dridex | 73541b82ca26c8c60a84354c657c42bd2ece5cfad3f49437a927b4265234b9da

Analysis

max time kernel
153s
max time network
139s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-09-2021 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73541b82ca26c8c60a84354c657c42bd2ece5cfad3f49437a927b4265234b9da.dll
Size

1.3MB
MD5

d49772c85d426ce5fe41cf8c5529a5ff
SHA1

4eaa4a005cd6825706634cf5fb9b95c4f546778e
SHA256

73541b82ca26c8c60a84354c657c42bd2ece5cfad3f49437a927b4265234b9da
SHA512

ac76de00fd7f4cfaaac884990f02ff26883500d4a7c1c37e13a173de04b7228847527bca4737aa32e9498a05f473ac1a27ce98f35dead85fcc95e9c54efc924e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1424-54-0x0000000140000000-0x000000014014E000-memory.dmp	dridex_payload
behavioral1/memory/1360-95-0x0000000140000000-0x000000014014F000-memory.dmp	dridex_payload
behavioral1/memory/828-104-0x0000000140000000-0x0000000140150000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1428-57-0x00000000025E0000-0x00000000025E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

notepad.exeWFS.exewinlogon.exe

pid process

1360 notepad.exe
828 WFS.exe
1076 winlogon.exe
Loads dropped DLL 7 IoCs

Processes:

notepad.exeWFS.exewinlogon.exe

pid process

1428
1360 notepad.exe
1428
828 WFS.exe
1428
1076 winlogon.exe
1428

pid	process
1360	notepad.exe
828	WFS.exe
1076	winlogon.exe

pid	process
1428
1360	notepad.exe
1428
828	WFS.exe
1428
1076	winlogon.exe
1428

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\8V\\WFS.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

notepad.exeWFS.exewinlogon.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1424	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1428
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1428
1428
1428
1428
Suspicious use of SendNotifyMessage 10 IoCs

Processes:

pid process

1428
1428
1428
1428
1428
1428
1428
1428
1428
1428

pid	process
1428

pid	process
1428
1428
1428
1428

pid	process
1428
1428
1428
1428
1428
1428
1428
1428
1428
1428

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1428 wrote to memory of 1336	1428	notepad.exe
PID 1428 wrote to memory of 1336	1428	notepad.exe
PID 1428 wrote to memory of 1336	1428	notepad.exe
PID 1428 wrote to memory of 1360	1428	notepad.exe
PID 1428 wrote to memory of 1360	1428	notepad.exe
PID 1428 wrote to memory of 1360	1428	notepad.exe
PID 1428 wrote to memory of 1324	1428	WFS.exe
PID 1428 wrote to memory of 1324	1428	WFS.exe
PID 1428 wrote to memory of 1324	1428	WFS.exe
PID 1428 wrote to memory of 828	1428	WFS.exe
PID 1428 wrote to memory of 828	1428	WFS.exe
PID 1428 wrote to memory of 828	1428	WFS.exe
PID 1428 wrote to memory of 1944	1428	winlogon.exe
PID 1428 wrote to memory of 1944	1428	winlogon.exe
PID 1428 wrote to memory of 1944	1428	winlogon.exe
PID 1428 wrote to memory of 1076	1428	winlogon.exe
PID 1428 wrote to memory of 1076	1428	winlogon.exe
PID 1428 wrote to memory of 1076	1428	winlogon.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73541b82ca26c8c60a84354c657c42bd2ece5cfad3f49437a927b4265234b9da.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1424

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:1336

C:\Users\Admin\AppData\Local\tKhUCnT\notepad.exe
C:\Users\Admin\AppData\Local\tKhUCnT\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1360

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:1324

C:\Users\Admin\AppData\Local\X3psNv\WFS.exe
C:\Users\Admin\AppData\Local\X3psNv\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:828

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Wrmxe\winlogon.exe
C:\Users\Admin\AppData\Local\Wrmxe\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1076

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Wrmxe\WINSTA.dll
MD5
d36fa8fd54eb61c2e8d6ced8c972947c

SHA1
e1c34c19f362f6c09734d66f249258b69b085a34

SHA256
406de11420f1aa10bdff5d7bbfba9c9b49ac93c2f0d798b01e2445042158766b

SHA512
d10b8bd6cc33a24ca83ffcbd569adac478747e7b77d03d3a30fc145571c60c4a1cb4d567a618b23ab23c44c124688c9618ccee6b9f5b0455b45f1a89f0bb2523

Download Submit
C:\Users\Admin\AppData\Local\Wrmxe\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
C:\Users\Admin\AppData\Local\X3psNv\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\X3psNv\WINMM.dll
MD5
f6bd3879991d5838438b450495f22117

SHA1
285cb357448fae2b1ebe09ca845d504602192aae

SHA256
3896b22192cb0298eb3e57696390629b1d0e5ea4cf5f78ce61c2330224dfbaa9

SHA512
cf90d0f86ac6dccdc95bb58657615de58049b8cc10911546bd04ba9e106cadeeadbc1a79f3c77e41815ba193858256d151688f96405860aa24680d904deed0c6

Download Submit
C:\Users\Admin\AppData\Local\tKhUCnT\VERSION.dll
MD5
e0eef18fb604c42d7b878474ef7a3ef2

SHA1
3e1f75a8a16aaf1a7355cfcb2c961d0a04e9e38f

SHA256
338325b4e32dbb9b23656dc0261d6a63bd8e6f7a146a8ef452456f28bff062c4

SHA512
3353b2ba8d3bb04e4bdc125590df39bf7639919be577f700a9b0d674ba89ddced6f27030e24adb80de97169f62557eddb5d73cae47d7daeca18234bc19e2d466

Download Submit
C:\Users\Admin\AppData\Local\tKhUCnT\notepad.exe
MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\Wrmxe\WINSTA.dll
MD5
d36fa8fd54eb61c2e8d6ced8c972947c

SHA1
e1c34c19f362f6c09734d66f249258b69b085a34

SHA256
406de11420f1aa10bdff5d7bbfba9c9b49ac93c2f0d798b01e2445042158766b

SHA512
d10b8bd6cc33a24ca83ffcbd569adac478747e7b77d03d3a30fc145571c60c4a1cb4d567a618b23ab23c44c124688c9618ccee6b9f5b0455b45f1a89f0bb2523

Download Submit
\Users\Admin\AppData\Local\Wrmxe\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\X3psNv\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
\Users\Admin\AppData\Local\X3psNv\WINMM.dll
MD5
f6bd3879991d5838438b450495f22117

SHA1
285cb357448fae2b1ebe09ca845d504602192aae

SHA256
3896b22192cb0298eb3e57696390629b1d0e5ea4cf5f78ce61c2330224dfbaa9

SHA512
cf90d0f86ac6dccdc95bb58657615de58049b8cc10911546bd04ba9e106cadeeadbc1a79f3c77e41815ba193858256d151688f96405860aa24680d904deed0c6

Download Submit
\Users\Admin\AppData\Local\tKhUCnT\VERSION.dll
MD5
e0eef18fb604c42d7b878474ef7a3ef2

SHA1
3e1f75a8a16aaf1a7355cfcb2c961d0a04e9e38f

SHA256
338325b4e32dbb9b23656dc0261d6a63bd8e6f7a146a8ef452456f28bff062c4

SHA512
3353b2ba8d3bb04e4bdc125590df39bf7639919be577f700a9b0d674ba89ddced6f27030e24adb80de97169f62557eddb5d73cae47d7daeca18234bc19e2d466

Download Submit
\Users\Admin\AppData\Local\tKhUCnT\notepad.exe
MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\zspP\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
memory/828-104-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/828-98-0x0000000000000000-mapping.dmp

Download
memory/828-103-0x000000013F7D1000-0x000000013F7D3000-memory.dmp

Filesize
8KB

Download
memory/1076-107-0x0000000000000000-mapping.dmp

Download
memory/1360-92-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1360-95-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1360-90-0x0000000000000000-mapping.dmp

Download
memory/1424-54-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1424-56-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1428-75-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-80-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-68-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-65-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-64-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-59-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-58-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-71-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-83-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-74-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-76-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-81-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-82-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-69-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-78-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-79-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-77-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-73-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-72-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-70-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-67-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-66-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-62-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-63-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-61-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-60-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1428-57-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads