dridex | dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3

Analysis

max time kernel
156s
max time network
149s
platform
windows7_x64
resource
win7v20210408
submitted
28-09-2021 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3.dll
Size

1.2MB
MD5

ecdfff8b0ece2175cd699e690de1fcaf
SHA1

9359770d71e743832ca22597db917dfa817038b2
SHA256

dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3
SHA512

106ecdecdc64b395ae74fd231dc858f0c18a75baba52729ec928451884462d7f5e828f20dd0de3fc750c817d96461708030679873d7a675327b35f51bb8fcc3d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-63-0x0000000003BB0000-0x0000000003BB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

VaultSysUi.exemfpmp.exeshrpubw.exe

pid process

792 VaultSysUi.exe
612 mfpmp.exe
1744 shrpubw.exe
Loads dropped DLL 8 IoCs

Processes:

VaultSysUi.exemfpmp.exeshrpubw.exe

pid process

1208
1208
792 VaultSysUi.exe
1208
612 mfpmp.exe
1208
1744 shrpubw.exe
1208

pid	process
792	VaultSysUi.exe
612	mfpmp.exe
1744	shrpubw.exe

pid	process
1208
1208
792	VaultSysUi.exe
1208
612	mfpmp.exe
1208
1744	shrpubw.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\3yo\\mfpmp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeVaultSysUi.exemfpmp.exeshrpubw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
816	rundll32.exe
816	rundll32.exe
816	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1208
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1208
1208
1208
1208
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1208
1208
1208
1208

pid	process
1208

pid	process
1208
1208
1208
1208

pid	process
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 996	1208	VaultSysUi.exe
PID 1208 wrote to memory of 996	1208	VaultSysUi.exe
PID 1208 wrote to memory of 996	1208	VaultSysUi.exe
PID 1208 wrote to memory of 792	1208	VaultSysUi.exe
PID 1208 wrote to memory of 792	1208	VaultSysUi.exe
PID 1208 wrote to memory of 792	1208	VaultSysUi.exe
PID 1208 wrote to memory of 1888	1208	mfpmp.exe
PID 1208 wrote to memory of 1888	1208	mfpmp.exe
PID 1208 wrote to memory of 1888	1208	mfpmp.exe
PID 1208 wrote to memory of 612	1208	mfpmp.exe
PID 1208 wrote to memory of 612	1208	mfpmp.exe
PID 1208 wrote to memory of 612	1208	mfpmp.exe
PID 1208 wrote to memory of 1296	1208	shrpubw.exe
PID 1208 wrote to memory of 1296	1208	shrpubw.exe
PID 1208 wrote to memory of 1296	1208	shrpubw.exe
PID 1208 wrote to memory of 1744	1208	shrpubw.exe
PID 1208 wrote to memory of 1744	1208	shrpubw.exe
PID 1208 wrote to memory of 1744	1208	shrpubw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:996

C:\Users\Admin\AppData\Local\nngW\VaultSysUi.exe
C:\Users\Admin\AppData\Local\nngW\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:792

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1888

C:\Users\Admin\AppData\Local\De8yVX\mfpmp.exe
C:\Users\Admin\AppData\Local\De8yVX\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:612

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1296

C:\Users\Admin\AppData\Local\vSgTMFLRC\shrpubw.exe
C:\Users\Admin\AppData\Local\vSgTMFLRC\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1744

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\De8yVX\MFPlat.DLL
MD5
a03e5ad6278da059d65180eddee053bf

SHA1
e50f282582af7c66ebb27c24e01bc54a02290e54

SHA256
8bcf7be90cc2293ad67ea716cd56651441cb38e05f0cb7e3a5415223cf72a408

SHA512
04aaa4fa7f0cd9cca7a755b2036c46a23cf7f6e7b2888be2f8156caa5f45d550d8ea6950d59af2c9a8a7179b7c5395b7ab258922a7e937bdc9761e7265146717

Download Submit
C:\Users\Admin\AppData\Local\De8yVX\mfpmp.exe
MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
C:\Users\Admin\AppData\Local\nngW\VaultSysUi.exe
MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
C:\Users\Admin\AppData\Local\nngW\credui.dll
MD5
1bc953df90b1a4f6f6d8ebd3f89d9ddf

SHA1
175c9e4f799bacadca68870ca919ca74f8d7c1f0

SHA256
d527c11d4994710f94fe7528d0b7f734adfc8a4f73fff46bc290fde24346c00a

SHA512
d64803bd4fd60fa18207564035c910692e4705a6fb689e9cc03b676556a19eabb16d0f40038f9838c04c5dd4d7c88d5dcf41bd44e4f026e22596b9186feab7ad

Download Submit
C:\Users\Admin\AppData\Local\vSgTMFLRC\MFC42u.dll
MD5
da3966287e5ca94c82492991d351bc83

SHA1
3baf330ab62339487b572d763b96ec04530cb537

SHA256
125a1c962b72e7c5e0dd3c461c94a8981f51b63cdb68eb3c0990e208831863f4

SHA512
a5d1b12b21dd36766413a0961dfb82726ceedc6dc78d2e055bb5128ddf11269cb8d896c9a91ed2e8602aa81c69320fd756920c83fd019634df0a60b373ef236f

Download Submit
C:\Users\Admin\AppData\Local\vSgTMFLRC\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\De8yVX\MFPlat.DLL
MD5
a03e5ad6278da059d65180eddee053bf

SHA1
e50f282582af7c66ebb27c24e01bc54a02290e54

SHA256
8bcf7be90cc2293ad67ea716cd56651441cb38e05f0cb7e3a5415223cf72a408

SHA512
04aaa4fa7f0cd9cca7a755b2036c46a23cf7f6e7b2888be2f8156caa5f45d550d8ea6950d59af2c9a8a7179b7c5395b7ab258922a7e937bdc9761e7265146717

Download Submit
\Users\Admin\AppData\Local\De8yVX\mfpmp.exe
MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\nngW\VaultSysUi.exe
MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\nngW\VaultSysUi.exe
MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\nngW\credui.dll
MD5
1bc953df90b1a4f6f6d8ebd3f89d9ddf

SHA1
175c9e4f799bacadca68870ca919ca74f8d7c1f0

SHA256
d527c11d4994710f94fe7528d0b7f734adfc8a4f73fff46bc290fde24346c00a

SHA512
d64803bd4fd60fa18207564035c910692e4705a6fb689e9cc03b676556a19eabb16d0f40038f9838c04c5dd4d7c88d5dcf41bd44e4f026e22596b9186feab7ad

Download Submit
\Users\Admin\AppData\Local\vSgTMFLRC\MFC42u.dll
MD5
da3966287e5ca94c82492991d351bc83

SHA1
3baf330ab62339487b572d763b96ec04530cb537

SHA256
125a1c962b72e7c5e0dd3c461c94a8981f51b63cdb68eb3c0990e208831863f4

SHA512
a5d1b12b21dd36766413a0961dfb82726ceedc6dc78d2e055bb5128ddf11269cb8d896c9a91ed2e8602aa81c69320fd756920c83fd019634df0a60b373ef236f

Download Submit
\Users\Admin\AppData\Local\vSgTMFLRC\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\H5vu\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
memory/612-114-0x0000000000000000-mapping.dmp

Download
memory/612-118-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/792-111-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/792-107-0x0000000000000000-mapping.dmp

Download
memory/816-60-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/816-62-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1208-78-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-82-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-63-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

Filesize
4KB

Download
memory/1208-84-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-85-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-86-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-87-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-88-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-89-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-90-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-92-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-93-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-94-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-95-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-91-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-96-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-98-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-97-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-104-0x00000000770E0000-0x00000000770E2000-memory.dmp

Filesize
8KB

Download
memory/1208-83-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-80-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-81-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-77-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-79-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-75-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-76-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-74-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-73-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-72-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-71-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-70-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-64-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-65-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-69-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-67-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-68-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1208-66-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1744-125-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1744-126-0x0000000140000000-0x0000000140138000-memory.dmp

Filesize
1.2MB

Download
memory/1744-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads