dridex | ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe

Analysis

max time kernel
158s
max time network
149s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe.dll
Size

1.6MB
MD5

2e7ad724c95540d2b2e230167ced5499
SHA1

9700b4997f8d51fa8a81f9b2d31f093b89e46901
SHA256

ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe
SHA512

b91ba427b9ef81cb30bb72d913093b5a9d3a0543c0a4329e655bd3cd0f93f4d790bc0d8c1df995576f19553cb362306c057c920ebd2db6c82c501279d8331618

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2996-120-0x0000000002760000-0x0000000002761000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PasswordOnWakeSettingFlyout.exetabcal.exeNetplwiz.exe

pid process

2280 PasswordOnWakeSettingFlyout.exe
752 tabcal.exe
1052 Netplwiz.exe
Loads dropped DLL 3 IoCs

Processes:

PasswordOnWakeSettingFlyout.exetabcal.exeNetplwiz.exe

pid process

2280 PasswordOnWakeSettingFlyout.exe
752 tabcal.exe
1052 Netplwiz.exe

pid	process
2280	PasswordOnWakeSettingFlyout.exe
752	tabcal.exe
1052	Netplwiz.exe

pid	process
2280	PasswordOnWakeSettingFlyout.exe
752	tabcal.exe
1052	Netplwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wzmtblrj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\7keDnIdt\\tabcal.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

PasswordOnWakeSettingFlyout.exetabcal.exeNetplwiz.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3340	rundll32.exe
3340	rundll32.exe
3340	rundll32.exe
3340	rundll32.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2996

pid	process
2996

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

pid process

2996
2996
2996
2996
2996
2996
2996
2996
2996
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

2996

pid	process
2996
2996
2996
2996
2996
2996
2996
2996
2996

pid	process
2996

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2996 wrote to memory of 4020	2996	PasswordOnWakeSettingFlyout.exe
PID 2996 wrote to memory of 4020	2996	PasswordOnWakeSettingFlyout.exe
PID 2996 wrote to memory of 2280	2996	PasswordOnWakeSettingFlyout.exe
PID 2996 wrote to memory of 2280	2996	PasswordOnWakeSettingFlyout.exe
PID 2996 wrote to memory of 660	2996	tabcal.exe
PID 2996 wrote to memory of 660	2996	tabcal.exe
PID 2996 wrote to memory of 752	2996	tabcal.exe
PID 2996 wrote to memory of 752	2996	tabcal.exe
PID 2996 wrote to memory of 852	2996	Netplwiz.exe
PID 2996 wrote to memory of 852	2996	Netplwiz.exe
PID 2996 wrote to memory of 1052	2996	Netplwiz.exe
PID 2996 wrote to memory of 1052	2996	Netplwiz.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae40febb345da3f524772f56d3fda2969ea72e2dcf80605434143ab442ef9cbe.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3340

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:4020

C:\Users\Admin\AppData\Local\fj6FcS\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\fj6FcS\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2280

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:660

C:\Users\Admin\AppData\Local\EvgNOk\tabcal.exe
C:\Users\Admin\AppData\Local\EvgNOk\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:752

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:852

C:\Users\Admin\AppData\Local\MH1cgB77\Netplwiz.exe
C:\Users\Admin\AppData\Local\MH1cgB77\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1052

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EvgNOk\HID.DLL
MD5
6b52d4065ecc9118981c1399d4fa81bd

SHA1
8aa6967379ebc45a5d011065b93d2fab3df357b6

SHA256
f1da3d8cbef15168080c744f949b017e704de5d190d69303a1ace60bd5c48175

SHA512
eb588196dba790f04b680bec7d46f0fe9ea3193dda89e0c3ec5494e53dea1ac6de5390b68ee960f601673dc3ff56da55c1df316de093111b6bf420f31104b9db

Download Submit
C:\Users\Admin\AppData\Local\EvgNOk\tabcal.exe
MD5
4e5b6b3059dc055232f4fbd6c4796540

SHA1
9929b2c336e9bf4aacfaa15083224bcd5eff6aae

SHA256
bc0beeda967eecf14940d2105cd179cd0da3843651d183c3ead6df7615c866f1

SHA512
7bdb1eb8c3b84203ae9ef8d58045a5fa32bd2c206f71a3bae14c458b37d265452e183f3fbe0784a8a37fdea661dd5c34d50decbc6a296b9c7a6c353c61152374

Download Submit
C:\Users\Admin\AppData\Local\MH1cgB77\NETPLWIZ.dll
MD5
120e25aa246753992d34deb226db0a93

SHA1
ad714f4a5ed266906ffbcccdf391166382a3cb88

SHA256
3f14cd2ce827a65af5c85c42afecd47dcaf87424b9d4a048aefa33205018a3e7

SHA512
0ce48c21fc1022b070dcb4afc63155fed5f046b9ea00292a56c55d78e8a3075e4dddc9fbe5490016fbb86c1b897287acc478f3db64ceae19e9c2373fa9e2c83c

Download Submit
C:\Users\Admin\AppData\Local\MH1cgB77\Netplwiz.exe
MD5
a5acd80ecb8474371df9ea90c2276572

SHA1
a0fe5331bcb81aef9b0e0839ba0a71c2dcd78a08

SHA256
211ffe401b62de5ece1b863f3ba1c30279bd4b6a294141c80687005227c09388

SHA512
5e75bef5d25195ebf388ad771d713f80b2147348fc617677a9db9f3d94b65b25da332ef25b6790ac74349aeaefc2a18ae3b9573097f098313d0533f6e7ca9165

Download Submit
C:\Users\Admin\AppData\Local\fj6FcS\DUI70.dll
MD5
9a9d8ceb2b4adb997314a05b654404f5

SHA1
e2b41138ad0ed08767d35b36c1c78635aa56b5f9

SHA256
5208e398e5508610defa2808117e8aedc95f1b0eeaefc883c2ccc60faf200d6a

SHA512
dfedac6a661c990cc235c1d9a8d03e0183eba0aa55108f8c19896b4f4fb5c6f1a16dfb018245284d0a46b212474bde125cac58c05e646805c6692e31e52453a7

Download Submit
C:\Users\Admin\AppData\Local\fj6FcS\PasswordOnWakeSettingFlyout.exe
MD5
a81fed73da02db15df427da1cd5f4141

SHA1
f831fc6377a6264be621e23635f22b437129b2ce

SHA256
1afed5b9302a4a4669ac7f966b7cf9fcaab037e94a0b3cabea3631055c97d3a5

SHA512
3c4541160f0f69d1c3a9dc4e67643864493eadb0450426f7f323d87fa7b0c81d96ef2201d33b3421a307171274615e90d4ee8bd07107ff4f75beedec0a2bf156

Download Submit
\Users\Admin\AppData\Local\EvgNOk\HID.DLL
MD5
6b52d4065ecc9118981c1399d4fa81bd

SHA1
8aa6967379ebc45a5d011065b93d2fab3df357b6

SHA256
f1da3d8cbef15168080c744f949b017e704de5d190d69303a1ace60bd5c48175

SHA512
eb588196dba790f04b680bec7d46f0fe9ea3193dda89e0c3ec5494e53dea1ac6de5390b68ee960f601673dc3ff56da55c1df316de093111b6bf420f31104b9db

Download Submit
\Users\Admin\AppData\Local\MH1cgB77\NETPLWIZ.dll
MD5
120e25aa246753992d34deb226db0a93

SHA1
ad714f4a5ed266906ffbcccdf391166382a3cb88

SHA256
3f14cd2ce827a65af5c85c42afecd47dcaf87424b9d4a048aefa33205018a3e7

SHA512
0ce48c21fc1022b070dcb4afc63155fed5f046b9ea00292a56c55d78e8a3075e4dddc9fbe5490016fbb86c1b897287acc478f3db64ceae19e9c2373fa9e2c83c

Download Submit
\Users\Admin\AppData\Local\fj6FcS\DUI70.dll
MD5
9a9d8ceb2b4adb997314a05b654404f5

SHA1
e2b41138ad0ed08767d35b36c1c78635aa56b5f9

SHA256
5208e398e5508610defa2808117e8aedc95f1b0eeaefc883c2ccc60faf200d6a

SHA512
dfedac6a661c990cc235c1d9a8d03e0183eba0aa55108f8c19896b4f4fb5c6f1a16dfb018245284d0a46b212474bde125cac58c05e646805c6692e31e52453a7

Download Submit
memory/752-191-0x0000000140000000-0x0000000140195000-memory.dmp

Filesize
1.6MB

Download
memory/752-187-0x0000000000000000-mapping.dmp

Download
memory/1052-196-0x0000000000000000-mapping.dmp

Download
memory/2280-178-0x0000000000000000-mapping.dmp

Download
memory/2280-182-0x0000000140000000-0x00000001401DA000-memory.dmp

Filesize
1.9MB

Download
memory/2996-149-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-156-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-133-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-134-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-135-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-136-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-137-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-138-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-139-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-140-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-141-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-142-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-143-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-144-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-145-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-146-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-147-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-148-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-131-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-150-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-152-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-153-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-151-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-154-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-155-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-132-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-157-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-158-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-159-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-160-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-161-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-162-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-165-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-166-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-167-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-164-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-130-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-129-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-128-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-127-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-126-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-125-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-124-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-122-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-123-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-121-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-120-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2996-163-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/2996-175-0x00007FFC289C4560-0x00007FFC289C5560-memory.dmp

Filesize
4KB

Download
memory/2996-177-0x00007FFC28910000-0x00007FFC28920000-memory.dmp

Filesize
64KB

Download
memory/3340-115-0x0000000140000000-0x0000000140194000-memory.dmp

Filesize
1.6MB

Download
memory/3340-119-0x0000013A99720000-0x0000013A99727000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads