dridex | c7df81957b115f26c8fd50231ac26abecb98e85aeddc9331492b1c7ff7e6640f

Analysis

max time kernel
152s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
15-09-2021 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7df81957b115f26c8fd50231ac26abecb98e85aeddc9331492b1c7ff7e6640f.dll
Size

1.5MB
MD5

198fae5aa298ab457d3de1a0544fe063
SHA1

60dc910a2342f96f0132a83e86213d55f01168c7
SHA256

c7df81957b115f26c8fd50231ac26abecb98e85aeddc9331492b1c7ff7e6640f
SHA512

4d8450c3cba80edc044215f4a36643260080cb1d66ba4504fc9b175c84086f829a11502d4120ef8aeb954b052d1fda852bc9fba370d89c70fa8b9eb09374a2a6

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3048-119-0x0000000000AD0000-0x0000000000AD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

slui.exeembeddedapplauncher.execttune.exe

pid process

4968 slui.exe
4100 embeddedapplauncher.exe
3368 cttune.exe
Loads dropped DLL 3 IoCs

Processes:

slui.exeembeddedapplauncher.execttune.exe

pid process

4968 slui.exe
4100 embeddedapplauncher.exe
3368 cttune.exe

pid	process
4968	slui.exe
4100	embeddedapplauncher.exe
3368	cttune.exe

pid	process
4968	slui.exe
4100	embeddedapplauncher.exe
3368	cttune.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\Nme\\embeddedapplauncher.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeslui.exeembeddedapplauncher.execttune.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	embeddedapplauncher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048

pid	process
3048

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

3048
3048
3048
3048
3048
3048
3048
3048

pid	process
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3048 wrote to memory of 4952	3048	slui.exe
PID 3048 wrote to memory of 4952	3048	slui.exe
PID 3048 wrote to memory of 4968	3048	slui.exe
PID 3048 wrote to memory of 4968	3048	slui.exe
PID 3048 wrote to memory of 5092	3048	embeddedapplauncher.exe
PID 3048 wrote to memory of 5092	3048	embeddedapplauncher.exe
PID 3048 wrote to memory of 4100	3048	embeddedapplauncher.exe
PID 3048 wrote to memory of 4100	3048	embeddedapplauncher.exe
PID 3048 wrote to memory of 1992	3048	cttune.exe
PID 3048 wrote to memory of 1992	3048	cttune.exe
PID 3048 wrote to memory of 3368	3048	cttune.exe
PID 3048 wrote to memory of 3368	3048	cttune.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7df81957b115f26c8fd50231ac26abecb98e85aeddc9331492b1c7ff7e6640f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:4952

C:\Users\Admin\AppData\Local\KiY\slui.exe
C:\Users\Admin\AppData\Local\KiY\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4968

C:\Windows\system32\embeddedapplauncher.exe
C:\Windows\system32\embeddedapplauncher.exe
1⤵
PID:5092

C:\Users\Admin\AppData\Local\pSqtJg\embeddedapplauncher.exe
C:\Users\Admin\AppData\Local\pSqtJg\embeddedapplauncher.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4100

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:1992

C:\Users\Admin\AppData\Local\QY5u6mzL\cttune.exe
C:\Users\Admin\AppData\Local\QY5u6mzL\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3368

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KiY\WTSAPI32.dll
MD5
54e2f69223532bfa6a0b8fa08e69e5b3

SHA1
f72a028e5e56311d108d6095eb1b289f9f2e9a19

SHA256
2b6aff7784ee7bf4c04241823dc2c0b5ebdfef02c975f5617b04aefe805a4654

SHA512
92953d0d6c738a1663ae5c0cfcfd1c0ae4475d0a929ebbd363515332197d6afe902703f6390d042be74308fb1a0e2379224a6fc1a3fccefc3c12317989149e1b

Download Submit
C:\Users\Admin\AppData\Local\KiY\slui.exe
MD5
f162f859fb38a39f83c049f5480c11eb

SHA1
4090dacb56dbff6a5306e13ff5fa157eca4714a9

SHA256
67daef4a468f00305a44e41b369890fc0d6ed41c509432c6b1402caa1b09b7c5

SHA512
73a7ba851b560caf0a4150ff192c02bcac5475de2f265430e079ce1a20dc25b0f86873bc1dc4db0fc660031aa7c32d03a941ada8afc0bc91c63fb2e9ed8e0d80

Download Submit
C:\Users\Admin\AppData\Local\QY5u6mzL\OLEACC.dll
MD5
b60534f7c18e9a22a275a48e7f444a64

SHA1
4380c7dc38deee91d76798159c1743abf1e94e3c

SHA256
20275ae4f8db45194e4904ecd430291339a34b75114d90083e1afa3044d59498

SHA512
aec21d66941d32cbd2d2b2c1720cf8ec4ed90738638a44fbbc0ebf4b6f8747c9be3b5767fd877fffd68c88f5e1b131454bb12913611a21fb9be94c93120b4fdf

Download Submit
C:\Users\Admin\AppData\Local\QY5u6mzL\cttune.exe
MD5
887390cd049aedae8c83df04c85cb20d

SHA1
99402bf01ac3f8cbbd0f91259dae2d0366f5b3dd

SHA256
634a828bbd959e42e5804e3ea1426c3dc575ba4c2a0551ed3c153d823f2da423

SHA512
6541bc8f2987da431b9435cecb085898ebd9d2496d04472b14d31f69df1653f8e77b95906e2b0e38e7df022b3bb58f1180f5ca42213fbf4dbbafc28d26d0f108

Download Submit
C:\Users\Admin\AppData\Local\pSqtJg\WTSAPI32.dll
MD5
4b8f804f5ddac7e54daa722d158998b2

SHA1
baacc0b7f14231e956f15e118a0a79ed66e32128

SHA256
d7591bc97f8bbf168a878a5cec30b517e10bdd3f6d8f002e4d3ab92ad4da4fae

SHA512
4121b5f7a278824ee394b94c0e9eadb761e84725342320cd0c9b2cbc7a26da1006896062678084387107b8debc025e09d49809c0c16f6512ab78fb543c4265b3

Download Submit
C:\Users\Admin\AppData\Local\pSqtJg\embeddedapplauncher.exe
MD5
372475cd2d5658a529c83cbe159dd4ce

SHA1
be8496491da2bbb3f06bfdf4ffe80285a7f891d9

SHA256
708d78211be2333cab7658a99b02ae81014475973dea05d92115a8bc91965024

SHA512
88f138678d8f8aae8bc0ac429744f8aad4a76187c0dd4367c03d9ed21ae132edae0109849570d49b47918ccac6fe671a896f64ef723e4e275a723b2c6e050028

Download Submit
\Users\Admin\AppData\Local\KiY\WTSAPI32.dll
MD5
54e2f69223532bfa6a0b8fa08e69e5b3

SHA1
f72a028e5e56311d108d6095eb1b289f9f2e9a19

SHA256
2b6aff7784ee7bf4c04241823dc2c0b5ebdfef02c975f5617b04aefe805a4654

SHA512
92953d0d6c738a1663ae5c0cfcfd1c0ae4475d0a929ebbd363515332197d6afe902703f6390d042be74308fb1a0e2379224a6fc1a3fccefc3c12317989149e1b

Download Submit
\Users\Admin\AppData\Local\QY5u6mzL\OLEACC.dll
MD5
b60534f7c18e9a22a275a48e7f444a64

SHA1
4380c7dc38deee91d76798159c1743abf1e94e3c

SHA256
20275ae4f8db45194e4904ecd430291339a34b75114d90083e1afa3044d59498

SHA512
aec21d66941d32cbd2d2b2c1720cf8ec4ed90738638a44fbbc0ebf4b6f8747c9be3b5767fd877fffd68c88f5e1b131454bb12913611a21fb9be94c93120b4fdf

Download Submit
\Users\Admin\AppData\Local\pSqtJg\WTSAPI32.dll
MD5
4b8f804f5ddac7e54daa722d158998b2

SHA1
baacc0b7f14231e956f15e118a0a79ed66e32128

SHA256
d7591bc97f8bbf168a878a5cec30b517e10bdd3f6d8f002e4d3ab92ad4da4fae

SHA512
4121b5f7a278824ee394b94c0e9eadb761e84725342320cd0c9b2cbc7a26da1006896062678084387107b8debc025e09d49809c0c16f6512ab78fb543c4265b3

Download Submit
memory/3048-145-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-149-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-129-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-130-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-131-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-132-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-123-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-134-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-135-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-133-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-136-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-137-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-138-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-139-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-140-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-141-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-142-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-143-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-144-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-119-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/3048-146-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-147-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-148-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-128-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-150-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-151-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-152-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-153-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-154-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-155-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-156-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-157-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-165-0x00007FFA78514560-0x00007FFA78515560-memory.dmp

Filesize
4KB

Download
memory/3048-121-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-127-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-126-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-122-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-125-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-176-0x00007FFA78460000-0x00007FFA78470000-memory.dmp

Filesize
64KB

Download
memory/3048-120-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3048-124-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3368-186-0x0000000000000000-mapping.dmp

Download
memory/4100-177-0x0000000000000000-mapping.dmp

Download
memory/4648-114-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4648-118-0x000001CD72260000-0x000001CD72267000-memory.dmp

Filesize
28KB

Download
memory/4968-171-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/4968-167-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads