dridex | a72893e9c798ac62205585b9e001aa851c59c433c82ebd3d33377df4e0ff5177

Analysis

max time kernel
151s
max time network
26s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-09-2021 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a72893e9c798ac62205585b9e001aa851c59c433c82ebd3d33377df4e0ff5177.dll
Size

1.2MB
MD5

e9cdd1a78504596450206f6895be8e90
SHA1

e40e3776e6e6869e0f5ca7a44777c5586af90622
SHA256

a72893e9c798ac62205585b9e001aa851c59c433c82ebd3d33377df4e0ff5177
SHA512

f461fbbf770208239d3db58fbf934a307d9afbc3656f446510b889578fec886e244827e270a1f8f3413cb2115157a9ff9774debd127e8935d4ac06d7cef6e2ed

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-57-0x0000000002930000-0x0000000002931000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rrinstaller.exeMpSigStub.exeSndVol.exe

pid process

1796 rrinstaller.exe
1472 MpSigStub.exe
1812 SndVol.exe
Loads dropped DLL 7 IoCs

Processes:

rrinstaller.exeMpSigStub.exeSndVol.exe

pid process

1204
1796 rrinstaller.exe
1204
1472 MpSigStub.exe
1204
1812 SndVol.exe
1204

pid	process
1796	rrinstaller.exe
1472	MpSigStub.exe
1812	SndVol.exe

pid	process
1204
1796	rrinstaller.exe
1204
1472	MpSigStub.exe
1204
1812	SndVol.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\YfPHY\\MpSigStub.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerrinstaller.exeMpSigStub.exeSndVol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1368	rundll32.exe
1368	rundll32.exe
1368	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1204
1204
1204
1204
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1204
1204
1204
1204

pid	process
1204

pid	process
1204
1204
1204
1204

pid	process
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 608	1204	rrinstaller.exe
PID 1204 wrote to memory of 608	1204	rrinstaller.exe
PID 1204 wrote to memory of 608	1204	rrinstaller.exe
PID 1204 wrote to memory of 1796	1204	rrinstaller.exe
PID 1204 wrote to memory of 1796	1204	rrinstaller.exe
PID 1204 wrote to memory of 1796	1204	rrinstaller.exe
PID 1204 wrote to memory of 1124	1204	MpSigStub.exe
PID 1204 wrote to memory of 1124	1204	MpSigStub.exe
PID 1204 wrote to memory of 1124	1204	MpSigStub.exe
PID 1204 wrote to memory of 1472	1204	MpSigStub.exe
PID 1204 wrote to memory of 1472	1204	MpSigStub.exe
PID 1204 wrote to memory of 1472	1204	MpSigStub.exe
PID 1204 wrote to memory of 1808	1204	SndVol.exe
PID 1204 wrote to memory of 1808	1204	SndVol.exe
PID 1204 wrote to memory of 1808	1204	SndVol.exe
PID 1204 wrote to memory of 1812	1204	SndVol.exe
PID 1204 wrote to memory of 1812	1204	SndVol.exe
PID 1204 wrote to memory of 1812	1204	SndVol.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a72893e9c798ac62205585b9e001aa851c59c433c82ebd3d33377df4e0ff5177.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\G4qQ\rrinstaller.exe
C:\Users\Admin\AppData\Local\G4qQ\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1796

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:1124

C:\Users\Admin\AppData\Local\dLY3uqqO5\MpSigStub.exe
C:\Users\Admin\AppData\Local\dLY3uqqO5\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1472

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:1808

C:\Users\Admin\AppData\Local\EmEgcTc\SndVol.exe
C:\Users\Admin\AppData\Local\EmEgcTc\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EmEgcTc\SndVol.exe
MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\EmEgcTc\UxTheme.dll
MD5
fdb80909ec8675c4af692b34f756455f

SHA1
f753f52e0940c048ab09e2963026838bc177505c

SHA256
2cfc07484d2449dfc38fe88037c9df6837bcff0f0f579a607d73615cda7c1f20

SHA512
0d3906f15f1d705d3ec721142776777772344fea5d0db7ae271145c7a3d9b7d9453503162461475a102df87dbc38d5b698e31d7a2a50414ba0b8d554787526eb

Download Submit
C:\Users\Admin\AppData\Local\G4qQ\MFPlat.DLL
MD5
759519a5625b3d2dcc311d1d1b34451f

SHA1
018f7b88f95b4c4de545f1f539d54aab4a5f5377

SHA256
37ae9192c4e6f4c39f77476de93b70677f95f6b6f5d69868a998d6077862d371

SHA512
495ce0d1471adb9a30abdd2fd9cba565ca78747bff8b150519d2047dee66695434096364aa72c93892ce708db2f056590a2af1d2e4061f446f8c0ecf6623dd95

Download Submit
C:\Users\Admin\AppData\Local\G4qQ\rrinstaller.exe
MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
C:\Users\Admin\AppData\Local\dLY3uqqO5\MpSigStub.exe
MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
C:\Users\Admin\AppData\Local\dLY3uqqO5\VERSION.dll
MD5
ce0b5875ac334f42dea7d30eae86166b

SHA1
e0b355856567ca1c10340bf15d6ecc031792bdb8

SHA256
c9923d46f10da656f94f2577b86e441283d284c85dc783f97e960562f704b560

SHA512
00ea3f664efda34a0ac77503677a48b098ac91d2ce4e7cef2e7a577169044f4bd8bdc00bebb6c60187d2a16201ad85dc26945286a9a4eac9796ba724eaf5e0c5

Download Submit
\Users\Admin\AppData\Local\EmEgcTc\SndVol.exe
MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\EmEgcTc\UxTheme.dll
MD5
fdb80909ec8675c4af692b34f756455f

SHA1
f753f52e0940c048ab09e2963026838bc177505c

SHA256
2cfc07484d2449dfc38fe88037c9df6837bcff0f0f579a607d73615cda7c1f20

SHA512
0d3906f15f1d705d3ec721142776777772344fea5d0db7ae271145c7a3d9b7d9453503162461475a102df87dbc38d5b698e31d7a2a50414ba0b8d554787526eb

Download Submit
\Users\Admin\AppData\Local\G4qQ\MFPlat.DLL
MD5
759519a5625b3d2dcc311d1d1b34451f

SHA1
018f7b88f95b4c4de545f1f539d54aab4a5f5377

SHA256
37ae9192c4e6f4c39f77476de93b70677f95f6b6f5d69868a998d6077862d371

SHA512
495ce0d1471adb9a30abdd2fd9cba565ca78747bff8b150519d2047dee66695434096364aa72c93892ce708db2f056590a2af1d2e4061f446f8c0ecf6623dd95

Download Submit
\Users\Admin\AppData\Local\G4qQ\rrinstaller.exe
MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\dLY3uqqO5\MpSigStub.exe
MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\dLY3uqqO5\VERSION.dll
MD5
ce0b5875ac334f42dea7d30eae86166b

SHA1
e0b355856567ca1c10340bf15d6ecc031792bdb8

SHA256
c9923d46f10da656f94f2577b86e441283d284c85dc783f97e960562f704b560

SHA512
00ea3f664efda34a0ac77503677a48b098ac91d2ce4e7cef2e7a577169044f4bd8bdc00bebb6c60187d2a16201ad85dc26945286a9a4eac9796ba724eaf5e0c5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\kBC\SndVol.exe
MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
memory/1204-75-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-87-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-72-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-62-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-61-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-60-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-59-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-58-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-76-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-78-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-77-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-80-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-79-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-81-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-82-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-83-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-84-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-91-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-90-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-89-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-88-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-57-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/1204-86-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-85-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-97-0x0000000077900000-0x0000000077902000-memory.dmp

Filesize
8KB

Download
memory/1204-74-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-65-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-73-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-63-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-66-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-64-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-67-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-71-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-68-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-69-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1204-70-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1368-54-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1368-56-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1472-110-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1472-106-0x0000000000000000-mapping.dmp

Download
memory/1796-103-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1796-99-0x0000000000000000-mapping.dmp

Download
memory/1812-113-0x0000000000000000-mapping.dmp

Download
memory/1812-115-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads