dridex | dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3.dll
Size

1.2MB
MD5

ecdfff8b0ece2175cd699e690de1fcaf
SHA1

9359770d71e743832ca22597db917dfa817038b2
SHA256

dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3
SHA512

106ecdecdc64b395ae74fd231dc858f0c18a75baba52729ec928451884462d7f5e828f20dd0de3fc750c817d96461708030679873d7a675327b35f51bb8fcc3d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3068-120-0x0000000000CD0000-0x0000000000CD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

raserver.exewextract.exeSnippingTool.exe

pid process

2636 raserver.exe
916 wextract.exe
1012 SnippingTool.exe
Loads dropped DLL 3 IoCs

Processes:

raserver.exewextract.exeSnippingTool.exe

pid process

2636 raserver.exe
916 wextract.exe
1012 SnippingTool.exe

pid	process
2636	raserver.exe
916	wextract.exe
1012	SnippingTool.exe

pid	process
2636	raserver.exe
916	wextract.exe
1012	SnippingTool.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\4bUeVLGu\\wextract.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeraserver.exewextract.exeSnippingTool.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SnippingTool.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068

pid	process
3068

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3068 wrote to memory of 2288	3068	raserver.exe
PID 3068 wrote to memory of 2288	3068	raserver.exe
PID 3068 wrote to memory of 2636	3068	raserver.exe
PID 3068 wrote to memory of 2636	3068	raserver.exe
PID 3068 wrote to memory of 400	3068	wextract.exe
PID 3068 wrote to memory of 400	3068	wextract.exe
PID 3068 wrote to memory of 916	3068	wextract.exe
PID 3068 wrote to memory of 916	3068	wextract.exe
PID 3068 wrote to memory of 2736	3068	SnippingTool.exe
PID 3068 wrote to memory of 2736	3068	SnippingTool.exe
PID 3068 wrote to memory of 1012	3068	SnippingTool.exe
PID 3068 wrote to memory of 1012	3068	SnippingTool.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc684f824a7deaf6028f6266b48cc3f982a4931ce2db003f692a448da8e255e3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2288

C:\Users\Admin\AppData\Local\pLTpszW\raserver.exe
C:\Users\Admin\AppData\Local\pLTpszW\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2636

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:400

C:\Users\Admin\AppData\Local\dfhM8\wextract.exe
C:\Users\Admin\AppData\Local\dfhM8\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:916

C:\Windows\system32\SnippingTool.exe
C:\Windows\system32\SnippingTool.exe
1⤵
PID:2736

C:\Users\Admin\AppData\Local\o3R\SnippingTool.exe
C:\Users\Admin\AppData\Local\o3R\SnippingTool.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dfhM8\VERSION.dll
MD5
e2440718e9135927846a9e805c6ab135

SHA1
21c2a9bd00984a9e05e2f269c86e93be6d84d948

SHA256
309a2b33a6f5933fa635ada99b8fee86ff5f2d688f0f5018eab3767ad1514f73

SHA512
49fd3119566c1c4316d1c2aa065121d82fc1160d634d0ac7d5e6ab3db969b74d2c381ffc8607469aa85e6d1a71713c0a760c1f6bb80de4abf464eb4238a15946

Download Submit
C:\Users\Admin\AppData\Local\dfhM8\wextract.exe
MD5
e78764b49f5806ce029cd547004493c9

SHA1
8c1f3f989913bebf827a707c04754047507a8cf3

SHA256
ab519b1c2711219a9f262b23bf72343eec3c0df4c7ddd135d30d05e700ec302e

SHA512
71040e5f0d2d409efaba70a7daaebe7a4675cb19009436a826a679671cc0d7c960498364ec7a29fb163ce8dada65218b75bebb973e6c8b194734e01970fd3a6b

Download Submit
C:\Users\Admin\AppData\Local\o3R\SnippingTool.exe
MD5
e40c6c256043c143f7b8cdca70f69f4f

SHA1
129f4f0257715715d50fd7b7129ce231771ae1ea

SHA256
76610fec5aabe77401425bc8a437f58e9307b636197ffd048ece9e02e955f88d

SHA512
fb83e4feb112cbee5fb922178795df1f02f29cbe009d8b3b4d9b4f1a62c08d184a64df52e57ee3d4d8be839621f875a5279d15f39b94ff3a987a863fa4d743ba

Download Submit
C:\Users\Admin\AppData\Local\o3R\UxTheme.dll
MD5
675fac1537b8f210bcbb07903c346b63

SHA1
85cd081a6c195e9c2de3633109f56a737fb55de4

SHA256
7c9d68c61de4ff7290b1b0460e76d85a74dbdb6e87ce3e854b518188935c93b9

SHA512
cf67b8e31fd1dc67feb5dd50d0ba39a00e63ee82dad14006f24877635aa485a41289f199e8821884c0d0a2f63f2bea6246cb77e94afffc53f24e286b6b19a6ff

Download Submit
C:\Users\Admin\AppData\Local\pLTpszW\WTSAPI32.dll
MD5
598ad33eab43aaa10cf18a8f64c8aa49

SHA1
ec135064f90f5705c2a77c9b8643e708b3ebf3fd

SHA256
e56d725325b8257da757851cee3fb30cb60d4fd7fede45caf3c76263bccad76b

SHA512
9cb9cfc91c3a427f94a1ea535b91d0007bc4fa2f7c604cf524340221e944005e27d9e54e48fc07893543487010d4e5c8ad77d32d601a2ce4a4e66aaf56fdce4f

Download Submit
C:\Users\Admin\AppData\Local\pLTpszW\raserver.exe
MD5
71cacb0f5b7b70055fbba02055e503b1

SHA1
49e247edcc721fc7329045a8587877b645b7531f

SHA256
7a4aa698ea00d4347a1b85a2510c2502fdf23cc5d487079097999be9780f8eb1

SHA512
3cce7df2ab1ece95baf888982a0664fb53c1378029dc2aee1c583fc6e9065968074a9f8135988f1b9f50937e3eb69edc118976b61067c3461fe8351535295a18

Download Submit
\Users\Admin\AppData\Local\dfhM8\VERSION.dll
MD5
e2440718e9135927846a9e805c6ab135

SHA1
21c2a9bd00984a9e05e2f269c86e93be6d84d948

SHA256
309a2b33a6f5933fa635ada99b8fee86ff5f2d688f0f5018eab3767ad1514f73

SHA512
49fd3119566c1c4316d1c2aa065121d82fc1160d634d0ac7d5e6ab3db969b74d2c381ffc8607469aa85e6d1a71713c0a760c1f6bb80de4abf464eb4238a15946

Download Submit
\Users\Admin\AppData\Local\o3R\UxTheme.dll
MD5
675fac1537b8f210bcbb07903c346b63

SHA1
85cd081a6c195e9c2de3633109f56a737fb55de4

SHA256
7c9d68c61de4ff7290b1b0460e76d85a74dbdb6e87ce3e854b518188935c93b9

SHA512
cf67b8e31fd1dc67feb5dd50d0ba39a00e63ee82dad14006f24877635aa485a41289f199e8821884c0d0a2f63f2bea6246cb77e94afffc53f24e286b6b19a6ff

Download Submit
\Users\Admin\AppData\Local\pLTpszW\WTSAPI32.dll
MD5
598ad33eab43aaa10cf18a8f64c8aa49

SHA1
ec135064f90f5705c2a77c9b8643e708b3ebf3fd

SHA256
e56d725325b8257da757851cee3fb30cb60d4fd7fede45caf3c76263bccad76b

SHA512
9cb9cfc91c3a427f94a1ea535b91d0007bc4fa2f7c604cf524340221e944005e27d9e54e48fc07893543487010d4e5c8ad77d32d601a2ce4a4e66aaf56fdce4f

Download Submit
memory/916-175-0x0000000000000000-mapping.dmp

Download
memory/1012-184-0x0000000000000000-mapping.dmp

Download
memory/2168-115-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2168-119-0x000002549DD00000-0x000002549DD07000-memory.dmp

Filesize
28KB

Download
memory/2636-170-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/2636-166-0x0000000000000000-mapping.dmp

Download
memory/3068-144-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-153-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-135-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-136-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-137-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-138-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-139-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-140-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-141-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-142-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-143-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-133-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-145-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-146-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-147-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-148-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-149-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-150-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-152-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-134-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-154-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-151-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-155-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-163-0x00007FFBCC984560-0x00007FFBCC985560-memory.dmp

Filesize
4KB

Download
memory/3068-165-0x00007FFBCC8B0000-0x00007FFBCC8C0000-memory.dmp

Filesize
64KB

Download
memory/3068-132-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-131-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-130-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-129-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-128-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-127-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-126-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-125-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-124-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-123-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-122-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-121-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3068-120-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download