dridex | 2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862

Analysis

max time kernel
150s
max time network
95s
platform
windows7_x64
resource
win7v20210408
submitted
28-09-2021 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862.dll
Size

1.2MB
MD5

94f8317b419e9476120b14a29d9b05d2
SHA1

f2b03dd4441f3808468bdbb8b26273cfb41b5298
SHA256

2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862
SHA512

73edd03df050bf72249dafdc8e0c71884d236e713b871c5e8ce9c825937ba1c8447ae791e39400a1d7b5af77aa5ec5d01b6db356003e9616ed7d24e7f78b24a3

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-63-0x0000000002770000-0x0000000002771000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

slui.exeWindowsAnytimeUpgradeResults.exeunregmp2.exe

pid process

1208 slui.exe
1436 WindowsAnytimeUpgradeResults.exe
1540 unregmp2.exe
Loads dropped DLL 7 IoCs

Processes:

slui.exeWindowsAnytimeUpgradeResults.exeunregmp2.exe

pid process

1212
1208 slui.exe
1212
1436 WindowsAnytimeUpgradeResults.exe
1212
1540 unregmp2.exe
1212

pid	process
1208	slui.exe
1436	WindowsAnytimeUpgradeResults.exe
1540	unregmp2.exe

pid	process
1212
1208	slui.exe
1212
1436	WindowsAnytimeUpgradeResults.exe
1212
1540	unregmp2.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\dhDX6\\WindowsAnytimeUpgradeResults.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WindowsAnytimeUpgradeResults.exeunregmp2.exerundll32.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1212
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1212
1212
1212
1212
1212
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1212
1212
1212
1212
1212
1212

pid	process
1212

pid	process
1212
1212
1212
1212
1212

pid	process
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 1232	1212	slui.exe
PID 1212 wrote to memory of 1232	1212	slui.exe
PID 1212 wrote to memory of 1232	1212	slui.exe
PID 1212 wrote to memory of 1208	1212	slui.exe
PID 1212 wrote to memory of 1208	1212	slui.exe
PID 1212 wrote to memory of 1208	1212	slui.exe
PID 1212 wrote to memory of 1556	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1556	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1556	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1436	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1436	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1436	1212	WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1756	1212	unregmp2.exe
PID 1212 wrote to memory of 1756	1212	unregmp2.exe
PID 1212 wrote to memory of 1756	1212	unregmp2.exe
PID 1212 wrote to memory of 1540	1212	unregmp2.exe
PID 1212 wrote to memory of 1540	1212	unregmp2.exe
PID 1212 wrote to memory of 1540	1212	unregmp2.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1232

C:\Users\Admin\AppData\Local\TvTfK\slui.exe
C:\Users\Admin\AppData\Local\TvTfK\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1208

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:1556

C:\Users\Admin\AppData\Local\keyxvRRWZ\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\keyxvRRWZ\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1436

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:1756

C:\Users\Admin\AppData\Local\mgT\unregmp2.exe
C:\Users\Admin\AppData\Local\mgT\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1540

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TvTfK\WINBRAND.dll
MD5
83acb087d9d7151523e7b29407fe2053

SHA1
c4a49b6ec6b3e6730f7ca0e24fe49741704d1df2

SHA256
3d16fd543749a9d686d11ef8455afb7dd1d80b4adc6c35b9590c95f1fdba1605

SHA512
aa867034a8e393570b5f9c3c29823fe2ddc91b9e6c9954ddc42144acabcb35c449c2b1e7c794b44b71169fc88a4429e6629aa6caa9e048f7108ae048549b0ac9

Download Submit
C:\Users\Admin\AppData\Local\TvTfK\slui.exe
MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
C:\Users\Admin\AppData\Local\keyxvRRWZ\UxTheme.dll
MD5
4b6ab8066aa1fd73b82f9039ef532cb2

SHA1
f16bacf36480b0a63d09f4e315fc181f91cc0475

SHA256
400f8ab8c24dac5112f06c18647a3517d2068d8c2d45068cf60c4a6af77dcc31

SHA512
3547fcc3bc8eb31467ef650ca310fad88c922d5323ddfd3b14c8402be345e41ff75ead1c198ad8165bb875b7862f42e385d5e82ed57349b2649771d7d85ba40b

Download Submit
C:\Users\Admin\AppData\Local\keyxvRRWZ\WindowsAnytimeUpgradeResults.exe
MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
C:\Users\Admin\AppData\Local\mgT\VERSION.dll
MD5
3344088da86334cfad76fd07e8f92ba3

SHA1
4f00843654772389fce2089fd2c484a5917e9f38

SHA256
ea0137fdeb6f58e93ed6517f20ae1f9e8019b5856265b0a7818375a77e89b8f1

SHA512
1ed2d32586a1dcdc99ab4f5a65e55e48b5e13ef2a4aee113c03ec3eff7a247707350e9814e4e8da76a73d8a439538f8358b1ee430083062fcff649eb43ac8095

Download Submit
C:\Users\Admin\AppData\Local\mgT\unregmp2.exe
MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Local\TvTfK\WINBRAND.dll
MD5
83acb087d9d7151523e7b29407fe2053

SHA1
c4a49b6ec6b3e6730f7ca0e24fe49741704d1df2

SHA256
3d16fd543749a9d686d11ef8455afb7dd1d80b4adc6c35b9590c95f1fdba1605

SHA512
aa867034a8e393570b5f9c3c29823fe2ddc91b9e6c9954ddc42144acabcb35c449c2b1e7c794b44b71169fc88a4429e6629aa6caa9e048f7108ae048549b0ac9

Download Submit
\Users\Admin\AppData\Local\TvTfK\slui.exe
MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
\Users\Admin\AppData\Local\keyxvRRWZ\UxTheme.dll
MD5
4b6ab8066aa1fd73b82f9039ef532cb2

SHA1
f16bacf36480b0a63d09f4e315fc181f91cc0475

SHA256
400f8ab8c24dac5112f06c18647a3517d2068d8c2d45068cf60c4a6af77dcc31

SHA512
3547fcc3bc8eb31467ef650ca310fad88c922d5323ddfd3b14c8402be345e41ff75ead1c198ad8165bb875b7862f42e385d5e82ed57349b2649771d7d85ba40b

Download Submit
\Users\Admin\AppData\Local\keyxvRRWZ\WindowsAnytimeUpgradeResults.exe
MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
\Users\Admin\AppData\Local\mgT\VERSION.dll
MD5
3344088da86334cfad76fd07e8f92ba3

SHA1
4f00843654772389fce2089fd2c484a5917e9f38

SHA256
ea0137fdeb6f58e93ed6517f20ae1f9e8019b5856265b0a7818375a77e89b8f1

SHA512
1ed2d32586a1dcdc99ab4f5a65e55e48b5e13ef2a4aee113c03ec3eff7a247707350e9814e4e8da76a73d8a439538f8358b1ee430083062fcff649eb43ac8095

Download Submit
\Users\Admin\AppData\Local\mgT\unregmp2.exe
MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\tXFI2MVbKQr\unregmp2.exe
MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
memory/1208-113-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1208-110-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/1208-108-0x0000000000000000-mapping.dmp

Download
memory/1212-64-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-98-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-80-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-81-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-82-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-78-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-84-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-83-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-86-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-87-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-85-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-90-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-89-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-92-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-91-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-88-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-93-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-95-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-94-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-96-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-97-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-79-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-99-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-100-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-106-0x0000000076F60000-0x0000000076F62000-memory.dmp

Filesize
8KB

Download
memory/1212-63-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1212-77-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-66-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-76-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-75-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-74-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-73-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-65-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-67-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-72-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-71-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-68-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-70-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1212-69-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1436-116-0x0000000000000000-mapping.dmp

Download
memory/1516-60-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1516-62-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1540-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads