dridex | 1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7v20210408
submitted
28-09-2021 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c.dll
Size

1.4MB
MD5

8ad564b939e5a713e39154c7e566adc6
SHA1

8cd069a890ab232fca75a17e324de60c426f3115
SHA256

1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c
SHA512

d23b0ca458cc91756ac7bc15934a040c71ac4a270676ff42bd9e20e1675736084bd9820f6456bf4da784a4cf5d7556df16be07af770a19d931349c003e9ca46f

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-63-0x0000000004020000-0x0000000004021000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mspaint.exePresentationSettings.exedvdupgrd.exe

pid process

1704 mspaint.exe
564 PresentationSettings.exe
1876 dvdupgrd.exe
Loads dropped DLL 7 IoCs

Processes:

mspaint.exePresentationSettings.exedvdupgrd.exe

pid process

1208
1704 mspaint.exe
1208
564 PresentationSettings.exe
1208
1876 dvdupgrd.exe
1208

pid	process
1704	mspaint.exe
564	PresentationSettings.exe
1876	dvdupgrd.exe

pid	process
1208
1704	mspaint.exe
1208
564	PresentationSettings.exe
1208
1876	dvdupgrd.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\MYIUJ\\PresentationSettings.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemspaint.exePresentationSettings.exedvdupgrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dvdupgrd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1648	rundll32.exe
1648	rundll32.exe
1648	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1208
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1208
1208
1208
1208
1208
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

pid process

1208
1208
1208
1208
1208
1208
1208

pid	process
1208

pid	process
1208
1208
1208
1208
1208

pid	process
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 1860	1208	mspaint.exe
PID 1208 wrote to memory of 1860	1208	mspaint.exe
PID 1208 wrote to memory of 1860	1208	mspaint.exe
PID 1208 wrote to memory of 1704	1208	mspaint.exe
PID 1208 wrote to memory of 1704	1208	mspaint.exe
PID 1208 wrote to memory of 1704	1208	mspaint.exe
PID 1208 wrote to memory of 864	1208	PresentationSettings.exe
PID 1208 wrote to memory of 864	1208	PresentationSettings.exe
PID 1208 wrote to memory of 864	1208	PresentationSettings.exe
PID 1208 wrote to memory of 564	1208	PresentationSettings.exe
PID 1208 wrote to memory of 564	1208	PresentationSettings.exe
PID 1208 wrote to memory of 564	1208	PresentationSettings.exe
PID 1208 wrote to memory of 1004	1208	dvdupgrd.exe
PID 1208 wrote to memory of 1004	1208	dvdupgrd.exe
PID 1208 wrote to memory of 1004	1208	dvdupgrd.exe
PID 1208 wrote to memory of 1876	1208	dvdupgrd.exe
PID 1208 wrote to memory of 1876	1208	dvdupgrd.exe
PID 1208 wrote to memory of 1876	1208	dvdupgrd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1648

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:1860

C:\Users\Admin\AppData\Local\OZY\mspaint.exe
C:\Users\Admin\AppData\Local\OZY\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1704

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:864

C:\Users\Admin\AppData\Local\gBUpzS\PresentationSettings.exe
C:\Users\Admin\AppData\Local\gBUpzS\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:564

C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
1⤵
PID:1004

C:\Users\Admin\AppData\Local\gnf26af\dvdupgrd.exe
C:\Users\Admin\AppData\Local\gnf26af\dvdupgrd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1876

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OZY\VERSION.dll
MD5
b64191677e7096d15a06809d925a147f

SHA1
70c50bfc8ac69da62dc2a3a983fb80124449f336

SHA256
0b875d836c63092a7cb63371d6a71d1d3f5c01e0833a4a4c0d04bb7daf1af19d

SHA512
a6704cbdf367e7f8df03f050727da21e2cea42c5475b963bca90f91fcc947ef6beb306f6b3135bd64cdfe695ce4f36461885b24274adbe4266a114df3acbcbe0

Download Submit
C:\Users\Admin\AppData\Local\OZY\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
C:\Users\Admin\AppData\Local\gBUpzS\PresentationSettings.exe
MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
C:\Users\Admin\AppData\Local\gBUpzS\WINMM.dll
MD5
a9770d4e49f7e5b12f0e41347cea315e

SHA1
e78b39dbae06bc32908a55b289d5734f7845d311

SHA256
9405a6aea5b951c4257995edaf038785e027cb7b629fa44ef9264d8eb61c6049

SHA512
af643f581893d9d8fe1d8ec1624834c080dbd9496bd9330c48366f399762166533fadbd29be5e2176ca4c39fcc8011f1ae3793e53bd535b9fc6a3a6868349e18

Download Submit
C:\Users\Admin\AppData\Local\gnf26af\VERSION.dll
MD5
aed37714b816d1d97a0436a8e96cdffb

SHA1
01b3964043780fb9a634c587991d185c6593d2cf

SHA256
5ca685801c3ab20aa09255a909ada33061e7d25df316c72009327de0f63ad39c

SHA512
4ca0f7ec2658aa9bc5d0d13d4aec2dabfffe370e99169539bcfe6875a265c75d427f6a468b62a9d02711d71197cbc223a1e60ec46b4ddee7dc8f3c461cdfb642

Download Submit
C:\Users\Admin\AppData\Local\gnf26af\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
\Users\Admin\AppData\Local\OZY\VERSION.dll
MD5
b64191677e7096d15a06809d925a147f

SHA1
70c50bfc8ac69da62dc2a3a983fb80124449f336

SHA256
0b875d836c63092a7cb63371d6a71d1d3f5c01e0833a4a4c0d04bb7daf1af19d

SHA512
a6704cbdf367e7f8df03f050727da21e2cea42c5475b963bca90f91fcc947ef6beb306f6b3135bd64cdfe695ce4f36461885b24274adbe4266a114df3acbcbe0

Download Submit
\Users\Admin\AppData\Local\OZY\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\gBUpzS\PresentationSettings.exe
MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\gBUpzS\WINMM.dll
MD5
a9770d4e49f7e5b12f0e41347cea315e

SHA1
e78b39dbae06bc32908a55b289d5734f7845d311

SHA256
9405a6aea5b951c4257995edaf038785e027cb7b629fa44ef9264d8eb61c6049

SHA512
af643f581893d9d8fe1d8ec1624834c080dbd9496bd9330c48366f399762166533fadbd29be5e2176ca4c39fcc8011f1ae3793e53bd535b9fc6a3a6868349e18

Download Submit
\Users\Admin\AppData\Local\gnf26af\VERSION.dll
MD5
aed37714b816d1d97a0436a8e96cdffb

SHA1
01b3964043780fb9a634c587991d185c6593d2cf

SHA256
5ca685801c3ab20aa09255a909ada33061e7d25df316c72009327de0f63ad39c

SHA512
4ca0f7ec2658aa9bc5d0d13d4aec2dabfffe370e99169539bcfe6875a265c75d427f6a468b62a9d02711d71197cbc223a1e60ec46b4ddee7dc8f3c461cdfb642

Download Submit
\Users\Admin\AppData\Local\gnf26af\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\H0Oer7X\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
memory/564-116-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/564-111-0x0000000000000000-mapping.dmp

Download
memory/1208-74-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-95-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-78-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-79-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-80-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-81-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-82-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-83-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-84-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-85-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-86-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-87-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-88-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-89-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-90-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-91-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-92-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-93-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-94-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-77-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-101-0x0000000077800000-0x0000000077802000-memory.dmp

Filesize
8KB

Download
memory/1208-76-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-65-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-75-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-66-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-64-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-63-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/1208-69-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-73-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-67-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-68-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-71-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-72-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1208-70-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-60-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/1648-62-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1704-108-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1704-105-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1704-103-0x0000000000000000-mapping.dmp

Download
memory/1876-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads