dridex | 8bcde178298b0263ce7cb8e4c6a5ef4d0fcea9729a21e2cef4eaec3f2ad27bc8

Analysis

max time kernel
166s
max time network
182s
platform
windows10_x64
resource
win10v20210408
submitted
28-09-2021 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8bcde178298b0263ce7cb8e4c6a5ef4d0fcea9729a21e2cef4eaec3f2ad27bc8.dll
Size

1.2MB
MD5

cbaf988697e5794257533479c39ed20a
SHA1

02d31d47c4bcb4285e847634be7483a31986b29e
SHA256

8bcde178298b0263ce7cb8e4c6a5ef4d0fcea9729a21e2cef4eaec3f2ad27bc8
SHA512

1fe2bf0286729b423da12dd20e81b80bc781d994afd3b9e3379f620e8ece49cb975b4fbaebe15108e9fb7b7e013c29080b9aa84e83ff562c6c8a190ae046678b

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2996-119-0x0000000000E40000-0x0000000000E41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

shrpubw.exeWindowsActionDialog.exeisoburn.exe

pid process

1776 shrpubw.exe
1288 WindowsActionDialog.exe
2300 isoburn.exe
Loads dropped DLL 3 IoCs

Processes:

shrpubw.exeWindowsActionDialog.exeisoburn.exe

pid process

1776 shrpubw.exe
1288 WindowsActionDialog.exe
2300 isoburn.exe

pid	process
1776	shrpubw.exe
1288	WindowsActionDialog.exe
2300	isoburn.exe

pid	process
1776	shrpubw.exe
1288	WindowsActionDialog.exe
2300	isoburn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\pry\\WindowsActionDialog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeshrpubw.exeWindowsActionDialog.exeisoburn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2996

pid	process
2996

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996
Token: SeShutdownPrivilege	2996
Token: SeCreatePagefilePrivilege	2996

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

2996
2996
2996
2996
2996
2996
2996
2996

pid	process
2996
2996
2996
2996
2996
2996
2996
2996

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2996 wrote to memory of 1424	2996	shrpubw.exe
PID 2996 wrote to memory of 1424	2996	shrpubw.exe
PID 2996 wrote to memory of 1776	2996	shrpubw.exe
PID 2996 wrote to memory of 1776	2996	shrpubw.exe
PID 2996 wrote to memory of 2960	2996	WindowsActionDialog.exe
PID 2996 wrote to memory of 2960	2996	WindowsActionDialog.exe
PID 2996 wrote to memory of 1288	2996	WindowsActionDialog.exe
PID 2996 wrote to memory of 1288	2996	WindowsActionDialog.exe
PID 2996 wrote to memory of 1976	2996	isoburn.exe
PID 2996 wrote to memory of 1976	2996	isoburn.exe
PID 2996 wrote to memory of 2300	2996	isoburn.exe
PID 2996 wrote to memory of 2300	2996	isoburn.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8bcde178298b0263ce7cb8e4c6a5ef4d0fcea9729a21e2cef4eaec3f2ad27bc8.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1424

C:\Users\Admin\AppData\Local\vvi\shrpubw.exe
C:\Users\Admin\AppData\Local\vvi\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1776

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:2960

C:\Users\Admin\AppData\Local\K8zl\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\K8zl\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1288

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:1976

C:\Users\Admin\AppData\Local\WLsGluV1R\isoburn.exe
C:\Users\Admin\AppData\Local\WLsGluV1R\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\K8zl\DUI70.dll
MD5
6a753476c2b9b6a769860ac5a2ab1ec9

SHA1
915a563fcc743fe0c9bf2ef1a894a21778147d5f

SHA256
abcef6d82099a4d1d9053ed76abcfe547ba478a34df49b88b78940dbe3fbb094

SHA512
94bd65914f69973904ef8b8c2374be3a809d7029c6d76403171e880c96a185c45f3b970ebfac12e389bf2313c816b42df365f5aac4c42c54e88268f603d019fc

Download Submit
C:\Users\Admin\AppData\Local\K8zl\WindowsActionDialog.exe
MD5
d73dceacfd4f8253d21e5a4d7119b9ce

SHA1
d5ab4abe43c38321ece3d98edb50d1ebf699f099

SHA256
f1984d87cda36e7479e1a3f27683cfeee4c1073801d7c6f526b46fa46244ba36

SHA512
f1fa4ab498efbb5e80ed661ab3cca195afc6442fabb22d9e5e5c4adbc835f346bee645e4f328969f400bf7d3e8e5745e298ee30c1e44eedeca8a3587e528af48

Download Submit
C:\Users\Admin\AppData\Local\WLsGluV1R\UxTheme.dll
MD5
b67020ae38df3a40ef4465378a92ae21

SHA1
6b0915f493c499cb9daaa6dbaf318b071a4a2da4

SHA256
b63a831d7088271c8cb035c677f8d2e3e098818772b3ed9d8e9ec9033e01b6f4

SHA512
85fb80a1e6d1f13e796e5278d0caac31a2e78a360048f6db3f09cc2af583379d4183749d38d4de48c4d4151a1f11d1c9d20f3f648dc15a7b21bf6e6aab87a51a

Download Submit
C:\Users\Admin\AppData\Local\WLsGluV1R\isoburn.exe
MD5
2a356c5abe7b39d61fbf6a4e641130b5

SHA1
4223fa610b04482b7ef5d3c50b539d4e0edc47e9

SHA256
802edb5e8ff7a46b6d3fa9cf692f1933cfdf4b1a0bc24bb99e3e165ae478fdd9

SHA512
7f4966ab65f96d5bb07d66ab62f0f8cf550153183d26c490fc0975ba4061360eb46b5609ea734464201333a6879a6201b4cab32731e10e29c7302bcb9144749d

Download Submit
C:\Users\Admin\AppData\Local\vvi\ACLUI.dll
MD5
2196d763b3a9804971547086742f2745

SHA1
353832e9fff14dd37ae9efbeac3dc1bf8cdf7f41

SHA256
6080d72a5664e63b63298026ae8a94c3a8821becdc948cb6336b854f62df5550

SHA512
4801b125d75889c70f7b40a1ccb9871a405111b2ceeb20e6dc7376cbc6c16b8ec7081e60f26b0a89d02fbbccde0968c605e7ad173e65f333e529e6d2f27b4638

Download Submit
C:\Users\Admin\AppData\Local\vvi\shrpubw.exe
MD5
2cc2e7c22c71491178be7c112206354d

SHA1
3925a3ae53c412f39bdef5db553b52f24b5a6c92

SHA256
7880cfe0caa95a3319a5d2862cdc335b40ceb9c7afcbb57129c968628d69acab

SHA512
8cfedb0a15cabda1040e458b0a707889492e609622eed637d00c67ef29d7f64443145e07e1c701bc1ec481116dc45a3222d820228c80c0bed3c2bd86c271a88f

Download Submit
\Users\Admin\AppData\Local\K8zl\DUI70.dll
MD5
6a753476c2b9b6a769860ac5a2ab1ec9

SHA1
915a563fcc743fe0c9bf2ef1a894a21778147d5f

SHA256
abcef6d82099a4d1d9053ed76abcfe547ba478a34df49b88b78940dbe3fbb094

SHA512
94bd65914f69973904ef8b8c2374be3a809d7029c6d76403171e880c96a185c45f3b970ebfac12e389bf2313c816b42df365f5aac4c42c54e88268f603d019fc

Download Submit
\Users\Admin\AppData\Local\WLsGluV1R\UxTheme.dll
MD5
b67020ae38df3a40ef4465378a92ae21

SHA1
6b0915f493c499cb9daaa6dbaf318b071a4a2da4

SHA256
b63a831d7088271c8cb035c677f8d2e3e098818772b3ed9d8e9ec9033e01b6f4

SHA512
85fb80a1e6d1f13e796e5278d0caac31a2e78a360048f6db3f09cc2af583379d4183749d38d4de48c4d4151a1f11d1c9d20f3f648dc15a7b21bf6e6aab87a51a

Download Submit
\Users\Admin\AppData\Local\vvi\ACLUI.dll
MD5
2196d763b3a9804971547086742f2745

SHA1
353832e9fff14dd37ae9efbeac3dc1bf8cdf7f41

SHA256
6080d72a5664e63b63298026ae8a94c3a8821becdc948cb6336b854f62df5550

SHA512
4801b125d75889c70f7b40a1ccb9871a405111b2ceeb20e6dc7376cbc6c16b8ec7081e60f26b0a89d02fbbccde0968c605e7ad173e65f333e529e6d2f27b4638

Download Submit
memory/1288-196-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/1288-192-0x0000000000000000-mapping.dmp

Download
memory/1612-118-0x0000017A5D3A0000-0x0000017A5D3A7000-memory.dmp

Filesize
28KB

Download
memory/1612-114-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1776-167-0x0000000000000000-mapping.dmp

Download
memory/1776-171-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2300-201-0x0000000000000000-mapping.dmp

Download
memory/2996-131-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-153-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-135-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-136-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-137-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-138-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-139-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-140-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-141-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-142-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-143-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-144-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-145-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-147-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-148-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-149-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-150-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-151-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-152-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-134-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-154-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-155-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-156-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-146-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-164-0x00007FFF90D44560-0x00007FFF90D45560-memory.dmp

Filesize
4KB

Download
memory/2996-166-0x00007FFF90E80000-0x00007FFF90E82000-memory.dmp

Filesize
8KB

Download
memory/2996-133-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-132-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-130-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-129-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-128-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-127-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-126-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-125-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-124-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-123-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-122-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-120-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-121-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2996-119-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download