dridex | ee40f35c8018e116d43f08fd0b17a8e822bc7673e6077dba7b081ffc4e920976

Analysis

max time kernel
164s
max time network
163s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee40f35c8018e116d43f08fd0b17a8e822bc7673e6077dba7b081ffc4e920976.dll
Size

1.7MB
MD5

1b03ff9a540d4d00792149f5d2b1dfc8
SHA1

52f80e3f8976a9795c24e80103d160828a424818
SHA256

ee40f35c8018e116d43f08fd0b17a8e822bc7673e6077dba7b081ffc4e920976
SHA512

0b76ab83042fd76991a9063a67936e130d97fce0d9fe1b5dcd1ae3c02a9e2e2125546ff2e151e3dbce6a3f21c0111e6855a369dbf7468fd737239346a7c7835b

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3036-120-0x00000000006A0000-0x00000000006A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EaseOfAccessDialog.exeFileHistory.exepwcreator.exe

pid process

1636 EaseOfAccessDialog.exe
2128 FileHistory.exe
2604 pwcreator.exe
Loads dropped DLL 3 IoCs

Processes:

EaseOfAccessDialog.exeFileHistory.exepwcreator.exe

pid process

1636 EaseOfAccessDialog.exe
2128 FileHistory.exe
2604 pwcreator.exe

pid	process
1636	EaseOfAccessDialog.exe
2128	FileHistory.exe
2604	pwcreator.exe

pid	process
1636	EaseOfAccessDialog.exe
2128	FileHistory.exe
2604	pwcreator.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wzmtblrj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ETKQNL~1\\FILEHI~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEaseOfAccessDialog.exeFileHistory.exepwcreator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FileHistory.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwcreator.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
404	rundll32.exe
404	rundll32.exe
404	rundll32.exe
404	rundll32.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036

pid	process
3036

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036
Token: SeShutdownPrivilege	3036
Token: SeCreatePagefilePrivilege	3036

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

pid process

3036
3036
3036
3036
3036
3036
3036
3036
3036
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

3036

pid	process
3036
3036
3036
3036
3036
3036
3036
3036
3036

pid	process
3036

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3036 wrote to memory of 1532	3036	EaseOfAccessDialog.exe
PID 3036 wrote to memory of 1532	3036	EaseOfAccessDialog.exe
PID 3036 wrote to memory of 1636	3036	EaseOfAccessDialog.exe
PID 3036 wrote to memory of 1636	3036	EaseOfAccessDialog.exe
PID 3036 wrote to memory of 2084	3036	FileHistory.exe
PID 3036 wrote to memory of 2084	3036	FileHistory.exe
PID 3036 wrote to memory of 2128	3036	FileHistory.exe
PID 3036 wrote to memory of 2128	3036	FileHistory.exe
PID 3036 wrote to memory of 2544	3036	pwcreator.exe
PID 3036 wrote to memory of 2544	3036	pwcreator.exe
PID 3036 wrote to memory of 2604	3036	pwcreator.exe
PID 3036 wrote to memory of 2604	3036	pwcreator.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ee40f35c8018e116d43f08fd0b17a8e822bc7673e6077dba7b081ffc4e920976.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:404

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:1532

C:\Users\Admin\AppData\Local\agLS5l\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\agLS5l\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1636

C:\Windows\system32\FileHistory.exe
C:\Windows\system32\FileHistory.exe
1⤵
PID:2084

C:\Users\Admin\AppData\Local\Dae\FileHistory.exe
C:\Users\Admin\AppData\Local\Dae\FileHistory.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2128

C:\Windows\system32\pwcreator.exe
C:\Windows\system32\pwcreator.exe
1⤵
PID:2544

C:\Users\Admin\AppData\Local\w3Cfo\pwcreator.exe
C:\Users\Admin\AppData\Local\w3Cfo\pwcreator.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2604

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dae\FileHistory.exe
MD5
2735b1264f7cb991b3f0d8b5c98b456f

SHA1
2e26a23c047632e985ea9bc64e92687930828156

SHA256
ca54111e88b368c117fe3168dddb5f383b17beac9290ee35d19cd307060d46e9

SHA512
e869426232e2f2bfab72d041423703d293674fd9b3519a0254bee6eacccecb9626398f7eeaeefbcf887a1524d0fb53c6209038b0faeab800b00a766f39e4a816

Download Submit
C:\Users\Admin\AppData\Local\Dae\UxTheme.dll
MD5
2325c9d2e9811c946d2ca3ec9f6725e0

SHA1
4fa3f7b2f357972b1a103ab48221906756147181

SHA256
31a8d42b43c0df1300bdb6d13de91a5dc157643d655ec5fc1efbd070170efbc3

SHA512
e7beec0b89aa40e8fec293f371ba804af7519a2e2f18e72f777aa696a49559aaac44f9c754c518a575ed619b69c24cc62c3e5683e9a9c90a9eaa3bcd69bd19bb

Download Submit
C:\Users\Admin\AppData\Local\agLS5l\EaseOfAccessDialog.exe
MD5
7eea1db3812b97249530920bb6984f1b

SHA1
64a217bb388459aee06f2e838404f5136faaee4d

SHA256
45d3a9f983aa6307ecba03bd5c8fe1dcaa510753178c8a126b55c565b7cf01c5

SHA512
911d60bb9780b9dda5e7f5cdc791d2c90fc161504d24a6d66a5f3c78dc3c2d30b5222247d4372486ba3c784a53a09a67c953aad7410e9a53c58fd49298bf421d

Download Submit
C:\Users\Admin\AppData\Local\agLS5l\OLEACC.dll
MD5
31445510432bc37c28e5f651b8e2f028

SHA1
baf49634c65e42947ed2b38c793206b9289b7937

SHA256
a4cc1d6dc34c9bdb943833ce8597ab314642f63ea332cecde2d216b45f15d197

SHA512
caf65689027011cf5736c648015bc0f27c869877b822643d4e2d968ddb778e649a93a41cb75a7e98d4daa4d8b8085bd7f374719de48c262945e8e46bdc1fbfa8

Download Submit
C:\Users\Admin\AppData\Local\w3Cfo\WINBRAND.dll
MD5
efb62a95b33385aae12364b3da9cddba

SHA1
58b9ecad9553f41068eb08ea5f5755b9889d2403

SHA256
5f3ecf8e42de755a8d50fb9ffd05d3e1a507f629c998e73be4472310bcf1ab61

SHA512
5ffce6a8b29a649a8042ef6b690df37376f9ed9173cfa5e3261c3c23ec6a685aa4284c72ae543ca394074eddaed0d1d8313b3baed035ea7ea078139c677afc20

Download Submit
C:\Users\Admin\AppData\Local\w3Cfo\pwcreator.exe
MD5
5a9ef500a0436e893542fca5e8876c9c

SHA1
bf8f802f67cf5f42ad6375b5159b4b2d8c5759a4

SHA256
a0af92d50e18376d996a3bfeb9e43cc8d2ea8385646542ea850c777850d588df

SHA512
ffda4df212242e87d399ddcd72fa99b14f0d18abcfdb6c69df65ce345e8c94f2c1fccb323252af5cb18a28abeef0b148c106631ec778a522f82b392c0547fdc8

Download Submit
\Users\Admin\AppData\Local\Dae\UxTheme.dll
MD5
2325c9d2e9811c946d2ca3ec9f6725e0

SHA1
4fa3f7b2f357972b1a103ab48221906756147181

SHA256
31a8d42b43c0df1300bdb6d13de91a5dc157643d655ec5fc1efbd070170efbc3

SHA512
e7beec0b89aa40e8fec293f371ba804af7519a2e2f18e72f777aa696a49559aaac44f9c754c518a575ed619b69c24cc62c3e5683e9a9c90a9eaa3bcd69bd19bb

Download Submit
\Users\Admin\AppData\Local\agLS5l\OLEACC.dll
MD5
31445510432bc37c28e5f651b8e2f028

SHA1
baf49634c65e42947ed2b38c793206b9289b7937

SHA256
a4cc1d6dc34c9bdb943833ce8597ab314642f63ea332cecde2d216b45f15d197

SHA512
caf65689027011cf5736c648015bc0f27c869877b822643d4e2d968ddb778e649a93a41cb75a7e98d4daa4d8b8085bd7f374719de48c262945e8e46bdc1fbfa8

Download Submit
\Users\Admin\AppData\Local\w3Cfo\WINBRAND.dll
MD5
efb62a95b33385aae12364b3da9cddba

SHA1
58b9ecad9553f41068eb08ea5f5755b9889d2403

SHA256
5f3ecf8e42de755a8d50fb9ffd05d3e1a507f629c998e73be4472310bcf1ab61

SHA512
5ffce6a8b29a649a8042ef6b690df37376f9ed9173cfa5e3261c3c23ec6a685aa4284c72ae543ca394074eddaed0d1d8313b3baed035ea7ea078139c677afc20

Download Submit
memory/404-115-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/404-119-0x000001D5D65A0000-0x000001D5D65A7000-memory.dmp

Filesize
28KB

Download
memory/1636-177-0x0000000140000000-0x00000001401BE000-memory.dmp

Filesize
1.7MB

Download
memory/1636-173-0x0000000000000000-mapping.dmp

Download
memory/2128-184-0x0000000000000000-mapping.dmp

Download
memory/2604-190-0x0000000000000000-mapping.dmp

Download
memory/3036-143-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-149-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-130-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-131-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-132-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-133-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-134-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-135-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-137-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-138-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-139-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-140-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-142-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-128-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-141-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-144-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-136-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-145-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-146-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-147-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-148-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-129-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-150-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-151-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-153-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-154-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-152-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-155-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-156-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-158-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-127-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-126-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-125-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-124-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-122-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-123-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-121-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-120-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3036-157-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-160-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-159-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/3036-168-0x00007FFD48774560-0x00007FFD48775560-memory.dmp

Filesize
4KB

Download
memory/3036-170-0x00007FFD488B0000-0x00007FFD488B2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads