dridex | 8c6869c37e036692ba883df97a20e5050aaa4923e0463a11b32e47ded3373b2b

Analysis

max time kernel
153s
max time network
129s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-09-2021 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c6869c37e036692ba883df97a20e5050aaa4923e0463a11b32e47ded3373b2b.dll
Size

1.2MB
MD5

0a3c77c4b58a5356bd66f8f38085c8c3
SHA1

f5ad1150764fbb7cd57582fe2b28cd107e3c6d43
SHA256

8c6869c37e036692ba883df97a20e5050aaa4923e0463a11b32e47ded3373b2b
SHA512

bf2c11596f323d106a7781c62a5cd4bab0aa40f57b2aa286df4ca90f3ba92e461b96e02af54348b23452e5257d774984d64c7128dffd6aeb6e6b2fcfc3eca1f6

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1336-58-0x00000000026B0000-0x00000000026B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msconfig.exeSystemPropertiesAdvanced.exewinlogon.exe

pid process

1436 msconfig.exe
1472 SystemPropertiesAdvanced.exe
1132 winlogon.exe
Loads dropped DLL 7 IoCs

Processes:

msconfig.exeSystemPropertiesAdvanced.exewinlogon.exe

pid process

1336
1436 msconfig.exe
1336
1472 SystemPropertiesAdvanced.exe
1336
1132 winlogon.exe
1336

pid	process
1436	msconfig.exe
1472	SystemPropertiesAdvanced.exe
1132	winlogon.exe

pid	process
1336
1436	msconfig.exe
1336
1472	SystemPropertiesAdvanced.exe
1336
1132	winlogon.exe
1336

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\wkdNLYcE3H\\SystemPropertiesAdvanced.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msconfig.exeSystemPropertiesAdvanced.exewinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1128	regsvr32.exe
1128	regsvr32.exe
1128	regsvr32.exe
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1336
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1336
1336
1336
1336
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1336
1336
1336
1336
1336
1336

pid	process
1336

pid	process
1336
1336
1336
1336

pid	process
1336
1336
1336
1336
1336
1336

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1336 wrote to memory of 288	1336	msconfig.exe
PID 1336 wrote to memory of 288	1336	msconfig.exe
PID 1336 wrote to memory of 288	1336	msconfig.exe
PID 1336 wrote to memory of 1436	1336	msconfig.exe
PID 1336 wrote to memory of 1436	1336	msconfig.exe
PID 1336 wrote to memory of 1436	1336	msconfig.exe
PID 1336 wrote to memory of 616	1336	SystemPropertiesAdvanced.exe
PID 1336 wrote to memory of 616	1336	SystemPropertiesAdvanced.exe
PID 1336 wrote to memory of 616	1336	SystemPropertiesAdvanced.exe
PID 1336 wrote to memory of 1472	1336	SystemPropertiesAdvanced.exe
PID 1336 wrote to memory of 1472	1336	SystemPropertiesAdvanced.exe
PID 1336 wrote to memory of 1472	1336	SystemPropertiesAdvanced.exe
PID 1336 wrote to memory of 1828	1336	winlogon.exe
PID 1336 wrote to memory of 1828	1336	winlogon.exe
PID 1336 wrote to memory of 1828	1336	winlogon.exe
PID 1336 wrote to memory of 1132	1336	winlogon.exe
PID 1336 wrote to memory of 1132	1336	winlogon.exe
PID 1336 wrote to memory of 1132	1336	winlogon.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8c6869c37e036692ba883df97a20e5050aaa4923e0463a11b32e47ded3373b2b.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:288

C:\Users\Admin\AppData\Local\tuQmMH\msconfig.exe
C:\Users\Admin\AppData\Local\tuQmMH\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1436

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:616

C:\Users\Admin\AppData\Local\gK6pRAuPC\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\gK6pRAuPC\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1472

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:1828

C:\Users\Admin\AppData\Local\fU1wJ\winlogon.exe
C:\Users\Admin\AppData\Local\fU1wJ\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1132

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fU1wJ\WINSTA.dll
MD5
f3852b5e975df3170d7a3c1576d5792c

SHA1
78d6b3794171e1c0920a577e251e7de7cf1a6fc1

SHA256
09668af587d0b9c2042baf07ac4fd4c0c9050dcc9405659b7e58b9d44e73335e

SHA512
42a5501b87f2eb8b8fafa694429a4b4d2006132e6a5d1171226c8edc7c7de26d2b586fb08006603d4a62601266cf685cd151cbf0b71d24a2f0d8594fcfcd42b1

Download Submit
C:\Users\Admin\AppData\Local\fU1wJ\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
C:\Users\Admin\AppData\Local\gK6pRAuPC\SYSDM.CPL
MD5
9f75841b0bfbc3bc2514f438e815f038

SHA1
6acd1071beac7c2258d506e4a0fb4169eb6d80a4

SHA256
ee1b0510b7974c08b1aa523a43bdc0a5fdb46137924cdb521eb286d92bf64c3b

SHA512
70a3276f6bf7621a11884a7151009cd55b0530efc2e48472625781d70cfd9c21dde06c32c2d2cff08907f54a46000c0964d73fa9177b2ae1928044df375a7c30

Download Submit
C:\Users\Admin\AppData\Local\gK6pRAuPC\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
C:\Users\Admin\AppData\Local\tuQmMH\VERSION.dll
MD5
4795520f286b461be2a41161a2036a6b

SHA1
fc09bc736fd0ec946182e72f9f729857939a0416

SHA256
5932a82a5e9d0581d90c068d4ac2379cb33725ebe75ff5f0b8e11c8022d4e1c8

SHA512
82d2569077a6d4db7e3e5dac38b02736028d4f563d7b2665d7728ded5bff6103a30927fb40d91d169f5fdeab40bfc5efc5a4f88dec43dbcfa130378a404b2afc

Download Submit
C:\Users\Admin\AppData\Local\tuQmMH\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\fU1wJ\WINSTA.dll
MD5
f3852b5e975df3170d7a3c1576d5792c

SHA1
78d6b3794171e1c0920a577e251e7de7cf1a6fc1

SHA256
09668af587d0b9c2042baf07ac4fd4c0c9050dcc9405659b7e58b9d44e73335e

SHA512
42a5501b87f2eb8b8fafa694429a4b4d2006132e6a5d1171226c8edc7c7de26d2b586fb08006603d4a62601266cf685cd151cbf0b71d24a2f0d8594fcfcd42b1

Download Submit
\Users\Admin\AppData\Local\fU1wJ\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\gK6pRAuPC\SYSDM.CPL
MD5
9f75841b0bfbc3bc2514f438e815f038

SHA1
6acd1071beac7c2258d506e4a0fb4169eb6d80a4

SHA256
ee1b0510b7974c08b1aa523a43bdc0a5fdb46137924cdb521eb286d92bf64c3b

SHA512
70a3276f6bf7621a11884a7151009cd55b0530efc2e48472625781d70cfd9c21dde06c32c2d2cff08907f54a46000c0964d73fa9177b2ae1928044df375a7c30

Download Submit
\Users\Admin\AppData\Local\gK6pRAuPC\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\tuQmMH\VERSION.dll
MD5
4795520f286b461be2a41161a2036a6b

SHA1
fc09bc736fd0ec946182e72f9f729857939a0416

SHA256
5932a82a5e9d0581d90c068d4ac2379cb33725ebe75ff5f0b8e11c8022d4e1c8

SHA512
82d2569077a6d4db7e3e5dac38b02736028d4f563d7b2665d7728ded5bff6103a30927fb40d91d169f5fdeab40bfc5efc5a4f88dec43dbcfa130378a404b2afc

Download Submit
\Users\Admin\AppData\Local\tuQmMH\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\w0kwy7\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
memory/1128-57-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1128-55-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1128-54-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1132-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1132-112-0x0000000000000000-mapping.dmp

Download
memory/1336-87-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-81-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-82-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-79-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-75-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-74-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-73-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-71-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-70-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-69-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-68-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-66-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-65-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-64-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-63-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-61-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-60-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-59-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-96-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/1336-58-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1336-85-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-86-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-88-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-90-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-62-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-89-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-67-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-84-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-83-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-80-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-78-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-76-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-77-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1336-72-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1436-102-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1436-98-0x0000000000000000-mapping.dmp

Download
memory/1472-105-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads