dridex | 2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862

Analysis

max time kernel
151s
max time network
121s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862.dll
Size

1.2MB
MD5

94f8317b419e9476120b14a29d9b05d2
SHA1

f2b03dd4441f3808468bdbb8b26273cfb41b5298
SHA256

2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862
SHA512

73edd03df050bf72249dafdc8e0c71884d236e713b871c5e8ce9c825937ba1c8447ae791e39400a1d7b5af77aa5ec5d01b6db356003e9616ed7d24e7f78b24a3

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3028-120-0x0000000000790000-0x0000000000791000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DeviceEnroller.exeAtBroker.exeSnippingTool.exe

pid process

592 DeviceEnroller.exe
956 AtBroker.exe
648 SnippingTool.exe
Loads dropped DLL 3 IoCs

Processes:

DeviceEnroller.exeAtBroker.exeSnippingTool.exe

pid process

592 DeviceEnroller.exe
956 AtBroker.exe
648 SnippingTool.exe

pid	process
592	DeviceEnroller.exe
956	AtBroker.exe
648	SnippingTool.exe

pid	process
592	DeviceEnroller.exe
956	AtBroker.exe
648	SnippingTool.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\jfJOZgi\\AtBroker.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

AtBroker.exeSnippingTool.exerundll32.exeDeviceEnroller.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SnippingTool.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028

pid	process
3028

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 1556	3028	DeviceEnroller.exe
PID 3028 wrote to memory of 1556	3028	DeviceEnroller.exe
PID 3028 wrote to memory of 592	3028	DeviceEnroller.exe
PID 3028 wrote to memory of 592	3028	DeviceEnroller.exe
PID 3028 wrote to memory of 1064	3028	AtBroker.exe
PID 3028 wrote to memory of 1064	3028	AtBroker.exe
PID 3028 wrote to memory of 956	3028	AtBroker.exe
PID 3028 wrote to memory of 956	3028	AtBroker.exe
PID 3028 wrote to memory of 860	3028	SnippingTool.exe
PID 3028 wrote to memory of 860	3028	SnippingTool.exe
PID 3028 wrote to memory of 648	3028	SnippingTool.exe
PID 3028 wrote to memory of 648	3028	SnippingTool.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f10b593a5e04506d8050ebe39e28619199958a4f4bae0b9f3a1ee2af3d74862.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3168

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:1556

C:\Users\Admin\AppData\Local\QOeI\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\QOeI\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:592

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:1064

C:\Users\Admin\AppData\Local\r8K9cGfBH\AtBroker.exe
C:\Users\Admin\AppData\Local\r8K9cGfBH\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:956

C:\Windows\system32\SnippingTool.exe
C:\Windows\system32\SnippingTool.exe
1⤵
PID:860

C:\Users\Admin\AppData\Local\oX9\SnippingTool.exe
C:\Users\Admin\AppData\Local\oX9\SnippingTool.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QOeI\DeviceEnroller.exe
MD5
bd732a3a065f5cca6df003a7ca78bb35

SHA1
449d027d933fdd530a6a27d7c2132f98ee56374a

SHA256
fd5f32939c8de2d80a6f2481268313b5151c21c474c61635c92d2b8ea436955e

SHA512
d1cd727841522be31e979484cdea467501693e1a3bab2fabc72510c73698353c960f7d2c16be9a4406d804da2b2ad7da58827a630f9616ebe296cae481103701

Download Submit
C:\Users\Admin\AppData\Local\QOeI\XmlLite.dll
MD5
11ac732a097c90d84f089ea005e79e05

SHA1
ecbba9170f195de85c30e238467caf8865b8aeb8

SHA256
1eed8e2286a6f1cff5db18f3c39f56d7e24389588b3d8a369c8d8e422c3af070

SHA512
9422aceffd8b81881cc2bca988c8ed3a3ea602d1730b64e453515899a92fbef69a40d10e6d6af13001fefe113d79b2891ee8593939d78f1258cec450fa481ad7

Download Submit
C:\Users\Admin\AppData\Local\oX9\OLEACC.dll
MD5
6f3640c34f8493950746fc48196f2b17

SHA1
2506126b1a2e81b4acf7f051c3abc47fc1904413

SHA256
d07362c2f7364ec5e04c56d0a5187bfe2da317a6fa3b84d41c2e0feef30099eb

SHA512
381bb85a3f454daccf1bffc02e080b6cb1dda0234bc5f94b11d14ab97f084ee2008ec68fcd56523a159669fded37f0fad1a7d9f223b3806d160a63ad861624c5

Download Submit
C:\Users\Admin\AppData\Local\oX9\SnippingTool.exe
MD5
e40c6c256043c143f7b8cdca70f69f4f

SHA1
129f4f0257715715d50fd7b7129ce231771ae1ea

SHA256
76610fec5aabe77401425bc8a437f58e9307b636197ffd048ece9e02e955f88d

SHA512
fb83e4feb112cbee5fb922178795df1f02f29cbe009d8b3b4d9b4f1a62c08d184a64df52e57ee3d4d8be839621f875a5279d15f39b94ff3a987a863fa4d743ba

Download Submit
C:\Users\Admin\AppData\Local\r8K9cGfBH\AtBroker.exe
MD5
83245f0857ad28fef08fb21e8afb86ea

SHA1
5d35cc5f249b0347863ffcfec03208206a85474c

SHA256
f7686ec25aaf67724cd6170a9d7a20cd987ea32f35ef654ae56fdcea16180c5d

SHA512
8d3714c1302ea4f1e06586ee84026c5913c8e0970e4dda27ee02f847d6474b5e883818751efde35b01f5039ffbd4ef9a470d37c21286b5fb81e4e415f20d4dd7

Download Submit
C:\Users\Admin\AppData\Local\r8K9cGfBH\UxTheme.dll
MD5
344137556f07d46f8b387e986b622607

SHA1
af94887e6f0dea7d70cb581a7c9424f89a5585db

SHA256
1ed9c85bf30b6e186f8ce869332d25a91d5c4beb3f54d6c408b139a43304b84c

SHA512
41e7034ecc9b39902da8aac55b9a876500502bfe92fd383d87a464334fb6baea93b769a154d952080ed7cf91af0be3fe8e9de035c1448ce6643e81d744e81464

Download Submit
\Users\Admin\AppData\Local\QOeI\XmlLite.dll
MD5
11ac732a097c90d84f089ea005e79e05

SHA1
ecbba9170f195de85c30e238467caf8865b8aeb8

SHA256
1eed8e2286a6f1cff5db18f3c39f56d7e24389588b3d8a369c8d8e422c3af070

SHA512
9422aceffd8b81881cc2bca988c8ed3a3ea602d1730b64e453515899a92fbef69a40d10e6d6af13001fefe113d79b2891ee8593939d78f1258cec450fa481ad7

Download Submit
\Users\Admin\AppData\Local\oX9\OLEACC.dll
MD5
6f3640c34f8493950746fc48196f2b17

SHA1
2506126b1a2e81b4acf7f051c3abc47fc1904413

SHA256
d07362c2f7364ec5e04c56d0a5187bfe2da317a6fa3b84d41c2e0feef30099eb

SHA512
381bb85a3f454daccf1bffc02e080b6cb1dda0234bc5f94b11d14ab97f084ee2008ec68fcd56523a159669fded37f0fad1a7d9f223b3806d160a63ad861624c5

Download Submit
\Users\Admin\AppData\Local\r8K9cGfBH\UxTheme.dll
MD5
344137556f07d46f8b387e986b622607

SHA1
af94887e6f0dea7d70cb581a7c9424f89a5585db

SHA256
1ed9c85bf30b6e186f8ce869332d25a91d5c4beb3f54d6c408b139a43304b84c

SHA512
41e7034ecc9b39902da8aac55b9a876500502bfe92fd383d87a464334fb6baea93b769a154d952080ed7cf91af0be3fe8e9de035c1448ce6643e81d744e81464

Download Submit
memory/592-172-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/592-168-0x0000000000000000-mapping.dmp

Download
memory/648-186-0x0000000000000000-mapping.dmp

Download
memory/956-177-0x0000000000000000-mapping.dmp

Download
memory/3028-144-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-151-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-133-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-134-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-135-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-136-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-137-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-138-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-139-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-140-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-141-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-142-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-143-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-130-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-145-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-146-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-147-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-148-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-149-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-131-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-150-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-132-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-152-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-153-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-154-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-155-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-156-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-129-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-128-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-127-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-126-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-125-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-124-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-123-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-122-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-121-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-120-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/3028-157-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3028-165-0x00007FFB6F814560-0x00007FFB6F815560-memory.dmp

Filesize
4KB

Download
memory/3028-167-0x00007FFB6F950000-0x00007FFB6F952000-memory.dmp

Filesize
8KB

Download
memory/3168-115-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/3168-119-0x0000024C693B0000-0x0000024C693B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads