dridex | ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b

Analysis

max time kernel
151s
max time network
138s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-09-2021 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b.dll
Size

2.0MB
MD5

dc4fca98a02c5cc7ee5f565c56915c86
SHA1

4cecd255d9176fff8d0ca18cd3dabd690ce02fbf
SHA256

ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b
SHA512

4954ed3d7ac9fcca73623f1d24a8aaa4ca88727a58a45382e897966311909d0c8d43d709d828e0d3211f6c478ee1ca2bf5970c476c5485a949f5cfbf033e9875

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-57-0x00000000029E0000-0x00000000029E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

fvenotify.exeunregmp2.exewermgr.exe

pid process

552 fvenotify.exe
828 unregmp2.exe
1244 wermgr.exe
Loads dropped DLL 7 IoCs

Processes:

fvenotify.exeunregmp2.exewermgr.exe

pid process

1216
552 fvenotify.exe
1216
828 unregmp2.exe
1216
1244 wermgr.exe
1216

pid	process
552	fvenotify.exe
828	unregmp2.exe
1244	wermgr.exe

pid	process
1216
552	fvenotify.exe
1216
828	unregmp2.exe
1216
1244	wermgr.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\mqC\\unregmp2.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

unregmp2.exewermgr.exerundll32.exefvenotify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wermgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1296	rundll32.exe
1296	rundll32.exe
1296	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1216
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1216
1216
1216
1216
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1216
1216
1216
1216
1216
1216

pid	process
1216

pid	process
1216
1216
1216
1216

pid	process
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 1820	1216	fvenotify.exe
PID 1216 wrote to memory of 1820	1216	fvenotify.exe
PID 1216 wrote to memory of 1820	1216	fvenotify.exe
PID 1216 wrote to memory of 552	1216	fvenotify.exe
PID 1216 wrote to memory of 552	1216	fvenotify.exe
PID 1216 wrote to memory of 552	1216	fvenotify.exe
PID 1216 wrote to memory of 400	1216	unregmp2.exe
PID 1216 wrote to memory of 400	1216	unregmp2.exe
PID 1216 wrote to memory of 400	1216	unregmp2.exe
PID 1216 wrote to memory of 828	1216	unregmp2.exe
PID 1216 wrote to memory of 828	1216	unregmp2.exe
PID 1216 wrote to memory of 828	1216	unregmp2.exe
PID 1216 wrote to memory of 1032	1216	wermgr.exe
PID 1216 wrote to memory of 1032	1216	wermgr.exe
PID 1216 wrote to memory of 1032	1216	wermgr.exe
PID 1216 wrote to memory of 1244	1216	wermgr.exe
PID 1216 wrote to memory of 1244	1216	wermgr.exe
PID 1216 wrote to memory of 1244	1216	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:1820

C:\Users\Admin\AppData\Local\flF\fvenotify.exe
C:\Users\Admin\AppData\Local\flF\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:552

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:400

C:\Users\Admin\AppData\Local\tPTzixovb\unregmp2.exe
C:\Users\Admin\AppData\Local\tPTzixovb\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:828

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:1032

C:\Users\Admin\AppData\Local\8hgXEIi6\wermgr.exe
C:\Users\Admin\AppData\Local\8hgXEIi6\wermgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1244

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8hgXEIi6\wer.dll
MD5
e3af22c4a9231b79588357a88587bad1

SHA1
ff1cd534597c84d5f521dafb6d9bcfa54d340324

SHA256
9bcbc320e816483057413ad2963bea23f24e176b278ccb7a708a501faf479f5c

SHA512
dd2b0bbadbe3ae863bc23fa58d3bd96a9862d8a921d7e36c1d98e359195cbaa5abf81fbd8e6fdb816298c619278610d0c3e7d003badb2d9c2756b52beca55d33

Download Submit
C:\Users\Admin\AppData\Local\8hgXEIi6\wermgr.exe
MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
C:\Users\Admin\AppData\Local\flF\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\flF\slc.dll
MD5
2759a4d2891b951e92d7f6ca826b821f

SHA1
10dc4f138c4803a4d607c6fa655f0e1f37d579d9

SHA256
10994b717cbfe9e2a084677847b02e1c8f9f042b6a0a56fa0a69e89190bd9b10

SHA512
e21a9f1a7c318541765cd5c458088113e6bfff9e03e14be789b216fa2b910d4fe100dc9fac1535130e8f01fa7e5d4bdf0b186898613b84b5124ada4656a9505b

Download Submit
C:\Users\Admin\AppData\Local\tPTzixovb\slc.dll
MD5
c4b950e2e17f4c81dfd272dfea48f453

SHA1
e9e54e1ddfd2dca6ee6c1ac753c02504f220dbd3

SHA256
1f98c722a8cba1c4073e4bba0902ec49f8c0e8b82953a033f0949735efe1d57f

SHA512
7751677c65ff55106683b1add12e223b9cd16e166913fad5277cc73db792d232639bd3dc62bef606f804aad193c71352787bdecb187a4f6016d742963d1cb56d

Download Submit
C:\Users\Admin\AppData\Local\tPTzixovb\unregmp2.exe
MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Local\8hgXEIi6\wer.dll
MD5
e3af22c4a9231b79588357a88587bad1

SHA1
ff1cd534597c84d5f521dafb6d9bcfa54d340324

SHA256
9bcbc320e816483057413ad2963bea23f24e176b278ccb7a708a501faf479f5c

SHA512
dd2b0bbadbe3ae863bc23fa58d3bd96a9862d8a921d7e36c1d98e359195cbaa5abf81fbd8e6fdb816298c619278610d0c3e7d003badb2d9c2756b52beca55d33

Download Submit
\Users\Admin\AppData\Local\8hgXEIi6\wermgr.exe
MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
\Users\Admin\AppData\Local\flF\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\flF\slc.dll
MD5
2759a4d2891b951e92d7f6ca826b821f

SHA1
10dc4f138c4803a4d607c6fa655f0e1f37d579d9

SHA256
10994b717cbfe9e2a084677847b02e1c8f9f042b6a0a56fa0a69e89190bd9b10

SHA512
e21a9f1a7c318541765cd5c458088113e6bfff9e03e14be789b216fa2b910d4fe100dc9fac1535130e8f01fa7e5d4bdf0b186898613b84b5124ada4656a9505b

Download Submit
\Users\Admin\AppData\Local\tPTzixovb\slc.dll
MD5
c4b950e2e17f4c81dfd272dfea48f453

SHA1
e9e54e1ddfd2dca6ee6c1ac753c02504f220dbd3

SHA256
1f98c722a8cba1c4073e4bba0902ec49f8c0e8b82953a033f0949735efe1d57f

SHA512
7751677c65ff55106683b1add12e223b9cd16e166913fad5277cc73db792d232639bd3dc62bef606f804aad193c71352787bdecb187a4f6016d742963d1cb56d

Download Submit
\Users\Admin\AppData\Local\tPTzixovb\unregmp2.exe
MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\4nWNQJNJRZU\wermgr.exe
MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
memory/552-110-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/552-105-0x0000000000000000-mapping.dmp

Download
memory/552-107-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/828-113-0x0000000000000000-mapping.dmp

Download
memory/1216-84-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-67-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-95-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-93-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-92-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-91-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-90-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-89-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-88-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-87-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-86-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-85-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-83-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-82-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-81-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-80-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-79-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-78-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-77-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-73-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-72-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-71-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-70-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-96-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-66-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-65-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-103-0x0000000077260000-0x0000000077262000-memory.dmp

Filesize
8KB

Download
memory/1216-97-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-94-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-57-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1216-74-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-75-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-76-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-68-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-69-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-64-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-61-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-63-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-62-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-60-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-59-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1216-58-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1244-120-0x0000000000000000-mapping.dmp

Download
memory/1296-54-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1296-56-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads