dridex | 30b8a22979fcf9cd5eadbaf0683b68dce6608e4507079f508ebf5e9f3a4cb3f9

Analysis

max time kernel
151s
max time network
144s
platform
windows10_x64
resource
win10-en-20210920
submitted
30-09-2021 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30b8a22979fcf9cd5eadbaf0683b68dce6608e4507079f508ebf5e9f3a4cb3f9.dll
Size

1.2MB
MD5

050f7b6b85755449ad51107dd8be3946
SHA1

1c04df714fa68afabc5c9e3528ae7a3114b55078
SHA256

30b8a22979fcf9cd5eadbaf0683b68dce6608e4507079f508ebf5e9f3a4cb3f9
SHA512

f06deb19569c9d52ffc8c5d3d4b221cc327b57073819471e27623f7e4e93384f33d82478da3c8a7ecbef4f02138c7a69af0e38bdab1a7d7e386456112599d297

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3040-120-0x0000000000780000-0x0000000000781000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

systemreset.exeSystemPropertiesPerformance.exeraserver.exe

pid process

1276 systemreset.exe
1424 SystemPropertiesPerformance.exe
1140 raserver.exe
Loads dropped DLL 3 IoCs

Processes:

systemreset.exeSystemPropertiesPerformance.exeraserver.exe

pid process

1276 systemreset.exe
1424 SystemPropertiesPerformance.exe
1140 raserver.exe

pid	process
1276	systemreset.exe
1424	SystemPropertiesPerformance.exe
1140	raserver.exe

pid	process
1276	systemreset.exe
1424	SystemPropertiesPerformance.exe
1140	raserver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\gMg1V3Q3u\\SystemPropertiesPerformance.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesystemreset.exeSystemPropertiesPerformance.exeraserver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2452	rundll32.exe
2452	rundll32.exe
2452	rundll32.exe
2452	rundll32.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040

pid	process
3040

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3040 wrote to memory of 648	3040	systemreset.exe
PID 3040 wrote to memory of 648	3040	systemreset.exe
PID 3040 wrote to memory of 1276	3040	systemreset.exe
PID 3040 wrote to memory of 1276	3040	systemreset.exe
PID 3040 wrote to memory of 1244	3040	SystemPropertiesPerformance.exe
PID 3040 wrote to memory of 1244	3040	SystemPropertiesPerformance.exe
PID 3040 wrote to memory of 1424	3040	SystemPropertiesPerformance.exe
PID 3040 wrote to memory of 1424	3040	SystemPropertiesPerformance.exe
PID 3040 wrote to memory of 1680	3040	raserver.exe
PID 3040 wrote to memory of 1680	3040	raserver.exe
PID 3040 wrote to memory of 1140	3040	raserver.exe
PID 3040 wrote to memory of 1140	3040	raserver.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30b8a22979fcf9cd5eadbaf0683b68dce6608e4507079f508ebf5e9f3a4cb3f9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:648

C:\Users\Admin\AppData\Local\LpV\systemreset.exe
C:\Users\Admin\AppData\Local\LpV\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1276

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:1244

C:\Users\Admin\AppData\Local\yUJriFX\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\yUJriFX\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1424

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:1680

C:\Users\Admin\AppData\Local\SzEgyt8X\raserver.exe
C:\Users\Admin\AppData\Local\SzEgyt8X\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1140

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LpV\DUI70.dll
MD5
7a8359dd97a60bfb8f3123b3aa83171f

SHA1
eb9eaa6d5f271bc34bbc3aeacd425e0d4b3316ab

SHA256
4277c52e904c4fc7f16fdaca5600b3eed70de734655038c59b98e86257a7b7b3

SHA512
bb5608eae2e26b078d2a7037beda28340e8df36f74c9b545937c5be80c9496346fe5c72fd19e39244f49301e4ffc36990204d9f538d84d3bda19360b928053b1

Download Submit
C:\Users\Admin\AppData\Local\LpV\systemreset.exe
MD5
edf120755c3c58b7e2f2ea085ccc2298

SHA1
5d23a67059805426c5dcf28ece05b4b95b8bd5b6

SHA256
fcbe3646ae132221337f6a2823550f79ce6f2a20e54bdb33ea0fde0f6c6dec7e

SHA512
9d55fb581e33fcdef904d80c1671ad42479598ed39f32ffe25e81a792c2d7257dfe7f83cdbe47c466e53e23a9aa8541cc194f80f39762fd79253ec1cadf41eb0

Download Submit
C:\Users\Admin\AppData\Local\SzEgyt8X\WTSAPI32.dll
MD5
fe76a30e005f4edb3b239fe510931617

SHA1
679f5cf8e053fd22b6933ae1a3436cacec57ad37

SHA256
13b52f45d4c29a147ad9cb212bb8b33b6466ecd52ae4511ecf2ecfcd3fe15ada

SHA512
6408480b57473d10a5cd8140de9fb84fc2c661c2943b87177c2e5004bb957a9d35c077c3c10fb81a84c92768bb225d016a42ed9dd246cef562fa5792bd8d3881

Download Submit
C:\Users\Admin\AppData\Local\SzEgyt8X\raserver.exe
MD5
71cacb0f5b7b70055fbba02055e503b1

SHA1
49e247edcc721fc7329045a8587877b645b7531f

SHA256
7a4aa698ea00d4347a1b85a2510c2502fdf23cc5d487079097999be9780f8eb1

SHA512
3cce7df2ab1ece95baf888982a0664fb53c1378029dc2aee1c583fc6e9065968074a9f8135988f1b9f50937e3eb69edc118976b61067c3461fe8351535295a18

Download Submit
C:\Users\Admin\AppData\Local\yUJriFX\SYSDM.CPL
MD5
f78b3d07f8d3dc162f386c3a19e1c626

SHA1
afc644f43139829a1dbb2f4ac599044f781042a1

SHA256
487d2a1d5e1abfdc34ac916c0dfea5b6f54abdc5e3ed104aff67f5e07ee51d0d

SHA512
dcabebe7c8b92c7bbcfd2d53cf538e8e9145559f55d0bfea34f9a76c269e1c1587293ab0b84d933aee16fe740d9b5bd5e66ad8fb9e08ac62065beddcfcf2a066

Download Submit
C:\Users\Admin\AppData\Local\yUJriFX\SystemPropertiesPerformance.exe
MD5
0a23dbe5f3926280d0eeef6e35b8e603

SHA1
3023d1eaef3944a8487c18672af1d562114b9f5f

SHA256
24482d0a1972e7424e50de2aeb37d6f0d8a05e3f09afe4a0c7354817193a2d40

SHA512
ef7c1f4fe4d20f47f4d8576df86cdd14f89e35a88e1253f27a0432e4963885acede7622e350116135f0f90eb2eaea60cba5f0612c127cb495e5e4f54333126f4

Download Submit
\Users\Admin\AppData\Local\LpV\DUI70.dll
MD5
7a8359dd97a60bfb8f3123b3aa83171f

SHA1
eb9eaa6d5f271bc34bbc3aeacd425e0d4b3316ab

SHA256
4277c52e904c4fc7f16fdaca5600b3eed70de734655038c59b98e86257a7b7b3

SHA512
bb5608eae2e26b078d2a7037beda28340e8df36f74c9b545937c5be80c9496346fe5c72fd19e39244f49301e4ffc36990204d9f538d84d3bda19360b928053b1

Download Submit
\Users\Admin\AppData\Local\SzEgyt8X\WTSAPI32.dll
MD5
fe76a30e005f4edb3b239fe510931617

SHA1
679f5cf8e053fd22b6933ae1a3436cacec57ad37

SHA256
13b52f45d4c29a147ad9cb212bb8b33b6466ecd52ae4511ecf2ecfcd3fe15ada

SHA512
6408480b57473d10a5cd8140de9fb84fc2c661c2943b87177c2e5004bb957a9d35c077c3c10fb81a84c92768bb225d016a42ed9dd246cef562fa5792bd8d3881

Download Submit
\Users\Admin\AppData\Local\yUJriFX\SYSDM.CPL
MD5
f78b3d07f8d3dc162f386c3a19e1c626

SHA1
afc644f43139829a1dbb2f4ac599044f781042a1

SHA256
487d2a1d5e1abfdc34ac916c0dfea5b6f54abdc5e3ed104aff67f5e07ee51d0d

SHA512
dcabebe7c8b92c7bbcfd2d53cf538e8e9145559f55d0bfea34f9a76c269e1c1587293ab0b84d933aee16fe740d9b5bd5e66ad8fb9e08ac62065beddcfcf2a066

Download Submit
memory/1140-185-0x0000000000000000-mapping.dmp

Download
memory/1276-171-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1276-167-0x0000000000000000-mapping.dmp

Download
memory/1424-180-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1424-176-0x0000000000000000-mapping.dmp

Download
memory/2452-119-0x00000203DE710000-0x00000203DE717000-memory.dmp

Filesize
28KB

Download
memory/2452-115-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-140-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-149-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-132-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-133-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-134-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-135-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-136-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-137-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-138-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-139-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-131-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-141-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-142-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-143-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-144-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-145-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-146-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-147-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-148-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-127-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-150-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-151-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-152-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-123-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-153-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-130-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-129-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-128-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-126-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-125-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-124-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-121-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-122-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-120-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3040-154-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-155-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-156-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3040-164-0x00007FFCF3234560-0x00007FFCF3235560-memory.dmp

Filesize
4KB

Download
memory/3040-166-0x00007FFCF3370000-0x00007FFCF3372000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads