dridex | 4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4

Analysis

max time kernel
151s
max time network
153s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4.dll
Size

1.4MB
MD5

ed37656551984cf5c1196d88c282e4aa
SHA1

1475e0b8fd14a3a13160dc8ab28d228f3027c8b9
SHA256

4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4
SHA512

71c2f7bc62fbc229d8b73e76cd216d34215af55f609b5040024d0674cd6cbe6b25f807ba98f0fa1cecca3e990ba34b7641bf0b6d99d200bee6b455e6801d6515

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/392-120-0x00000000003A0000-0x00000000003A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

FXSCOVER.exedpapimig.exePasswordOnWakeSettingFlyout.exe

pid process

1156 FXSCOVER.exe
1264 dpapimig.exe
816 PasswordOnWakeSettingFlyout.exe
Loads dropped DLL 3 IoCs

Processes:

FXSCOVER.exedpapimig.exePasswordOnWakeSettingFlyout.exe

pid process

1156 FXSCOVER.exe
1264 dpapimig.exe
816 PasswordOnWakeSettingFlyout.exe

pid	process
1156	FXSCOVER.exe
1264	dpapimig.exe
816	PasswordOnWakeSettingFlyout.exe

pid	process
1156	FXSCOVER.exe
1264	dpapimig.exe
816	PasswordOnWakeSettingFlyout.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\yxVtacfv\\dpapimig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeFXSCOVER.exedpapimig.exePasswordOnWakeSettingFlyout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2404	rundll32.exe
2404	rundll32.exe
2404	rundll32.exe
2404	rundll32.exe
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392
392

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

392

pid	process
392

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 392 wrote to memory of 1292	392	FXSCOVER.exe
PID 392 wrote to memory of 1292	392	FXSCOVER.exe
PID 392 wrote to memory of 1156	392	FXSCOVER.exe
PID 392 wrote to memory of 1156	392	FXSCOVER.exe
PID 392 wrote to memory of 1296	392	dpapimig.exe
PID 392 wrote to memory of 1296	392	dpapimig.exe
PID 392 wrote to memory of 1264	392	dpapimig.exe
PID 392 wrote to memory of 1264	392	dpapimig.exe
PID 392 wrote to memory of 2912	392	PasswordOnWakeSettingFlyout.exe
PID 392 wrote to memory of 2912	392	PasswordOnWakeSettingFlyout.exe
PID 392 wrote to memory of 816	392	PasswordOnWakeSettingFlyout.exe
PID 392 wrote to memory of 816	392	PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bbd6db4f6bdad3bbcb134c53fb0886197c2880f9e9dd7a630707dbf333623f4.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1292

C:\Users\Admin\AppData\Local\QrN\FXSCOVER.exe
C:\Users\Admin\AppData\Local\QrN\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1156

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1296

C:\Users\Admin\AppData\Local\w023UfLev\dpapimig.exe
C:\Users\Admin\AppData\Local\w023UfLev\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1264

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:2912

C:\Users\Admin\AppData\Local\ZWS\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\ZWS\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QrN\FXSCOVER.exe
MD5
fd8a15f70619a553acd265264c3e435d

SHA1
394f6a1db57b502eb5196d9276d1c00afc791663

SHA256
b9eec80e92a71b7405db190ac0d1fc177ba3d1f97411c43328a340d30a9d71a4

SHA512
af30027401e97a69aa57847c00c73ccafd4113e58349efd9addf5e7c3a5809f5ff35430d181844c5acd0abba947ff9acb450ff3e0383ef7c187bd9b7808a8799

Download Submit
C:\Users\Admin\AppData\Local\QrN\MFC42u.dll
MD5
e70002880b6b56d76865fee21041e8bf

SHA1
4af00282871486156e6f69aa653e430f3bd6ac0b

SHA256
feca840095762a3409107fab0f2dd99843c7ea1c220f9c498f2be486fbb2a5c8

SHA512
aa336e4915869b1ca586e915b6d6c10c41a4eff679cd4b2b20aa3f072a1a6c344a32fab979b30008ac38984f7353e387925322f3d5233cb51adf4150356cdf65

Download Submit
C:\Users\Admin\AppData\Local\ZWS\PasswordOnWakeSettingFlyout.exe
MD5
a81fed73da02db15df427da1cd5f4141

SHA1
f831fc6377a6264be621e23635f22b437129b2ce

SHA256
1afed5b9302a4a4669ac7f966b7cf9fcaab037e94a0b3cabea3631055c97d3a5

SHA512
3c4541160f0f69d1c3a9dc4e67643864493eadb0450426f7f323d87fa7b0c81d96ef2201d33b3421a307171274615e90d4ee8bd07107ff4f75beedec0a2bf156

Download Submit
C:\Users\Admin\AppData\Local\ZWS\UxTheme.dll
MD5
93342bc0f7bbb5599b91221eada8926b

SHA1
89067d42bc38dc8f770e8dfc37842f46476cd5e8

SHA256
87472a84b29232c8a0fce533eb9236862ad521fc40aef66c069425589fd2d69c

SHA512
ce26e919aca719e5937dfa1fc906e9db8abd151957ba9af7b70c1a47a538da8786c05b2642bcf408e9330a0a54f609aa22dc0afaa60220d186839f7284843eb2

Download Submit
C:\Users\Admin\AppData\Local\w023UfLev\DUI70.dll
MD5
ae4e2a1f7e94efc138354824c7b6b258

SHA1
a5c531bf317c1a5d254fd0aa99590ca2dc7950ab

SHA256
7225b41a08e0314d1bd808c83931c7020f6864146383e161a123c4fb170fc0d4

SHA512
04e76ede45c21b8b64a78d12713cdc85224888a5efacc7f353d9cf2185a5ce3277560a5a1a17e6c5e4ac85a0adb349a871e53598d15c1d24fcfa68252f4e5099

Download Submit
C:\Users\Admin\AppData\Local\w023UfLev\dpapimig.exe
MD5
a210dd05d1e941a1ec04b134f39ef036

SHA1
86b5493ecf8f456ae56ede4b013b934b892572e0

SHA256
3912f380049e362ca875ccb4fe064621197f0df999b35c593de382cf0c852988

SHA512
9648ed1088af13717479f4739ecdfd604b463582fe3a9db43761b446c61e93856309fd1f8c993962d426af566497b9c8f7eaa3a5af069a7a0f8fde8424111bf8

Download Submit
\Users\Admin\AppData\Local\QrN\MFC42u.dll
MD5
e70002880b6b56d76865fee21041e8bf

SHA1
4af00282871486156e6f69aa653e430f3bd6ac0b

SHA256
feca840095762a3409107fab0f2dd99843c7ea1c220f9c498f2be486fbb2a5c8

SHA512
aa336e4915869b1ca586e915b6d6c10c41a4eff679cd4b2b20aa3f072a1a6c344a32fab979b30008ac38984f7353e387925322f3d5233cb51adf4150356cdf65

Download Submit
\Users\Admin\AppData\Local\ZWS\UxTheme.dll
MD5
93342bc0f7bbb5599b91221eada8926b

SHA1
89067d42bc38dc8f770e8dfc37842f46476cd5e8

SHA256
87472a84b29232c8a0fce533eb9236862ad521fc40aef66c069425589fd2d69c

SHA512
ce26e919aca719e5937dfa1fc906e9db8abd151957ba9af7b70c1a47a538da8786c05b2642bcf408e9330a0a54f609aa22dc0afaa60220d186839f7284843eb2

Download Submit
\Users\Admin\AppData\Local\w023UfLev\DUI70.dll
MD5
ae4e2a1f7e94efc138354824c7b6b258

SHA1
a5c531bf317c1a5d254fd0aa99590ca2dc7950ab

SHA256
7225b41a08e0314d1bd808c83931c7020f6864146383e161a123c4fb170fc0d4

SHA512
04e76ede45c21b8b64a78d12713cdc85224888a5efacc7f353d9cf2185a5ce3277560a5a1a17e6c5e4ac85a0adb349a871e53598d15c1d24fcfa68252f4e5099

Download Submit
memory/392-146-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-148-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-129-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-130-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-131-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-132-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-133-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-134-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-135-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-136-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-137-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-138-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-139-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-140-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-141-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-142-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-143-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-144-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-145-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-120-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/392-147-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-149-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-150-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-128-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-151-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-152-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-153-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-155-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-154-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-156-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-157-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-165-0x00007FFE0B1C4560-0x00007FFE0B1C5560-memory.dmp

Filesize
4KB

Download
memory/392-167-0x00007FFE0B110000-0x00007FFE0B120000-memory.dmp

Filesize
64KB

Download
memory/392-121-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-127-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-126-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-125-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-122-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-123-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/392-124-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/816-186-0x0000000000000000-mapping.dmp

Download
memory/816-190-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1156-172-0x0000000140000000-0x000000014017A000-memory.dmp

Filesize
1.5MB

Download
memory/1156-168-0x0000000000000000-mapping.dmp

Download
memory/1264-177-0x0000000000000000-mapping.dmp

Download
memory/1264-181-0x0000000140000000-0x00000001401B9000-memory.dmp

Filesize
1.7MB

Download
memory/2404-115-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/2404-119-0x0000015D02260000-0x0000015D02267000-memory.dmp

Filesize
28KB

Download