dridex | 97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070

Analysis

max time kernel
150s
max time network
129s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070.dll
Size

1.2MB
MD5

2955d4759afce09a41c1df5b108f0287
SHA1

11e277c3c987b4119909dd099a5f901e074698e3
SHA256

97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070
SHA512

1cb1adb483d7652ac7c41fc471612d9ee14415763c753e269645a97917050cf1e144daa679f09714a29b9d00d6234606eed407c9735c0d4bb3bfe12ca9b74a80

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2848-120-0x00000000007F0000-0x00000000007F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mspaint.exeCameraSettingsUIHost.exebdeunlock.exe

pid process

1768 mspaint.exe
4068 CameraSettingsUIHost.exe
1400 bdeunlock.exe
Loads dropped DLL 3 IoCs

Processes:

mspaint.exeCameraSettingsUIHost.exebdeunlock.exe

pid process

1768 mspaint.exe
4068 CameraSettingsUIHost.exe
1400 bdeunlock.exe

pid	process
1768	mspaint.exe
4068	CameraSettingsUIHost.exe
1400	bdeunlock.exe

pid	process
1768	mspaint.exe
4068	CameraSettingsUIHost.exe
1400	bdeunlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\F3qC\\CameraSettingsUIHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemspaint.exeCameraSettingsUIHost.exebdeunlock.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1952	rundll32.exe
1952	rundll32.exe
1952	rundll32.exe
1952	rundll32.exe
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848
2848

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2848

pid	process
2848

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2848 wrote to memory of 3624	2848	mspaint.exe
PID 2848 wrote to memory of 3624	2848	mspaint.exe
PID 2848 wrote to memory of 1768	2848	mspaint.exe
PID 2848 wrote to memory of 1768	2848	mspaint.exe
PID 2848 wrote to memory of 3104	2848	CameraSettingsUIHost.exe
PID 2848 wrote to memory of 3104	2848	CameraSettingsUIHost.exe
PID 2848 wrote to memory of 4068	2848	CameraSettingsUIHost.exe
PID 2848 wrote to memory of 4068	2848	CameraSettingsUIHost.exe
PID 2848 wrote to memory of 1160	2848	bdeunlock.exe
PID 2848 wrote to memory of 1160	2848	bdeunlock.exe
PID 2848 wrote to memory of 1400	2848	bdeunlock.exe
PID 2848 wrote to memory of 1400	2848	bdeunlock.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97058d4465daae2446886d425d9a8215df518e6845e8a4bedb30acea4e8d2070.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:3624

C:\Users\Admin\AppData\Local\EUarIjS\mspaint.exe
C:\Users\Admin\AppData\Local\EUarIjS\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1768

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:3104

C:\Users\Admin\AppData\Local\g807\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\g807\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4068

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:1160

C:\Users\Admin\AppData\Local\eiU7\bdeunlock.exe
C:\Users\Admin\AppData\Local\eiU7\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EUarIjS\MFC42u.dll
MD5
5dd9d05cac23d72d626359171ca1e9a8

SHA1
3225a14ee1d9efd9dcc482ab48929e3d9c93e39c

SHA256
7014c90d83890fdc5f56e6b1b1892660bd9f17322b5a6bbcb5f67a4a2c6768dd

SHA512
650e4bba6bab53727d90b3239a22ae2efb3a0792bbfe96d9b2f14f57a50008396063db57f9c8863e353fdd1fb13218fd4b8a5a14ed79984ff494dfb90ddc2a9e

Download Submit
C:\Users\Admin\AppData\Local\EUarIjS\mspaint.exe
MD5
d19c421c2609048fbb88f37baeb53c29

SHA1
3a29ebe10d225242d88714e17b9d612b16c1947b

SHA256
b80c76fc0bc57f7d74f5aca9f60d9609dcff4a8683dcd5de2e0b9eeb1621bca7

SHA512
7b2327a658e3236ec678179de9221b92bc5c0ca36cf2c7af238e4c9f630ecb06e0558f2c3e2617941f6021f3a4132d0e3b6a117c6dbe684f63eb5380ea42d288

Download Submit
C:\Users\Admin\AppData\Local\EUarIjS\mspaint.exe
MD5
d19c421c2609048fbb88f37baeb53c29

SHA1
3a29ebe10d225242d88714e17b9d612b16c1947b

SHA256
b80c76fc0bc57f7d74f5aca9f60d9609dcff4a8683dcd5de2e0b9eeb1621bca7

SHA512
7b2327a658e3236ec678179de9221b92bc5c0ca36cf2c7af238e4c9f630ecb06e0558f2c3e2617941f6021f3a4132d0e3b6a117c6dbe684f63eb5380ea42d288

Download Submit
C:\Users\Admin\AppData\Local\eiU7\DUser.dll
MD5
2ec5e4552693d180591f161b9d7adafb

SHA1
430dbbd015ed21e7a2457629651458d40b1a8db0

SHA256
48d05db3d1c77f6e64c7b2aa05f980b62bd8a8f956d3b30ffe79e5054ef2cb6a

SHA512
9b8a5f3453f8f264a2cf3dddea9c10a35c92bb14be8476878ff9d4d953ddf8a7f5130d89015045bc4f5aed26b3cd048397977e24e63867a0c2421e7a43d8b06a

Download Submit
C:\Users\Admin\AppData\Local\eiU7\bdeunlock.exe
MD5
99aff8e54d3b41aee863a8256d31fb83

SHA1
b2f48c802a43e3e420cbc12c16d2277769631159

SHA256
c1d9fd2a52ccf1cc1e587fc598c2848778107b902d492749e1ec1a7b777bead6

SHA512
616179c5b4e94a05c101ab4d3a227f80789966c9e18c56ad5587dfe0f96c0e36b522512b126ffefedab585e85ea90ba61726f4e585dca0e894adb1bf8a742127

Download Submit
C:\Users\Admin\AppData\Local\g807\CameraSettingsUIHost.exe
MD5
a2f3bedc6124ad9d582ebd5086be2aa2

SHA1
5586e7796ea73cfb4aac094905b334b12de8a151

SHA256
dd3ceee2dcd4884fbd46676045ab4a02ce4c0a0a4ad13ab54364c6e136c259a0

SHA512
9dc1909e07326c55c2eff881b31d0146a595010a8ae78ae9afd64093b2b691c75f68de873acee27d2093a34c0431ee81e693d24d8241c2f4805590a11be9d07b

Download Submit
C:\Users\Admin\AppData\Local\g807\DUI70.dll
MD5
e591b52db60a96d6a149628b1613de9c

SHA1
990e8d19a79945c6bb1230f07933f88377a5f343

SHA256
093d72046b6799e3daa59d88926e514f40c10d415bf90a618044f311187fda75

SHA512
e7f61c5770a8d1f5d4c5611b9617a804280025907d66ecb9951b42be71cc4e18aebc041baeef97206a25e015c4b691f940e829619b20f93dbbe53628bf0384f9

Download Submit
\Users\Admin\AppData\Local\EUarIjS\MFC42u.dll
MD5
5dd9d05cac23d72d626359171ca1e9a8

SHA1
3225a14ee1d9efd9dcc482ab48929e3d9c93e39c

SHA256
7014c90d83890fdc5f56e6b1b1892660bd9f17322b5a6bbcb5f67a4a2c6768dd

SHA512
650e4bba6bab53727d90b3239a22ae2efb3a0792bbfe96d9b2f14f57a50008396063db57f9c8863e353fdd1fb13218fd4b8a5a14ed79984ff494dfb90ddc2a9e

Download Submit
\Users\Admin\AppData\Local\eiU7\DUser.dll
MD5
2ec5e4552693d180591f161b9d7adafb

SHA1
430dbbd015ed21e7a2457629651458d40b1a8db0

SHA256
48d05db3d1c77f6e64c7b2aa05f980b62bd8a8f956d3b30ffe79e5054ef2cb6a

SHA512
9b8a5f3453f8f264a2cf3dddea9c10a35c92bb14be8476878ff9d4d953ddf8a7f5130d89015045bc4f5aed26b3cd048397977e24e63867a0c2421e7a43d8b06a

Download Submit
\Users\Admin\AppData\Local\g807\DUI70.dll
MD5
e591b52db60a96d6a149628b1613de9c

SHA1
990e8d19a79945c6bb1230f07933f88377a5f343

SHA256
093d72046b6799e3daa59d88926e514f40c10d415bf90a618044f311187fda75

SHA512
e7f61c5770a8d1f5d4c5611b9617a804280025907d66ecb9951b42be71cc4e18aebc041baeef97206a25e015c4b691f940e829619b20f93dbbe53628bf0384f9

Download Submit
memory/1400-184-0x0000000000000000-mapping.dmp

Download
memory/1400-188-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1768-165-0x0000000000000000-mapping.dmp

Download
memory/1768-170-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1952-115-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1952-119-0x000001E2957D0000-0x000001E2957D7000-memory.dmp

Filesize
28KB

Download
memory/2848-132-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-153-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-137-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-128-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-139-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-140-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-141-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-138-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-143-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-144-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-145-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-146-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-142-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-147-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-148-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-149-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-151-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-150-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-152-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-136-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-154-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-162-0x00007FFB91F44560-0x00007FFB91F45560-memory.dmp

Filesize
4KB

Download
memory/2848-164-0x00007FFB92080000-0x00007FFB92082000-memory.dmp

Filesize
8KB

Download
memory/2848-135-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-134-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-133-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-131-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-130-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-129-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-127-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-120-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2848-126-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-125-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-121-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-124-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-123-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/2848-122-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/4068-179-0x0000000140000000-0x0000000140171000-memory.dmp

Filesize
1.4MB

Download
memory/4068-175-0x0000000000000000-mapping.dmp

Download