dridex | 2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add

Analysis

max time kernel
151s
max time network
153s
platform
windows10_x64
resource
win10v20210408
submitted
28-09-2021 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add.dll
Size

2.0MB
MD5

24628d042b24ccca20dfc18374ee15c1
SHA1

0deb91aa0e4c63080d71db61bfed0c7a5fb967ca
SHA256

2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add
SHA512

dd3c8457810dc1f17d1ea38be7d8884a89fd668a1b8b3d3d41f221e3997ef434e23a716433e7b214503e10649dba4830a1bf648c5a8dd23ff494d49a6d10aa23

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2224-119-0x0000000000770000-0x0000000000771000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

xpsrchvw.exeSystemPropertiesDataExecutionPrevention.exemsinfo32.exe

pid process

68 xpsrchvw.exe
1360 SystemPropertiesDataExecutionPrevention.exe
2212 msinfo32.exe
Loads dropped DLL 3 IoCs

Processes:

xpsrchvw.exeSystemPropertiesDataExecutionPrevention.exemsinfo32.exe

pid process

68 xpsrchvw.exe
1360 SystemPropertiesDataExecutionPrevention.exe
2212 msinfo32.exe

pid	process
68	xpsrchvw.exe
1360	SystemPropertiesDataExecutionPrevention.exe
2212	msinfo32.exe

pid	process
68	xpsrchvw.exe
1360	SystemPropertiesDataExecutionPrevention.exe
2212	msinfo32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\NRrNrIgc\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exexpsrchvw.exeSystemPropertiesDataExecutionPrevention.exemsinfo32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2224

pid	process
2224

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224
Token: SeShutdownPrivilege	2224
Token: SeCreatePagefilePrivilege	2224

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

pid process

2224
2224
2224
2224
2224
2224
2224
2224
2224
2224
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

2224
2224

pid	process
2224
2224
2224
2224
2224
2224
2224
2224
2224
2224

pid	process
2224
2224

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2224 wrote to memory of 432	2224	xpsrchvw.exe
PID 2224 wrote to memory of 432	2224	xpsrchvw.exe
PID 2224 wrote to memory of 68	2224	xpsrchvw.exe
PID 2224 wrote to memory of 68	2224	xpsrchvw.exe
PID 2224 wrote to memory of 1308	2224	SystemPropertiesDataExecutionPrevention.exe
PID 2224 wrote to memory of 1308	2224	SystemPropertiesDataExecutionPrevention.exe
PID 2224 wrote to memory of 1360	2224	SystemPropertiesDataExecutionPrevention.exe
PID 2224 wrote to memory of 1360	2224	SystemPropertiesDataExecutionPrevention.exe
PID 2224 wrote to memory of 1776	2224	msinfo32.exe
PID 2224 wrote to memory of 1776	2224	msinfo32.exe
PID 2224 wrote to memory of 2212	2224	msinfo32.exe
PID 2224 wrote to memory of 2212	2224	msinfo32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c1cbd4e7a27c47468c2e806e5559c3680f1cd6497c33a65c0a565fe8bab1add.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:580

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:432

C:\Users\Admin\AppData\Local\kYTiR\xpsrchvw.exe
C:\Users\Admin\AppData\Local\kYTiR\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:68

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:1308

C:\Users\Admin\AppData\Local\1R0a6ZaI\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\1R0a6ZaI\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1360

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:1776

C:\Users\Admin\AppData\Local\T8TnC2qzx\msinfo32.exe
C:\Users\Admin\AppData\Local\T8TnC2qzx\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2212

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1R0a6ZaI\SYSDM.CPL
MD5
690fea3444fc52275d0770df544f4901

SHA1
81fd982692cc353e505b2f41dc4ea1b06ccae44e

SHA256
2aa196917bafbb99e97e6cbfdc32bc3fda1ff481113975b15965e68c5de93560

SHA512
c9b7c542464d71a49ca49b26467a6b982a09d964b27fe0a6c31a0c283a71bbe020502c2cc671e16d2f96d4b627de63ba38c3496120c1fcb81e078c48eff3bb0e

Download Submit
C:\Users\Admin\AppData\Local\1R0a6ZaI\SystemPropertiesDataExecutionPrevention.exe
MD5
4403602563fa270edfef477bed37c25f

SHA1
5179a5556d609192408d152c4070e90abadac723

SHA256
39b7b0b6c3ae14856c2509b9dc5322c2ba8d79bcf6bda10416467304897cf963

SHA512
2c6845dac6c3f1478b97e783da6244a2cd7dc5f4fb71d80348cb7b605cfa17376f258f76f30ad05f99653e05f84c25ec3a66e6988e4be4ce86d7cf503891a7ef

Download Submit
C:\Users\Admin\AppData\Local\T8TnC2qzx\SLC.dll
MD5
7eb87da0f647395d34c757c326ef6c59

SHA1
bdf855c0bc3575be9797cd3175dbd340490a4d8e

SHA256
ff6d68e648e2aa495de02f778a4b27ca1e794475369e1b8e9ecd3a16851ced97

SHA512
57719320978d4185eb859d65539d8fbb053445d7e54a5f350f79caef7d9ee2fe9e590cf97c9898e8613636be996face48c240207fd2361bf2d7088d1fc8ada03

Download Submit
C:\Users\Admin\AppData\Local\T8TnC2qzx\msinfo32.exe
MD5
255861c59cdfbf86c03560d39a92932a

SHA1
18353cb8a58d25ab62687b69fee44d007b994f19

SHA256
57aeba5f7f9de579f3c334e7e013114f6b2257b810b2fc8c1f96331ad1c4909c

SHA512
f695394f344f07036684dc4ba4ba011bc0b5b0b27898c82714cbd072c6218870234deb18044c00bf3fda618480e4e517cba50d577c228a63ee3e2676029e430b

Download Submit
C:\Users\Admin\AppData\Local\kYTiR\WINMM.dll
MD5
6ae39a984d465e5c0de4ebb6f03d7954

SHA1
5310408ac5e70ef325e83ad39cbe285c37b17a39

SHA256
4098db3110d1fd39b17d212b1e1f071e14c37594872457813db7112b9323874a

SHA512
647825677ec192549bdc0f6c911793b8ea856a5d638aa40c786c00c91271ec2259172094c6fc68b9f0b94c0b1ff0153217a8e92902c1cb87dd21a24571a98a2a

Download Submit
C:\Users\Admin\AppData\Local\kYTiR\xpsrchvw.exe
MD5
ca268b5a709c8fd984c1130919fcae5d

SHA1
9a7f22ce3341737257086a04f23c893830df2a93

SHA256
ded8b0ca8d89dda1ab809dc60a83abbbdb9cf0d9b477d98816525b4828cb4b44

SHA512
355104444345d09c3012524eaf1b56f1de6da34284e8b0ae8d3e1df0465df8d181f100bdac00d728fd57d6e6a67b6bca1257591007c7931f0ba9c433cc3ae0bc

Download Submit
\Users\Admin\AppData\Local\1R0a6ZaI\SYSDM.CPL
MD5
690fea3444fc52275d0770df544f4901

SHA1
81fd982692cc353e505b2f41dc4ea1b06ccae44e

SHA256
2aa196917bafbb99e97e6cbfdc32bc3fda1ff481113975b15965e68c5de93560

SHA512
c9b7c542464d71a49ca49b26467a6b982a09d964b27fe0a6c31a0c283a71bbe020502c2cc671e16d2f96d4b627de63ba38c3496120c1fcb81e078c48eff3bb0e

Download Submit
\Users\Admin\AppData\Local\T8TnC2qzx\SLC.dll
MD5
7eb87da0f647395d34c757c326ef6c59

SHA1
bdf855c0bc3575be9797cd3175dbd340490a4d8e

SHA256
ff6d68e648e2aa495de02f778a4b27ca1e794475369e1b8e9ecd3a16851ced97

SHA512
57719320978d4185eb859d65539d8fbb053445d7e54a5f350f79caef7d9ee2fe9e590cf97c9898e8613636be996face48c240207fd2361bf2d7088d1fc8ada03

Download Submit
\Users\Admin\AppData\Local\kYTiR\WINMM.dll
MD5
6ae39a984d465e5c0de4ebb6f03d7954

SHA1
5310408ac5e70ef325e83ad39cbe285c37b17a39

SHA256
4098db3110d1fd39b17d212b1e1f071e14c37594872457813db7112b9323874a

SHA512
647825677ec192549bdc0f6c911793b8ea856a5d638aa40c786c00c91271ec2259172094c6fc68b9f0b94c0b1ff0153217a8e92902c1cb87dd21a24571a98a2a

Download Submit
memory/68-171-0x0000000000000000-mapping.dmp

Download
memory/68-175-0x0000000140000000-0x000000014020C000-memory.dmp

Filesize
2.0MB

Download
memory/580-114-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/580-118-0x0000017B16400000-0x0000017B16407000-memory.dmp

Filesize
28KB

Download
memory/1360-180-0x0000000000000000-mapping.dmp

Download
memory/1360-184-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/2212-189-0x0000000000000000-mapping.dmp

Download
memory/2224-147-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-154-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-135-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-136-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-137-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-138-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-139-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-140-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-141-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-142-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-143-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-144-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-145-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-146-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-133-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-148-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-149-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-150-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-151-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-152-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-153-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-134-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-156-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-155-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-157-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-158-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-160-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-159-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-168-0x00007FFA2E834560-0x00007FFA2E835560-memory.dmp

Filesize
4KB

Download
memory/2224-170-0x00007FFA2E780000-0x00007FFA2E790000-memory.dmp

Filesize
64KB

Download
memory/2224-132-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-131-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-130-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-129-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-128-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-123-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-127-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-126-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-125-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-124-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-122-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-120-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-121-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2224-119-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads