dridex | ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033

Analysis

max time kernel
152s
max time network
129s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-09-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033.dll
Size

1.1MB
MD5

c50f692a715db805e68e9655ff6a9ab2
SHA1

229b257301ed99d518364afd22c4276daa5b3d20
SHA256

ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033
SHA512

ad74f556ccef1f8fd4a3c18a18c27adcafd2f552025bf7f83864261c6944db5423c719ea161c341e593800499c6e01aba846031e79caf1e771b2b16e7d6e33d1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1144-54-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral1/memory/596-94-0x0000000140000000-0x0000000140110000-memory.dmp	dridex_payload
behavioral1/memory/1472-101-0x0000000140000000-0x0000000140111000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1268-57-0x0000000002B40000-0x0000000002B41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

unregmp2.exerrinstaller.exeSndVol.exe

pid process

596 unregmp2.exe
1472 rrinstaller.exe
1308 SndVol.exe
Loads dropped DLL 7 IoCs

Processes:

unregmp2.exerrinstaller.exeSndVol.exe

pid process

1268
596 unregmp2.exe
1268
1472 rrinstaller.exe
1268
1308 SndVol.exe
1268

pid	process
596	unregmp2.exe
1472	rrinstaller.exe
1308	SndVol.exe

pid	process
1268
596	unregmp2.exe
1268
1472	rrinstaller.exe
1268
1308	SndVol.exe
1268

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\WRXIEP~1\\RRINST~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeunregmp2.exerrinstaller.exeSndVol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1144	rundll32.exe
1144	rundll32.exe
1144	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1268
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1268
1268
1268
1268
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1268
1268
1268
1268
1268
1268

pid	process
1268

pid	process
1268
1268
1268
1268

pid	process
1268
1268
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 784	1268	unregmp2.exe
PID 1268 wrote to memory of 784	1268	unregmp2.exe
PID 1268 wrote to memory of 784	1268	unregmp2.exe
PID 1268 wrote to memory of 596	1268	unregmp2.exe
PID 1268 wrote to memory of 596	1268	unregmp2.exe
PID 1268 wrote to memory of 596	1268	unregmp2.exe
PID 1268 wrote to memory of 1696	1268	rrinstaller.exe
PID 1268 wrote to memory of 1696	1268	rrinstaller.exe
PID 1268 wrote to memory of 1696	1268	rrinstaller.exe
PID 1268 wrote to memory of 1472	1268	rrinstaller.exe
PID 1268 wrote to memory of 1472	1268	rrinstaller.exe
PID 1268 wrote to memory of 1472	1268	rrinstaller.exe
PID 1268 wrote to memory of 840	1268	SndVol.exe
PID 1268 wrote to memory of 840	1268	SndVol.exe
PID 1268 wrote to memory of 840	1268	SndVol.exe
PID 1268 wrote to memory of 1308	1268	SndVol.exe
PID 1268 wrote to memory of 1308	1268	SndVol.exe
PID 1268 wrote to memory of 1308	1268	SndVol.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1144

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:784

C:\Users\Admin\AppData\Local\WoGXLRxX\unregmp2.exe
C:\Users\Admin\AppData\Local\WoGXLRxX\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:596

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:1696

C:\Users\Admin\AppData\Local\vuOrf\rrinstaller.exe
C:\Users\Admin\AppData\Local\vuOrf\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1472

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:840

C:\Users\Admin\AppData\Local\wxGwRC\SndVol.exe
C:\Users\Admin\AppData\Local\wxGwRC\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1308

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WoGXLRxX\slc.dll
MD5
98588c2d3049318cffd261f3570de375

SHA1
29e98da00e8111fcf7296325401806518a761e70

SHA256
b40957100ae51e1b8eb93d60ea1c3aeea26a6f13151fce4ca3d0450e0d4efccd

SHA512
84ee815ef5d2c3d1ff557b5bc3a89b1a9ebe2e8bd5eb593b111cae40b8ef6a731306be7841d8fbde4dc6ad101ab5501be8caab8d0497ed9394e70bc694f6d44f

Download Submit
C:\Users\Admin\AppData\Local\WoGXLRxX\unregmp2.exe
MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
C:\Users\Admin\AppData\Local\vuOrf\MFPlat.DLL
MD5
1aa0b7d76719cc19e76fc3e2bfbfac19

SHA1
bd07e8f34894b037a5582b9724e4ec5f9f51ddf7

SHA256
86888fda468541c61b604aa8e22b3017688f533b483a03c29653fec1ebbfd14d

SHA512
cdf92babf9445a11ce5fc9339e9c7db4445bae8beef8135bca5c67887a07673d0a3c6ff8fefd2f862c199ac5c514f2b335454d3b9201ebcf1047b56c0fdc01ab

Download Submit
C:\Users\Admin\AppData\Local\vuOrf\rrinstaller.exe
MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
C:\Users\Admin\AppData\Local\wxGwRC\SndVol.exe
MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\wxGwRC\UxTheme.dll
MD5
073d47b0eee6689a488b0769518e37a2

SHA1
b203d25cb6b7948fa908ea219aaa123c5665e3dd

SHA256
fac14c96da45f1845e32205ff9f559ad9375ad161e9af6201df9a3a38b708656

SHA512
41e8ae1bde18d9e0331e74caf2dae9b5d92a6a3bc6460de1bb98b5cf15a6e462aeda70b08233f7ac78593dd650fe5b7644fa598c72a06c530764926f49450211

Download Submit
\Users\Admin\AppData\Local\WoGXLRxX\slc.dll
MD5
98588c2d3049318cffd261f3570de375

SHA1
29e98da00e8111fcf7296325401806518a761e70

SHA256
b40957100ae51e1b8eb93d60ea1c3aeea26a6f13151fce4ca3d0450e0d4efccd

SHA512
84ee815ef5d2c3d1ff557b5bc3a89b1a9ebe2e8bd5eb593b111cae40b8ef6a731306be7841d8fbde4dc6ad101ab5501be8caab8d0497ed9394e70bc694f6d44f

Download Submit
\Users\Admin\AppData\Local\WoGXLRxX\unregmp2.exe
MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Local\vuOrf\MFPlat.DLL
MD5
1aa0b7d76719cc19e76fc3e2bfbfac19

SHA1
bd07e8f34894b037a5582b9724e4ec5f9f51ddf7

SHA256
86888fda468541c61b604aa8e22b3017688f533b483a03c29653fec1ebbfd14d

SHA512
cdf92babf9445a11ce5fc9339e9c7db4445bae8beef8135bca5c67887a07673d0a3c6ff8fefd2f862c199ac5c514f2b335454d3b9201ebcf1047b56c0fdc01ab

Download Submit
\Users\Admin\AppData\Local\vuOrf\rrinstaller.exe
MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\wxGwRC\SndVol.exe
MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\wxGwRC\UxTheme.dll
MD5
073d47b0eee6689a488b0769518e37a2

SHA1
b203d25cb6b7948fa908ea219aaa123c5665e3dd

SHA256
fac14c96da45f1845e32205ff9f559ad9375ad161e9af6201df9a3a38b708656

SHA512
41e8ae1bde18d9e0331e74caf2dae9b5d92a6a3bc6460de1bb98b5cf15a6e462aeda70b08233f7ac78593dd650fe5b7644fa598c72a06c530764926f49450211

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\m1\SndVol.exe
MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
memory/596-90-0x0000000000000000-mapping.dmp

Download
memory/596-94-0x0000000140000000-0x0000000140110000-memory.dmp

Filesize
1.1MB

Download
memory/1144-54-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1144-56-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1268-66-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-69-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-74-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-75-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-76-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-77-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-79-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-78-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-80-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-81-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-82-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-83-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-71-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-72-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-70-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-73-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-68-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-67-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-57-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/1268-65-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-64-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-58-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-63-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-62-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-61-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-59-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1268-60-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1308-106-0x000007FEFC011000-0x000007FEFC013000-memory.dmp

Filesize
8KB

Download
memory/1308-104-0x0000000000000000-mapping.dmp

Download
memory/1472-101-0x0000000140000000-0x0000000140111000-memory.dmp

Filesize
1.1MB

Download
memory/1472-97-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads