dridex | 69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4

Analysis

max time kernel
151s
max time network
58s
platform
windows7_x64
resource
win7v20210408
submitted
28-09-2021 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4.dll
Size

2.0MB
MD5

784adf3295b7eafe53aa80da302b1b5d
SHA1

c79da77a4d00ec47594e007f9a174de43b5028d3
SHA256

69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4
SHA512

3fbc71e7f7de7526acd525f98fc18c8af2cef28a44e0b08b0f789f758ca96ce4c631d94b76c85513c2954ea9fa0dd6bbcbf07143ab86861a720b89a018a29860

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1180-62-0x00000000037B0000-0x00000000037B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WindowsAnytimeUpgradeResults.exeperfmon.exeDevicePairingWizard.exe

pid process

768 WindowsAnytimeUpgradeResults.exe
1456 perfmon.exe
1220 DevicePairingWizard.exe
Loads dropped DLL 7 IoCs

Processes:

WindowsAnytimeUpgradeResults.exeperfmon.exeDevicePairingWizard.exe

pid process

1180
768 WindowsAnytimeUpgradeResults.exe
1180
1456 perfmon.exe
1180
1220 DevicePairingWizard.exe
1180

pid	process
768	WindowsAnytimeUpgradeResults.exe
1456	perfmon.exe
1220	DevicePairingWizard.exe

pid	process
1180
768	WindowsAnytimeUpgradeResults.exe
1180
1456	perfmon.exe
1180
1220	DevicePairingWizard.exe
1180

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\6vJHNR\\perfmon.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeWindowsAnytimeUpgradeResults.exeperfmon.exeDevicePairingWizard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1696	rundll32.exe
1696	rundll32.exe
1696	rundll32.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1180
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1180
1180
1180
1180
1180
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1180
1180
1180
1180
1180
1180

pid	process
1180

pid	process
1180
1180
1180
1180
1180

pid	process
1180
1180
1180
1180
1180
1180

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1180 wrote to memory of 332	1180	WindowsAnytimeUpgradeResults.exe
PID 1180 wrote to memory of 332	1180	WindowsAnytimeUpgradeResults.exe
PID 1180 wrote to memory of 332	1180	WindowsAnytimeUpgradeResults.exe
PID 1180 wrote to memory of 768	1180	WindowsAnytimeUpgradeResults.exe
PID 1180 wrote to memory of 768	1180	WindowsAnytimeUpgradeResults.exe
PID 1180 wrote to memory of 768	1180	WindowsAnytimeUpgradeResults.exe
PID 1180 wrote to memory of 572	1180	perfmon.exe
PID 1180 wrote to memory of 572	1180	perfmon.exe
PID 1180 wrote to memory of 572	1180	perfmon.exe
PID 1180 wrote to memory of 1456	1180	perfmon.exe
PID 1180 wrote to memory of 1456	1180	perfmon.exe
PID 1180 wrote to memory of 1456	1180	perfmon.exe
PID 1180 wrote to memory of 1384	1180	DevicePairingWizard.exe
PID 1180 wrote to memory of 1384	1180	DevicePairingWizard.exe
PID 1180 wrote to memory of 1384	1180	DevicePairingWizard.exe
PID 1180 wrote to memory of 1220	1180	DevicePairingWizard.exe
PID 1180 wrote to memory of 1220	1180	DevicePairingWizard.exe
PID 1180 wrote to memory of 1220	1180	DevicePairingWizard.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:332

C:\Users\Admin\AppData\Local\4vcWIkC\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\4vcWIkC\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:768

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:572

C:\Users\Admin\AppData\Local\Y77p2v\perfmon.exe
C:\Users\Admin\AppData\Local\Y77p2v\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1456

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:1384

C:\Users\Admin\AppData\Local\xG8\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\xG8\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1220

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4vcWIkC\DUI70.dll
MD5
73a3d0132a3cf361898e7227a2eecf46

SHA1
22ef47dc1cf35e50ef37f61adcefa3f51e3ae45c

SHA256
688aefab069757476d7ffe27f8e15d80bd8914bab1a9543b728f656299e08a72

SHA512
37b5b98bd6cec199b9314b65de0645f753f6684124a1050725c518ff37a60a02a759538b7d8ca6703cfb2a902f5a6fb70dae456cc9f9265426cd6f8ca6be9508

Download Submit
C:\Users\Admin\AppData\Local\4vcWIkC\WindowsAnytimeUpgradeResults.exe
MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
C:\Users\Admin\AppData\Local\Y77p2v\Secur32.dll
MD5
b450f9877ac32e8092654ca0fd662d39

SHA1
07cd10b58f139d77cb4f604e7b25b607bb6fb3f7

SHA256
957819da7f684fa448113088a1ca903022655cdc954e05f3c37f02b9ad2c9360

SHA512
fce0215533eadaa65a1869271886df9fc2591b3e7a802a8e0b9791da13838b61a0a1d41d056db37ce01f8f20aae1c43688140db7a27db8f6ff65f7dea429a891

Download Submit
C:\Users\Admin\AppData\Local\Y77p2v\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
C:\Users\Admin\AppData\Local\xG8\DevicePairingWizard.exe
MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
C:\Users\Admin\AppData\Local\xG8\MFC42u.dll
MD5
137df002776cf86571205aec4a5ae8d4

SHA1
a56288d683330ce5c38f5c1b7734d349e47ad3d9

SHA256
e5735164983dd9a535f8d05b50c519c49178c64156746cc7a95c91262ebbb5b7

SHA512
ffa37d3050577b08efbbeb8039b3fc40cf5324fbf5ae3702a1f24de04aaec9d31328a783a75b8a9e593fa919ac48d7e74d4f1c39bc0ae47803dbb2f303454f7c

Download Submit
\Users\Admin\AppData\Local\4vcWIkC\DUI70.dll
MD5
73a3d0132a3cf361898e7227a2eecf46

SHA1
22ef47dc1cf35e50ef37f61adcefa3f51e3ae45c

SHA256
688aefab069757476d7ffe27f8e15d80bd8914bab1a9543b728f656299e08a72

SHA512
37b5b98bd6cec199b9314b65de0645f753f6684124a1050725c518ff37a60a02a759538b7d8ca6703cfb2a902f5a6fb70dae456cc9f9265426cd6f8ca6be9508

Download Submit
\Users\Admin\AppData\Local\4vcWIkC\WindowsAnytimeUpgradeResults.exe
MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
\Users\Admin\AppData\Local\Y77p2v\Secur32.dll
MD5
b450f9877ac32e8092654ca0fd662d39

SHA1
07cd10b58f139d77cb4f604e7b25b607bb6fb3f7

SHA256
957819da7f684fa448113088a1ca903022655cdc954e05f3c37f02b9ad2c9360

SHA512
fce0215533eadaa65a1869271886df9fc2591b3e7a802a8e0b9791da13838b61a0a1d41d056db37ce01f8f20aae1c43688140db7a27db8f6ff65f7dea429a891

Download Submit
\Users\Admin\AppData\Local\Y77p2v\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\xG8\DevicePairingWizard.exe
MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\xG8\MFC42u.dll
MD5
137df002776cf86571205aec4a5ae8d4

SHA1
a56288d683330ce5c38f5c1b7734d349e47ad3d9

SHA256
e5735164983dd9a535f8d05b50c519c49178c64156746cc7a95c91262ebbb5b7

SHA512
ffa37d3050577b08efbbeb8039b3fc40cf5324fbf5ae3702a1f24de04aaec9d31328a783a75b8a9e593fa919ac48d7e74d4f1c39bc0ae47803dbb2f303454f7c

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\F7RBUR3H\3AoEuRzC\DevicePairingWizard.exe
MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
memory/768-103-0x0000000000000000-mapping.dmp

Download
memory/768-107-0x0000000140000000-0x000000014022D000-memory.dmp

Filesize
2.2MB

Download
memory/1180-88-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-101-0x0000000077270000-0x0000000077272000-memory.dmp

Filesize
8KB

Download
memory/1180-91-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-89-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-95-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-93-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-94-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-87-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-86-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-83-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-84-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-81-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-79-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-77-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-76-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-75-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-72-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-71-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-69-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-68-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-65-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-92-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-90-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-62-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/1180-85-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-82-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-80-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-78-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-63-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-74-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-73-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-70-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-67-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-64-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1180-66-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1220-118-0x0000000000000000-mapping.dmp

Download
memory/1220-122-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1456-115-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1456-114-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1456-110-0x0000000000000000-mapping.dmp

Download
memory/1696-59-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/1696-61-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads