dridex | 69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4

Analysis

max time kernel
152s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4.dll
Size

2.0MB
MD5

784adf3295b7eafe53aa80da302b1b5d
SHA1

c79da77a4d00ec47594e007f9a174de43b5028d3
SHA256

69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4
SHA512

3fbc71e7f7de7526acd525f98fc18c8af2cef28a44e0b08b0f789f758ca96ce4c631d94b76c85513c2954ea9fa0dd6bbcbf07143ab86861a720b89a018a29860

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3036-120-0x0000000000DC0000-0x0000000000DC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

raserver.exeSystemPropertiesProtection.exePresentationHost.exe

pid process

1808 raserver.exe
1352 SystemPropertiesProtection.exe
1100 PresentationHost.exe
Loads dropped DLL 4 IoCs

Processes:

raserver.exeSystemPropertiesProtection.exePresentationHost.exe

pid process

1808 raserver.exe
1352 SystemPropertiesProtection.exe
1100 PresentationHost.exe
1100 PresentationHost.exe

pid	process
1808	raserver.exe
1352	SystemPropertiesProtection.exe
1100	PresentationHost.exe

pid	process
1808	raserver.exe
1352	SystemPropertiesProtection.exe
1100	PresentationHost.exe
1100	PresentationHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\1CiX9r2Va8\\SystemPropertiesProtection.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeraserver.exeSystemPropertiesProtection.exePresentationHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
2112	rundll32.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036

pid	process
3036

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3036 wrote to memory of 2252	3036	raserver.exe
PID 3036 wrote to memory of 2252	3036	raserver.exe
PID 3036 wrote to memory of 1808	3036	raserver.exe
PID 3036 wrote to memory of 1808	3036	raserver.exe
PID 3036 wrote to memory of 1344	3036	SystemPropertiesProtection.exe
PID 3036 wrote to memory of 1344	3036	SystemPropertiesProtection.exe
PID 3036 wrote to memory of 1352	3036	SystemPropertiesProtection.exe
PID 3036 wrote to memory of 1352	3036	SystemPropertiesProtection.exe
PID 3036 wrote to memory of 1312	3036	PresentationHost.exe
PID 3036 wrote to memory of 1312	3036	PresentationHost.exe
PID 3036 wrote to memory of 1100	3036	PresentationHost.exe
PID 3036 wrote to memory of 1100	3036	PresentationHost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\69af86da86fc2f9639f010e0b729b1c2ce33a272d199aeedc4c873d98a2b83b4.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2252

C:\Users\Admin\AppData\Local\9aWmq\raserver.exe
C:\Users\Admin\AppData\Local\9aWmq\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1808

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:1344

C:\Users\Admin\AppData\Local\nL2CEu\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\nL2CEu\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1352

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:1312

C:\Users\Admin\AppData\Local\xlofqz1u\PresentationHost.exe
C:\Users\Admin\AppData\Local\xlofqz1u\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1100

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9aWmq\WTSAPI32.dll
MD5
004c9a765f8287180cb28fb23471cf4c

SHA1
c2ac6a15adb5965f9580ad4fba8bf8f8c8835748

SHA256
d8f11f08fd5b1e32546ceb0a87d608e5ef2a3975d3ffc2b5f77c291562956cf4

SHA512
77d5ea3902112f7b8b67aed1d9419775939e334ad55ca23d36c62e875523171fa13c8701fe1ecd047320855644f67590208b6b170d992272be24dbc042c0449c

Download Submit
C:\Users\Admin\AppData\Local\9aWmq\raserver.exe
MD5
71cacb0f5b7b70055fbba02055e503b1

SHA1
49e247edcc721fc7329045a8587877b645b7531f

SHA256
7a4aa698ea00d4347a1b85a2510c2502fdf23cc5d487079097999be9780f8eb1

SHA512
3cce7df2ab1ece95baf888982a0664fb53c1378029dc2aee1c583fc6e9065968074a9f8135988f1b9f50937e3eb69edc118976b61067c3461fe8351535295a18

Download Submit
C:\Users\Admin\AppData\Local\nL2CEu\SYSDM.CPL
MD5
7b310336cd61ec536c9c6d0150a22627

SHA1
b26a2a828b7d44833b16334b106d2bb62d4eadc4

SHA256
32150d4bc6af6aebcd82a99add8a8cff74c26e09a96a8efccbfa6b5e0aa616b0

SHA512
706274970c158edd964c4d276e762090505cdbc152b8a9066632dee1f92683758482563b44597597d008cb8b03975a13589b6cd8c7a303464b069ffdfa7f0cdf

Download Submit
C:\Users\Admin\AppData\Local\nL2CEu\SystemPropertiesProtection.exe
MD5
37cc1b52d2032ec2546dc917a94167b4

SHA1
b5d0c21df373f323d5c9459a937a2aeaa66150ef

SHA256
d4b843ae6d94dfe8835925c4ec9ff42529bbb8fe3552cd5e819d8f332c24a884

SHA512
53f793900085e8e5c879876bd99043178cdf8f943df3d5c7faf9560abc6ae016bd208e393d7b66d7283a1d2363bf24e894c31b205db1065f900b8552cc809b2e

Download Submit
C:\Users\Admin\AppData\Local\xlofqz1u\PresentationHost.exe
MD5
7009b2746734a3538e7735cf24f3c93b

SHA1
f994c53697e0d9b6ab2b5d5dd5f31fafa30109b1

SHA256
d0011ec1f0e14a3c6a515df997268a851c98722472f21c03b0fdc6477f14fdb7

SHA512
7934cc17f7bbb6ec8b0f3fb4c775b21885693eaf3e332de97b14f294dac7a189801eeb6165dfc04e2a9aa019c444a9af65d498926fe9dc0c4fc1b71ba272f89b

Download Submit
C:\Users\Admin\AppData\Local\xlofqz1u\VERSION.dll
MD5
1d572284b2a6d4135017fc039873181d

SHA1
737afd21ffa91891182a4d55f149212d3f4576fb

SHA256
712e2b2f3350ee9c1bca676e8afae43ee7ce75d7a4a94a20f34ea3b877245638

SHA512
ef7f3a7124e91272a5573196d948bd75cbf634438a60f3c1887ada5ce781e6f7b8c02ab3935e31233c3656458200b0a4fc9911ac61d18df49190ff3cd49a9d54

Download Submit
\Users\Admin\AppData\Local\9aWmq\WTSAPI32.dll
MD5
004c9a765f8287180cb28fb23471cf4c

SHA1
c2ac6a15adb5965f9580ad4fba8bf8f8c8835748

SHA256
d8f11f08fd5b1e32546ceb0a87d608e5ef2a3975d3ffc2b5f77c291562956cf4

SHA512
77d5ea3902112f7b8b67aed1d9419775939e334ad55ca23d36c62e875523171fa13c8701fe1ecd047320855644f67590208b6b170d992272be24dbc042c0449c

Download Submit
\Users\Admin\AppData\Local\nL2CEu\SYSDM.CPL
MD5
7b310336cd61ec536c9c6d0150a22627

SHA1
b26a2a828b7d44833b16334b106d2bb62d4eadc4

SHA256
32150d4bc6af6aebcd82a99add8a8cff74c26e09a96a8efccbfa6b5e0aa616b0

SHA512
706274970c158edd964c4d276e762090505cdbc152b8a9066632dee1f92683758482563b44597597d008cb8b03975a13589b6cd8c7a303464b069ffdfa7f0cdf

Download Submit
\Users\Admin\AppData\Local\xlofqz1u\VERSION.dll
MD5
1d572284b2a6d4135017fc039873181d

SHA1
737afd21ffa91891182a4d55f149212d3f4576fb

SHA256
712e2b2f3350ee9c1bca676e8afae43ee7ce75d7a4a94a20f34ea3b877245638

SHA512
ef7f3a7124e91272a5573196d948bd75cbf634438a60f3c1887ada5ce781e6f7b8c02ab3935e31233c3656458200b0a4fc9911ac61d18df49190ff3cd49a9d54

Download Submit
\Users\Admin\AppData\Local\xlofqz1u\VERSION.dll
MD5
1d572284b2a6d4135017fc039873181d

SHA1
737afd21ffa91891182a4d55f149212d3f4576fb

SHA256
712e2b2f3350ee9c1bca676e8afae43ee7ce75d7a4a94a20f34ea3b877245638

SHA512
ef7f3a7124e91272a5573196d948bd75cbf634438a60f3c1887ada5ce781e6f7b8c02ab3935e31233c3656458200b0a4fc9911ac61d18df49190ff3cd49a9d54

Download Submit
memory/1100-187-0x000001D6BEEA0000-0x000001D6BF09A000-memory.dmp

Filesize
2.0MB

Download
memory/1100-182-0x0000000000000000-mapping.dmp

Download
memory/1352-173-0x0000000000000000-mapping.dmp

Download
memory/1808-168-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1808-164-0x0000000000000000-mapping.dmp

Download
memory/2112-115-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/2112-119-0x000001D09CD10000-0x000001D09CD17000-memory.dmp

Filesize
28KB

Download
memory/3036-131-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-141-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-138-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-139-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-140-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-142-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-143-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-144-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-145-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-146-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-147-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-148-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-149-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-150-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-151-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-152-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-153-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-137-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-136-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-161-0x00007FF84F614560-0x00007FF84F615560-memory.dmp

Filesize
4KB

Download
memory/3036-163-0x00007FF84F560000-0x00007FF84F570000-memory.dmp

Filesize
64KB

Download
memory/3036-135-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-134-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-133-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-132-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-130-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-129-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-128-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-127-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-126-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-125-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-124-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-122-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-123-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-121-0x0000000140000000-0x00000001401F9000-memory.dmp

Filesize
2.0MB

Download
memory/3036-120-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads