dridex | ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b

Analysis

max time kernel
150s
max time network
92s
platform
windows10_x64
resource
win10v20210408
submitted
28-09-2021 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b.dll
Size

2.0MB
MD5

dc4fca98a02c5cc7ee5f565c56915c86
SHA1

4cecd255d9176fff8d0ca18cd3dabd690ce02fbf
SHA256

ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b
SHA512

4954ed3d7ac9fcca73623f1d24a8aaa4ca88727a58a45382e897966311909d0c8d43d709d828e0d3211f6c478ee1ca2bf5970c476c5485a949f5cfbf033e9875

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3024-119-0x0000000002640000-0x0000000002641000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

systemreset.exeprintfilterpipelinesvc.exerecdisc.exe

pid process

2528 systemreset.exe
3988 printfilterpipelinesvc.exe
3584 recdisc.exe
Loads dropped DLL 4 IoCs

Processes:

systemreset.exeprintfilterpipelinesvc.exerecdisc.exe

pid process

2528 systemreset.exe
2528 systemreset.exe
3988 printfilterpipelinesvc.exe
3584 recdisc.exe

pid	process
2528	systemreset.exe
3988	printfilterpipelinesvc.exe
3584	recdisc.exe

pid	process
2528	systemreset.exe
2528	systemreset.exe
3988	printfilterpipelinesvc.exe
3584	recdisc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\HU7U\\printfilterpipelinesvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

recdisc.exerundll32.exesystemreset.exeprintfilterpipelinesvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024

pid	process
3024

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

3024
3024
3024
3024
3024
3024
3024
3024

pid	process
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3024 wrote to memory of 2480	3024	systemreset.exe
PID 3024 wrote to memory of 2480	3024	systemreset.exe
PID 3024 wrote to memory of 2528	3024	systemreset.exe
PID 3024 wrote to memory of 2528	3024	systemreset.exe
PID 3024 wrote to memory of 3960	3024	printfilterpipelinesvc.exe
PID 3024 wrote to memory of 3960	3024	printfilterpipelinesvc.exe
PID 3024 wrote to memory of 3988	3024	printfilterpipelinesvc.exe
PID 3024 wrote to memory of 3988	3024	printfilterpipelinesvc.exe
PID 3024 wrote to memory of 3972	3024	recdisc.exe
PID 3024 wrote to memory of 3972	3024	recdisc.exe
PID 3024 wrote to memory of 3584	3024	recdisc.exe
PID 3024 wrote to memory of 3584	3024	recdisc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae087f890f576dca43d22b3c527b5008547dacd68dfd61440c99370051cc853b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:2480

C:\Users\Admin\AppData\Local\fziDgw\systemreset.exe
C:\Users\Admin\AppData\Local\fziDgw\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2528

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:3960

C:\Users\Admin\AppData\Local\WzDu\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\WzDu\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3988

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:3972

C:\Users\Admin\AppData\Local\StOqjFW\recdisc.exe
C:\Users\Admin\AppData\Local\StOqjFW\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\StOqjFW\ReAgent.dll
MD5
6c9f24a82044291f4755fd5cf6866b2f

SHA1
37dffefd253502362a34293252855ed4ced4a8d7

SHA256
4232334231324a27f24e2a81c093ae3fc8222ceb695b97f20054d6d529890751

SHA512
a78bc3b139b6ad81270ff12666cf4466235eea3139c3d41c0c062ca9ac3f7677a05e26dab57add3c806b3c01fdb836dda888f9070cfc444e7b43f440962c8c0b

Download Submit
C:\Users\Admin\AppData\Local\StOqjFW\recdisc.exe
MD5
d1028c10d2c261d3470df8ff6347981b

SHA1
04a99956e99b8dbed380df60e0812e92685b6ca9

SHA256
063e57b52257fda4cfa15c98a84f3461a9fb1c9d39e6ab55eae41a793a4d852b

SHA512
80922e37cdfe69d5390f8a5bf8f0aab98407d40549c8972c33c6b9ef15b38962887ef4637c81c248ba7ee649bfe20f318358359140d879f7e2820e135e11a9c3

Download Submit
C:\Users\Admin\AppData\Local\WzDu\XmlLite.dll
MD5
6aff6e5bab3e9c53830b61f412c25464

SHA1
9b279a5fe1db7dbd38646466c8d65f69a0323408

SHA256
5c66ed71fe2398d703f5e4b43667e66b4c32d025978dbe6498f4d582a1de823a

SHA512
5c7ab00cea3d6068f710bb7e34001ae5e55900966c2c1e0918e719e955d23634db9190f5bd8c0221d4bce819c3c0ee9f62dcebe715e69aeaf9e46787ac4f3101

Download Submit
C:\Users\Admin\AppData\Local\WzDu\printfilterpipelinesvc.exe
MD5
3f759db69d6016c286bd25f10e4b6e0c

SHA1
e2243c1e27b9a0b68e550e1775aa75f3bafd5286

SHA256
eeb432af61d3157153cc6683ae4ffbb44b306ed0b980911be2891358048dc7c7

SHA512
67f0cf128a048139b5ceb0b6fb88498076b60d5822fe807fe1ab0d1856e74096d3625cb824a80066b6a27ae0929c44164fc6e8e56cfc18b04e25ebcd51d948ac

Download Submit
C:\Users\Admin\AppData\Local\fziDgw\VERSION.dll
MD5
259864d0e007a1f6eba03116f62c8612

SHA1
d4859b4e08fdf9f784f53e4c6604b89cc9ab6964

SHA256
5dbee535b4ab48a3532c10d16d1131601f78ac0fc0d90fc7346b5c76553c769b

SHA512
57aa910866c2e4a237c4e37c328228a70dc0c5c4d22135cc99d8a38cf17045a4a6c343bb10f539de69ad15b889c6794e99e399bbe07d0f5911e20ad086bd49ae

Download Submit
C:\Users\Admin\AppData\Local\fziDgw\systemreset.exe
MD5
edf120755c3c58b7e2f2ea085ccc2298

SHA1
5d23a67059805426c5dcf28ece05b4b95b8bd5b6

SHA256
fcbe3646ae132221337f6a2823550f79ce6f2a20e54bdb33ea0fde0f6c6dec7e

SHA512
9d55fb581e33fcdef904d80c1671ad42479598ed39f32ffe25e81a792c2d7257dfe7f83cdbe47c466e53e23a9aa8541cc194f80f39762fd79253ec1cadf41eb0

Download Submit
\Users\Admin\AppData\Local\StOqjFW\ReAgent.dll
MD5
6c9f24a82044291f4755fd5cf6866b2f

SHA1
37dffefd253502362a34293252855ed4ced4a8d7

SHA256
4232334231324a27f24e2a81c093ae3fc8222ceb695b97f20054d6d529890751

SHA512
a78bc3b139b6ad81270ff12666cf4466235eea3139c3d41c0c062ca9ac3f7677a05e26dab57add3c806b3c01fdb836dda888f9070cfc444e7b43f440962c8c0b

Download Submit
\Users\Admin\AppData\Local\WzDu\XmlLite.dll
MD5
6aff6e5bab3e9c53830b61f412c25464

SHA1
9b279a5fe1db7dbd38646466c8d65f69a0323408

SHA256
5c66ed71fe2398d703f5e4b43667e66b4c32d025978dbe6498f4d582a1de823a

SHA512
5c7ab00cea3d6068f710bb7e34001ae5e55900966c2c1e0918e719e955d23634db9190f5bd8c0221d4bce819c3c0ee9f62dcebe715e69aeaf9e46787ac4f3101

Download Submit
\Users\Admin\AppData\Local\fziDgw\VERSION.dll
MD5
259864d0e007a1f6eba03116f62c8612

SHA1
d4859b4e08fdf9f784f53e4c6604b89cc9ab6964

SHA256
5dbee535b4ab48a3532c10d16d1131601f78ac0fc0d90fc7346b5c76553c769b

SHA512
57aa910866c2e4a237c4e37c328228a70dc0c5c4d22135cc99d8a38cf17045a4a6c343bb10f539de69ad15b889c6794e99e399bbe07d0f5911e20ad086bd49ae

Download Submit
\Users\Admin\AppData\Local\fziDgw\VERSION.dll
MD5
259864d0e007a1f6eba03116f62c8612

SHA1
d4859b4e08fdf9f784f53e4c6604b89cc9ab6964

SHA256
5dbee535b4ab48a3532c10d16d1131601f78ac0fc0d90fc7346b5c76553c769b

SHA512
57aa910866c2e4a237c4e37c328228a70dc0c5c4d22135cc99d8a38cf17045a4a6c343bb10f539de69ad15b889c6794e99e399bbe07d0f5911e20ad086bd49ae

Download Submit
memory/664-118-0x000001A1D23C0000-0x000001A1D23C7000-memory.dmp

Filesize
28KB

Download
memory/664-114-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2528-170-0x0000000000000000-mapping.dmp

Download
memory/2528-175-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3024-140-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-149-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-128-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-129-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-130-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-131-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-132-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-133-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-134-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-135-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-136-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-137-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-138-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-139-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-126-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-141-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-142-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-144-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-143-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-145-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-146-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-147-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-148-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-127-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-150-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-151-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-152-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-153-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-154-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-156-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-157-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-125-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-155-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-158-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-159-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-167-0x00007FFAEC644560-0x00007FFAEC645560-memory.dmp

Filesize
4KB

Download
memory/3024-169-0x00007FFAEC780000-0x00007FFAEC782000-memory.dmp

Filesize
8KB

Download
memory/3024-119-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3024-124-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-123-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-122-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-120-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3024-121-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3584-189-0x0000000000000000-mapping.dmp

Download
memory/3988-180-0x0000000000000000-mapping.dmp

Download