dridex | 96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9

Analysis

max time kernel
152s
max time network
146s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9.dll
Size

2.1MB
MD5

f8295446e335b679641637334c99242d
SHA1

18b9a40791f1a52c70507b29d0b631510f2e33c6
SHA256

96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9
SHA512

82b140666adcf81d786ef650a4eeae44a133c23593e2ccb14a1bd0b262084dd937d2fe6546fd691ba859b376becbfc4f18e57459d8e9e6b2e20654cc227fd1b7

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3028-120-0x0000000000E70000-0x0000000000E71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

LockScreenContentServer.exemsra.exewscript.exe

pid process

1120 LockScreenContentServer.exe
3068 msra.exe
4068 wscript.exe

pid	process
1120	LockScreenContentServer.exe
3068	msra.exe
4068	wscript.exe

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tWYb6
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tWYb6\DUI70.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\tWYb6\LockScreenContentServer.exe

Loads dropped DLL 3 IoCs

Processes:

LockScreenContentServer.exemsra.exewscript.exe

pid process

1120 LockScreenContentServer.exe
3068 msra.exe
4068 wscript.exe

pid	process
1120	LockScreenContentServer.exe
3068	msra.exe
4068	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Spelling\\en-US\\GIAxWR\\msra.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeLockScreenContentServer.exemsra.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
2060	rundll32.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028

pid	process
3028

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 944	3028	LockScreenContentServer.exe
PID 3028 wrote to memory of 944	3028	LockScreenContentServer.exe
PID 3028 wrote to memory of 1120	3028	LockScreenContentServer.exe
PID 3028 wrote to memory of 1120	3028	LockScreenContentServer.exe
PID 3028 wrote to memory of 3184	3028	msra.exe
PID 3028 wrote to memory of 3184	3028	msra.exe
PID 3028 wrote to memory of 3068	3028	msra.exe
PID 3028 wrote to memory of 3068	3028	msra.exe
PID 3028 wrote to memory of 3536	3028	wscript.exe
PID 3028 wrote to memory of 3536	3028	wscript.exe
PID 3028 wrote to memory of 4068	3028	wscript.exe
PID 3028 wrote to memory of 4068	3028	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:944

C:\Users\Admin\AppData\Local\KUa9\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\KUa9\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1120

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:3184

C:\Users\Admin\AppData\Local\9Tq\msra.exe
C:\Users\Admin\AppData\Local\9Tq\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3068

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:3536

C:\Users\Admin\AppData\Local\YufE0dczo\wscript.exe
C:\Users\Admin\AppData\Local\YufE0dczo\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9Tq\UxTheme.dll
MD5
9f1e8706fc12185337e4cc3fe774a084

SHA1
ec49b31c0f0e0b22cd1ddc0877cfc37b8448cfae

SHA256
e43f767a3f9a81649606a26b55cb1c7cb3f06324d43d89aa3402c7ee410d04b0

SHA512
51b93f3507effd21b1a8d37f633d75da18489f734239d8a0cf78ea2aafaa79552fbc6ec9cb54618f6f248afd3081d6d6aeb7180fb340b7178ddfa9946475a88e

Download Submit
C:\Users\Admin\AppData\Local\9Tq\msra.exe
MD5
b00eb640229462c7080dc17e5805dfc9

SHA1
28b438b47d145b17c94cbec39b204ced6eccb5f1

SHA256
529378155b8aa91ff47d1f015c96a373fdb12acef3811d2f8a7e3dff67fded3b

SHA512
e962f71be1f25787710b8cb92453bcc19ff38921d01b2c892a4c61bfa09959377a73a95a02c0a62b1c93aaef7d9b4a43c196ca76ac7c7327abe85340bf94b6d2

Download Submit
C:\Users\Admin\AppData\Local\KUa9\DUI70.dll
MD5
29ad5071e5d846f9ab05d0248f65bc04

SHA1
22238928c5ceceb5ef2c037ca7771b760a204109

SHA256
d086634c2f93f0b071e90c4f9ccee14bd9d438e442db8233373178ab6e8b794d

SHA512
fb8f15f82f513efd3470fe843c564f23cd5ef241679cb2cdccc6884c042846ee245e50978776a1faf9d39d09c2f844a2e1af48c01639119106ef5c876028a099

Download Submit
C:\Users\Admin\AppData\Local\KUa9\LockScreenContentServer.exe
MD5
583914a93db0413668eadd743fd5fb1c

SHA1
8b95be0ad348f0aabfcceac3148109ef12e8a978

SHA256
ec09ee1b2bb981335ea9db3ac031fbbc3ed74f9294d734a5799fb0d75e423583

SHA512
2f5c22cc3f557c65c876e8a943c7b3dec92d5c0b5219ab2410a334f42e442ef08d0c7b1c5c0797b83a17578a25ce70aa631a15be7ec6a6ea8a8d865dca0b9cd4

Download Submit
C:\Users\Admin\AppData\Local\YufE0dczo\VERSION.dll
MD5
39904b04c6f7833435958251f14aa017

SHA1
543226d9e7f4af24b69b976a77e419b1bd0d796c

SHA256
0109096c348244e89440504cc0034396827dbeb52ff8489e6d129e1cc618661e

SHA512
60f4eba555e64a2a9c02ac5b2c1e65dec9292fab6fbb7ec5b2095e8442ea9ec86b66261cedad6fd07d21737f9e35cd341ae71c408da0c7803c615c25bd99beab

Download Submit
C:\Users\Admin\AppData\Local\YufE0dczo\wscript.exe
MD5
dd97f7527d1536afbff5bced8508661f

SHA1
c7e44c13ec4ca775630932c54afe1d5c9a0fe631

SHA256
c08432dc60c9ef7b12a41b0c73e6d716c220b4e9a4eda45c9072d1c81d910c55

SHA512
f06127f72fb5daae836644beb61e9d800db4a1915be9bebf8a6de7b3221135fe759d51b0ffddc5783acb50ca71d08996174fb4983c207727265ee63dd4487f37

Download Submit
\Users\Admin\AppData\Local\9Tq\UxTheme.dll
MD5
9f1e8706fc12185337e4cc3fe774a084

SHA1
ec49b31c0f0e0b22cd1ddc0877cfc37b8448cfae

SHA256
e43f767a3f9a81649606a26b55cb1c7cb3f06324d43d89aa3402c7ee410d04b0

SHA512
51b93f3507effd21b1a8d37f633d75da18489f734239d8a0cf78ea2aafaa79552fbc6ec9cb54618f6f248afd3081d6d6aeb7180fb340b7178ddfa9946475a88e

Download Submit
\Users\Admin\AppData\Local\KUa9\DUI70.dll
MD5
29ad5071e5d846f9ab05d0248f65bc04

SHA1
22238928c5ceceb5ef2c037ca7771b760a204109

SHA256
d086634c2f93f0b071e90c4f9ccee14bd9d438e442db8233373178ab6e8b794d

SHA512
fb8f15f82f513efd3470fe843c564f23cd5ef241679cb2cdccc6884c042846ee245e50978776a1faf9d39d09c2f844a2e1af48c01639119106ef5c876028a099

Download Submit
\Users\Admin\AppData\Local\YufE0dczo\VERSION.dll
MD5
39904b04c6f7833435958251f14aa017

SHA1
543226d9e7f4af24b69b976a77e419b1bd0d796c

SHA256
0109096c348244e89440504cc0034396827dbeb52ff8489e6d129e1cc618661e

SHA512
60f4eba555e64a2a9c02ac5b2c1e65dec9292fab6fbb7ec5b2095e8442ea9ec86b66261cedad6fd07d21737f9e35cd341ae71c408da0c7803c615c25bd99beab

Download Submit
memory/1120-187-0x0000000000000000-mapping.dmp

Download
memory/2060-115-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2060-119-0x000001D4CFB70000-0x000001D4CFB77000-memory.dmp

Filesize
28KB

Download
memory/3028-149-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-154-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-123-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-128-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-129-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-130-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-131-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-132-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-133-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-134-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-135-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-136-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-137-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-138-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-139-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-140-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-142-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-141-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-143-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-144-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-145-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-146-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-147-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-148-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-126-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-150-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-151-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-152-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-153-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-127-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-155-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-156-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-157-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-159-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-158-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-160-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-161-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-162-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-163-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-164-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-165-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-166-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-167-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-168-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-169-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-170-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-171-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-172-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-173-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-175-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-176-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-174-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-186-0x00007FFED63C0000-0x00007FFED63D0000-memory.dmp

Filesize
64KB

Download
memory/3028-120-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3028-125-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-124-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-122-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3028-121-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3068-196-0x0000000000000000-mapping.dmp

Download
memory/4068-205-0x0000000000000000-mapping.dmp

Download