dridex | ec089cbe284c5a1297a9a4fbbfe11fca160b09140072b67a4b556931119e2c72

Analysis

max time kernel
150s
max time network
122s
platform
windows10_x64
resource
win10v20210408
submitted
15-09-2021 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec089cbe284c5a1297a9a4fbbfe11fca160b09140072b67a4b556931119e2c72.dll
Size

2.0MB
MD5

1f87f8356cb8da7291397bdedb616d62
SHA1

c94d9e204cd92b18012ba8a1da2bdd650b7c5809
SHA256

ec089cbe284c5a1297a9a4fbbfe11fca160b09140072b67a4b556931119e2c72
SHA512

9fadef2951dd4ffc02900b9baeaa8c4ee343d0582d338ae119d29268c196dee121b6d4708f0a1844f487c6750416a8030edfda0a8bd85dd80225e7bc2a23f150

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2988-119-0x0000000000B90000-0x0000000000B91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ddodiag.exeFileHistory.exerecdisc.exe

pid process

1432 ddodiag.exe
1928 FileHistory.exe
2352 recdisc.exe
Loads dropped DLL 3 IoCs

Processes:

ddodiag.exeFileHistory.exerecdisc.exe

pid process

1432 ddodiag.exe
1928 FileHistory.exe
2352 recdisc.exe

pid	process
1432	ddodiag.exe
1928	FileHistory.exe
2352	recdisc.exe

pid	process
1432	ddodiag.exe
1928	FileHistory.exe
2352	recdisc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\zjEvSOuc06\\FileHistory.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeddodiag.exeFileHistory.exerecdisc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FileHistory.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
572	rundll32.exe
572	rundll32.exe
572	rundll32.exe
572	rundll32.exe
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2988

pid	process
2988

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988
Token: SeShutdownPrivilege	2988
Token: SeCreatePagefilePrivilege	2988

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

2988
2988
2988
2988
2988
2988
2988
2988

pid	process
2988
2988
2988
2988
2988
2988
2988
2988

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2988 wrote to memory of 1424	2988	ddodiag.exe
PID 2988 wrote to memory of 1424	2988	ddodiag.exe
PID 2988 wrote to memory of 1432	2988	ddodiag.exe
PID 2988 wrote to memory of 1432	2988	ddodiag.exe
PID 2988 wrote to memory of 1824	2988	FileHistory.exe
PID 2988 wrote to memory of 1824	2988	FileHistory.exe
PID 2988 wrote to memory of 1928	2988	FileHistory.exe
PID 2988 wrote to memory of 1928	2988	FileHistory.exe
PID 2988 wrote to memory of 2144	2988	recdisc.exe
PID 2988 wrote to memory of 2144	2988	recdisc.exe
PID 2988 wrote to memory of 2352	2988	recdisc.exe
PID 2988 wrote to memory of 2352	2988	recdisc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec089cbe284c5a1297a9a4fbbfe11fca160b09140072b67a4b556931119e2c72.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:1424

C:\Users\Admin\AppData\Local\MZ5s\ddodiag.exe
C:\Users\Admin\AppData\Local\MZ5s\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1432

C:\Windows\system32\FileHistory.exe
C:\Windows\system32\FileHistory.exe
1⤵
PID:1824

C:\Users\Admin\AppData\Local\80N0JEeF\FileHistory.exe
C:\Users\Admin\AppData\Local\80N0JEeF\FileHistory.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1928

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:2144

C:\Users\Admin\AppData\Local\sd8p0N3kn\recdisc.exe
C:\Users\Admin\AppData\Local\sd8p0N3kn\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2352

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\80N0JEeF\FileHistory.exe
MD5
2735b1264f7cb991b3f0d8b5c98b456f

SHA1
2e26a23c047632e985ea9bc64e92687930828156

SHA256
ca54111e88b368c117fe3168dddb5f383b17beac9290ee35d19cd307060d46e9

SHA512
e869426232e2f2bfab72d041423703d293674fd9b3519a0254bee6eacccecb9626398f7eeaeefbcf887a1524d0fb53c6209038b0faeab800b00a766f39e4a816

Download Submit
C:\Users\Admin\AppData\Local\80N0JEeF\UxTheme.dll
MD5
e72894598a7a7bc6e92a9244771bd451

SHA1
d705b6058833a80f094b4a8c48eb7a0c4c41e7c5

SHA256
2e4d9bd5b63264334982b1be78263bfaa4f4d1c6ebb1bccebaa7d7d55df161f3

SHA512
15ac143b19b8467519cc2f6883b042e7b59d9eb64ffa57b95da90f763425f886140ad0f229f80a73ed959b299740328a1095b2a2eae24ca3cd1d178359ee4da7

Download Submit
C:\Users\Admin\AppData\Local\MZ5s\XmlLite.dll
MD5
670fac78656554deb654115bfcdef4e8

SHA1
2b529bae26f9bd011bfbccf4c6c2f3af013f4766

SHA256
44f8837a4b0ee3af2f1e75870005e0bf5e9b5464d1da23aa51673e5cf7770741

SHA512
fc2bd87a8ef048caf77cc6ec714d7228d4bb398531432aba924d51f811dd3c8945dab9ace9eced2fe07de0aac9f2c31978ab32b36314cb636e60ce706fb5cd60

Download Submit
C:\Users\Admin\AppData\Local\MZ5s\ddodiag.exe
MD5
ee569315bff1241a0dc3c7f03405459a

SHA1
93d96e68f251f47b0886301d9ee97620509379dd

SHA256
bea4eb76e40b43645905903b7ece43496f150974c17166cdcd2396d607d1e28a

SHA512
79782da92d927c2c963119fd5517bc7ea18bbc9ff70f8bd8b1e58857aef1d5cd45be0b3a1b87e00bcf05d2def63cbb71716987ee368f81a62df2cc9bca36eae0

Download Submit
C:\Users\Admin\AppData\Local\sd8p0N3kn\ReAgent.dll
MD5
90b62576c8b898b37d2abc32dc2e6f35

SHA1
95e8f425be3e8d08026835f1de6d4646fbfbe288

SHA256
5eaf51f9eca1af2d26ce62269d6cbafbd7d33da64072b1218eb19f13011d982a

SHA512
9a0c2705b1f523f2f25e8935bfaa97fd1deade2b2fc4a201b963a9f32fe41aebec14eb92089c270ad51d5472ac9e217fa9bcf9100124093fb13bb78cc5f090f1

Download Submit
C:\Users\Admin\AppData\Local\sd8p0N3kn\recdisc.exe
MD5
d1028c10d2c261d3470df8ff6347981b

SHA1
04a99956e99b8dbed380df60e0812e92685b6ca9

SHA256
063e57b52257fda4cfa15c98a84f3461a9fb1c9d39e6ab55eae41a793a4d852b

SHA512
80922e37cdfe69d5390f8a5bf8f0aab98407d40549c8972c33c6b9ef15b38962887ef4637c81c248ba7ee649bfe20f318358359140d879f7e2820e135e11a9c3

Download Submit
\Users\Admin\AppData\Local\80N0JEeF\UxTheme.dll
MD5
e72894598a7a7bc6e92a9244771bd451

SHA1
d705b6058833a80f094b4a8c48eb7a0c4c41e7c5

SHA256
2e4d9bd5b63264334982b1be78263bfaa4f4d1c6ebb1bccebaa7d7d55df161f3

SHA512
15ac143b19b8467519cc2f6883b042e7b59d9eb64ffa57b95da90f763425f886140ad0f229f80a73ed959b299740328a1095b2a2eae24ca3cd1d178359ee4da7

Download Submit
\Users\Admin\AppData\Local\MZ5s\XmlLite.dll
MD5
670fac78656554deb654115bfcdef4e8

SHA1
2b529bae26f9bd011bfbccf4c6c2f3af013f4766

SHA256
44f8837a4b0ee3af2f1e75870005e0bf5e9b5464d1da23aa51673e5cf7770741

SHA512
fc2bd87a8ef048caf77cc6ec714d7228d4bb398531432aba924d51f811dd3c8945dab9ace9eced2fe07de0aac9f2c31978ab32b36314cb636e60ce706fb5cd60

Download Submit
\Users\Admin\AppData\Local\sd8p0N3kn\ReAgent.dll
MD5
90b62576c8b898b37d2abc32dc2e6f35

SHA1
95e8f425be3e8d08026835f1de6d4646fbfbe288

SHA256
5eaf51f9eca1af2d26ce62269d6cbafbd7d33da64072b1218eb19f13011d982a

SHA512
9a0c2705b1f523f2f25e8935bfaa97fd1deade2b2fc4a201b963a9f32fe41aebec14eb92089c270ad51d5472ac9e217fa9bcf9100124093fb13bb78cc5f090f1

Download Submit
memory/572-114-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/572-118-0x0000025F27290000-0x0000025F27297000-memory.dmp

Filesize
28KB

Download
memory/1432-177-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1432-173-0x0000000000000000-mapping.dmp

Download
memory/1928-183-0x0000000000000000-mapping.dmp

Download
memory/2352-189-0x0000000000000000-mapping.dmp

Download
memory/2988-142-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-150-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-130-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-131-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-132-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-133-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-134-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-135-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-136-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-137-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-138-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-123-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-139-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-140-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-141-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-128-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-143-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-144-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-145-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-146-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-147-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-148-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-149-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-129-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-151-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-152-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-153-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-154-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-155-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-156-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-157-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-158-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-159-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-160-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-161-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-162-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-163-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-171-0x00007FFB6BCB4560-0x00007FFB6BCB5560-memory.dmp

Filesize
4KB

Download
memory/2988-180-0x00007FFB6BC00000-0x00007FFB6BC10000-memory.dmp

Filesize
64KB

Download
memory/2988-127-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-126-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-125-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-124-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-122-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-120-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-121-0x0000000140000000-0x00000001401F7000-memory.dmp

Filesize
2.0MB

Download
memory/2988-119-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads