memory of 1960	3008	wscript.exe
PID 3008 wrote to memory of 4132	3008	wscript.exe
PID 3008 wrote to memory of 4132	3008	wscript.exe
PID 3008 wrote to memory of 3644	3008	EhStorAuthn.exe
PID 3008 wrote to memory of 3644	3008	EhStorAuthn.exe
PID 3008 wrote to memory of 3788	3008	EhStorAuthn.exe
PID 3008 wrote to memory of 3788	3008	EhStorAuthn.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f3cb52645012aeef6b8146b69407c71e6db6ba38a2c10e59e9a5ed02245f4158.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:5088

C:\Users\Admin\AppData\Local\OuFlb\systemreset.exe
C:\Users\Admin\AppData\Local\OuFlb\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5096

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1960

C:\Users\Admin\AppData\Local\N49vrc\wscript.exe
C:\Users\Admin\AppData\Local\N49vrc\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4132

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:3644

C:\Users\Admin\AppData\Local\1x8P\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\1x8P\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3788

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1x8P\EhStorAuthn.exe
MD5
118b5c1b372cb01ce63d5eaa2358633b

SHA1
3c51c58c5e17c435e004dc08b16cf9609229281c

SHA256
0c92e6ef942d548686bcfc277fef5b830d79e04a42efc358045f8a170a218d30

SHA512
33ac3b760ac48544885a3edc4bc04d4dd37786109cb2016f4aabfc3ab02b1140dc43963474a54c5cd808a41b3755f0e6cb9cc1e2ebd4e86fd2d2c5973ff8401e

Download Submit
C:\Users\Admin\AppData\Local\1x8P\UxTheme.dll
MD5
4f3cebca28e8057870dabd8f383e0a37

SHA1
069608343224c3df0d201bae8ad56586c9aeb5a1

SHA256
30e2adc9090f2a99ffb6873026d2a542a463eb33a3fdf9d55ab98a4daae48150

SHA512
bd868c027a83834e068c0170ded564a2f0782571235179eee59dbad1dbd270c3f555dff35950073053cd3ff1b82fca04c16e788d3336079ec383107c02d0b86e

Download Submit
C:\Users\Admin\AppData\Local\N49vrc\VERSION.dll
MD5
c3a9a6f0f9e77288bdf817a48f9540df

SHA1
7f26f97e7fab90982e6bf8d1893e4e7f1d1e25a2

SHA256
feddb21f2c89bcd99e8b4c2d23b92f52e754106837486f0615bf2f533dc5262f

SHA512
d8448f52e32a7989231398cbeffe2e6bd86cf3cd553dc8ccbd31c49b538615c1da1fcde1777b148dc77ec206a4fa59318d8a7fa707b07407e899ed0828ff2041

Download Submit
C:\Users\Admin\AppData\Local\N49vrc\wscript.exe
MD5
dd97f7527d1536afbff5bced8508661f

SHA1
c7e44c13ec4ca775630932c54afe1d5c9a0fe631

SHA256
c08432dc60c9ef7b12a41b0c73e6d716c220b4e9a4eda45c9072d1c81d910c55

SHA512
f06127f72fb5daae836644beb61e9d800db4a1915be9bebf8a6de7b3221135fe759d51b0ffddc5783acb50ca71d08996174fb4983c207727265ee63dd4487f37

Download Submit
C:\Users\Admin\AppData\Local\OuFlb\DUI70.dll
MD5
625f93bb446165d9b5161cbadf997869

SHA1
52b4de9d614067f43dba301270a3f56215caf18c

SHA256
9c0fe58925a997be6f75abf48477cce9c8e9c1142d0100352299ef80b4546cd9

SHA512
0ed72c2a7a61f66681ea7dee50dd0fd818a8ba5271ad683fd6e9cbb53e29bbf5eba030ea7ce8932a83ddb9797b95c4a1f34195dd739a8b892ece29ca78021384

Download Submit
C:\Users\Admin\AppData\Local\OuFlb\systemreset.exe
MD5
edf120755c3c58b7e2f2ea085ccc2298

SHA1
5d23a67059805426c5dcf28ece05b4b95b8bd5b6

SHA256
fcbe3646ae132221337f6a2823550f79ce6f2a20e54bdb33ea0fde0f6c6dec7e

SHA512
9d55fb581e33fcdef904d80c1671ad42479598ed39f32ffe25e81a792c2d7257dfe7f83cdbe47c466e53e23a9aa8541cc194f80f39762fd79253ec1cadf41eb0

Download Submit
\Users\Admin\AppData\Local\1x8P\UxTheme.dll
MD5
4f3cebca28e8057870dabd8f383e0a37

SHA1
069608343224c3df0d201bae8ad56586c9aeb5a1

SHA256
30e2adc9090f2a99ffb6873026d2a542a463eb33a3fdf9d55ab98a4daae48150

SHA512
bd868c027a83834e068c0170ded564a2f0782571235179eee59dbad1dbd270c3f555dff35950073053cd3ff1b82fca04c16e788d3336079ec383107c02d0b86e

Download Submit
\Users\Admin\AppData\Local\N49vrc\VERSION.dll
MD5
c3a9a6f0f9e77288bdf817a48f9540df

SHA1
7f26f97e7fab90982e6bf8d1893e4e7f1d1e25a2

SHA256
feddb21f2c89bcd99e8b4c2d23b92f52e754106837486f0615bf2f533dc5262f

SHA512
d8448f52e32a7989231398cbeffe2e6bd86cf3cd553dc8ccbd31c49b538615c1da1fcde1777b148dc77ec206a4fa59318d8a7fa707b07407e899ed0828ff2041

Download Submit
\Users\Admin\AppData\Local\OuFlb\DUI70.dll
MD5
625f93bb446165d9b5161cbadf997869

SHA1
52b4de9d614067f43dba301270a3f56215caf18c

SHA256
9c0fe58925a997be6f75abf48477cce9c8e9c1142d0100352299ef80b4546cd9

SHA512
0ed72c2a7a61f66681ea7dee50dd0fd818a8ba5271ad683fd6e9cbb53e29bbf5eba030ea7ce8932a83ddb9797b95c4a1f34195dd739a8b892ece29ca78021384

Download Submit
memory/3008-147-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-151-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-130-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-131-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-132-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-133-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-134-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-135-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-136-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-137-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-138-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-139-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-140-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-141-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-142-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-143-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-144-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-145-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-146-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-121-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/3008-148-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-149-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-150-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-129-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-152-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-153-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-154-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-155-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-156-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-157-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-158-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-166-0x00007FFB59534560-0x00007FFB59535560-memory.dmp

Filesize
4KB

Download
memory/3008-168-0x00007FFB59670000-0x00007FFB59672000-memory.dmp

Filesize
8KB

Download
memory/3008-123-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-122-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-128-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-127-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-124-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-125-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3008-126-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/3788-187-0x0000000000000000-mapping.dmp

Download
memory/4132-178-0x0000000000000000-mapping.dmp

Download
memory/4132-182-0x0000000140000000-0x00000001401AC000-memory.dmp

Filesize
1.7MB

Download
memory/4716-116-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/4716-120-0x0000000001110000-0x0000000001117000-memory.dmp

Filesize
28KB

Download
memory/5096-173-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/5096-169-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads