dridex | 807f12238d1ff9667c31f44178796a63ce759c4ca78cd472f9975d0c753aebaf

Analysis

max time kernel
150s
max time network
74s
platform
windows10_x64
resource
win10v20210408
submitted
29-09-2021 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

807f12238d1ff9667c31f44178796a63ce759c4ca78cd472f9975d0c753aebaf.dll
Size

836KB
MD5

f3a936183d790d82ae77402dbad857a2
SHA1

c569987ea8787f4edd108218052fcc7b9d79d38d
SHA256

807f12238d1ff9667c31f44178796a63ce759c4ca78cd472f9975d0c753aebaf
SHA512

7ba1542786cded740fbd1bf6f1ebe9a06083f7a36aa1468b7de61ccb712e3c186fa6d367efbba1ac24e0c33d551871c73a7d66ca36ffd30a666ce6e6a2b46197

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 5 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/664-114-0x0000000140000000-0x00000001400D1000-memory.dmp	dridex_payload
behavioral2/memory/3528-163-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload
behavioral2/memory/3992-172-0x0000000140000000-0x00000001400D2000-memory.dmp	dridex_payload
behavioral2/memory/508-182-0x000001EB64BA0000-0x000001EB64C72000-memory.dmp	dridex_payload
behavioral2/memory/508-184-0x000001EB64BA1000-0x000001EB64C1D000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3024-120-0x0000000002640000-0x0000000002641000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

FXSCOVER.exerstrui.exePresentationHost.exe

pid process

3528 FXSCOVER.exe
3992 rstrui.exe
508 PresentationHost.exe
Loads dropped DLL 4 IoCs

Processes:

FXSCOVER.exerstrui.exePresentationHost.exe

pid process

3528 FXSCOVER.exe
3992 rstrui.exe
508 PresentationHost.exe
508 PresentationHost.exe

pid	process
3528	FXSCOVER.exe
3992	rstrui.exe
508	PresentationHost.exe

pid	process
3528	FXSCOVER.exe
3992	rstrui.exe
508	PresentationHost.exe
508	PresentationHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\umf\\rstrui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeFXSCOVER.exerstrui.exePresentationHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024

pid	process
3024

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

3024
3024
3024
3024

pid	process
3024
3024
3024
3024

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3024 wrote to memory of 2796	3024	FXSCOVER.exe
PID 3024 wrote to memory of 2796	3024	FXSCOVER.exe
PID 3024 wrote to memory of 3528	3024	FXSCOVER.exe
PID 3024 wrote to memory of 3528	3024	FXSCOVER.exe
PID 3024 wrote to memory of 492	3024	rstrui.exe
PID 3024 wrote to memory of 492	3024	rstrui.exe
PID 3024 wrote to memory of 3992	3024	rstrui.exe
PID 3024 wrote to memory of 3992	3024	rstrui.exe
PID 3024 wrote to memory of 3736	3024	PresentationHost.exe
PID 3024 wrote to memory of 3736	3024	PresentationHost.exe
PID 3024 wrote to memory of 508	3024	PresentationHost.exe
PID 3024 wrote to memory of 508	3024	PresentationHost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\807f12238d1ff9667c31f44178796a63ce759c4ca78cd472f9975d0c753aebaf.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\72H4eD\FXSCOVER.exe
C:\Users\Admin\AppData\Local\72H4eD\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3528

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:492

C:\Users\Admin\AppData\Local\dLx\rstrui.exe
C:\Users\Admin\AppData\Local\dLx\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3992

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:3736

C:\Users\Admin\AppData\Local\VeoC\PresentationHost.exe
C:\Users\Admin\AppData\Local\VeoC\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:508

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\72H4eD\FXSCOVER.exe
MD5
fd8a15f70619a553acd265264c3e435d

SHA1
394f6a1db57b502eb5196d9276d1c00afc791663

SHA256
b9eec80e92a71b7405db190ac0d1fc177ba3d1f97411c43328a340d30a9d71a4

SHA512
af30027401e97a69aa57847c00c73ccafd4113e58349efd9addf5e7c3a5809f5ff35430d181844c5acd0abba947ff9acb450ff3e0383ef7c187bd9b7808a8799

Download Submit
C:\Users\Admin\AppData\Local\72H4eD\MFC42u.dll
MD5
27e392deb5d24e0bf73dc08fb8575eee

SHA1
33475d7a0f2d12533282b809faa6ada25dae6b27

SHA256
ff12399e881c2eb3f641953f0d32e0ab5a18b3cb4dfa99923282c5b3020e50a0

SHA512
461f75d9e9fc2d8d5efce6726b99c3f77933e391868b55e8bfa84afad084d342ea363fc1555615bb9e70d80afb61f86764c92bf5907313df0798917d147ef5bb

Download Submit
C:\Users\Admin\AppData\Local\VeoC\PresentationHost.exe
MD5
7009b2746734a3538e7735cf24f3c93b

SHA1
f994c53697e0d9b6ab2b5d5dd5f31fafa30109b1

SHA256
d0011ec1f0e14a3c6a515df997268a851c98722472f21c03b0fdc6477f14fdb7

SHA512
7934cc17f7bbb6ec8b0f3fb4c775b21885693eaf3e332de97b14f294dac7a189801eeb6165dfc04e2a9aa019c444a9af65d498926fe9dc0c4fc1b71ba272f89b

Download Submit
C:\Users\Admin\AppData\Local\VeoC\VERSION.dll
MD5
daac585172eebb055e27444e134e95ff

SHA1
bf02a73ff8a076b597282975ff70b87e6f06466d

SHA256
461169eec758283bddd8a634d313503e73072e50f2ae8832cb803f164ebb2794

SHA512
9997d927b23961e9d97415b570d58be8e22853623d9b6ea71d69100eefdd08cc027e2a11eee9729de5b686040f5250e60721404835f3c81cfd89e766d6cb2d8b

Download Submit
C:\Users\Admin\AppData\Local\dLx\SPP.dll
MD5
8dd8b8e5cd86c0b24c3bf5f51b2c529b

SHA1
367cbbf56382820ad7685d67c309c0bef488f677

SHA256
13aff12326b59983656dd8043f88b606d90d28e80ac20c232943883f0b33a09d

SHA512
226d51d53a086bb1d7b1fc53acba55b1d460b9ceafcaa776cbb4c98355d14bedeff5273189ecb1b414ff1bd370afa9f97cee7495f548c7b14181d18bfdce4398

Download Submit
C:\Users\Admin\AppData\Local\dLx\rstrui.exe
MD5
c0167cf19678a97a78a675ef18b7fc85

SHA1
f7589dcdff216ca879dba1d68764b2cf69652d3b

SHA256
b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb

SHA512
f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

Download Submit
\Users\Admin\AppData\Local\72H4eD\MFC42u.dll
MD5
27e392deb5d24e0bf73dc08fb8575eee

SHA1
33475d7a0f2d12533282b809faa6ada25dae6b27

SHA256
ff12399e881c2eb3f641953f0d32e0ab5a18b3cb4dfa99923282c5b3020e50a0

SHA512
461f75d9e9fc2d8d5efce6726b99c3f77933e391868b55e8bfa84afad084d342ea363fc1555615bb9e70d80afb61f86764c92bf5907313df0798917d147ef5bb

Download Submit
\Users\Admin\AppData\Local\VeoC\VERSION.dll
MD5
daac585172eebb055e27444e134e95ff

SHA1
bf02a73ff8a076b597282975ff70b87e6f06466d

SHA256
461169eec758283bddd8a634d313503e73072e50f2ae8832cb803f164ebb2794

SHA512
9997d927b23961e9d97415b570d58be8e22853623d9b6ea71d69100eefdd08cc027e2a11eee9729de5b686040f5250e60721404835f3c81cfd89e766d6cb2d8b

Download Submit
\Users\Admin\AppData\Local\VeoC\VERSION.dll
MD5
daac585172eebb055e27444e134e95ff

SHA1
bf02a73ff8a076b597282975ff70b87e6f06466d

SHA256
461169eec758283bddd8a634d313503e73072e50f2ae8832cb803f164ebb2794

SHA512
9997d927b23961e9d97415b570d58be8e22853623d9b6ea71d69100eefdd08cc027e2a11eee9729de5b686040f5250e60721404835f3c81cfd89e766d6cb2d8b

Download Submit
\Users\Admin\AppData\Local\dLx\SPP.dll
MD5
8dd8b8e5cd86c0b24c3bf5f51b2c529b

SHA1
367cbbf56382820ad7685d67c309c0bef488f677

SHA256
13aff12326b59983656dd8043f88b606d90d28e80ac20c232943883f0b33a09d

SHA512
226d51d53a086bb1d7b1fc53acba55b1d460b9ceafcaa776cbb4c98355d14bedeff5273189ecb1b414ff1bd370afa9f97cee7495f548c7b14181d18bfdce4398

Download Submit
memory/508-177-0x0000000000000000-mapping.dmp

Download
memory/508-182-0x000001EB64BA0000-0x000001EB64C72000-memory.dmp

Filesize
840KB

Download
memory/508-184-0x000001EB64BA1000-0x000001EB64C1D000-memory.dmp

Filesize
496KB

Download
memory/664-114-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/664-119-0x000001A1D2300000-0x000001A1D2307000-memory.dmp

Filesize
28KB

Download
memory/3024-130-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-158-0x00007FFAEC674320-0x00007FFAEC675320-memory.dmp

Filesize
4KB

Download
memory/3024-135-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-136-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-137-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-138-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-139-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-140-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-141-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-142-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-143-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-144-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-145-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-146-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-147-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-148-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-149-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-134-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-133-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-120-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3024-132-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-131-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-122-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-121-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-129-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-128-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-127-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-123-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-126-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-125-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3024-124-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3528-163-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/3528-159-0x0000000000000000-mapping.dmp

Download
memory/3992-172-0x0000000140000000-0x00000001400D2000-memory.dmp

Filesize
840KB

Download
memory/3992-168-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads