dridex | 1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c

Analysis

max time kernel
153s
max time network
122s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c.dll
Size

1.4MB
MD5

8ad564b939e5a713e39154c7e566adc6
SHA1

8cd069a890ab232fca75a17e324de60c426f3115
SHA256

1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c
SHA512

d23b0ca458cc91756ac7bc15934a040c71ac4a270676ff42bd9e20e1675736084bd9820f6456bf4da784a4cf5d7556df16be07af770a19d931349c003e9ca46f

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3000-120-0x00000000003A0000-0x00000000003A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

bdeunlock.exerdpinput.exeiexpress.exe

pid process

1576 bdeunlock.exe
672 rdpinput.exe
2156 iexpress.exe
Loads dropped DLL 3 IoCs

Processes:

bdeunlock.exerdpinput.exeiexpress.exe

pid process

1576 bdeunlock.exe
672 rdpinput.exe
2156 iexpress.exe

pid	process
1576	bdeunlock.exe
672	rdpinput.exe
2156	iexpress.exe

pid	process
1576	bdeunlock.exe
672	rdpinput.exe
2156	iexpress.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ypIJI\\rdpinput.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exebdeunlock.exerdpinput.exeiexpress.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000
3000

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3000

pid	process
3000

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000
Token: SeShutdownPrivilege	3000
Token: SeCreatePagefilePrivilege	3000

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3000 wrote to memory of 2308	3000	bdeunlock.exe
PID 3000 wrote to memory of 2308	3000	bdeunlock.exe
PID 3000 wrote to memory of 1576	3000	bdeunlock.exe
PID 3000 wrote to memory of 1576	3000	bdeunlock.exe
PID 3000 wrote to memory of 904	3000	rdpinput.exe
PID 3000 wrote to memory of 904	3000	rdpinput.exe
PID 3000 wrote to memory of 672	3000	rdpinput.exe
PID 3000 wrote to memory of 672	3000	rdpinput.exe
PID 3000 wrote to memory of 1952	3000	iexpress.exe
PID 3000 wrote to memory of 1952	3000	iexpress.exe
PID 3000 wrote to memory of 2156	3000	iexpress.exe
PID 3000 wrote to memory of 2156	3000	iexpress.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fa221f1d5a2c006943c6986babc756890b79c2b38380403789e54f467e1a84c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:2308

C:\Users\Admin\AppData\Local\mrYl5S1g\bdeunlock.exe
C:\Users\Admin\AppData\Local\mrYl5S1g\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1576

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:904

C:\Users\Admin\AppData\Local\8yS\rdpinput.exe
C:\Users\Admin\AppData\Local\8yS\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:672

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:1952

C:\Users\Admin\AppData\Local\KIVRGhP\iexpress.exe
C:\Users\Admin\AppData\Local\KIVRGhP\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2156

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8yS\WTSAPI32.dll
MD5
e449f012164dd539db533507813d2c6b

SHA1
3ae7c78ba6c83052565f18b9d1965041b1ea0b1c

SHA256
f7c0a48d4263e93fb4e372b90d0565dc856c2856f06136bc88bce56405bba9dc

SHA512
d8dddead1ed41cc4a6dc6b0163618f779411222adf8fb2049f07350fc250cfea02e674b5771546618cfea779c6c43fd598ed8c007d64c4f491abb08f8018eb8b

Download Submit
C:\Users\Admin\AppData\Local\8yS\rdpinput.exe
MD5
431364c49991ebfea19b468020368e08

SHA1
c36c8a01ccd17b8ec754fe92d1e03558bb3f05ac

SHA256
6c59ea8b7807d9cc9de5c67cf679a1fb1bed4629da1f0a071e03af775de8e4fc

SHA512
6b2baeb9abc1277fef874ead7d0c4b2b5c5953b8f9db5ae056a14a0af6edb6482b303e7f4ba5237a22e62919f09cd8334692dd58053754ed18837ace14565d8f

Download Submit
C:\Users\Admin\AppData\Local\KIVRGhP\VERSION.dll
MD5
1257a43bc4308a0815d8ef48b8da3096

SHA1
2ebedcbf014706377e04bb2c99d1138a5e3c8680

SHA256
a6ffe132006ea4acd6b03ea6633fd2e18e4cffdc46daee772ae69723fff2a3ba

SHA512
2c4df964057b463a141ce7ae6ccca8b22776aa1eb984be5fcaf0c0348a7a72b0df7df51a208522f50a35fd13fac0a5bd3283ee3a58b2471ed1040dc275f615a5

Download Submit
C:\Users\Admin\AppData\Local\KIVRGhP\iexpress.exe
MD5
673b6274252dec0bab375e9fb2d8dd5b

SHA1
3c072e2eddf4ce9a1ad0dfa25d4e558c1bd50483

SHA256
2d981e5e4860ad9b51cfeedff6d1cfcb609b91c35173980fcde245ae5534e8d9

SHA512
5a8f317ed013ee3851ffeb04f75005f6f6df8d549d9bc4cce24d63c48f88f759443a5c8c50f185de23da730c7609232483d4aa25b637c55748a4af9e3e27b42c

Download Submit
C:\Users\Admin\AppData\Local\mrYl5S1g\DUI70.dll
MD5
4e156e622429b717feb726363aa9b67d

SHA1
133460cf8000a157438c49c0d641055a481c3db0

SHA256
f39cb6609440dedc6c9c4c25f1fb5a4142a92ca9d9cc462b17656a9b40492d50

SHA512
f8deb3cbdb5ceffa2c1cc348ccf30ecf83d2873c0698f9706d249be368f78f506757bf96dfdf2aaa8ceb02a91671bc09fc7975c5a59d435cbbe81f6cced22229

Download Submit
C:\Users\Admin\AppData\Local\mrYl5S1g\bdeunlock.exe
MD5
99aff8e54d3b41aee863a8256d31fb83

SHA1
b2f48c802a43e3e420cbc12c16d2277769631159

SHA256
c1d9fd2a52ccf1cc1e587fc598c2848778107b902d492749e1ec1a7b777bead6

SHA512
616179c5b4e94a05c101ab4d3a227f80789966c9e18c56ad5587dfe0f96c0e36b522512b126ffefedab585e85ea90ba61726f4e585dca0e894adb1bf8a742127

Download Submit
\Users\Admin\AppData\Local\8yS\WTSAPI32.dll
MD5
e449f012164dd539db533507813d2c6b

SHA1
3ae7c78ba6c83052565f18b9d1965041b1ea0b1c

SHA256
f7c0a48d4263e93fb4e372b90d0565dc856c2856f06136bc88bce56405bba9dc

SHA512
d8dddead1ed41cc4a6dc6b0163618f779411222adf8fb2049f07350fc250cfea02e674b5771546618cfea779c6c43fd598ed8c007d64c4f491abb08f8018eb8b

Download Submit
\Users\Admin\AppData\Local\KIVRGhP\VERSION.dll
MD5
1257a43bc4308a0815d8ef48b8da3096

SHA1
2ebedcbf014706377e04bb2c99d1138a5e3c8680

SHA256
a6ffe132006ea4acd6b03ea6633fd2e18e4cffdc46daee772ae69723fff2a3ba

SHA512
2c4df964057b463a141ce7ae6ccca8b22776aa1eb984be5fcaf0c0348a7a72b0df7df51a208522f50a35fd13fac0a5bd3283ee3a58b2471ed1040dc275f615a5

Download Submit
\Users\Admin\AppData\Local\mrYl5S1g\DUI70.dll
MD5
4e156e622429b717feb726363aa9b67d

SHA1
133460cf8000a157438c49c0d641055a481c3db0

SHA256
f39cb6609440dedc6c9c4c25f1fb5a4142a92ca9d9cc462b17656a9b40492d50

SHA512
f8deb3cbdb5ceffa2c1cc348ccf30ecf83d2873c0698f9706d249be368f78f506757bf96dfdf2aaa8ceb02a91671bc09fc7975c5a59d435cbbe81f6cced22229

Download Submit
memory/672-176-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/672-172-0x0000000000000000-mapping.dmp

Download
memory/1576-167-0x0000000140000000-0x00000001401B5000-memory.dmp

Filesize
1.7MB

Download
memory/1576-163-0x0000000000000000-mapping.dmp

Download
memory/2056-115-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/2056-119-0x000001FD4A740000-0x000001FD4A747000-memory.dmp

Filesize
28KB

Download
memory/2156-181-0x0000000000000000-mapping.dmp

Download
memory/3000-142-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-151-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-136-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-137-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-138-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-139-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-141-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-140-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-134-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-143-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-145-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-146-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-144-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-147-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-149-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-148-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-150-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-135-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-152-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-160-0x00007FFA43084560-0x00007FFA43085560-memory.dmp

Filesize
4KB

Download
memory/3000-162-0x00007FFA431C0000-0x00007FFA431C2000-memory.dmp

Filesize
8KB

Download
memory/3000-133-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-132-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-131-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-130-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-129-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-128-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-127-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-126-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-125-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-124-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-123-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-122-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-121-0x0000000140000000-0x000000014016F000-memory.dmp

Filesize
1.4MB

Download
memory/3000-120-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads