dridex | 8c6869c37e036692ba883df97a20e5050aaa4923e0463a11b32e47ded3373b2b

Analysis

max time kernel
151s
max time network
104s
platform
windows10_x64
resource
win10v20210408
submitted
30-09-2021 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c6869c37e036692ba883df97a20e5050aaa4923e0463a11b32e47ded3373b2b.dll
Size

1.2MB
MD5

0a3c77c4b58a5356bd66f8f38085c8c3
SHA1

f5ad1150764fbb7cd57582fe2b28cd107e3c6d43
SHA256

8c6869c37e036692ba883df97a20e5050aaa4923e0463a11b32e47ded3373b2b
SHA512

bf2c11596f323d106a7781c62a5cd4bab0aa40f57b2aa286df4ca90f3ba92e461b96e02af54348b23452e5257d774984d64c7128dffd6aeb6e6b2fcfc3eca1f6

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2900-119-0x0000000001020000-0x0000000001021000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EaseOfAccessDialog.exerstrui.exeBitLockerWizardElev.exe

pid process

992 EaseOfAccessDialog.exe
3592 rstrui.exe
4204 BitLockerWizardElev.exe
Loads dropped DLL 3 IoCs

Processes:

EaseOfAccessDialog.exerstrui.exeBitLockerWizardElev.exe

pid process

992 EaseOfAccessDialog.exe
3592 rstrui.exe
4204 BitLockerWizardElev.exe

pid	process
992	EaseOfAccessDialog.exe
3592	rstrui.exe
4204	BitLockerWizardElev.exe

pid	process
992	EaseOfAccessDialog.exe
3592	rstrui.exe
4204	BitLockerWizardElev.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\PisdZhbnD\\rstrui.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

EaseOfAccessDialog.exerstrui.exeBitLockerWizardElev.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
4796	regsvr32.exe
4796	regsvr32.exe
4796	regsvr32.exe
4796	regsvr32.exe
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900
2900

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2900

pid	process
2900

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900
Token: SeShutdownPrivilege	2900
Token: SeCreatePagefilePrivilege	2900

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

2900
2900
2900
2900
2900
2900
2900
2900

pid	process
2900
2900
2900
2900
2900
2900
2900
2900

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2900 wrote to memory of 988	2900	EaseOfAccessDialog.exe
PID 2900 wrote to memory of 988	2900	EaseOfAccessDialog.exe
PID 2900 wrote to memory of 992	2900	EaseOfAccessDialog.exe
PID 2900 wrote to memory of 992	2900	EaseOfAccessDialog.exe
PID 2900 wrote to memory of 3468	2900	rstrui.exe
PID 2900 wrote to memory of 3468	2900	rstrui.exe
PID 2900 wrote to memory of 3592	2900	rstrui.exe
PID 2900 wrote to memory of 3592	2900	rstrui.exe
PID 2900 wrote to memory of 4220	2900	BitLockerWizardElev.exe
PID 2900 wrote to memory of 4220	2900	BitLockerWizardElev.exe
PID 2900 wrote to memory of 4204	2900	BitLockerWizardElev.exe
PID 2900 wrote to memory of 4204	2900	BitLockerWizardElev.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8c6869c37e036692ba883df97a20e5050aaa4923e0463a11b32e47ded3373b2b.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:988

C:\Users\Admin\AppData\Local\Jq3q\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\Jq3q\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:992

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:3468

C:\Users\Admin\AppData\Local\ay3Umtg\rstrui.exe
C:\Users\Admin\AppData\Local\ay3Umtg\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3592

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:4220

C:\Users\Admin\AppData\Local\4CaX\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\4CaX\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4CaX\BitLockerWizardElev.exe
MD5
43d63950e411885e21eeb33a7f33dc85

SHA1
aa5489c400ae898ba8590e7198846ca51d4ae872

SHA256
82f381697c3ea8df147de184892751a5c99475617c245b3caece870bb0a5418a

SHA512
65b87ecb21289f3ce72f8ea00e877f6023551d4ba5f62e27ac00df7376c1f1d3d612419fac54211a91383b016e03a7f82ac8bc0beaa10262767538dba09423ca

Download Submit
C:\Users\Admin\AppData\Local\4CaX\FVEWIZ.dll
MD5
5fe4a06208614708e670c85214ea4487

SHA1
d6c765cd6250348a1e8a2401818be1b587400e43

SHA256
d422d0e7a796cb1b01c314c81ada3abbae5c6480764392cda82c6a2fc466f571

SHA512
1f619cd55ec9af76f629fa7b072a8e1821be86eda4d5a9b6f79b0336632bdc3245c9f18314304ce86d0b516945d78fb7f7cab2a7700ba06a12edf4aca2522b14

Download Submit
C:\Users\Admin\AppData\Local\Jq3q\EaseOfAccessDialog.exe
MD5
7eea1db3812b97249530920bb6984f1b

SHA1
64a217bb388459aee06f2e838404f5136faaee4d

SHA256
45d3a9f983aa6307ecba03bd5c8fe1dcaa510753178c8a126b55c565b7cf01c5

SHA512
911d60bb9780b9dda5e7f5cdc791d2c90fc161504d24a6d66a5f3c78dc3c2d30b5222247d4372486ba3c784a53a09a67c953aad7410e9a53c58fd49298bf421d

Download Submit
C:\Users\Admin\AppData\Local\Jq3q\OLEACC.dll
MD5
d100f9b67c936423eeb9c46cc9d381b0

SHA1
53f6895859d4f8fc051f47f5a5ef25fb488cfab1

SHA256
fb83e73ef8c1b616564bec832877fc41df0f3c0100a04299063980f664b2d34c

SHA512
cded05e5b17e0fcb2c8fa46c8018d40fbdb756e7a8d30a8efd0dd4eb44f62572bcf5898742ec8b097b3f1f227e9ae60fb40484722d91ae55fe428497d9ed15ee

Download Submit
C:\Users\Admin\AppData\Local\ay3Umtg\SRCORE.dll
MD5
92e886db40dcfe38efd25d79e8785cee

SHA1
d263118301bac4378cecc4f6fd7d8e5a6545e24b

SHA256
b1f5c5e7addcbdb30082b00a060d9a1654d332504f73140cd1b1598c9314b40c

SHA512
f48919107bcd32ed6b39d855c8b03c8ac377eb1e6889d303a220a596abb5090a8ac0fbdb202a6d22783be9fb3bb1f5eb9cb03134151da823ce9ff43eb768c708

Download Submit
C:\Users\Admin\AppData\Local\ay3Umtg\rstrui.exe
MD5
c0167cf19678a97a78a675ef18b7fc85

SHA1
f7589dcdff216ca879dba1d68764b2cf69652d3b

SHA256
b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb

SHA512
f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

Download Submit
\Users\Admin\AppData\Local\4CaX\FVEWIZ.dll
MD5
5fe4a06208614708e670c85214ea4487

SHA1
d6c765cd6250348a1e8a2401818be1b587400e43

SHA256
d422d0e7a796cb1b01c314c81ada3abbae5c6480764392cda82c6a2fc466f571

SHA512
1f619cd55ec9af76f629fa7b072a8e1821be86eda4d5a9b6f79b0336632bdc3245c9f18314304ce86d0b516945d78fb7f7cab2a7700ba06a12edf4aca2522b14

Download Submit
\Users\Admin\AppData\Local\Jq3q\OLEACC.dll
MD5
d100f9b67c936423eeb9c46cc9d381b0

SHA1
53f6895859d4f8fc051f47f5a5ef25fb488cfab1

SHA256
fb83e73ef8c1b616564bec832877fc41df0f3c0100a04299063980f664b2d34c

SHA512
cded05e5b17e0fcb2c8fa46c8018d40fbdb756e7a8d30a8efd0dd4eb44f62572bcf5898742ec8b097b3f1f227e9ae60fb40484722d91ae55fe428497d9ed15ee

Download Submit
\Users\Admin\AppData\Local\ay3Umtg\SRCORE.dll
MD5
92e886db40dcfe38efd25d79e8785cee

SHA1
d263118301bac4378cecc4f6fd7d8e5a6545e24b

SHA256
b1f5c5e7addcbdb30082b00a060d9a1654d332504f73140cd1b1598c9314b40c

SHA512
f48919107bcd32ed6b39d855c8b03c8ac377eb1e6889d303a220a596abb5090a8ac0fbdb202a6d22783be9fb3bb1f5eb9cb03134151da823ce9ff43eb768c708

Download Submit
memory/992-162-0x0000000000000000-mapping.dmp

Download
memory/992-166-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2900-141-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-147-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-130-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-131-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-132-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-133-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-134-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-135-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-136-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-137-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-139-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-138-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-140-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-119-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2900-142-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-143-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-144-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-145-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-146-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-129-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-148-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-149-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-150-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-151-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-159-0x00007FFDAE7D4560-0x00007FFDAE7D5560-memory.dmp

Filesize
4KB

Download
memory/2900-161-0x00007FFDAE910000-0x00007FFDAE912000-memory.dmp

Filesize
8KB

Download
memory/2900-128-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-127-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-126-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-123-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-125-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-121-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-124-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-122-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/2900-120-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3592-171-0x0000000000000000-mapping.dmp

Download
memory/4204-180-0x0000000000000000-mapping.dmp

Download
memory/4796-114-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/4796-118-0x00000000009B0000-0x00000000009B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads