dridex | ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033

Analysis

max time kernel
152s
max time network
119s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033.dll
Size

1.1MB
MD5

c50f692a715db805e68e9655ff6a9ab2
SHA1

229b257301ed99d518364afd22c4276daa5b3d20
SHA256

ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033
SHA512

ad74f556ccef1f8fd4a3c18a18c27adcafd2f552025bf7f83864261c6944db5423c719ea161c341e593800499c6e01aba846031e79caf1e771b2b16e7d6e33d1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 6 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1676-115-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload
behavioral2/memory/3696-164-0x000002B1168A0000-0x000002B1169B0000-memory.dmp	dridex_payload
behavioral2/memory/3696-166-0x000002B1168A1000-0x000002B11691D000-memory.dmp	dridex_payload
behavioral2/memory/660-190-0x0000000140000000-0x0000000140155000-memory.dmp	dridex_payload
behavioral2/memory/2956-201-0x000001E31E470000-0x000001E31E580000-memory.dmp	dridex_payload
behavioral2/memory/2956-203-0x000001E31E471000-0x000001E31E4ED000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3028-121-0x0000000001030000-0x0000000001031000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ie4uinit.exeSysResetErr.exeie4uinit.exe

pid process

3696 ie4uinit.exe
660 SysResetErr.exe
2956 ie4uinit.exe
Loads dropped DLL 7 IoCs

Processes:

ie4uinit.exeSysResetErr.exeie4uinit.exe

pid process

3696 ie4uinit.exe
3696 ie4uinit.exe
3696 ie4uinit.exe
660 SysResetErr.exe
2956 ie4uinit.exe
2956 ie4uinit.exe
2956 ie4uinit.exe

pid	process
3696	ie4uinit.exe
660	SysResetErr.exe
2956	ie4uinit.exe

pid	process
3696	ie4uinit.exe
3696	ie4uinit.exe
3696	ie4uinit.exe
660	SysResetErr.exe
2956	ie4uinit.exe
2956	ie4uinit.exe
2956	ie4uinit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\Mr6Y64nuuO\\SysResetErr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SysResetErr.exeie4uinit.exerundll32.exeie4uinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1676	rundll32.exe
1676	rundll32.exe
1676	rundll32.exe
1676	rundll32.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3028
3028
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3028
3028

pid	process
3028

pid	process
3028
3028

pid	process
3028
3028

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 3488	3028	ie4uinit.exe
PID 3028 wrote to memory of 3488	3028	ie4uinit.exe
PID 3028 wrote to memory of 3696	3028	ie4uinit.exe
PID 3028 wrote to memory of 3696	3028	ie4uinit.exe
PID 3028 wrote to memory of 1184	3028	SysResetErr.exe
PID 3028 wrote to memory of 1184	3028	SysResetErr.exe
PID 3028 wrote to memory of 660	3028	SysResetErr.exe
PID 3028 wrote to memory of 660	3028	SysResetErr.exe
PID 3028 wrote to memory of 2400	3028	ie4uinit.exe
PID 3028 wrote to memory of 2400	3028	ie4uinit.exe
PID 3028 wrote to memory of 2956	3028	ie4uinit.exe
PID 3028 wrote to memory of 2956	3028	ie4uinit.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:3488

C:\Users\Admin\AppData\Local\oNeLOlCH\ie4uinit.exe
C:\Users\Admin\AppData\Local\oNeLOlCH\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3696

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:1184

C:\Users\Admin\AppData\Local\8iCsWklu\SysResetErr.exe
C:\Users\Admin\AppData\Local\8iCsWklu\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:660

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:2400

C:\Users\Admin\AppData\Local\BG3egyWz\ie4uinit.exe
C:\Users\Admin\AppData\Local\BG3egyWz\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8iCsWklu\DUI70.dll
MD5
d199908383cde32ace64555345de957d

SHA1
c56bd0815fa97e90d1d9e6e8cdc4f4bae506f99d

SHA256
6ac7baa8c6bd34ecb9cbec85e490ad543a39847ed1068720e8abdb7367936f8d

SHA512
f41e4a2c41a5e912d9dc9ba5f166063b672f15a8884e31dcf4e6a919e0e77f346addef9488755df54a223d9ed1d5cc0db123070916bd30f2f543b9b6663dde8c

Download Submit
C:\Users\Admin\AppData\Local\8iCsWklu\SysResetErr.exe
MD5
432557a19cef7e1c23a4dcc7d148b712

SHA1
b26c19de3b32108f8ac9307c30027e635615fc65

SHA256
f519aba77298a8c04f3e9c8f5f1b40c8de05e41898f13033f337e13e05d4282a

SHA512
542e71740094ea810651901ec23f06c495e0c2d57fae09d6dd9730e11650843ade34eeba0b2816df025179c597825129b3a26a0007c75e10f1a8857340452ff7

Download Submit
C:\Users\Admin\AppData\Local\BG3egyWz\VERSION.dll
MD5
2fe18414b303492c4d86f171879ad976

SHA1
c70061eb3de2a2f7092cb1961660d1054172885d

SHA256
8870fc579b4c74bc4ba938184552d2e622454790c3fa2e5b620baf551cebb46b

SHA512
3453a68d49b52f09028d99610f3d389846aa1da9193437004dc06086a9b0742597feaaf042db99dfacfc15fc49cde46d7289ac360d0119efeb67e6467b9090e1

Download Submit
C:\Users\Admin\AppData\Local\BG3egyWz\ie4uinit.exe
MD5
e259e65dbf6958b4bbd816c6d890d3f8

SHA1
ad0b061cdf69ab50977d64600fd33ad1e55773b1

SHA256
26e2ba63d70090b4acaaab1746f07a42ca8d0b5d1ef3711847edf4d0784c2106

SHA512
8a708480f8e595ac8d2c2a9b9d460ca3c933ffebb1f1d266b8fe77ee1a4b164ad58a4335c15d3843684488c34cc1bcfc79cfa66e750e41a203a5137b7c912a3b

Download Submit
C:\Users\Admin\AppData\Local\oNeLOlCH\VERSION.dll
MD5
d0008781c726ea3164c69cc21877c7f5

SHA1
cc1bd6d810e6f11f760c0765294914c9d0d93ba1

SHA256
6e52079ecdb8cc9563479f54296f577819c17682478f80e0bbfb25f5182a5f81

SHA512
24a0daf10aa96ce82ae6429a6f1cdc9db01377d3bacc966b101ba12b1ed57196fa02a9fd4390858c7516a664524677e3e29a6e21fedd8253c983f2362ace8af4

Download Submit
C:\Users\Admin\AppData\Local\oNeLOlCH\ie4uinit.exe
MD5
e259e65dbf6958b4bbd816c6d890d3f8

SHA1
ad0b061cdf69ab50977d64600fd33ad1e55773b1

SHA256
26e2ba63d70090b4acaaab1746f07a42ca8d0b5d1ef3711847edf4d0784c2106

SHA512
8a708480f8e595ac8d2c2a9b9d460ca3c933ffebb1f1d266b8fe77ee1a4b164ad58a4335c15d3843684488c34cc1bcfc79cfa66e750e41a203a5137b7c912a3b

Download Submit
\Users\Admin\AppData\Local\8iCsWklu\DUI70.dll
MD5
d199908383cde32ace64555345de957d

SHA1
c56bd0815fa97e90d1d9e6e8cdc4f4bae506f99d

SHA256
6ac7baa8c6bd34ecb9cbec85e490ad543a39847ed1068720e8abdb7367936f8d

SHA512
f41e4a2c41a5e912d9dc9ba5f166063b672f15a8884e31dcf4e6a919e0e77f346addef9488755df54a223d9ed1d5cc0db123070916bd30f2f543b9b6663dde8c

Download Submit
\Users\Admin\AppData\Local\BG3egyWz\VERSION.dll
MD5
2fe18414b303492c4d86f171879ad976

SHA1
c70061eb3de2a2f7092cb1961660d1054172885d

SHA256
8870fc579b4c74bc4ba938184552d2e622454790c3fa2e5b620baf551cebb46b

SHA512
3453a68d49b52f09028d99610f3d389846aa1da9193437004dc06086a9b0742597feaaf042db99dfacfc15fc49cde46d7289ac360d0119efeb67e6467b9090e1

Download Submit
\Users\Admin\AppData\Local\BG3egyWz\VERSION.dll
MD5
2fe18414b303492c4d86f171879ad976

SHA1
c70061eb3de2a2f7092cb1961660d1054172885d

SHA256
8870fc579b4c74bc4ba938184552d2e622454790c3fa2e5b620baf551cebb46b

SHA512
3453a68d49b52f09028d99610f3d389846aa1da9193437004dc06086a9b0742597feaaf042db99dfacfc15fc49cde46d7289ac360d0119efeb67e6467b9090e1

Download Submit
\Users\Admin\AppData\Local\BG3egyWz\VERSION.dll
MD5
2fe18414b303492c4d86f171879ad976

SHA1
c70061eb3de2a2f7092cb1961660d1054172885d

SHA256
8870fc579b4c74bc4ba938184552d2e622454790c3fa2e5b620baf551cebb46b

SHA512
3453a68d49b52f09028d99610f3d389846aa1da9193437004dc06086a9b0742597feaaf042db99dfacfc15fc49cde46d7289ac360d0119efeb67e6467b9090e1

Download Submit
\Users\Admin\AppData\Local\oNeLOlCH\VERSION.dll
MD5
d0008781c726ea3164c69cc21877c7f5

SHA1
cc1bd6d810e6f11f760c0765294914c9d0d93ba1

SHA256
6e52079ecdb8cc9563479f54296f577819c17682478f80e0bbfb25f5182a5f81

SHA512
24a0daf10aa96ce82ae6429a6f1cdc9db01377d3bacc966b101ba12b1ed57196fa02a9fd4390858c7516a664524677e3e29a6e21fedd8253c983f2362ace8af4

Download Submit
\Users\Admin\AppData\Local\oNeLOlCH\VERSION.dll
MD5
d0008781c726ea3164c69cc21877c7f5

SHA1
cc1bd6d810e6f11f760c0765294914c9d0d93ba1

SHA256
6e52079ecdb8cc9563479f54296f577819c17682478f80e0bbfb25f5182a5f81

SHA512
24a0daf10aa96ce82ae6429a6f1cdc9db01377d3bacc966b101ba12b1ed57196fa02a9fd4390858c7516a664524677e3e29a6e21fedd8253c983f2362ace8af4

Download Submit
\Users\Admin\AppData\Local\oNeLOlCH\VERSION.dll
MD5
d0008781c726ea3164c69cc21877c7f5

SHA1
cc1bd6d810e6f11f760c0765294914c9d0d93ba1

SHA256
6e52079ecdb8cc9563479f54296f577819c17682478f80e0bbfb25f5182a5f81

SHA512
24a0daf10aa96ce82ae6429a6f1cdc9db01377d3bacc966b101ba12b1ed57196fa02a9fd4390858c7516a664524677e3e29a6e21fedd8253c983f2362ace8af4

Download Submit
memory/660-186-0x0000000000000000-mapping.dmp

Download
memory/660-190-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1676-115-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/1676-120-0x00000215B0CD0000-0x00000215B0CD7000-memory.dmp

Filesize
28KB

Download
memory/2956-195-0x0000000000000000-mapping.dmp

Download
memory/2956-201-0x000001E31E470000-0x000001E31E580000-memory.dmp

Filesize
1.1MB

Download
memory/2956-203-0x000001E31E471000-0x000001E31E4ED000-memory.dmp

Filesize
496KB

Download
memory/3028-132-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-136-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-141-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-143-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-142-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-144-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-145-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-146-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-147-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-156-0x00007FFF21484320-0x00007FFF21485320-memory.dmp

Filesize
4KB

Download
memory/3028-157-0x00007FFF21454320-0x00007FFF21455320-memory.dmp

Filesize
4KB

Download
memory/3028-121-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/3028-140-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-138-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-137-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-139-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-135-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-123-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-122-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-134-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-133-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-131-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-130-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-129-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-128-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-127-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-126-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-125-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3028-124-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3696-166-0x000002B1168A1000-0x000002B11691D000-memory.dmp

Filesize
496KB

Download
memory/3696-164-0x000002B1168A0000-0x000002B1169B0000-memory.dmp

Filesize
1.1MB

Download
memory/3696-158-0x0000000000000000-mapping.dmp

Download