dridex | 7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a

Analysis

max time kernel
153s
max time network
85s
platform
windows10_x64
resource
win10v20210408
submitted
28-09-2021 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a.dll
Size

2.0MB
MD5

a75be08d11b5028b6e0fa8be59676599
SHA1

c47a48e04dc10641df07dba7dbbb73602e6615aa
SHA256

7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
SHA512

444d9ddbdbfac48953e01df6ed9376a78de22f6ae5d8155e5325a8482c228f96c099985ac4b9fd2e5447090380e535bdad59f59b7ebfa20578cd2038262a53b8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2644-119-0x0000000000C40000-0x0000000000C41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesAdvanced.exeslui.exebcastdvr.exe

pid process

3928 SystemPropertiesAdvanced.exe
3568 slui.exe
4044 bcastdvr.exe

pid	process
3928	SystemPropertiesAdvanced.exe
3568	slui.exe
4044	bcastdvr.exe

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Sl
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Sl\SYSDM.CPL
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Sl\SystemPropertiesAdvanced.exe

Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesAdvanced.exeslui.exebcastdvr.exe

pid process

3928 SystemPropertiesAdvanced.exe
3568 slui.exe
4044 bcastdvr.exe

pid	process
3928	SystemPropertiesAdvanced.exe
3568	slui.exe
4044	bcastdvr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\0LKX\\slui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

slui.exebcastdvr.exerundll32.exeSystemPropertiesAdvanced.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bcastdvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
904	rundll32.exe
904	rundll32.exe
904	rundll32.exe
904	rundll32.exe
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644
2644

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2644

pid	process
2644

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644
Token: SeShutdownPrivilege	2644
Token: SeCreatePagefilePrivilege	2644

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

2644
2644
2644
2644

pid	process
2644
2644
2644
2644

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2644 wrote to memory of 3832	2644	SystemPropertiesAdvanced.exe
PID 2644 wrote to memory of 3832	2644	SystemPropertiesAdvanced.exe
PID 2644 wrote to memory of 3928	2644	SystemPropertiesAdvanced.exe
PID 2644 wrote to memory of 3928	2644	SystemPropertiesAdvanced.exe
PID 2644 wrote to memory of 3936	2644	slui.exe
PID 2644 wrote to memory of 3936	2644	slui.exe
PID 2644 wrote to memory of 3568	2644	slui.exe
PID 2644 wrote to memory of 3568	2644	slui.exe
PID 2644 wrote to memory of 3172	2644	bcastdvr.exe
PID 2644 wrote to memory of 3172	2644	bcastdvr.exe
PID 2644 wrote to memory of 4044	2644	bcastdvr.exe
PID 2644 wrote to memory of 4044	2644	bcastdvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:3832

C:\Users\Admin\AppData\Local\LaF\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\LaF\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3928

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:3936

C:\Users\Admin\AppData\Local\mUXfucn\slui.exe
C:\Users\Admin\AppData\Local\mUXfucn\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3568

C:\Windows\system32\bcastdvr.exe
C:\Windows\system32\bcastdvr.exe
1⤵
PID:3172

C:\Users\Admin\AppData\Local\xhb\bcastdvr.exe
C:\Users\Admin\AppData\Local\xhb\bcastdvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LaF\SYSDM.CPL
MD5
613e879465aca8d34cf95139bffbbcc9

SHA1
fe5dcec6bf1bf5141de2d8916cb73603f3f73cf2

SHA256
ce8afadbca996334bb99fd5d73e4994da0fbb25c35aa6d1b7b8052248fd3404d

SHA512
0c1564661136946bcd8d3b2d654a71494eddebc9677d125ac04fe3684ab2b80c10cee929d58bd8a51f9d7309af0fb1d1c6df4297c2a3a40187dc046885b92277

Download Submit
C:\Users\Admin\AppData\Local\LaF\SystemPropertiesAdvanced.exe
MD5
375b58f4fced878a37108c3e5ad9b20c

SHA1
8a05b43085e2ccf4ad1b041cabb4fe91498e98e5

SHA256
480aa5e419e066e1dd84ae98f07cca9e21e6b72e82f6fbc9b54bbbefbe2f79b9

SHA512
e803d80e72c17cde65190678389182188dd3035465598fd2a89c31f80518a6eda07be06373e133403dbcdb5f076ee4204c5d702524b12ccb6a2ba21e4c815441

Download Submit
C:\Users\Admin\AppData\Local\mUXfucn\WINBRAND.dll
MD5
8dd837e9a4582e9490c81835b48a0b29

SHA1
a1aef9e03e71b9370823882b53f40e82d449d0a9

SHA256
b40512fbdbd8d5c537ecb987748b74fda2140f8a0a28fd50540ef88bedccd8d5

SHA512
c42405717063019fe3a40ede8a9af00c3d0213eecfd8308f03adfe050b16ef09689c585125f28f689823adb59e4d184e4cee80b137be2f563b9fabd1a0ddaf5a

Download Submit
C:\Users\Admin\AppData\Local\mUXfucn\slui.exe
MD5
f162f859fb38a39f83c049f5480c11eb

SHA1
4090dacb56dbff6a5306e13ff5fa157eca4714a9

SHA256
67daef4a468f00305a44e41b369890fc0d6ed41c509432c6b1402caa1b09b7c5

SHA512
73a7ba851b560caf0a4150ff192c02bcac5475de2f265430e079ce1a20dc25b0f86873bc1dc4db0fc660031aa7c32d03a941ada8afc0bc91c63fb2e9ed8e0d80

Download Submit
C:\Users\Admin\AppData\Local\xhb\bcastdvr.exe
MD5
69de59576badcc33ae6bc927aa00a10c

SHA1
5af5b9196ea4e87c3a84cd079a39bdd7f17fc934

SHA256
957f7149ff06f72c3fae4ace1f3de5c96456fba4a558623c726f75ed4fe31234

SHA512
02d4df89a2221b435e490fe1f2e08ffacac1e59a4a631cfe05fe771d35f94a27030233b155bb02c80a74cc63f8f45913d0cd0add7802b1cdfc064e197f5fca90

Download Submit
C:\Users\Admin\AppData\Local\xhb\dxgi.dll
MD5
9e824f1a4b4aaa30b7b49545fddd6bd1

SHA1
ae6561d5d5b0daafb267a0321ae6960c6c1a656d

SHA256
9b8dd32fc7802f7b3327e1743ecc1f3b1a865ef9fb1f09afe954c90eb71b3a5b

SHA512
c86aa73f8a51d1f711c5fa0394cb4803413a3fb3ee2b368efe0c0738de557411f3e78344d208979987c7d500c6c3d8039700907e1d8a7fb29d2405fc18bf8bfa

Download Submit
\Users\Admin\AppData\Local\LaF\SYSDM.CPL
MD5
613e879465aca8d34cf95139bffbbcc9

SHA1
fe5dcec6bf1bf5141de2d8916cb73603f3f73cf2

SHA256
ce8afadbca996334bb99fd5d73e4994da0fbb25c35aa6d1b7b8052248fd3404d

SHA512
0c1564661136946bcd8d3b2d654a71494eddebc9677d125ac04fe3684ab2b80c10cee929d58bd8a51f9d7309af0fb1d1c6df4297c2a3a40187dc046885b92277

Download Submit
\Users\Admin\AppData\Local\mUXfucn\WINBRAND.dll
MD5
8dd837e9a4582e9490c81835b48a0b29

SHA1
a1aef9e03e71b9370823882b53f40e82d449d0a9

SHA256
b40512fbdbd8d5c537ecb987748b74fda2140f8a0a28fd50540ef88bedccd8d5

SHA512
c42405717063019fe3a40ede8a9af00c3d0213eecfd8308f03adfe050b16ef09689c585125f28f689823adb59e4d184e4cee80b137be2f563b9fabd1a0ddaf5a

Download Submit
\Users\Admin\AppData\Local\xhb\dxgi.dll
MD5
9e824f1a4b4aaa30b7b49545fddd6bd1

SHA1
ae6561d5d5b0daafb267a0321ae6960c6c1a656d

SHA256
9b8dd32fc7802f7b3327e1743ecc1f3b1a865ef9fb1f09afe954c90eb71b3a5b

SHA512
c86aa73f8a51d1f711c5fa0394cb4803413a3fb3ee2b368efe0c0738de557411f3e78344d208979987c7d500c6c3d8039700907e1d8a7fb29d2405fc18bf8bfa

Download Submit
memory/904-114-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/904-118-0x000002563E560000-0x000002563E567000-memory.dmp

Filesize
28KB

Download
memory/2644-141-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-146-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-126-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-125-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-127-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-128-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-129-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-130-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-131-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-132-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-133-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-134-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-135-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-137-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-136-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-139-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-138-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-123-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-140-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-142-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-143-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-144-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-145-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-124-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-147-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-148-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-149-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-150-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-152-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-151-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-153-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-154-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-155-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-156-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-157-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-165-0x00007FFAF7564560-0x00007FFAF7565560-memory.dmp

Filesize
4KB

Download
memory/2644-122-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-167-0x00007FFAF76A0000-0x00007FFAF76A2000-memory.dmp

Filesize
8KB

Download
memory/2644-119-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2644-120-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2644-121-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3568-177-0x0000000000000000-mapping.dmp

Download
memory/3928-172-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/3928-168-0x0000000000000000-mapping.dmp

Download
memory/4044-186-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads