dridex | d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca

Analysis

max time kernel
154s
max time network
129s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca.dll
Size

2.0MB
MD5

8a6f4fe59b41d74501e04f1b451dc57d
SHA1

064f5eca3efd02c5f40a8c9e7fedb86aa40eeed0
SHA256

d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca
SHA512

4dfb736dc4e967f964d4a8eac22808fd7249fe39500752bf8b2cc9c197107bc6347ba7da07f20dda47b7d7bd14217792a81222e60f7d648918a93f222ab8084c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2888-120-0x0000000001000000-0x0000000001001000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

slui.exesdclt.exebdechangepin.exe

pid process

4452 slui.exe
4480 sdclt.exe
4572 bdechangepin.exe
Loads dropped DLL 3 IoCs

Processes:

slui.exesdclt.exebdechangepin.exe

pid process

4452 slui.exe
4480 sdclt.exe
4572 bdechangepin.exe

pid	process
4452	slui.exe
4480	sdclt.exe
4572	bdechangepin.exe

pid	process
4452	slui.exe
4480	sdclt.exe
4572	bdechangepin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\gq1WWre\\sdclt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeslui.exesdclt.exebdechangepin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
3704	rundll32.exe
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2888

pid	process
2888

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2888 wrote to memory of 4392	2888	slui.exe
PID 2888 wrote to memory of 4392	2888	slui.exe
PID 2888 wrote to memory of 4452	2888	slui.exe
PID 2888 wrote to memory of 4452	2888	slui.exe
PID 2888 wrote to memory of 4384	2888	sdclt.exe
PID 2888 wrote to memory of 4384	2888	sdclt.exe
PID 2888 wrote to memory of 4480	2888	sdclt.exe
PID 2888 wrote to memory of 4480	2888	sdclt.exe
PID 2888 wrote to memory of 4588	2888	bdechangepin.exe
PID 2888 wrote to memory of 4588	2888	bdechangepin.exe
PID 2888 wrote to memory of 4572	2888	bdechangepin.exe
PID 2888 wrote to memory of 4572	2888	bdechangepin.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:4392

C:\Users\Admin\AppData\Local\6dqyHQsL\slui.exe
C:\Users\Admin\AppData\Local\6dqyHQsL\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4452

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:4384

C:\Users\Admin\AppData\Local\Cuqiv\sdclt.exe
C:\Users\Admin\AppData\Local\Cuqiv\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4480

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:4588

C:\Users\Admin\AppData\Local\UBkwDVRQs\bdechangepin.exe
C:\Users\Admin\AppData\Local\UBkwDVRQs\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6dqyHQsL\WINBRAND.dll
MD5
099b53cd5e8e938571948cefdbfb9da5

SHA1
dbbbcc975a04fa2e49644d2b9fa6caea723ce572

SHA256
32d78d35a4af34305d6da62e1674d3cafef7069eb80ee73c32f14f4170401e82

SHA512
f9572223f2460843eea8e6f0bfaa4bdf3006bd7c6f3af62ffde0af40e79aed6240ea38a5983d33a2ae90fc6b4311a33c042a3cbe294a1103ed6b6515bd7efb53

Download Submit
C:\Users\Admin\AppData\Local\6dqyHQsL\slui.exe
MD5
f162f859fb38a39f83c049f5480c11eb

SHA1
4090dacb56dbff6a5306e13ff5fa157eca4714a9

SHA256
67daef4a468f00305a44e41b369890fc0d6ed41c509432c6b1402caa1b09b7c5

SHA512
73a7ba851b560caf0a4150ff192c02bcac5475de2f265430e079ce1a20dc25b0f86873bc1dc4db0fc660031aa7c32d03a941ada8afc0bc91c63fb2e9ed8e0d80

Download Submit
C:\Users\Admin\AppData\Local\Cuqiv\WTSAPI32.dll
MD5
f9364298d67bd12c48f21ce2f2b1d775

SHA1
c49679e2a359db0d40933b3de0131ff9cc237a02

SHA256
1d36c4671f90ae918abe62492baa4da018e32e8cf198102d4848f453c6f194e2

SHA512
b29675e90acc3ea3e82ba0e4785c5e9629ae1169bf050649283c8da3cdf0e1fc70b6bf173fdea81b31a496506736b6cb5ea8d990096e6d354ab44bd90083eff3

Download Submit
C:\Users\Admin\AppData\Local\Cuqiv\sdclt.exe
MD5
d583261d1da3e49fa34d0ed9fc550173

SHA1
64d55723f6fec895c7e8b50f42a815b125ce0b29

SHA256
8577ef50c0dd969617fa313ebd927d6e4ca2faae24fa4516f643328a967c5e6a

SHA512
77aceaf9992b40c859c95d6ee6d6b31c06add7a1227f8e2d1fc49245163a8ffdbf347bfdb0cffb400a9550b715cede3941e4c3f0499d0942dc5f7853db5cd0b5

Download Submit
C:\Users\Admin\AppData\Local\UBkwDVRQs\DUI70.dll
MD5
cdbf3a7ea1578c76819c7a299f4e0f3b

SHA1
2a3fb82813677f68ba3267b81ae499769f7f807e

SHA256
c1dc1e07adb40f205b695a47ecfa33acd3617bc800b65803b0d9903b599b9afc

SHA512
8afe3b9790775ff69e2ac64bcb3cb64480090e1e68e0915eb2421b2e992f6c3a3f4a4b78c0fc515d0bd69fd03e4d150e23e9cfedb7384022ea7e9ebc41095e42

Download Submit
C:\Users\Admin\AppData\Local\UBkwDVRQs\bdechangepin.exe
MD5
c1c59d7307da404788e5a4294f671213

SHA1
d7d7d2b898c072ecd1fa1207dfa6277b1b328af8

SHA256
dc5078956ac057a7560285440fbb315db6f2718c1fc6bd88d50b1e49f8f8ad1b

SHA512
d138e672a81f9b957c96d9c236bb6dc5141ebb1c19b1446c7ace1a10bc6522c527a27d969a990fafdae04c03bfe5c664b955d9ac2aa3c8dfc3e282ad81693989

Download Submit
\Users\Admin\AppData\Local\6dqyHQsL\WINBRAND.dll
MD5
099b53cd5e8e938571948cefdbfb9da5

SHA1
dbbbcc975a04fa2e49644d2b9fa6caea723ce572

SHA256
32d78d35a4af34305d6da62e1674d3cafef7069eb80ee73c32f14f4170401e82

SHA512
f9572223f2460843eea8e6f0bfaa4bdf3006bd7c6f3af62ffde0af40e79aed6240ea38a5983d33a2ae90fc6b4311a33c042a3cbe294a1103ed6b6515bd7efb53

Download Submit
\Users\Admin\AppData\Local\Cuqiv\WTSAPI32.dll
MD5
f9364298d67bd12c48f21ce2f2b1d775

SHA1
c49679e2a359db0d40933b3de0131ff9cc237a02

SHA256
1d36c4671f90ae918abe62492baa4da018e32e8cf198102d4848f453c6f194e2

SHA512
b29675e90acc3ea3e82ba0e4785c5e9629ae1169bf050649283c8da3cdf0e1fc70b6bf173fdea81b31a496506736b6cb5ea8d990096e6d354ab44bd90083eff3

Download Submit
\Users\Admin\AppData\Local\UBkwDVRQs\DUI70.dll
MD5
cdbf3a7ea1578c76819c7a299f4e0f3b

SHA1
2a3fb82813677f68ba3267b81ae499769f7f807e

SHA256
c1dc1e07adb40f205b695a47ecfa33acd3617bc800b65803b0d9903b599b9afc

SHA512
8afe3b9790775ff69e2ac64bcb3cb64480090e1e68e0915eb2421b2e992f6c3a3f4a4b78c0fc515d0bd69fd03e4d150e23e9cfedb7384022ea7e9ebc41095e42

Download Submit
memory/2888-144-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-150-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-129-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-121-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-132-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-131-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-133-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-134-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-130-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-135-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-136-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-137-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-138-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-139-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-140-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-142-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-143-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-127-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-145-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-146-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-147-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-148-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-149-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-128-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-151-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-153-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-152-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-156-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-155-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-154-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-141-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-164-0x00007FFBEBDB4560-0x00007FFBEBDB5560-memory.dmp

Filesize
4KB

Download
memory/2888-166-0x00007FFBEBEF0000-0x00007FFBEBEF2000-memory.dmp

Filesize
8KB

Download
memory/2888-120-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2888-122-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-123-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-124-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-126-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/2888-125-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3704-119-0x000001735ECA0000-0x000001735ECA7000-memory.dmp

Filesize
28KB

Download
memory/3704-115-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/4452-171-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/4452-167-0x0000000000000000-mapping.dmp

Download
memory/4480-176-0x0000000000000000-mapping.dmp

Download
memory/4572-189-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/4572-185-0x0000000000000000-mapping.dmp

Download