dridex | eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d

Analysis

max time kernel
156s
max time network
60s
platform
windows7_x64
resource
win7v20210408
submitted
28-09-2021 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d.dll
Size

2.1MB
MD5

5edd6ba336c4de29f55cadfd2167a67e
SHA1

af181a8f3fe25a515a8fe2a02559e5daceecf976
SHA256

eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d
SHA512

01b133fad6f564e6736d5f7297284da9aa8cc67a1c28a57b7b7eb1989ee049318377df85fbbeda9f777c0d955f07706743dc2becc3994bf9727a8d040067f5d5

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-63-0x0000000001C90000-0x0000000001C91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

fveprompt.exePresentationSettings.exelpksetup.exe

pid process

572 fveprompt.exe
1428 PresentationSettings.exe
1984 lpksetup.exe
Loads dropped DLL 7 IoCs

Processes:

fveprompt.exePresentationSettings.exelpksetup.exe

pid process

1196
572 fveprompt.exe
1196
1428 PresentationSettings.exe
1196
1984 lpksetup.exe
1196

pid	process
572	fveprompt.exe
1428	PresentationSettings.exe
1984	lpksetup.exe

pid	process
1196
572	fveprompt.exe
1196
1428	PresentationSettings.exe
1196
1984	lpksetup.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\jG26T\\PRESEN~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exefveprompt.exePresentationSettings.exelpksetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1292	rundll32.exe
1292	rundll32.exe
1292	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1196
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1196
1196
1196
1196
1196
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1196
1196
1196
1196
1196
1196

pid	process
1196

pid	process
1196
1196
1196
1196
1196

pid	process
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 1632	1196	fveprompt.exe
PID 1196 wrote to memory of 1632	1196	fveprompt.exe
PID 1196 wrote to memory of 1632	1196	fveprompt.exe
PID 1196 wrote to memory of 572	1196	fveprompt.exe
PID 1196 wrote to memory of 572	1196	fveprompt.exe
PID 1196 wrote to memory of 572	1196	fveprompt.exe
PID 1196 wrote to memory of 632	1196	PresentationSettings.exe
PID 1196 wrote to memory of 632	1196	PresentationSettings.exe
PID 1196 wrote to memory of 632	1196	PresentationSettings.exe
PID 1196 wrote to memory of 1428	1196	PresentationSettings.exe
PID 1196 wrote to memory of 1428	1196	PresentationSettings.exe
PID 1196 wrote to memory of 1428	1196	PresentationSettings.exe
PID 1196 wrote to memory of 1996	1196	lpksetup.exe
PID 1196 wrote to memory of 1996	1196	lpksetup.exe
PID 1196 wrote to memory of 1996	1196	lpksetup.exe
PID 1196 wrote to memory of 1984	1196	lpksetup.exe
PID 1196 wrote to memory of 1984	1196	lpksetup.exe
PID 1196 wrote to memory of 1984	1196	lpksetup.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:1632

C:\Users\Admin\AppData\Local\fybA2a51V\fveprompt.exe
C:\Users\Admin\AppData\Local\fybA2a51V\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:572

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:632

C:\Users\Admin\AppData\Local\PIR2IKT\PresentationSettings.exe
C:\Users\Admin\AppData\Local\PIR2IKT\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1428

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1996

C:\Users\Admin\AppData\Local\ps5wbHnpH\lpksetup.exe
C:\Users\Admin\AppData\Local\ps5wbHnpH\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PIR2IKT\PresentationSettings.exe
MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
C:\Users\Admin\AppData\Local\PIR2IKT\Secur32.dll
MD5
ab4dea22545c8014044a03508116cfa5

SHA1
cb6ddfddbb391ae020908f2a327bb87ceed5be60

SHA256
c3e374d89e25d9d045ff5c394245bc055e175da9f06033c8af354f4c4579f5bf

SHA512
abaddc9a2e2d7895c64b949b9bfdaa7f99a6eb5d867f02382a31d4ac63bd9ef0b04cb6da96f9b66c435155fb7bc1d151e5796d0c82565db88d92a19747a61268

Download Submit
C:\Users\Admin\AppData\Local\fybA2a51V\fveprompt.exe
MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
C:\Users\Admin\AppData\Local\fybA2a51V\slc.dll
MD5
8d80510f51baf049b41dab002f6512e7

SHA1
a4159eb2f3be17b1f8dc01b4b2aec1cee83b38cd

SHA256
e5a31d62378376099700aa01693597f0fbfd45f637f5013a77d8469ebfacd226

SHA512
ab5ad4a9641b897609acbaa4244a20d3db96fddab8f608409b81194ffd82860e03cce95b2c174f6fdb6c120e19f50eae387fbfd7cfc27d2f4e36855f33e19e8d

Download Submit
C:\Users\Admin\AppData\Local\ps5wbHnpH\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
C:\Users\Admin\AppData\Local\ps5wbHnpH\slc.dll
MD5
846049ef413a7d5291ab5f4b0d847e5a

SHA1
ddc5207d0823d8fbc1ed544e93359ed73d95810a

SHA256
b2da0ae534108b563ad03203608819bdfc8b870d6c5d9f2c501b34b4d4c1cbb6

SHA512
7f0b9732100ec5dc31b3a0ef8b9bbcbd4d6ea24798aa5109defd34de8537e987543b41afe9bed7e0924e05d59fc2f8947760fef5cccae64e40e6d7865097d848

Download Submit
\Users\Admin\AppData\Local\PIR2IKT\PresentationSettings.exe
MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\PIR2IKT\Secur32.dll
MD5
ab4dea22545c8014044a03508116cfa5

SHA1
cb6ddfddbb391ae020908f2a327bb87ceed5be60

SHA256
c3e374d89e25d9d045ff5c394245bc055e175da9f06033c8af354f4c4579f5bf

SHA512
abaddc9a2e2d7895c64b949b9bfdaa7f99a6eb5d867f02382a31d4ac63bd9ef0b04cb6da96f9b66c435155fb7bc1d151e5796d0c82565db88d92a19747a61268

Download Submit
\Users\Admin\AppData\Local\fybA2a51V\fveprompt.exe
MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\fybA2a51V\slc.dll
MD5
8d80510f51baf049b41dab002f6512e7

SHA1
a4159eb2f3be17b1f8dc01b4b2aec1cee83b38cd

SHA256
e5a31d62378376099700aa01693597f0fbfd45f637f5013a77d8469ebfacd226

SHA512
ab5ad4a9641b897609acbaa4244a20d3db96fddab8f608409b81194ffd82860e03cce95b2c174f6fdb6c120e19f50eae387fbfd7cfc27d2f4e36855f33e19e8d

Download Submit
\Users\Admin\AppData\Local\ps5wbHnpH\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\ps5wbHnpH\slc.dll
MD5
846049ef413a7d5291ab5f4b0d847e5a

SHA1
ddc5207d0823d8fbc1ed544e93359ed73d95810a

SHA256
b2da0ae534108b563ad03203608819bdfc8b870d6c5d9f2c501b34b4d4c1cbb6

SHA512
7f0b9732100ec5dc31b3a0ef8b9bbcbd4d6ea24798aa5109defd34de8537e987543b41afe9bed7e0924e05d59fc2f8947760fef5cccae64e40e6d7865097d848

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\EZ\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
memory/572-122-0x0000000140000000-0x0000000140212000-memory.dmp

Filesize
2.1MB

Download
memory/572-119-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/572-117-0x0000000000000000-mapping.dmp

Download
memory/1196-78-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-84-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-79-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-80-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-81-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-82-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-88-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-97-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-96-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-95-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-94-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-93-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-92-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-91-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-90-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-89-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-87-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-98-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-103-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-102-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-101-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-100-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-99-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-86-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-85-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-63-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/1196-83-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-104-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-106-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-105-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-109-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-108-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-107-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-115-0x0000000077CC0000-0x0000000077CC2000-memory.dmp

Filesize
8KB

Download
memory/1196-77-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-71-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-72-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/1196-76-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-75-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-74-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-73-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-69-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-70-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-68-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-64-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-65-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-66-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1196-67-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1292-60-0x0000000140000000-0x0000000140211000-memory.dmp

Filesize
2.1MB

Download
memory/1292-62-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/1428-125-0x0000000000000000-mapping.dmp

Download
memory/1984-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads