dridex | 727480f59a875531de664c9b0b28be52e89fefd526f0f48cf58a60b5cbd72e78

Analysis

max time kernel
150s
max time network
23s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-09-2021 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

727480f59a875531de664c9b0b28be52e89fefd526f0f48cf58a60b5cbd72e78.dll
Size

836KB
MD5

83fde71058621e61972a1ccb752287d1
SHA1

dab9e2ec800d9437556f4752470a5ba74bf53de6
SHA256

727480f59a875531de664c9b0b28be52e89fefd526f0f48cf58a60b5cbd72e78
SHA512

ac4902a487fe637929cde77709df2f34194f0f340f4fea943e7c5be7094b10d7de2dddd5583267b54deb2cf9a202ecb745841822d71d24067aad7018b256a759

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1544-54-0x0000000140000000-0x00000001400D1000-memory.dmp	dridex_payload
behavioral1/memory/1816-96-0x0000000140000000-0x00000001400D3000-memory.dmp	dridex_payload
behavioral1/memory/536-113-0x0000000140000000-0x00000001400D8000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1404-57-0x0000000002570000-0x0000000002571000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

winlogon.exeWFS.exeshrpubw.exe

pid process

1816 winlogon.exe
548 WFS.exe
536 shrpubw.exe
Loads dropped DLL 7 IoCs

Processes:

winlogon.exeWFS.exeshrpubw.exe

pid process

1404
1816 winlogon.exe
1404
548 WFS.exe
1404
536 shrpubw.exe
1404

pid	process
1816	winlogon.exe
548	WFS.exe
536	shrpubw.exe

pid	process
1404
1816	winlogon.exe
1404
548	WFS.exe
1404
536	shrpubw.exe
1404

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\Npu\\WFS.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewinlogon.exeWFS.exeshrpubw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1404
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1404
1404
1404
1404
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1404
1404
1404
1404
1404
1404

pid	process
1404

pid	process
1404
1404
1404
1404

pid	process
1404
1404
1404
1404
1404
1404

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1404 wrote to memory of 1452	1404	winlogon.exe
PID 1404 wrote to memory of 1452	1404	winlogon.exe
PID 1404 wrote to memory of 1452	1404	winlogon.exe
PID 1404 wrote to memory of 1816	1404	winlogon.exe
PID 1404 wrote to memory of 1816	1404	winlogon.exe
PID 1404 wrote to memory of 1816	1404	winlogon.exe
PID 1404 wrote to memory of 1236	1404	WFS.exe
PID 1404 wrote to memory of 1236	1404	WFS.exe
PID 1404 wrote to memory of 1236	1404	WFS.exe
PID 1404 wrote to memory of 548	1404	WFS.exe
PID 1404 wrote to memory of 548	1404	WFS.exe
PID 1404 wrote to memory of 548	1404	WFS.exe
PID 1404 wrote to memory of 1216	1404	shrpubw.exe
PID 1404 wrote to memory of 1216	1404	shrpubw.exe
PID 1404 wrote to memory of 1216	1404	shrpubw.exe
PID 1404 wrote to memory of 536	1404	shrpubw.exe
PID 1404 wrote to memory of 536	1404	shrpubw.exe
PID 1404 wrote to memory of 536	1404	shrpubw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\727480f59a875531de664c9b0b28be52e89fefd526f0f48cf58a60b5cbd72e78.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:1452

C:\Users\Admin\AppData\Local\8qbxkk9\winlogon.exe
C:\Users\Admin\AppData\Local\8qbxkk9\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1816

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:1236

C:\Users\Admin\AppData\Local\tumQ6\WFS.exe
C:\Users\Admin\AppData\Local\tumQ6\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:548

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1216

C:\Users\Admin\AppData\Local\AKjrGxy\shrpubw.exe
C:\Users\Admin\AppData\Local\AKjrGxy\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8qbxkk9\WINSTA.dll
MD5
49c06ea7d77e0ff9b0c0aec0a2f5f25e

SHA1
6f73a1b91ba3b62db6a65adfe11238e33378bef2

SHA256
a608d3ad4e2450775258a90150953f724ee1f9b585392a9ae3e65cfcb124987c

SHA512
770953ed29a0eb1fd6ebf5dd57192f7603710ff33bfb72ed3d8a753b36762208c56d7414e5e954a5ffb1d09597d97ac8c0b564b5053a749d2ff96cbbfb454efc

Download Submit
C:\Users\Admin\AppData\Local\8qbxkk9\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
C:\Users\Admin\AppData\Local\AKjrGxy\MFC42u.dll
MD5
e84b855923b3b2d483fce941b90f3607

SHA1
0007c43e9fae286c49bea4c175baee656e699de6

SHA256
b898a35ff587553bb2e674766c1cfd8b3031ffce4ce06794e850ccab4e4b1ad5

SHA512
e6208e6dc27fb4ad088766baf5e55aa6c232e5491b4c98dd016e02b8bbaf5589f9eb3ce9a86cbf4348f6cca9a1060d3e19c521d2a886d99869fbc23a2054b78d

Download Submit
C:\Users\Admin\AppData\Local\AKjrGxy\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\tumQ6\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\tumQ6\WINMM.dll
MD5
e483eaf0d4ace45951110b0b728e0ffc

SHA1
8344d8f8a1c84b0375d6503d994ed7f88b928382

SHA256
dd0e0ad4ad8fae041e568cd88683157aa038d648081e32d0ea2e362f877650a5

SHA512
aebe3a3a71b5f5ae8c806d61a448996f675292126e103f29f9320b1ef4f746c688edde725972d1ed6010c35a2bc7d0f85d7f9d11cc4211d41ba69fb0fe6dbead

Download Submit
\Users\Admin\AppData\Local\8qbxkk9\WINSTA.dll
MD5
49c06ea7d77e0ff9b0c0aec0a2f5f25e

SHA1
6f73a1b91ba3b62db6a65adfe11238e33378bef2

SHA256
a608d3ad4e2450775258a90150953f724ee1f9b585392a9ae3e65cfcb124987c

SHA512
770953ed29a0eb1fd6ebf5dd57192f7603710ff33bfb72ed3d8a753b36762208c56d7414e5e954a5ffb1d09597d97ac8c0b564b5053a749d2ff96cbbfb454efc

Download Submit
\Users\Admin\AppData\Local\8qbxkk9\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\AKjrGxy\MFC42u.dll
MD5
e84b855923b3b2d483fce941b90f3607

SHA1
0007c43e9fae286c49bea4c175baee656e699de6

SHA256
b898a35ff587553bb2e674766c1cfd8b3031ffce4ce06794e850ccab4e4b1ad5

SHA512
e6208e6dc27fb4ad088766baf5e55aa6c232e5491b4c98dd016e02b8bbaf5589f9eb3ce9a86cbf4348f6cca9a1060d3e19c521d2a886d99869fbc23a2054b78d

Download Submit
\Users\Admin\AppData\Local\AKjrGxy\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\tumQ6\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
\Users\Admin\AppData\Local\tumQ6\WINMM.dll
MD5
e483eaf0d4ace45951110b0b728e0ffc

SHA1
8344d8f8a1c84b0375d6503d994ed7f88b928382

SHA256
dd0e0ad4ad8fae041e568cd88683157aa038d648081e32d0ea2e362f877650a5

SHA512
aebe3a3a71b5f5ae8c806d61a448996f675292126e103f29f9320b1ef4f746c688edde725972d1ed6010c35a2bc7d0f85d7f9d11cc4211d41ba69fb0fe6dbead

Download Submit
\Users\Admin\AppData\Roaming\Adobe\HGnR\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
memory/536-108-0x0000000000000000-mapping.dmp

Download
memory/536-113-0x0000000140000000-0x00000001400D8000-memory.dmp

Filesize
864KB

Download
memory/548-101-0x000007FEFBA11000-0x000007FEFBA13000-memory.dmp

Filesize
8KB

Download
memory/548-99-0x0000000000000000-mapping.dmp

Download
memory/548-104-0x000000013FC91000-0x000000013FC93000-memory.dmp

Filesize
8KB

Download
memory/1404-67-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-70-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-75-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-76-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-77-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-79-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-78-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-80-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-81-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-82-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-83-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-85-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-84-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-73-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-57-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1404-72-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-71-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-74-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-58-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-69-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-68-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-59-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-66-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-65-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-64-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-63-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-60-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-61-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1404-62-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1544-54-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1544-56-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/1816-96-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download
memory/1816-92-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads