dridex | ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe

Analysis

max time kernel
152s
max time network
41s
platform
windows7_x64
resource
win7v20210408
submitted
15-09-2021 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe.dll
Size

1.6MB
MD5

2e7ad724c95540d2b2e230167ced5499
SHA1

9700b4997f8d51fa8a81f9b2d31f093b89e46901
SHA256

ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe
SHA512

b91ba427b9ef81cb30bb72d913093b5a9d3a0543c0a4329e655bd3cd0f93f4d790bc0d8c1df995576f19553cb362306c057c920ebd2db6c82c501279d8331618

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1252-63-0x0000000002A30000-0x0000000002A31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

notepad.exewscript.execalc.exe

pid process

820 notepad.exe
1940 wscript.exe
1584 calc.exe
Loads dropped DLL 8 IoCs

Processes:

notepad.exewscript.execalc.exe

pid process

1252
820 notepad.exe
1252
1252
1940 wscript.exe
1252
1584 calc.exe
1252

pid	process
820	notepad.exe
1940	wscript.exe
1584	calc.exe

pid	process
1252
820	notepad.exe
1252
1252
1940	wscript.exe
1252
1584	calc.exe
1252

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\85j\\wscript.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wscript.execalc.exerundll32.exenotepad.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1252
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1252
1252
1252
1252
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1252
1252
1252
1252

pid	process
1252

pid	process
1252
1252
1252
1252

pid	process
1252
1252
1252
1252

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1252 wrote to memory of 896	1252	notepad.exe
PID 1252 wrote to memory of 896	1252	notepad.exe
PID 1252 wrote to memory of 896	1252	notepad.exe
PID 1252 wrote to memory of 820	1252	notepad.exe
PID 1252 wrote to memory of 820	1252	notepad.exe
PID 1252 wrote to memory of 820	1252	notepad.exe
PID 1252 wrote to memory of 1484	1252	wscript.exe
PID 1252 wrote to memory of 1484	1252	wscript.exe
PID 1252 wrote to memory of 1484	1252	wscript.exe
PID 1252 wrote to memory of 1940	1252	wscript.exe
PID 1252 wrote to memory of 1940	1252	wscript.exe
PID 1252 wrote to memory of 1940	1252	wscript.exe
PID 1252 wrote to memory of 1924	1252	calc.exe
PID 1252 wrote to memory of 1924	1252	calc.exe
PID 1252 wrote to memory of 1924	1252	calc.exe
PID 1252 wrote to memory of 1584	1252	calc.exe
PID 1252 wrote to memory of 1584	1252	calc.exe
PID 1252 wrote to memory of 1584	1252	calc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:896

C:\Users\Admin\AppData\Local\FUkB9RPGl\notepad.exe
C:\Users\Admin\AppData\Local\FUkB9RPGl\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:820

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1484

C:\Users\Admin\AppData\Local\LOjZ\wscript.exe
C:\Users\Admin\AppData\Local\LOjZ\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1940

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:1924

C:\Users\Admin\AppData\Local\hF8c\calc.exe
C:\Users\Admin\AppData\Local\hF8c\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1584

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FUkB9RPGl\VERSION.dll
MD5
24c0bc1ba94ed48470ca370c20c74418

SHA1
a359fd3bbe8d1bb561ee4dcce8288b6cffe25462

SHA256
afef7deeb9a9fa1871c3674427944aa6ee1f14fc4d68f6abeb4447ba9564794f

SHA512
64041cad746a4444a7c48f8a0b2b1adca3adb40ef9384b56afaf2a2b259838d1661b9f15ac4f73868a15f694ef44a4ffe21e035f4bf79173607ea2cded6a2e4b

Download Submit
C:\Users\Admin\AppData\Local\FUkB9RPGl\notepad.exe
MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
C:\Users\Admin\AppData\Local\LOjZ\VERSION.dll
MD5
ad1dced2ab89e0fd9f63841812e8262f

SHA1
2de7d56831765e1db4132f9f1ed3c1557eba73f3

SHA256
99a75d13403a6af723bc8c5063472598f82feb9c7d651c714e9736dbb83b079b

SHA512
5c921eede6e7525483765f4570162c7b2f8010ab65c736de41775f6ab2a7323b135883ad71cc2bb7270847a1373f79df33927d49d8bc24399ab4f28f28bd5867

Download Submit
C:\Users\Admin\AppData\Local\LOjZ\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\Users\Admin\AppData\Local\hF8c\WINMM.dll
MD5
3aff453eb6c8f4d3e8ab1bf79bd9cda7

SHA1
c23ad47c843d475ec5447bd8084525dc957ada51

SHA256
c889d50c8237be60041d7ab55bbdf57ad75878fb6092eaf426284d689a5a61b5

SHA512
a9fdb3886bb9e555a5b435938ab2c6151121664b812647902a5493b233f5d0a04d0b7ede4079b392cc890c27b8b3dd8e106eff3789a3676644724091ab98fa54

Download Submit
C:\Users\Admin\AppData\Local\hF8c\calc.exe
MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Local\FUkB9RPGl\VERSION.dll
MD5
24c0bc1ba94ed48470ca370c20c74418

SHA1
a359fd3bbe8d1bb561ee4dcce8288b6cffe25462

SHA256
afef7deeb9a9fa1871c3674427944aa6ee1f14fc4d68f6abeb4447ba9564794f

SHA512
64041cad746a4444a7c48f8a0b2b1adca3adb40ef9384b56afaf2a2b259838d1661b9f15ac4f73868a15f694ef44a4ffe21e035f4bf79173607ea2cded6a2e4b

Download Submit
\Users\Admin\AppData\Local\FUkB9RPGl\notepad.exe
MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\LOjZ\VERSION.dll
MD5
ad1dced2ab89e0fd9f63841812e8262f

SHA1
2de7d56831765e1db4132f9f1ed3c1557eba73f3

SHA256
99a75d13403a6af723bc8c5063472598f82feb9c7d651c714e9736dbb83b079b

SHA512
5c921eede6e7525483765f4570162c7b2f8010ab65c736de41775f6ab2a7323b135883ad71cc2bb7270847a1373f79df33927d49d8bc24399ab4f28f28bd5867

Download Submit
\Users\Admin\AppData\Local\LOjZ\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\LOjZ\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\hF8c\WINMM.dll
MD5
3aff453eb6c8f4d3e8ab1bf79bd9cda7

SHA1
c23ad47c843d475ec5447bd8084525dc957ada51

SHA256
c889d50c8237be60041d7ab55bbdf57ad75878fb6092eaf426284d689a5a61b5

SHA512
a9fdb3886bb9e555a5b435938ab2c6151121664b812647902a5493b233f5d0a04d0b7ede4079b392cc890c27b8b3dd8e106eff3789a3676644724091ab98fa54

Download Submit
\Users\Admin\AppData\Local\hF8c\calc.exe
MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\BM\calc.exe
MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
memory/820-123-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/820-120-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/820-118-0x0000000000000000-mapping.dmp

Download
memory/1100-62-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1100-60-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-78-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-104-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-82-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-83-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-84-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-85-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-86-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-88-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-87-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-89-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-90-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-91-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-92-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-93-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-94-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-95-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-97-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-96-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-98-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-99-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-100-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-101-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-102-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-103-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-105-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-81-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-106-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-107-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-108-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-109-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-110-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-116-0x0000000077320000-0x0000000077322000-memory.dmp

Filesize
8KB

Download
memory/1252-80-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-79-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-77-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-76-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-75-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-72-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-74-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-73-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-63-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1252-70-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-71-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-69-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-68-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-67-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-65-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-66-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1252-64-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/1584-134-0x0000000000000000-mapping.dmp

Download
memory/1584-139-0x0000000140000000-0x0000000140196000-memory.dmp

Filesize
1.6MB

Download
memory/1940-127-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads