dridex | b07aff83880c9d5315322e289018077face4c3992f81cf08d56ac2602e212385

Analysis

max time kernel
153s
max time network
43s
platform
windows7_x64
resource
win7v20210408
submitted
15-09-2021 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b07aff83880c9d5315322e289018077face4c3992f81cf08d56ac2602e212385.dll
Size

1.8MB
MD5

0378e8aa3da2d2434de4c4cf4438a0fe
SHA1

97ae668529c07298a492503ff2eb601467796ee6
SHA256

b07aff83880c9d5315322e289018077face4c3992f81cf08d56ac2602e212385
SHA512

891c81fc4b756779365ee51a6f0a29e4bcfaccbcc551d321117e0b7ad787bf878d6c77c8a2880e22ad3de9923f5b1e229dae799dccf52f350dfc07388e8a6403

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1352-64-0x0000000002700000-0x0000000002701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wusa.execttune.exemspaint.exe

pid process

1436 wusa.exe
680 cttune.exe
1504 mspaint.exe
Loads dropped DLL 7 IoCs

Processes:

wusa.execttune.exemspaint.exe

pid process

1352
1436 wusa.exe
1352
680 cttune.exe
1352
1504 mspaint.exe
1352

pid	process
1436	wusa.exe
680	cttune.exe
1504	mspaint.exe

pid	process
1352
1436	wusa.exe
1352
680	cttune.exe
1352
1504	mspaint.exe
1352

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\B9DF2T~1\\cttune.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewusa.execttune.exemspaint.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1968	rundll32.exe
1968	rundll32.exe
1968	rundll32.exe
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1352
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1352
1352
1352
1352
1352
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

pid process

1352
1352
1352
1352
1352
1352
1352

pid	process
1352

pid	process
1352
1352
1352
1352
1352

pid	process
1352
1352
1352
1352
1352
1352
1352

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1352 wrote to memory of 612	1352	wusa.exe
PID 1352 wrote to memory of 612	1352	wusa.exe
PID 1352 wrote to memory of 612	1352	wusa.exe
PID 1352 wrote to memory of 1436	1352	wusa.exe
PID 1352 wrote to memory of 1436	1352	wusa.exe
PID 1352 wrote to memory of 1436	1352	wusa.exe
PID 1352 wrote to memory of 1376	1352	cttune.exe
PID 1352 wrote to memory of 1376	1352	cttune.exe
PID 1352 wrote to memory of 1376	1352	cttune.exe
PID 1352 wrote to memory of 680	1352	cttune.exe
PID 1352 wrote to memory of 680	1352	cttune.exe
PID 1352 wrote to memory of 680	1352	cttune.exe
PID 1352 wrote to memory of 1616	1352	mspaint.exe
PID 1352 wrote to memory of 1616	1352	mspaint.exe
PID 1352 wrote to memory of 1616	1352	mspaint.exe
PID 1352 wrote to memory of 1504	1352	mspaint.exe
PID 1352 wrote to memory of 1504	1352	mspaint.exe
PID 1352 wrote to memory of 1504	1352	mspaint.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b07aff83880c9d5315322e289018077face4c3992f81cf08d56ac2602e212385.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\IXxajPY5\wusa.exe
C:\Users\Admin\AppData\Local\IXxajPY5\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1436

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:1376

C:\Users\Admin\AppData\Local\9SZO4dp\cttune.exe
C:\Users\Admin\AppData\Local\9SZO4dp\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:680

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:1616

C:\Users\Admin\AppData\Local\LWfqo\mspaint.exe
C:\Users\Admin\AppData\Local\LWfqo\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1504

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9SZO4dp\UxTheme.dll
MD5
3af2d095cba8d796ed9d4173303342d3

SHA1
179437cd6927461c2655ad6acca2b96c725f71c7

SHA256
4d9ce91ce7c4f099a04973ee36ba82421ca9c6f22cfd39444c538cf8e05b80b6

SHA512
f0ea77926d5a6cb827f27594ad46e8aaa96bbbe5ba97524200d8ea98c0682d1fbf062ea5937dc93951d41845f9c4386c49f6430e55f99feae2228b02ba669a9c

Download Submit
C:\Users\Admin\AppData\Local\9SZO4dp\cttune.exe
MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
C:\Users\Admin\AppData\Local\IXxajPY5\WTSAPI32.dll
MD5
04461baa5efade786953d8b3164c7e38

SHA1
9840ed5f688404665dd5d8324183b661cd5e19cc

SHA256
7ef5dcda643a9f4133595c2c5e8d91b3024be06dc0c45a06752328fe439bb660

SHA512
361c1472d8ec69fdba182c859c130cfb6888f90bd2e18a3635ac77ee306566ab219b38cd8963fa6d8cdf2267499d772ca5613fdfe63f886cfdee96e10c3fa237

Download Submit
C:\Users\Admin\AppData\Local\IXxajPY5\wusa.exe
MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
C:\Users\Admin\AppData\Local\LWfqo\MFC42u.dll
MD5
03d9352c43ceb97403433567e20078a4

SHA1
42cc64d5c13411532354a0bdb31a6d7096fd802f

SHA256
14bd78698ffb85b0efcf1aafa3ec8f5d46895fe7484cf74f3823f0f5ddc7448f

SHA512
c60040f5377891765341bebf8af2ded915f693935f321f986b7ea8ed8aa4e50523abaad0d75c119d01d895267467679864a548bc5242792bf4fdecc3f8804933

Download Submit
C:\Users\Admin\AppData\Local\LWfqo\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\9SZO4dp\UxTheme.dll
MD5
3af2d095cba8d796ed9d4173303342d3

SHA1
179437cd6927461c2655ad6acca2b96c725f71c7

SHA256
4d9ce91ce7c4f099a04973ee36ba82421ca9c6f22cfd39444c538cf8e05b80b6

SHA512
f0ea77926d5a6cb827f27594ad46e8aaa96bbbe5ba97524200d8ea98c0682d1fbf062ea5937dc93951d41845f9c4386c49f6430e55f99feae2228b02ba669a9c

Download Submit
\Users\Admin\AppData\Local\9SZO4dp\cttune.exe
MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Local\IXxajPY5\WTSAPI32.dll
MD5
04461baa5efade786953d8b3164c7e38

SHA1
9840ed5f688404665dd5d8324183b661cd5e19cc

SHA256
7ef5dcda643a9f4133595c2c5e8d91b3024be06dc0c45a06752328fe439bb660

SHA512
361c1472d8ec69fdba182c859c130cfb6888f90bd2e18a3635ac77ee306566ab219b38cd8963fa6d8cdf2267499d772ca5613fdfe63f886cfdee96e10c3fa237

Download Submit
\Users\Admin\AppData\Local\IXxajPY5\wusa.exe
MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
\Users\Admin\AppData\Local\LWfqo\MFC42u.dll
MD5
03d9352c43ceb97403433567e20078a4

SHA1
42cc64d5c13411532354a0bdb31a6d7096fd802f

SHA256
14bd78698ffb85b0efcf1aafa3ec8f5d46895fe7484cf74f3823f0f5ddc7448f

SHA512
c60040f5377891765341bebf8af2ded915f693935f321f986b7ea8ed8aa4e50523abaad0d75c119d01d895267467679864a548bc5242792bf4fdecc3f8804933

Download Submit
\Users\Admin\AppData\Local\LWfqo\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\0oeAIVt\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
memory/680-122-0x0000000000000000-mapping.dmp

Download
memory/1352-77-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-100-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-62-0x00000000026D0000-0x00000000026E0000-memory.dmp

Filesize
64KB

Download
memory/1352-76-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-75-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-74-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-73-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-72-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-71-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-86-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-85-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-84-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-87-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-88-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-89-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-90-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-91-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-92-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-93-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-94-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-95-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-96-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-97-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-98-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-99-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-78-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-101-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-102-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-103-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-104-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-105-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-106-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-112-0x0000000077B30000-0x0000000077B32000-memory.dmp

Filesize
8KB

Download
memory/1352-79-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-64-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1352-80-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-81-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-82-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-68-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-69-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-83-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-70-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-65-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-66-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1352-67-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1436-118-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1436-119-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/1436-114-0x0000000000000000-mapping.dmp

Download
memory/1504-130-0x0000000000000000-mapping.dmp

Download
memory/1504-135-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1968-63-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/1968-60-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads