dridex | f025f6648a7f6974197106d60dd007b7fd8d07b64ba344a45a3a13d4f27a36fe

Analysis

max time kernel
163s
max time network
165s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f025f6648a7f6974197106d60dd007b7fd8d07b64ba344a45a3a13d4f27a36fe.dll
Size

1.9MB
MD5

1e9b0b70cdf360d0b18e097519ff669c
SHA1

d7f826da60ef7e74c9989f5e7dc94bd51bf5a4cb
SHA256

f025f6648a7f6974197106d60dd007b7fd8d07b64ba344a45a3a13d4f27a36fe
SHA512

98553a13caec28389568e21b9f5d24e5f6afcfafec20fec564ed0d54c42d7db6c534f0a7e781c95b0040c1b149dd3e833fceb978131c4e7b0efee6436798628b

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2372-120-0x0000000002450000-0x0000000002451000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemSettingsRemoveDevice.exeSystemSettingsRemoveDevice.exeSystemPropertiesComputerName.exe

pid process

512 SystemSettingsRemoveDevice.exe
728 SystemSettingsRemoveDevice.exe
692 SystemPropertiesComputerName.exe
Loads dropped DLL 3 IoCs

Processes:

SystemSettingsRemoveDevice.exeSystemSettingsRemoveDevice.exeSystemPropertiesComputerName.exe

pid process

512 SystemSettingsRemoveDevice.exe
728 SystemSettingsRemoveDevice.exe
692 SystemPropertiesComputerName.exe

pid	process
512	SystemSettingsRemoveDevice.exe
728	SystemSettingsRemoveDevice.exe
692	SystemPropertiesComputerName.exe

pid	process
512	SystemSettingsRemoveDevice.exe
728	SystemSettingsRemoveDevice.exe
692	SystemPropertiesComputerName.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wzmtblrj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\Sxysq7T\\SystemSettingsRemoveDevice.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemSettingsRemoveDevice.exeSystemSettingsRemoveDevice.exeSystemPropertiesComputerName.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4032	rundll32.exe
4032	rundll32.exe
4032	rundll32.exe
4032	rundll32.exe
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372
2372

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2372

pid	process
2372

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372
Token: SeShutdownPrivilege	2372
Token: SeCreatePagefilePrivilege	2372

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

pid process

2372
2372
2372
2372
2372
2372
2372
2372
2372
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2372

pid	process
2372
2372
2372
2372
2372
2372
2372
2372
2372

pid	process
2372

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2372 wrote to memory of 3936	2372	SystemSettingsRemoveDevice.exe
PID 2372 wrote to memory of 3936	2372	SystemSettingsRemoveDevice.exe
PID 2372 wrote to memory of 512	2372	SystemSettingsRemoveDevice.exe
PID 2372 wrote to memory of 512	2372	SystemSettingsRemoveDevice.exe
PID 2372 wrote to memory of 3244	2372	SystemSettingsRemoveDevice.exe
PID 2372 wrote to memory of 3244	2372	SystemSettingsRemoveDevice.exe
PID 2372 wrote to memory of 728	2372	SystemSettingsRemoveDevice.exe
PID 2372 wrote to memory of 728	2372	SystemSettingsRemoveDevice.exe
PID 2372 wrote to memory of 620	2372	SystemPropertiesComputerName.exe
PID 2372 wrote to memory of 620	2372	SystemPropertiesComputerName.exe
PID 2372 wrote to memory of 692	2372	SystemPropertiesComputerName.exe
PID 2372 wrote to memory of 692	2372	SystemPropertiesComputerName.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f025f6648a7f6974197106d60dd007b7fd8d07b64ba344a45a3a13d4f27a36fe.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4032

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:3936

C:\Users\Admin\AppData\Local\3XGuHara\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\3XGuHara\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:512

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:3244

C:\Users\Admin\AppData\Local\XO3q\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\XO3q\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:728

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:620

C:\Users\Admin\AppData\Local\duIWL\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\duIWL\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3XGuHara\DUI70.dll
MD5
3f5900731661598f6898ee79a201b265

SHA1
e67566f4c4ffe2671d9998feb610d18fa5c30aa6

SHA256
efa6ffc9bb9671f426c258eeb83c6d8d7dcb010cbb9b2e2b8fcb83a544676809

SHA512
a3ecd7cfac9a7e146273cbffd389c74d82ba301e195641f5b305ff79561541f9d9992741cae8223b3819a11846111dce0cfcd792df9b0bb88d694368c6de4e1c

Download Submit
C:\Users\Admin\AppData\Local\3XGuHara\SystemSettingsRemoveDevice.exe
MD5
1771b590ef3596cb28d87d24314203bc

SHA1
f85e8e74e1f418924876691a0aa264bb3d78b490

SHA256
2fe587993ce955611c501bafb188e9c3ff15d360d5f066970da87e65645206cc

SHA512
388fa0ca89ee7bd5f3ef6fca149a3606864ffecbe2cf6ca16a216007caf388e040c29492686c0161519c6ac13e650108ba97183dbd1083d4c11f7eae1d4e002c

Download Submit
C:\Users\Admin\AppData\Local\XO3q\DUI70.dll
MD5
d47ea01dfcb8cbdff5dbb462d062cf76

SHA1
9500e5d80d2979dd973c0f247aa36706eac89693

SHA256
929d1ec998a34a174a6dad5ba0d2ffe12578977388ae6a73be0a8401051c8b02

SHA512
4aaecd9ba7146df56cb7a5a688f179a17c3b2f5729010e1b23bc096d292a812a757935cb2d4e076fdeceae66c4c9b5d8cd0c746cf70ae02faf2ce025ef6016ec

Download Submit
C:\Users\Admin\AppData\Local\XO3q\SystemSettingsRemoveDevice.exe
MD5
1771b590ef3596cb28d87d24314203bc

SHA1
f85e8e74e1f418924876691a0aa264bb3d78b490

SHA256
2fe587993ce955611c501bafb188e9c3ff15d360d5f066970da87e65645206cc

SHA512
388fa0ca89ee7bd5f3ef6fca149a3606864ffecbe2cf6ca16a216007caf388e040c29492686c0161519c6ac13e650108ba97183dbd1083d4c11f7eae1d4e002c

Download Submit
C:\Users\Admin\AppData\Local\duIWL\SYSDM.CPL
MD5
9e21bf8d9febd67345d52452f8769e39

SHA1
f1e26ad9a2bc99d129179acdcb476fecff75a297

SHA256
d98bcc44b4e7824cd5652f2d92a44600b689ff439bc257928be159c477ef0799

SHA512
9e348d457f74ee34f2363d94234adf54b3cf2f3358f4f01c99aa7ec7b9a2bce597d83781e95bf9cf0dad2c0c9e2e854555b753012dad32f3482098c78b8967d4

Download Submit
C:\Users\Admin\AppData\Local\duIWL\SystemPropertiesComputerName.exe
MD5
d2d62d055f517f71b0fd9a649727ff6c

SHA1
43f627215d57e0396ad74e9b0ed4bd29f60fca33

SHA256
222d3d4f7c8f64beb0a0007120b4411c2040c50e1d376420228151bdd230fe7d

SHA512
f46e02a465425a148fcd4be5fda0889c412eeab4c50abf9874b3ee02af83c96403167c99aa57961e1c631a5a7a5070e8a1c363688581ff83ed176b4206564cd0

Download Submit
\Users\Admin\AppData\Local\3XGuHara\DUI70.dll
MD5
3f5900731661598f6898ee79a201b265

SHA1
e67566f4c4ffe2671d9998feb610d18fa5c30aa6

SHA256
efa6ffc9bb9671f426c258eeb83c6d8d7dcb010cbb9b2e2b8fcb83a544676809

SHA512
a3ecd7cfac9a7e146273cbffd389c74d82ba301e195641f5b305ff79561541f9d9992741cae8223b3819a11846111dce0cfcd792df9b0bb88d694368c6de4e1c

Download Submit
\Users\Admin\AppData\Local\XO3q\DUI70.dll
MD5
d47ea01dfcb8cbdff5dbb462d062cf76

SHA1
9500e5d80d2979dd973c0f247aa36706eac89693

SHA256
929d1ec998a34a174a6dad5ba0d2ffe12578977388ae6a73be0a8401051c8b02

SHA512
4aaecd9ba7146df56cb7a5a688f179a17c3b2f5729010e1b23bc096d292a812a757935cb2d4e076fdeceae66c4c9b5d8cd0c746cf70ae02faf2ce025ef6016ec

Download Submit
\Users\Admin\AppData\Local\duIWL\SYSDM.CPL
MD5
9e21bf8d9febd67345d52452f8769e39

SHA1
f1e26ad9a2bc99d129179acdcb476fecff75a297

SHA256
d98bcc44b4e7824cd5652f2d92a44600b689ff439bc257928be159c477ef0799

SHA512
9e348d457f74ee34f2363d94234adf54b3cf2f3358f4f01c99aa7ec7b9a2bce597d83781e95bf9cf0dad2c0c9e2e854555b753012dad32f3482098c78b8967d4

Download Submit
memory/512-158-0x0000000000000000-mapping.dmp

Download
memory/512-162-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/692-176-0x0000000000000000-mapping.dmp

Download
memory/692-180-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/728-167-0x0000000000000000-mapping.dmp

Download
memory/2372-129-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-147-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-134-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-136-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-137-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-135-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-138-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-139-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-140-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-141-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-142-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-144-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-145-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-146-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-143-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-133-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-155-0x00007FF934304560-0x00007FF934305560-memory.dmp

Filesize
4KB

Download
memory/2372-157-0x00007FF934250000-0x00007FF934260000-memory.dmp

Filesize
64KB

Download
memory/2372-132-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-131-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-130-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-120-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2372-128-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-127-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-126-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-125-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-121-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-124-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-123-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2372-122-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/4032-115-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/4032-119-0x000002857CD20000-0x000002857CD27000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads