dridex | 91e876e9a1f7db2677a3706228a7d73ae0654d144168a7cdece5562d70e36026

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10-en-20210920
submitted
30-09-2021 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91e876e9a1f7db2677a3706228a7d73ae0654d144168a7cdece5562d70e36026.dll
Size

1.2MB
MD5

c1cd29287def3b7d044e400ff6fd830b
SHA1

1832a3a550610657a8110a2810932137d1d3e62b
SHA256

91e876e9a1f7db2677a3706228a7d73ae0654d144168a7cdece5562d70e36026
SHA512

d4cf7ad019ddc4311824bb9bbdf6efc0bf019b1812fa1c0c59603314afcda003df51dbf8125c5af356bd1a1f2429ac4510e82c3fb53146c6bb74e1cf27b9e58e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3028-120-0x0000000000840000-0x0000000000841000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

eudcedit.exeAgentService.exemsra.exe

pid process

3992 eudcedit.exe
4316 AgentService.exe
4224 msra.exe
Loads dropped DLL 3 IoCs

Processes:

eudcedit.exeAgentService.exemsra.exe

pid process

3992 eudcedit.exe
4316 AgentService.exe
4224 msra.exe

pid	process
3992	eudcedit.exe
4316	AgentService.exe
4224	msra.exe

pid	process
3992	eudcedit.exe
4316	AgentService.exe
4224	msra.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\8LBKCI~1\\AGENTS~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeeudcedit.exeAgentService.exemsra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AgentService.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
4080	rundll32.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028

pid	process
3028

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 3996	3028	eudcedit.exe
PID 3028 wrote to memory of 3996	3028	eudcedit.exe
PID 3028 wrote to memory of 3992	3028	eudcedit.exe
PID 3028 wrote to memory of 3992	3028	eudcedit.exe
PID 3028 wrote to memory of 692	3028	AgentService.exe
PID 3028 wrote to memory of 692	3028	AgentService.exe
PID 3028 wrote to memory of 4316	3028	AgentService.exe
PID 3028 wrote to memory of 4316	3028	AgentService.exe
PID 3028 wrote to memory of 4196	3028	msra.exe
PID 3028 wrote to memory of 4196	3028	msra.exe
PID 3028 wrote to memory of 4224	3028	msra.exe
PID 3028 wrote to memory of 4224	3028	msra.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\91e876e9a1f7db2677a3706228a7d73ae0654d144168a7cdece5562d70e36026.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:3996

C:\Users\Admin\AppData\Local\qRsLZhq9\eudcedit.exe
C:\Users\Admin\AppData\Local\qRsLZhq9\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3992

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
PID:692

C:\Users\Admin\AppData\Local\tHx1PBT\AgentService.exe
C:\Users\Admin\AppData\Local\tHx1PBT\AgentService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4316

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:4196

C:\Users\Admin\AppData\Local\fx6N\msra.exe
C:\Users\Admin\AppData\Local\fx6N\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fx6N\UxTheme.dll
MD5
a798c1b68150d8f85124a84ee02841fe

SHA1
1ee9404fd234a0e7592decb519a7a947c5703a36

SHA256
a7792da9d9865ede0cf37b99aab6e6545db7ba2c9a912e2c0578d663ffef5a70

SHA512
2054c86e61a51bd38b1a247af93864ad8f5b078dc0a61523cb628dc5ad51364e2251d10f9620b13fd346325780d98bd5a5ff4821712deea77d1269b4e7d302cd

Download Submit
C:\Users\Admin\AppData\Local\fx6N\msra.exe
MD5
b00eb640229462c7080dc17e5805dfc9

SHA1
28b438b47d145b17c94cbec39b204ced6eccb5f1

SHA256
529378155b8aa91ff47d1f015c96a373fdb12acef3811d2f8a7e3dff67fded3b

SHA512
e962f71be1f25787710b8cb92453bcc19ff38921d01b2c892a4c61bfa09959377a73a95a02c0a62b1c93aaef7d9b4a43c196ca76ac7c7327abe85340bf94b6d2

Download Submit
C:\Users\Admin\AppData\Local\qRsLZhq9\MFC42u.dll
MD5
11545e845e7768f1e4064863aedd4e89

SHA1
b776f6c18ea026d486fa9f19755e5884a1594068

SHA256
7ec08456fe277c8f68d9571e080fd0d1f7425dfb0f928c8d682c1873230f2251

SHA512
f0e1d9f143aba9fc8c68f78fb44b636307045ab29faaa6ad6484880d10118a1753cbfa92cc119e10a85d4a0b713311c15ebf9996a3a27eeeff2ce0eee808cea4

Download Submit
C:\Users\Admin\AppData\Local\qRsLZhq9\eudcedit.exe
MD5
91d59a7cad942eacccc0788bde9d69da

SHA1
62987649e35257a4230abc5081acdcf3049b0c4c

SHA256
ca4c171a40af34d3dc0b21e0206054f002b340359403f393d7c8616220c22416

SHA512
e3b5fe3c5a959e3fe3760af4dc7bf2af4af3bb1df23ba622296cd09d32c3ebfec6f60648346a5f38537af1e88fce424888b6d4f2ba530c578989f7c3e02c80a0

Download Submit
C:\Users\Admin\AppData\Local\tHx1PBT\ACTIVEDS.dll
MD5
f11708e0d8d03ea000eff65939b565be

SHA1
9e2b83be6acf558d2057d3f7337eaf42b723c6b2

SHA256
9e1335705d6ea2ca53c236214b8efbcd638877cd3c661dbf7f5eafb55910192c

SHA512
e6d2aff110fbf14481e8d1455faa5d1f2b96eb64a912e164d582dc66a709d452a2d93a6fab1c85b10e8f6c1b67467aeb6cf03871632375fac57eaffd51fbb25d

Download Submit
C:\Users\Admin\AppData\Local\tHx1PBT\AgentService.exe
MD5
5f1da3635c2f6b74ebfdebfc747b63b5

SHA1
8c26309d2bad1b97195a408d9a742c61942a09d1

SHA256
1b456b777c5099a67e405fef20b5cbcb24c6fce9ed7a5a421c6574618364fd47

SHA512
9d122a0388484844a6646a27d359532b437e10fa412b075597183b7bc8cbb4e3593eb193c25e0b81dc62b3098d340d6bdc53733e08ee6657c82d11ba32fe2d32

Download Submit
\Users\Admin\AppData\Local\fx6N\UxTheme.dll
MD5
a798c1b68150d8f85124a84ee02841fe

SHA1
1ee9404fd234a0e7592decb519a7a947c5703a36

SHA256
a7792da9d9865ede0cf37b99aab6e6545db7ba2c9a912e2c0578d663ffef5a70

SHA512
2054c86e61a51bd38b1a247af93864ad8f5b078dc0a61523cb628dc5ad51364e2251d10f9620b13fd346325780d98bd5a5ff4821712deea77d1269b4e7d302cd

Download Submit
\Users\Admin\AppData\Local\qRsLZhq9\MFC42u.dll
MD5
11545e845e7768f1e4064863aedd4e89

SHA1
b776f6c18ea026d486fa9f19755e5884a1594068

SHA256
7ec08456fe277c8f68d9571e080fd0d1f7425dfb0f928c8d682c1873230f2251

SHA512
f0e1d9f143aba9fc8c68f78fb44b636307045ab29faaa6ad6484880d10118a1753cbfa92cc119e10a85d4a0b713311c15ebf9996a3a27eeeff2ce0eee808cea4

Download Submit
\Users\Admin\AppData\Local\tHx1PBT\ACTIVEDS.dll
MD5
f11708e0d8d03ea000eff65939b565be

SHA1
9e2b83be6acf558d2057d3f7337eaf42b723c6b2

SHA256
9e1335705d6ea2ca53c236214b8efbcd638877cd3c661dbf7f5eafb55910192c

SHA512
e6d2aff110fbf14481e8d1455faa5d1f2b96eb64a912e164d582dc66a709d452a2d93a6fab1c85b10e8f6c1b67467aeb6cf03871632375fac57eaffd51fbb25d

Download Submit
memory/3028-144-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-148-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-129-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-131-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-130-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-132-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-133-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-135-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-134-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-137-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-136-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-138-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-139-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-140-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-141-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-142-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-143-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-120-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3028-145-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-146-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-147-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-128-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-150-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-151-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-152-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-153-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-149-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-154-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-162-0x00007FFDD8914560-0x00007FFDD8915560-memory.dmp

Filesize
4KB

Download
memory/3028-164-0x00007FFDD8860000-0x00007FFDD8870000-memory.dmp

Filesize
64KB

Download
memory/3028-122-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-127-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-126-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-125-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-121-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-123-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3028-124-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3992-169-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3992-165-0x0000000000000000-mapping.dmp

Download
memory/4080-115-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4080-119-0x0000025C3EEE0000-0x0000025C3EEE7000-memory.dmp

Filesize
28KB

Download
memory/4224-183-0x0000000000000000-mapping.dmp

Download
memory/4316-174-0x0000000000000000-mapping.dmp

Download
memory/4316-178-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads