dridex | 727480f59a875531de664c9b0b28be52e89fefd526f0f48cf58a60b5cbd72e78

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
30-09-2021 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

727480f59a875531de664c9b0b28be52e89fefd526f0f48cf58a60b5cbd72e78.dll
Size

836KB
MD5

83fde71058621e61972a1ccb752287d1
SHA1

dab9e2ec800d9437556f4752470a5ba74bf53de6
SHA256

727480f59a875531de664c9b0b28be52e89fefd526f0f48cf58a60b5cbd72e78
SHA512

ac4902a487fe637929cde77709df2f34194f0f340f4fea943e7c5be7094b10d7de2dddd5583267b54deb2cf9a202ecb745841822d71d24067aad7018b256a759

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4060-114-0x0000000140000000-0x00000001400D1000-memory.dmp	dridex_payload
behavioral2/memory/836-164-0x0000000140000000-0x00000001400D3000-memory.dmp	dridex_payload
behavioral2/memory/1396-172-0x0000000140000000-0x00000001400D2000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3016-120-0x0000000000FC0000-0x0000000000FC1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mfpmp.exephoneactivate.exewextract.exe

pid process

836 mfpmp.exe
1396 phoneactivate.exe
1852 wextract.exe
Loads dropped DLL 3 IoCs

Processes:

mfpmp.exephoneactivate.exewextract.exe

pid process

836 mfpmp.exe
1396 phoneactivate.exe
1852 wextract.exe

pid	process
836	mfpmp.exe
1396	phoneactivate.exe
1852	wextract.exe

pid	process
836	mfpmp.exe
1396	phoneactivate.exe
1852	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\2Wmg\\phoneactivate.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mfpmp.exephoneactivate.exewextract.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	phoneactivate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
4060	rundll32.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016

pid	process
3016

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

pid process

3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

3016
3016

pid	process
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

pid	process
3016
3016

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3016 wrote to memory of 492	3016	mfpmp.exe
PID 3016 wrote to memory of 492	3016	mfpmp.exe
PID 3016 wrote to memory of 836	3016	mfpmp.exe
PID 3016 wrote to memory of 836	3016	mfpmp.exe
PID 3016 wrote to memory of 1292	3016	phoneactivate.exe
PID 3016 wrote to memory of 1292	3016	phoneactivate.exe
PID 3016 wrote to memory of 1396	3016	phoneactivate.exe
PID 3016 wrote to memory of 1396	3016	phoneactivate.exe
PID 3016 wrote to memory of 1740	3016	wextract.exe
PID 3016 wrote to memory of 1740	3016	wextract.exe
PID 3016 wrote to memory of 1852	3016	wextract.exe
PID 3016 wrote to memory of 1852	3016	wextract.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\727480f59a875531de664c9b0b28be52e89fefd526f0f48cf58a60b5cbd72e78.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:492

C:\Users\Admin\AppData\Local\PLQCQ\mfpmp.exe
C:\Users\Admin\AppData\Local\PLQCQ\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:836

C:\Windows\system32\phoneactivate.exe
C:\Windows\system32\phoneactivate.exe
1⤵
PID:1292

C:\Users\Admin\AppData\Local\bZKVXi8j\phoneactivate.exe
C:\Users\Admin\AppData\Local\bZKVXi8j\phoneactivate.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1396

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:1740

C:\Users\Admin\AppData\Local\1KpSioS\wextract.exe
C:\Users\Admin\AppData\Local\1KpSioS\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1KpSioS\VERSION.dll
MD5
7a4082f8a925cf44b0bb1beb0e1f78ab

SHA1
b4c68f1280ee9778d99e4f7166523c619bc12505

SHA256
74ba18856a7fecd3387bc8d9d6aec192e2de6c54c95d6416b30cc2dbd4d51ecf

SHA512
0030930109ae50ab260e854fee0a4f1383b5863b3b2d0bacbd7e5eff7cb6557d39f506ca94bc2b88f9b0216634a273c07831878887bc597f5e3ec6bb107b0a0a

Download Submit
C:\Users\Admin\AppData\Local\1KpSioS\wextract.exe
MD5
e78764b49f5806ce029cd547004493c9

SHA1
8c1f3f989913bebf827a707c04754047507a8cf3

SHA256
ab519b1c2711219a9f262b23bf72343eec3c0df4c7ddd135d30d05e700ec302e

SHA512
71040e5f0d2d409efaba70a7daaebe7a4675cb19009436a826a679671cc0d7c960498364ec7a29fb163ce8dada65218b75bebb973e6c8b194734e01970fd3a6b

Download Submit
C:\Users\Admin\AppData\Local\PLQCQ\MFPlat.DLL
MD5
4c0fa5d2823ea212fb46742fd83b9493

SHA1
8c860e874bbb0a90ab8c4e750a87d6121e5e8bf2

SHA256
8ac4f3aa7181cfb0490129ffa319801d1cdf7f2c1c01f08797d8e42b70b6d606

SHA512
68a5793c949ad4cd1924fb1f4bc8a6fb93b38287b190d2026e1d2dae5a076d3425929434df1b9d05f0c911901fb8d28af42661d8dc430a47393e24ec3afdf470

Download Submit
C:\Users\Admin\AppData\Local\PLQCQ\mfpmp.exe
MD5
0a51780965f4a75557ac6b1a710a7c7b

SHA1
30e7be939ada607cbafd07261da463396878f4f5

SHA256
45b8b316c617f703af064aafab9a35c465d5f7835b758995e82ac0dedbaad037

SHA512
e62c2252b66809cca9e7f625392ef09891eba1eec3c210798684a9c71a9c5315598ca259c8ebd09af5d8aaf94261fca91f30bd0dd22a917d5287e9443ae18326

Download Submit
C:\Users\Admin\AppData\Local\bZKVXi8j\SLC.dll
MD5
5593a1008826e81787f1648034969452

SHA1
6b7fc6df387bacdf8f3b121300135f232b06bbb7

SHA256
c2ee1377cee93c132a9003ec5c72f9136f9095d22ec24ce559510be11cd0a884

SHA512
dc0f7eb66f882ba615f324f57fbe07b7bed33f2a685f8d74fd82b33af5a4a159ef5e0782107fd4145f5603daac8ea63e4a71a56fa47a9d889cf7ac03a243bebc

Download Submit
C:\Users\Admin\AppData\Local\bZKVXi8j\phoneactivate.exe
MD5
c2bc59e307f825237dce846049fda140

SHA1
30bf767297d2f3a833f57443fbf5dc02c80030bd

SHA256
3a373641d048ef5964efa2d80248e8d441cfcd93b47961e0ed586c1609069c41

SHA512
f4d9aec2b1c24cc8e8094abf561a181659afd86054422d32a67b7dd0b95e0ec710ea5a43a44e610bf94df3c817fca9fc620032e0dbd88e824766ef0e3e1c3b42

Download Submit
\Users\Admin\AppData\Local\1KpSioS\VERSION.dll
MD5
7a4082f8a925cf44b0bb1beb0e1f78ab

SHA1
b4c68f1280ee9778d99e4f7166523c619bc12505

SHA256
74ba18856a7fecd3387bc8d9d6aec192e2de6c54c95d6416b30cc2dbd4d51ecf

SHA512
0030930109ae50ab260e854fee0a4f1383b5863b3b2d0bacbd7e5eff7cb6557d39f506ca94bc2b88f9b0216634a273c07831878887bc597f5e3ec6bb107b0a0a

Download Submit
\Users\Admin\AppData\Local\PLQCQ\MFPlat.DLL
MD5
4c0fa5d2823ea212fb46742fd83b9493

SHA1
8c860e874bbb0a90ab8c4e750a87d6121e5e8bf2

SHA256
8ac4f3aa7181cfb0490129ffa319801d1cdf7f2c1c01f08797d8e42b70b6d606

SHA512
68a5793c949ad4cd1924fb1f4bc8a6fb93b38287b190d2026e1d2dae5a076d3425929434df1b9d05f0c911901fb8d28af42661d8dc430a47393e24ec3afdf470

Download Submit
\Users\Admin\AppData\Local\bZKVXi8j\SLC.dll
MD5
5593a1008826e81787f1648034969452

SHA1
6b7fc6df387bacdf8f3b121300135f232b06bbb7

SHA256
c2ee1377cee93c132a9003ec5c72f9136f9095d22ec24ce559510be11cd0a884

SHA512
dc0f7eb66f882ba615f324f57fbe07b7bed33f2a685f8d74fd82b33af5a4a159ef5e0782107fd4145f5603daac8ea63e4a71a56fa47a9d889cf7ac03a243bebc

Download Submit
memory/836-164-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download
memory/836-158-0x0000000000000000-mapping.dmp

Download
memory/1396-168-0x0000000000000000-mapping.dmp

Download
memory/1396-172-0x0000000140000000-0x00000001400D2000-memory.dmp

Filesize
840KB

Download
memory/1852-180-0x0000000000000000-mapping.dmp

Download
memory/3016-130-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-147-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-133-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-135-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-136-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-137-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-138-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-139-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-140-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-141-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-142-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-143-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-144-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-146-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-145-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-134-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-148-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-157-0x00007FFAB0D24320-0x00007FFAB0D25320-memory.dmp

Filesize
4KB

Download
memory/3016-124-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-132-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-131-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-120-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/3016-129-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-128-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-127-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-126-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-125-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-123-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-121-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/3016-122-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/4060-114-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/4060-119-0x0000029744520000-0x0000029744527000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads