dridex | 2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991

Analysis

max time kernel
156s
max time network
154s
platform
windows10_x64
resource
win10v20210408
submitted
28-09-2021 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991.dll
Size

2.2MB
MD5

31058530a762dc9f9bb34d28203f5314
SHA1

28c5d0fc080868ebb37050a565796f19a48eee87
SHA256

2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991
SHA512

25d0a92ea515cd45e6a9dac030e39a30e72a64cf7eb6473daa35ad7cf5bc9db272c7511bd2675907091a8f06993d15511c9d13bf1d60edbf221629c235e57282

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3032-119-0x0000000000E30000-0x0000000000E31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mfpmp.exeBdeUISrv.exeembeddedapplauncher.exe

pid process

1252 mfpmp.exe
2592 BdeUISrv.exe
2120 embeddedapplauncher.exe
Loads dropped DLL 3 IoCs

Processes:

mfpmp.exeBdeUISrv.exeembeddedapplauncher.exe

pid process

1252 mfpmp.exe
2592 BdeUISrv.exe
2120 embeddedapplauncher.exe

pid	process
1252	mfpmp.exe
2592	BdeUISrv.exe
2120	embeddedapplauncher.exe

pid	process
1252	mfpmp.exe
2592	BdeUISrv.exe
2120	embeddedapplauncher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\0P\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemfpmp.exeBdeUISrv.exeembeddedapplauncher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	embeddedapplauncher.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
396	rundll32.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032
Token: SeShutdownPrivilege	3032
Token: SeCreatePagefilePrivilege	3032

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

3032
3032
3032
3032
3032
3032
3032
3032

pid	process
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3032 wrote to memory of 3208	3032	mfpmp.exe
PID 3032 wrote to memory of 3208	3032	mfpmp.exe
PID 3032 wrote to memory of 1252	3032	mfpmp.exe
PID 3032 wrote to memory of 1252	3032	mfpmp.exe
PID 3032 wrote to memory of 3396	3032	BdeUISrv.exe
PID 3032 wrote to memory of 3396	3032	BdeUISrv.exe
PID 3032 wrote to memory of 2592	3032	BdeUISrv.exe
PID 3032 wrote to memory of 2592	3032	BdeUISrv.exe
PID 3032 wrote to memory of 656	3032	embeddedapplauncher.exe
PID 3032 wrote to memory of 656	3032	embeddedapplauncher.exe
PID 3032 wrote to memory of 2120	3032	embeddedapplauncher.exe
PID 3032 wrote to memory of 2120	3032	embeddedapplauncher.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:3208

C:\Users\Admin\AppData\Local\bdTm\mfpmp.exe
C:\Users\Admin\AppData\Local\bdTm\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1252

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:3396

C:\Users\Admin\AppData\Local\Hf4K2Bt\BdeUISrv.exe
C:\Users\Admin\AppData\Local\Hf4K2Bt\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2592

C:\Windows\system32\embeddedapplauncher.exe
C:\Windows\system32\embeddedapplauncher.exe
1⤵
PID:656

C:\Users\Admin\AppData\Local\DoXHtioxl\embeddedapplauncher.exe
C:\Users\Admin\AppData\Local\DoXHtioxl\embeddedapplauncher.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2120

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DoXHtioxl\WTSAPI32.dll
MD5
63b0a85a9054db29526dbe5b3c8e51aa

SHA1
094da0704d3a21ef2df7a2afcd1f99b44ee14d40

SHA256
f700a362cc32c9d176e88abb1443fb468f6fd53d7d57f2ca78438a5a8a72c757

SHA512
720ffdc298ea96be62a3e947c16fcebc8c796075a83b4c5cceca68008c934f0eaa803111faccc6fb497b5e75042c3eda79fe625085b882673f864dc53c248fec

Download Submit
C:\Users\Admin\AppData\Local\DoXHtioxl\embeddedapplauncher.exe
MD5
372475cd2d5658a529c83cbe159dd4ce

SHA1
be8496491da2bbb3f06bfdf4ffe80285a7f891d9

SHA256
708d78211be2333cab7658a99b02ae81014475973dea05d92115a8bc91965024

SHA512
88f138678d8f8aae8bc0ac429744f8aad4a76187c0dd4367c03d9ed21ae132edae0109849570d49b47918ccac6fe671a896f64ef723e4e275a723b2c6e050028

Download Submit
C:\Users\Admin\AppData\Local\Hf4K2Bt\BdeUISrv.exe
MD5
bbdabce7ba28eb67c325fa99125d56e0

SHA1
332ea58882149d629057e8a8004a48d1bb1d6180

SHA256
9c3fe14fc4ab8e385c3baae1d5a04a66c3ee645d278b182039fa45a6c99b4994

SHA512
fd3a22baac2689f8e009cb7845aa6ca7dd4a7ba4f1956758945cdd68dfc7045e4da62cf846a4a0b507d9be3753eb68b94fe375bf01dc698017b107ff26ebd93e

Download Submit
C:\Users\Admin\AppData\Local\Hf4K2Bt\WTSAPI32.dll
MD5
1f33326f3cc7ef0de63af0b49bedc75a

SHA1
d1103d58711f54627c56751a70693d54fcc16e3d

SHA256
53da3ab3f2004a162ceecdaee7cf7fe731e80976b080453caa96cafe153dcba9

SHA512
1f2eb93f1ef7edbf6da19407e604a9d7bce4078c8a969a7504af1eb963b833895c4fbee7cc75576f9252c851421c09525413acc9b4d59c3087e510318128fc04

Download Submit
C:\Users\Admin\AppData\Local\bdTm\MFPlat.DLL
MD5
34b9e5efedaa92261f9902293d45cd41

SHA1
f5f8d99584a1afb7a18c5278702cd532f328d842

SHA256
5c153d746c388a59498c361fe3c2bef719bfce60a05b07ffec29fc4db7bca7cc

SHA512
0a04d2a66898df2c2a763d9f73db2d6b1dc41d7d8cc19ecd4b4b37bc69e69c7ebc1a8e8e2f4f414f6b39fcf5bb718f880d6c4427a7b4728da60ecda17b0dd0b6

Download Submit
C:\Users\Admin\AppData\Local\bdTm\mfpmp.exe
MD5
0a51780965f4a75557ac6b1a710a7c7b

SHA1
30e7be939ada607cbafd07261da463396878f4f5

SHA256
45b8b316c617f703af064aafab9a35c465d5f7835b758995e82ac0dedbaad037

SHA512
e62c2252b66809cca9e7f625392ef09891eba1eec3c210798684a9c71a9c5315598ca259c8ebd09af5d8aaf94261fca91f30bd0dd22a917d5287e9443ae18326

Download Submit
\Users\Admin\AppData\Local\DoXHtioxl\WTSAPI32.dll
MD5
63b0a85a9054db29526dbe5b3c8e51aa

SHA1
094da0704d3a21ef2df7a2afcd1f99b44ee14d40

SHA256
f700a362cc32c9d176e88abb1443fb468f6fd53d7d57f2ca78438a5a8a72c757

SHA512
720ffdc298ea96be62a3e947c16fcebc8c796075a83b4c5cceca68008c934f0eaa803111faccc6fb497b5e75042c3eda79fe625085b882673f864dc53c248fec

Download Submit
\Users\Admin\AppData\Local\Hf4K2Bt\WTSAPI32.dll
MD5
1f33326f3cc7ef0de63af0b49bedc75a

SHA1
d1103d58711f54627c56751a70693d54fcc16e3d

SHA256
53da3ab3f2004a162ceecdaee7cf7fe731e80976b080453caa96cafe153dcba9

SHA512
1f2eb93f1ef7edbf6da19407e604a9d7bce4078c8a969a7504af1eb963b833895c4fbee7cc75576f9252c851421c09525413acc9b4d59c3087e510318128fc04

Download Submit
\Users\Admin\AppData\Local\bdTm\MFPlat.DLL
MD5
34b9e5efedaa92261f9902293d45cd41

SHA1
f5f8d99584a1afb7a18c5278702cd532f328d842

SHA256
5c153d746c388a59498c361fe3c2bef719bfce60a05b07ffec29fc4db7bca7cc

SHA512
0a04d2a66898df2c2a763d9f73db2d6b1dc41d7d8cc19ecd4b4b37bc69e69c7ebc1a8e8e2f4f414f6b39fcf5bb718f880d6c4427a7b4728da60ecda17b0dd0b6

Download Submit
memory/396-118-0x00000251CD880000-0x00000251CD887000-memory.dmp

Filesize
28KB

Download
memory/396-114-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/1252-184-0x0000000140000000-0x000000014023F000-memory.dmp

Filesize
2.2MB

Download
memory/1252-178-0x0000000000000000-mapping.dmp

Download
memory/2120-197-0x0000000000000000-mapping.dmp

Download
memory/2592-192-0x0000000140000000-0x000000014023E000-memory.dmp

Filesize
2.2MB

Download
memory/2592-188-0x0000000000000000-mapping.dmp

Download
memory/3032-144-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-153-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-130-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-131-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-132-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-133-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-134-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-136-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-135-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-137-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-138-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-139-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-140-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-141-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-142-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-143-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-128-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-146-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-145-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-147-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-148-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-149-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-150-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-151-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-152-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-129-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-155-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-154-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-156-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-157-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-158-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-159-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-161-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-160-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-162-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-163-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-164-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-127-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-126-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-125-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-124-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-122-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-123-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-121-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-120-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-119-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3032-165-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-166-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-167-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3032-175-0x00007FFFB9C44560-0x00007FFFB9C45560-memory.dmp

Filesize
4KB

Download
memory/3032-177-0x00007FFFB9D80000-0x00007FFFB9D82000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads