dridex | b72dbcea16a99c7cf96d57c7c11835947931ec4ac0f59f8385b1ec5196023960

Analysis

max time kernel
161s
max time network
163s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b72dbcea16a99c7cf96d57c7c11835947931ec4ac0f59f8385b1ec5196023960.dll
Size

1.6MB
MD5

28effb727f36d3661308d8bf169add30
SHA1

b7723476227e80c23c17580b5e2aa1b403410a30
SHA256

b72dbcea16a99c7cf96d57c7c11835947931ec4ac0f59f8385b1ec5196023960
SHA512

fdadebea5c2a7e314f90761db5e60dfb0b64898e01274f3101c0dc4665e1faefc977bfd7ab254b91eaa4620e91940e140cec72f463b134f2a93e21b5f927a89d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2532-120-0x0000000000700000-0x0000000000701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DeviceEnroller.exeDevicePairingWizard.exeSndVol.exe

pid process

3488 DeviceEnroller.exe
3260 DevicePairingWizard.exe
508 SndVol.exe
Loads dropped DLL 3 IoCs

Processes:

DeviceEnroller.exeDevicePairingWizard.exeSndVol.exe

pid process

3488 DeviceEnroller.exe
3260 DevicePairingWizard.exe
508 SndVol.exe

pid	process
3488	DeviceEnroller.exe
3260	DevicePairingWizard.exe
508	SndVol.exe

pid	process
3488	DeviceEnroller.exe
3260	DevicePairingWizard.exe
508	SndVol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wzmtblrj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\a8Ofggu4\\DevicePairingWizard.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SndVol.exerundll32.exeDeviceEnroller.exeDevicePairingWizard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
4732	rundll32.exe
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532
2532

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2532

pid	process
2532

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532
Token: SeShutdownPrivilege	2532
Token: SeCreatePagefilePrivilege	2532

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

pid process

2532
2532
2532
2532
2532
2532
2532
2532
2532
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2532

pid	process
2532
2532
2532
2532
2532
2532
2532
2532
2532

pid	process
2532

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2532 wrote to memory of 3556	2532	DeviceEnroller.exe
PID 2532 wrote to memory of 3556	2532	DeviceEnroller.exe
PID 2532 wrote to memory of 3488	2532	DeviceEnroller.exe
PID 2532 wrote to memory of 3488	2532	DeviceEnroller.exe
PID 2532 wrote to memory of 3656	2532	DevicePairingWizard.exe
PID 2532 wrote to memory of 3656	2532	DevicePairingWizard.exe
PID 2532 wrote to memory of 3260	2532	DevicePairingWizard.exe
PID 2532 wrote to memory of 3260	2532	DevicePairingWizard.exe
PID 2532 wrote to memory of 4340	2532	SndVol.exe
PID 2532 wrote to memory of 4340	2532	SndVol.exe
PID 2532 wrote to memory of 508	2532	SndVol.exe
PID 2532 wrote to memory of 508	2532	SndVol.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b72dbcea16a99c7cf96d57c7c11835947931ec4ac0f59f8385b1ec5196023960.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:3556

C:\Users\Admin\AppData\Local\9NsOdcWqn\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\9NsOdcWqn\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3488

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:3656

C:\Users\Admin\AppData\Local\AsPzXw6z\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\AsPzXw6z\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3260

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:4340

C:\Users\Admin\AppData\Local\yZUb3\SndVol.exe
C:\Users\Admin\AppData\Local\yZUb3\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:508

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9NsOdcWqn\DeviceEnroller.exe
MD5
bd732a3a065f5cca6df003a7ca78bb35

SHA1
449d027d933fdd530a6a27d7c2132f98ee56374a

SHA256
fd5f32939c8de2d80a6f2481268313b5151c21c474c61635c92d2b8ea436955e

SHA512
d1cd727841522be31e979484cdea467501693e1a3bab2fabc72510c73698353c960f7d2c16be9a4406d804da2b2ad7da58827a630f9616ebe296cae481103701

Download Submit
C:\Users\Admin\AppData\Local\9NsOdcWqn\XmlLite.dll
MD5
53344538b9a59371700661b3de8af595

SHA1
19c20b2cea6cc3f4abb39b50731c4a7057708774

SHA256
7ebe0b099422bc17112e9bdcd5565327cea1d9235aed7c82435093d61b7477a0

SHA512
9120c20e4969f3bc21dee182bb7662e9b68c39e1c39a008686a373f0f21a51fdf6879091affcfc65abeeaab71bb86cd1aadfce77d2f8e29bacc5b8cf52bae111

Download Submit
C:\Users\Admin\AppData\Local\AsPzXw6z\DevicePairingWizard.exe
MD5
50d2e0183f1a3f4eb6897158ac6c6dc9

SHA1
39da481fb5ae670a4334652fefce7f5ea8842863

SHA256
9d9dadbf467fd2174356b82712fbcc691f643d5d8ec3d245145c2dc1f281e597

SHA512
1664661cbb271bd808ad0612ac1c5be521dd624bad9bc0a954f76237d82f3685566d76d928374afccc867b3b237e98c42ac600af8183f68ee1826294781053cd

Download Submit
C:\Users\Admin\AppData\Local\AsPzXw6z\MFC42u.dll
MD5
529dfc35c316106e171d03952754250f

SHA1
bb087b20042bc6808e9a496bf5a8c45dc732ced1

SHA256
0b1d7dfea64ba91af78accfcd54554278d08d20fce6a0de8179cb87a610d766c

SHA512
dc0741463bd8daf4dbc6ef5c8a39cb6dd1a178461c9a151676c872676878622bdaffeaabe22be847262e176953bd6622ca2f267fc14a098b50156b59a5391f15

Download Submit
C:\Users\Admin\AppData\Local\yZUb3\SndVol.exe
MD5
27205270f880954ac16dbe3436a8699a

SHA1
c94dee99c7a19f85be8feef0019969b972894437

SHA256
9520ffcee5ece79190dcccc9020e212d43aa6f58e2e633e2a5ed701e909abb6f

SHA512
5e9cbc33cb583c93db4df7781c8960185703da554db81b31087545cc82d4eaf7a3d94aa7aff2b9c999446c621896c264940f0b1c1b4ba0e71cb09ab3dcc6b44b

Download Submit
C:\Users\Admin\AppData\Local\yZUb3\dwmapi.dll
MD5
837e49f99dcd87110b633c634e39cbf1

SHA1
951956a1c3ac2fa63ddcfcd29fc2486a7f67025d

SHA256
8dbe2a65d6a8f995a7cc70cbeb56bc7038132da365adb197dfeeac6a9a105ae2

SHA512
6139cb02dd7f936f01d9593e36d576f3c6153c80391464a982761f7a33f18e688804565f70c62cd2e3c8015f18b31ec6c81912f1d7a6577867575eee8015974c

Download Submit
\Users\Admin\AppData\Local\9NsOdcWqn\XmlLite.dll
MD5
53344538b9a59371700661b3de8af595

SHA1
19c20b2cea6cc3f4abb39b50731c4a7057708774

SHA256
7ebe0b099422bc17112e9bdcd5565327cea1d9235aed7c82435093d61b7477a0

SHA512
9120c20e4969f3bc21dee182bb7662e9b68c39e1c39a008686a373f0f21a51fdf6879091affcfc65abeeaab71bb86cd1aadfce77d2f8e29bacc5b8cf52bae111

Download Submit
\Users\Admin\AppData\Local\AsPzXw6z\MFC42u.dll
MD5
529dfc35c316106e171d03952754250f

SHA1
bb087b20042bc6808e9a496bf5a8c45dc732ced1

SHA256
0b1d7dfea64ba91af78accfcd54554278d08d20fce6a0de8179cb87a610d766c

SHA512
dc0741463bd8daf4dbc6ef5c8a39cb6dd1a178461c9a151676c872676878622bdaffeaabe22be847262e176953bd6622ca2f267fc14a098b50156b59a5391f15

Download Submit
\Users\Admin\AppData\Local\yZUb3\dwmapi.dll
MD5
837e49f99dcd87110b633c634e39cbf1

SHA1
951956a1c3ac2fa63ddcfcd29fc2486a7f67025d

SHA256
8dbe2a65d6a8f995a7cc70cbeb56bc7038132da365adb197dfeeac6a9a105ae2

SHA512
6139cb02dd7f936f01d9593e36d576f3c6153c80391464a982761f7a33f18e688804565f70c62cd2e3c8015f18b31ec6c81912f1d7a6577867575eee8015974c

Download Submit
memory/508-195-0x0000000000000000-mapping.dmp

Download
memory/2532-149-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-155-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-129-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-130-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-131-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-132-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-133-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-134-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-135-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-136-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-137-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-138-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-140-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-141-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-142-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-139-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-143-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-144-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-145-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-146-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-147-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-148-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-128-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-150-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-151-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-152-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-154-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-127-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-153-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-156-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-157-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-158-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-160-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-161-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-159-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-162-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-163-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-164-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-165-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-166-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-174-0x00007FF8AA884560-0x00007FF8AA885560-memory.dmp

Filesize
4KB

Download
memory/2532-176-0x00007FF8AA9C0000-0x00007FF8AA9C2000-memory.dmp

Filesize
8KB

Download
memory/2532-120-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2532-121-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-122-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-126-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-125-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-124-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/2532-123-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/3260-190-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3260-186-0x0000000000000000-mapping.dmp

Download
memory/3488-181-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3488-177-0x0000000000000000-mapping.dmp

Download
memory/4732-115-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/4732-119-0x0000019A5FB00000-0x0000019A5FB07000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads