dridex | 2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991

Analysis

max time kernel
151s
max time network
130s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-09-2021 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991.dll
Size

2.2MB
MD5

31058530a762dc9f9bb34d28203f5314
SHA1

28c5d0fc080868ebb37050a565796f19a48eee87
SHA256

2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991
SHA512

25d0a92ea515cd45e6a9dac030e39a30e72a64cf7eb6473daa35ad7cf5bc9db272c7511bd2675907091a8f06993d15511c9d13bf1d60edbf221629c235e57282

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1384-56-0x00000000025B0000-0x00000000025B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ComputerDefaults.exeBitLockerWizard.exedwm.exe

pid process

1076 ComputerDefaults.exe
748 BitLockerWizard.exe
1828 dwm.exe
Loads dropped DLL 7 IoCs

Processes:

ComputerDefaults.exeBitLockerWizard.exedwm.exe

pid process

1384
1076 ComputerDefaults.exe
1384
748 BitLockerWizard.exe
1384
1828 dwm.exe
1384

pid	process
1076	ComputerDefaults.exe
748	BitLockerWizard.exe
1828	dwm.exe

pid	process
1384
1076	ComputerDefaults.exe
1384
748	BitLockerWizard.exe
1384
1828	dwm.exe
1384

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3456797065-1076791440-4146276586-1000\\7dkZMle\\BitLockerWizard.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeComputerDefaults.exeBitLockerWizard.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2012	rundll32.exe
2012	rundll32.exe
2012	rundll32.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1384
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1384
1384
1384
1384
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1384
1384
1384
1384
1384
1384

pid	process
1384

pid	process
1384
1384
1384
1384

pid	process
1384
1384
1384
1384
1384
1384

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1384 wrote to memory of 1176	1384	ComputerDefaults.exe
PID 1384 wrote to memory of 1176	1384	ComputerDefaults.exe
PID 1384 wrote to memory of 1176	1384	ComputerDefaults.exe
PID 1384 wrote to memory of 1076	1384	ComputerDefaults.exe
PID 1384 wrote to memory of 1076	1384	ComputerDefaults.exe
PID 1384 wrote to memory of 1076	1384	ComputerDefaults.exe
PID 1384 wrote to memory of 676	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 676	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 676	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 748	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 748	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 748	1384	BitLockerWizard.exe
PID 1384 wrote to memory of 1052	1384	dwm.exe
PID 1384 wrote to memory of 1052	1384	dwm.exe
PID 1384 wrote to memory of 1052	1384	dwm.exe
PID 1384 wrote to memory of 1828	1384	dwm.exe
PID 1384 wrote to memory of 1828	1384	dwm.exe
PID 1384 wrote to memory of 1828	1384	dwm.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:1176

C:\Users\Admin\AppData\Local\GrE8tIOBu\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\GrE8tIOBu\ComputerDefaults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1076

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:676

C:\Users\Admin\AppData\Local\sfMmTvhO\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\sfMmTvhO\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:748

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:1052

C:\Users\Admin\AppData\Local\a0CmcYQNE\dwm.exe
C:\Users\Admin\AppData\Local\a0CmcYQNE\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GrE8tIOBu\ComputerDefaults.exe
MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
C:\Users\Admin\AppData\Local\GrE8tIOBu\appwiz.cpl
MD5
bf2ae63e7811c86756d2b8675d8c776f

SHA1
fa837d1ef17bf92e3e97b70a663890d3abc713e7

SHA256
48dfa8b8c70f9844bd0ef2ad69805c30ccf1247eaffb9cac46e74f8cd8938146

SHA512
8a48b69a9b7a316b028ce9143d4b5561845f9e03b96c37437d7682a54211a2ae3996e2accc8101fd4fe9fc34e7671c63f4d3a36b4e37d5efbf73465c6f3d510c

Download Submit
C:\Users\Admin\AppData\Local\a0CmcYQNE\UxTheme.dll
MD5
0e1fb6537f292e756f503e8d2c95a806

SHA1
e135bbaad9127fbbbec1ceed5a26e89cdb18db4f

SHA256
2df36fca640ab0f354b190820358082bf1fd107831f3da7de9933b2ea96f1dac

SHA512
b450b053bea5d8a860a55b3d3cf61a4779c397421b0ed708b86487c6310ed876b8c0367cafa053966cd638256b3a66329b8c635c607c9449884a4a0283730833

Download Submit
C:\Users\Admin\AppData\Local\a0CmcYQNE\dwm.exe
MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
C:\Users\Admin\AppData\Local\sfMmTvhO\BitLockerWizard.exe
MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
C:\Users\Admin\AppData\Local\sfMmTvhO\FVEWIZ.dll
MD5
3f00c28078f312b325d476f0ef8ce994

SHA1
17b3631fbd8619009c90452b6da71bdaaee1e563

SHA256
503b00becb9f271f0548520ea478a3ce09ce1393d102b25631fb84229cef53ea

SHA512
20c87cfe20b8b15eb123ea370146e6c89bfdef6782cde963818ce55c0a72fe85e7e32b25a666c377c92b7b92fc2fe42db0b92c01b07bab3864f8f0b9ba510a0b

Download Submit
\Users\Admin\AppData\Local\GrE8tIOBu\ComputerDefaults.exe
MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
\Users\Admin\AppData\Local\GrE8tIOBu\appwiz.cpl
MD5
bf2ae63e7811c86756d2b8675d8c776f

SHA1
fa837d1ef17bf92e3e97b70a663890d3abc713e7

SHA256
48dfa8b8c70f9844bd0ef2ad69805c30ccf1247eaffb9cac46e74f8cd8938146

SHA512
8a48b69a9b7a316b028ce9143d4b5561845f9e03b96c37437d7682a54211a2ae3996e2accc8101fd4fe9fc34e7671c63f4d3a36b4e37d5efbf73465c6f3d510c

Download Submit
\Users\Admin\AppData\Local\a0CmcYQNE\UxTheme.dll
MD5
0e1fb6537f292e756f503e8d2c95a806

SHA1
e135bbaad9127fbbbec1ceed5a26e89cdb18db4f

SHA256
2df36fca640ab0f354b190820358082bf1fd107831f3da7de9933b2ea96f1dac

SHA512
b450b053bea5d8a860a55b3d3cf61a4779c397421b0ed708b86487c6310ed876b8c0367cafa053966cd638256b3a66329b8c635c607c9449884a4a0283730833

Download Submit
\Users\Admin\AppData\Local\a0CmcYQNE\dwm.exe
MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\sfMmTvhO\BitLockerWizard.exe
MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
\Users\Admin\AppData\Local\sfMmTvhO\FVEWIZ.dll
MD5
3f00c28078f312b325d476f0ef8ce994

SHA1
17b3631fbd8619009c90452b6da71bdaaee1e563

SHA256
503b00becb9f271f0548520ea478a3ce09ce1393d102b25631fb84229cef53ea

SHA512
20c87cfe20b8b15eb123ea370146e6c89bfdef6782cde963818ce55c0a72fe85e7e32b25a666c377c92b7b92fc2fe42db0b92c01b07bab3864f8f0b9ba510a0b

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\0nh59xr\dwm.exe
MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
memory/748-119-0x0000000000000000-mapping.dmp

Download
memory/1076-116-0x0000000140000000-0x000000014023E000-memory.dmp

Filesize
2.2MB

Download
memory/1076-112-0x0000000000000000-mapping.dmp

Download
memory/1384-90-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-101-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-73-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-59-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-74-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-75-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-77-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-79-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-80-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-81-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-82-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-78-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-83-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-84-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-85-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-86-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-87-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-88-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-56-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1384-91-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-92-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-95-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-97-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-99-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-100-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-103-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-104-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-72-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-102-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-98-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-96-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-93-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-94-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-89-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-76-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-110-0x00000000773C0000-0x00000000773C2000-memory.dmp

Filesize
8KB

Download
memory/1384-71-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-60-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-70-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-64-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-68-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-69-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-67-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-66-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-65-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-63-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-62-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-57-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-61-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1384-58-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1828-126-0x0000000000000000-mapping.dmp

Download
memory/2012-53-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/2012-55-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads