dridex | 4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-09-2021 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4.dll
Size

1.4MB
MD5

ed37656551984cf5c1196d88c282e4aa
SHA1

1475e0b8fd14a3a13160dc8ab28d228f3027c8b9
SHA256

4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4
SHA512

71c2f7bc62fbc229d8b73e76cd216d34215af55f609b5040024d0674cd6cbe6b25f807ba98f0fa1cecca3e990ba34b7641bf0b6d99d200bee6b455e6801d6515

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1360-56-0x00000000026F0000-0x00000000026F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesHardware.exeBitLockerWizard.execonsent.exe

pid process

524 SystemPropertiesHardware.exe
1492 BitLockerWizard.exe
1648 consent.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesHardware.exeBitLockerWizard.execonsent.exe

pid process

1360
524 SystemPropertiesHardware.exe
1360
1492 BitLockerWizard.exe
1360
1648 consent.exe
1360

pid	process
524	SystemPropertiesHardware.exe
1492	BitLockerWizard.exe
1648	consent.exe

pid	process
1360
524	SystemPropertiesHardware.exe
1360
1492	BitLockerWizard.exe
1360
1648	consent.exe
1360

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\m6RmaNbRbp\\BitLockerWizard.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesHardware.exeBitLockerWizard.execonsent.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1128	rundll32.exe
1128	rundll32.exe
1128	rundll32.exe
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1360
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1360
1360
1360
1360
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1360
1360
1360
1360
1360
1360

pid	process
1360

pid	process
1360
1360
1360
1360

pid	process
1360
1360
1360
1360
1360
1360

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1360 wrote to memory of 1736	1360	SystemPropertiesHardware.exe
PID 1360 wrote to memory of 1736	1360	SystemPropertiesHardware.exe
PID 1360 wrote to memory of 1736	1360	SystemPropertiesHardware.exe
PID 1360 wrote to memory of 524	1360	SystemPropertiesHardware.exe
PID 1360 wrote to memory of 524	1360	SystemPropertiesHardware.exe
PID 1360 wrote to memory of 524	1360	SystemPropertiesHardware.exe
PID 1360 wrote to memory of 364	1360	BitLockerWizard.exe
PID 1360 wrote to memory of 364	1360	BitLockerWizard.exe
PID 1360 wrote to memory of 364	1360	BitLockerWizard.exe
PID 1360 wrote to memory of 1492	1360	BitLockerWizard.exe
PID 1360 wrote to memory of 1492	1360	BitLockerWizard.exe
PID 1360 wrote to memory of 1492	1360	BitLockerWizard.exe
PID 1360 wrote to memory of 1612	1360	consent.exe
PID 1360 wrote to memory of 1612	1360	consent.exe
PID 1360 wrote to memory of 1612	1360	consent.exe
PID 1360 wrote to memory of 1648	1360	consent.exe
PID 1360 wrote to memory of 1648	1360	consent.exe
PID 1360 wrote to memory of 1648	1360	consent.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1736

C:\Users\Admin\AppData\Local\8xwl3bD\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\8xwl3bD\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:524

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:364

C:\Users\Admin\AppData\Local\0uqbb3Y\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\0uqbb3Y\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1492

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:1612

C:\Users\Admin\AppData\Local\yCjPLZ\consent.exe
C:\Users\Admin\AppData\Local\yCjPLZ\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0uqbb3Y\BitLockerWizard.exe
MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
C:\Users\Admin\AppData\Local\0uqbb3Y\FVEWIZ.dll
MD5
5ae51dd63d39175780ff285bc2005bfb

SHA1
5825e63bdf8850e7b7e202936ff43f73c1acd1ca

SHA256
d37ee195edf06b0842d97924ad088d998628c603d4699b90e34cd614b2fab26d

SHA512
7e1f3950895f94d6cdbb89da776231cf6c2d6dd122a49cfcfab2fb77bc44543cf9bcbdbd158368db5184b91a67f37abd3362642d4802610151afd7a297e6bc5f

Download Submit
C:\Users\Admin\AppData\Local\8xwl3bD\SYSDM.CPL
MD5
638b1d83220b30e40822d39ff9519622

SHA1
2b998922053d19a7337e72d9874a595ff054ef66

SHA256
4b4d5831d88e507ba1f61492b011c9d5c5a05e52d20c66326165713c8967d90f

SHA512
63f39ab9205dd1401b603e022c21fce80bcb981372827646dbffa7ca4de2c6f5b60569cf985621bb13a36bd4634f4cc5506c3eaec83540a9ee73c6d8c45a38cb

Download Submit
C:\Users\Admin\AppData\Local\8xwl3bD\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
C:\Users\Admin\AppData\Local\yCjPLZ\WINMM.dll
MD5
4760dc7d2777b1ca56a8044d22d0aa3a

SHA1
89a16bc22d37b8a5b83a3d9f217dcf35b7cf6d61

SHA256
854ead7ebb802592123d7000b9497d429c509f5a572965d3cd77f1caf4a167eb

SHA512
52d26b1770ba8176d1585533e3b46d42d5ae68d13a0a38c2cec56650b5aaacbf7c0234bf0ff2bb5b4b6c6cd6c8c3d33476b3cf0a1e26f6f5e037af7508e20738

Download Submit
C:\Users\Admin\AppData\Local\yCjPLZ\consent.exe
MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
\Users\Admin\AppData\Local\0uqbb3Y\BitLockerWizard.exe
MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
\Users\Admin\AppData\Local\0uqbb3Y\FVEWIZ.dll
MD5
5ae51dd63d39175780ff285bc2005bfb

SHA1
5825e63bdf8850e7b7e202936ff43f73c1acd1ca

SHA256
d37ee195edf06b0842d97924ad088d998628c603d4699b90e34cd614b2fab26d

SHA512
7e1f3950895f94d6cdbb89da776231cf6c2d6dd122a49cfcfab2fb77bc44543cf9bcbdbd158368db5184b91a67f37abd3362642d4802610151afd7a297e6bc5f

Download Submit
\Users\Admin\AppData\Local\8xwl3bD\SYSDM.CPL
MD5
638b1d83220b30e40822d39ff9519622

SHA1
2b998922053d19a7337e72d9874a595ff054ef66

SHA256
4b4d5831d88e507ba1f61492b011c9d5c5a05e52d20c66326165713c8967d90f

SHA512
63f39ab9205dd1401b603e022c21fce80bcb981372827646dbffa7ca4de2c6f5b60569cf985621bb13a36bd4634f4cc5506c3eaec83540a9ee73c6d8c45a38cb

Download Submit
\Users\Admin\AppData\Local\8xwl3bD\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\yCjPLZ\WINMM.dll
MD5
4760dc7d2777b1ca56a8044d22d0aa3a

SHA1
89a16bc22d37b8a5b83a3d9f217dcf35b7cf6d61

SHA256
854ead7ebb802592123d7000b9497d429c509f5a572965d3cd77f1caf4a167eb

SHA512
52d26b1770ba8176d1585533e3b46d42d5ae68d13a0a38c2cec56650b5aaacbf7c0234bf0ff2bb5b4b6c6cd6c8c3d33476b3cf0a1e26f6f5e037af7508e20738

Download Submit
\Users\Admin\AppData\Local\yCjPLZ\consent.exe
MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\STPTa8G\consent.exe
MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
memory/524-101-0x0000000000000000-mapping.dmp

Download
memory/524-105-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1128-55-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1128-53-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-91-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-58-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-89-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-86-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-85-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-84-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-82-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-81-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-80-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-78-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-76-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-75-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-71-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-70-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-69-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-67-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-65-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-64-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-63-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-61-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-60-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-90-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-57-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-99-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

Filesize
8KB

Download
memory/1360-93-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-92-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-88-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-87-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-83-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-79-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-77-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-56-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/1360-74-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-73-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-72-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-68-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-59-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-66-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1360-62-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1492-108-0x0000000000000000-mapping.dmp

Download
memory/1648-115-0x0000000000000000-mapping.dmp

Download
memory/1648-119-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp

Filesize
8KB

Download
memory/1648-120-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads