dridex | bf9ad9586d3a1594e627b0e4c13615cc806d8f73be0ac8fa8b79e08436ac503d

Analysis

max time kernel
161s
max time network
167s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf9ad9586d3a1594e627b0e4c13615cc806d8f73be0ac8fa8b79e08436ac503d.dll
Size

1.7MB
MD5

0d4820d7d8af4fd62be7375b1529f047
SHA1

6bdbde14cf1bfc55c70c1e6c75e4290f11676f3f
SHA256

bf9ad9586d3a1594e627b0e4c13615cc806d8f73be0ac8fa8b79e08436ac503d
SHA512

7e647cf441b51898c4ee3e1cc6047b7cae3e6cfe1f09b4034cb7628869b8b1288617b65a76a517d3580b42f8214eb0acb6ab4b6edea031c47bfb46da3ded99c8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3040-120-0x00000000011C0000-0x00000000011C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DisplaySwitch.exeTaskmgr.exeSystemPropertiesPerformance.exe

pid process

5096 DisplaySwitch.exe
3568 Taskmgr.exe
3016 SystemPropertiesPerformance.exe
Loads dropped DLL 3 IoCs

Processes:

DisplaySwitch.exeTaskmgr.exeSystemPropertiesPerformance.exe

pid process

5096 DisplaySwitch.exe
3568 Taskmgr.exe
3016 SystemPropertiesPerformance.exe

pid	process
5096	DisplaySwitch.exe
3568	Taskmgr.exe
3016	SystemPropertiesPerformance.exe

pid	process
5096	DisplaySwitch.exe
3568	Taskmgr.exe
3016	SystemPropertiesPerformance.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wzmtblrj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\92tVRK\\Taskmgr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDisplaySwitch.exeTaskmgr.exeSystemPropertiesPerformance.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4772	rundll32.exe
4772	rundll32.exe
4772	rundll32.exe
4772	rundll32.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040

pid	process
3040

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

pid process

3040
3040
3040
3040
3040
3040
3040
3040
3040
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

3040

pid	process
3040
3040
3040
3040
3040
3040
3040
3040
3040

pid	process
3040

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3040 wrote to memory of 5084	3040	DisplaySwitch.exe
PID 3040 wrote to memory of 5084	3040	DisplaySwitch.exe
PID 3040 wrote to memory of 5096	3040	DisplaySwitch.exe
PID 3040 wrote to memory of 5096	3040	DisplaySwitch.exe
PID 3040 wrote to memory of 3724	3040	Taskmgr.exe
PID 3040 wrote to memory of 3724	3040	Taskmgr.exe
PID 3040 wrote to memory of 3568	3040	Taskmgr.exe
PID 3040 wrote to memory of 3568	3040	Taskmgr.exe
PID 3040 wrote to memory of 3028	3040	SystemPropertiesPerformance.exe
PID 3040 wrote to memory of 3028	3040	SystemPropertiesPerformance.exe
PID 3040 wrote to memory of 3016	3040	SystemPropertiesPerformance.exe
PID 3040 wrote to memory of 3016	3040	SystemPropertiesPerformance.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bf9ad9586d3a1594e627b0e4c13615cc806d8f73be0ac8fa8b79e08436ac503d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:5084

C:\Users\Admin\AppData\Local\RRda\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\RRda\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5096

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:3724

C:\Users\Admin\AppData\Local\mIDsNAD\Taskmgr.exe
C:\Users\Admin\AppData\Local\mIDsNAD\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3568

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:3028

C:\Users\Admin\AppData\Local\3CMD\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\3CMD\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3CMD\SYSDM.CPL
MD5
725f040c13b34481ab84866d6645eb4f

SHA1
e78af39982b892759df4239258aac10338d96fb0

SHA256
64f90f368bb26055c7ca82e2ea35f2c796781540393054799f93fbc2654710a6

SHA512
4555c26e502cc7f483c5171b253df09c540d6a624b717c89662dca273bf4419fcf83348ce523e42c907162fe58210591acf3766976083bf2337879a4012aed25

Download Submit
C:\Users\Admin\AppData\Local\3CMD\SystemPropertiesPerformance.exe
MD5
0a23dbe5f3926280d0eeef6e35b8e603

SHA1
3023d1eaef3944a8487c18672af1d562114b9f5f

SHA256
24482d0a1972e7424e50de2aeb37d6f0d8a05e3f09afe4a0c7354817193a2d40

SHA512
ef7c1f4fe4d20f47f4d8576df86cdd14f89e35a88e1253f27a0432e4963885acede7622e350116135f0f90eb2eaea60cba5f0612c127cb495e5e4f54333126f4

Download Submit
C:\Users\Admin\AppData\Local\RRda\DisplaySwitch.exe
MD5
9e139d8cdf910f624c4cb0a63cbab22d

SHA1
14b7259a609fddb0c561e1154dac638fa0db06b3

SHA256
3374874744179d8f880791ff4373736d9bb93ae3275be6ff26b296b4d8b9619c

SHA512
d2c7521cc65c92da10a337303f5902560f3dc30ba0dfb959196337d4dcbc13a2ef69de7e7cfdc5e983affc3fc6938a485ef8ead0cf1c485aa0893c667fe08357

Download Submit
C:\Users\Admin\AppData\Local\RRda\UxTheme.dll
MD5
755e8e792b3fefa4f85a62e3be57c62e

SHA1
98ee03b1e07d209e69f11354648c08587c91b0f1

SHA256
d2e76705573dd0d88efbb02984d8fd341886d8836f59948bb57e49209be0f9bc

SHA512
a922c60fb28ed0d670170f4dad0dd4c9ed144026e22d6ba77035ad5248f18b1109b5e637efcda99eec8b600e2339ded2e1c6d406ac36aa32abf81183989b9c5c

Download Submit
C:\Users\Admin\AppData\Local\mIDsNAD\DUser.dll
MD5
4a76019277e7084fdb54b55ae017a459

SHA1
b0ae49af5e21cfb5bfadc13ed95db2114976351b

SHA256
6036b7ac8ce9f51c23114340279c2e941431b88fd794bda0397796ca7614aabf

SHA512
af285c8f549eca155cfef57eb0f18c72c208c19417549df44cfa646d08e12c33b2bc0fc25dd5b6ae81e01575d6044a12e5edddca7570573450692adf735faab9

Download Submit
C:\Users\Admin\AppData\Local\mIDsNAD\Taskmgr.exe
MD5
d3ef2efc7232674315e0573e464e8aa7

SHA1
237ee3acc4743d05858056e09147a071b6e956e7

SHA256
feecaba50bc95bd6540e5a075693d6dc961a9d5ef86f1bfb38f7bcde6e757472

SHA512
1e03b1ad8059c28bfaa42f63626f2025cf1659266323255871a90b5ef2db9ab754ba4ffe9abe37bf3f5d92e494231c5fb81ba4d893f3a9833c2a5edf23825cc5

Download Submit
\Users\Admin\AppData\Local\3CMD\SYSDM.CPL
MD5
725f040c13b34481ab84866d6645eb4f

SHA1
e78af39982b892759df4239258aac10338d96fb0

SHA256
64f90f368bb26055c7ca82e2ea35f2c796781540393054799f93fbc2654710a6

SHA512
4555c26e502cc7f483c5171b253df09c540d6a624b717c89662dca273bf4419fcf83348ce523e42c907162fe58210591acf3766976083bf2337879a4012aed25

Download Submit
\Users\Admin\AppData\Local\RRda\UxTheme.dll
MD5
755e8e792b3fefa4f85a62e3be57c62e

SHA1
98ee03b1e07d209e69f11354648c08587c91b0f1

SHA256
d2e76705573dd0d88efbb02984d8fd341886d8836f59948bb57e49209be0f9bc

SHA512
a922c60fb28ed0d670170f4dad0dd4c9ed144026e22d6ba77035ad5248f18b1109b5e637efcda99eec8b600e2339ded2e1c6d406ac36aa32abf81183989b9c5c

Download Submit
\Users\Admin\AppData\Local\mIDsNAD\DUser.dll
MD5
4a76019277e7084fdb54b55ae017a459

SHA1
b0ae49af5e21cfb5bfadc13ed95db2114976351b

SHA256
6036b7ac8ce9f51c23114340279c2e941431b88fd794bda0397796ca7614aabf

SHA512
af285c8f549eca155cfef57eb0f18c72c208c19417549df44cfa646d08e12c33b2bc0fc25dd5b6ae81e01575d6044a12e5edddca7570573450692adf735faab9

Download Submit
memory/3016-194-0x0000000000000000-mapping.dmp

Download
memory/3040-149-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-153-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-130-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-131-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-132-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-133-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-134-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-135-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-136-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-137-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-138-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-139-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-141-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-142-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-143-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-144-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-145-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-146-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-147-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-148-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-120-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/3040-140-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-150-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-151-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-152-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-129-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-154-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-157-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-158-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-159-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-160-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-156-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-161-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-155-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-169-0x00007FFBA1CE4560-0x00007FFBA1CE5560-memory.dmp

Filesize
4KB

Download
memory/3040-121-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-128-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-174-0x00007FFBA1E20000-0x00007FFBA1E22000-memory.dmp

Filesize
8KB

Download
memory/3040-127-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-126-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-122-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-124-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-123-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3040-125-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/3568-185-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/3568-181-0x0000000000000000-mapping.dmp

Download
memory/4772-115-0x0000000140000000-0x00000001401BF000-memory.dmp

Filesize
1.7MB

Download
memory/4772-119-0x0000028B33EC0000-0x0000028B33EC7000-memory.dmp

Filesize
28KB

Download
memory/5096-176-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5096-171-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads