dridex | 075742803b0beb6494f4f67850a13e79d0e4b30d6e3c46d3910062a798d99eca

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-09-2021 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

075742803b0beb6494f4f67850a13e79d0e4b30d6e3c46d3910062a798d99eca.dll
Size

812KB
MD5

5c4c982abfebbc1780ad0b08e5addb47
SHA1

e38543d77ba0d529febe02806862f51e816ecf99
SHA256

075742803b0beb6494f4f67850a13e79d0e4b30d6e3c46d3910062a798d99eca
SHA512

f685774bc5643b5c349c982c1ce2c2e78e01715da9b9173ed15b1b985ee86cd9430fd1701fac5d9a50ed8da4dd1b2f563edfa5adfcbf64521d07968357f0a37a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1116-54-0x0000000140000000-0x00000001400CB000-memory.dmp	dridex_payload
behavioral1/memory/1188-98-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1336-57-0x00000000026B0000-0x00000000026B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

icardagt.exevmicsvc.exeEhStorAuthn.exe

pid process

1188 icardagt.exe
824 vmicsvc.exe
1640 EhStorAuthn.exe
Loads dropped DLL 7 IoCs

Processes:

icardagt.exevmicsvc.exeEhStorAuthn.exe

pid process

1336
1188 icardagt.exe
1336
824 vmicsvc.exe
1336
1640 EhStorAuthn.exe
1336

pid	process
1188	icardagt.exe
824	vmicsvc.exe
1640	EhStorAuthn.exe

pid	process
1336
1188	icardagt.exe
1336
824	vmicsvc.exe
1336
1640	EhStorAuthn.exe
1336

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\PK86WJv4\\vmicsvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeicardagt.exevmicsvc.exeEhStorAuthn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1116	rundll32.exe
1116	rundll32.exe
1116	rundll32.exe
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336
1336

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1336
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1336
1336
1336
1336
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

pid process

1336
1336
1336
1336
1336
1336
1336
1336

pid	process
1336

pid	process
1336
1336
1336
1336

pid	process
1336
1336
1336
1336
1336
1336
1336
1336

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1336 wrote to memory of 1464	1336	icardagt.exe
PID 1336 wrote to memory of 1464	1336	icardagt.exe
PID 1336 wrote to memory of 1464	1336	icardagt.exe
PID 1336 wrote to memory of 1188	1336	icardagt.exe
PID 1336 wrote to memory of 1188	1336	icardagt.exe
PID 1336 wrote to memory of 1188	1336	icardagt.exe
PID 1336 wrote to memory of 1228	1336	vmicsvc.exe
PID 1336 wrote to memory of 1228	1336	vmicsvc.exe
PID 1336 wrote to memory of 1228	1336	vmicsvc.exe
PID 1336 wrote to memory of 824	1336	vmicsvc.exe
PID 1336 wrote to memory of 824	1336	vmicsvc.exe
PID 1336 wrote to memory of 824	1336	vmicsvc.exe
PID 1336 wrote to memory of 828	1336	EhStorAuthn.exe
PID 1336 wrote to memory of 828	1336	EhStorAuthn.exe
PID 1336 wrote to memory of 828	1336	EhStorAuthn.exe
PID 1336 wrote to memory of 1640	1336	EhStorAuthn.exe
PID 1336 wrote to memory of 1640	1336	EhStorAuthn.exe
PID 1336 wrote to memory of 1640	1336	EhStorAuthn.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\075742803b0beb6494f4f67850a13e79d0e4b30d6e3c46d3910062a798d99eca.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:1464

C:\Users\Admin\AppData\Local\ierQNA60E\icardagt.exe
C:\Users\Admin\AppData\Local\ierQNA60E\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1188

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:1228

C:\Users\Admin\AppData\Local\Kmt\vmicsvc.exe
C:\Users\Admin\AppData\Local\Kmt\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:824

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:828

C:\Users\Admin\AppData\Local\e6r6zh\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\e6r6zh\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1640

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Kmt\ACTIVEDS.dll
MD5
224c6c09c9cbc582f0b59db28ff1d6e4

SHA1
c71c4d7076f1b1bb78c377b65bf3711a118417f8

SHA256
c575da507bf429fad5877c462bbed218dd62588665cabd91c2da5858719e17a9

SHA512
ef4769f111146ad603c3af95750c57e903b11d9e7746c12bdcbac830ca01b1a9f992afafe5f3b55e3fd0e75df18adfdf117f86429677df2b08dec8aed318fffe

Download Submit
C:\Users\Admin\AppData\Local\Kmt\vmicsvc.exe
MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
C:\Users\Admin\AppData\Local\e6r6zh\EhStorAuthn.exe
MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
C:\Users\Admin\AppData\Local\e6r6zh\UxTheme.dll
MD5
fccc7a00d05f569622811b2a34807fb3

SHA1
27b3648fc33a678e4f4964646ec5b261854d0f37

SHA256
1c06fd1b4816465d08d854e89c9afb5f8c3d042639f540d1ae6076f03d2b17a9

SHA512
ee8e4ed9b924d006b321df34bb7365542b6b32f0175b757c898d6444a361881d11def9f2feb84b96a2c53b868fff290e862cdc4fc6ace6d3a3bf3e0476ddbf77

Download Submit
C:\Users\Admin\AppData\Local\ierQNA60E\UxTheme.dll
MD5
5eda72f95c36d7e489a5a8a5cffab424

SHA1
c4719858296708dbf6a6ac12815b2018ffd495ff

SHA256
e0fe1540c52110b0a2326b83d19ddc0de4239585ab2115f36fd9415971380d81

SHA512
77397700c5db5671535ef4b1f7e1ed2b94996c5d53507ac43de4f618447ed5448aaac45861103695c448572e3109fbb5e9ee57ceb8ed0a5bafbaf10a9ebe01e9

Download Submit
C:\Users\Admin\AppData\Local\ierQNA60E\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\Kmt\ACTIVEDS.dll
MD5
224c6c09c9cbc582f0b59db28ff1d6e4

SHA1
c71c4d7076f1b1bb78c377b65bf3711a118417f8

SHA256
c575da507bf429fad5877c462bbed218dd62588665cabd91c2da5858719e17a9

SHA512
ef4769f111146ad603c3af95750c57e903b11d9e7746c12bdcbac830ca01b1a9f992afafe5f3b55e3fd0e75df18adfdf117f86429677df2b08dec8aed318fffe

Download Submit
\Users\Admin\AppData\Local\Kmt\vmicsvc.exe
MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Local\e6r6zh\EhStorAuthn.exe
MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
\Users\Admin\AppData\Local\e6r6zh\UxTheme.dll
MD5
fccc7a00d05f569622811b2a34807fb3

SHA1
27b3648fc33a678e4f4964646ec5b261854d0f37

SHA256
1c06fd1b4816465d08d854e89c9afb5f8c3d042639f540d1ae6076f03d2b17a9

SHA512
ee8e4ed9b924d006b321df34bb7365542b6b32f0175b757c898d6444a361881d11def9f2feb84b96a2c53b868fff290e862cdc4fc6ace6d3a3bf3e0476ddbf77

Download Submit
\Users\Admin\AppData\Local\ierQNA60E\UxTheme.dll
MD5
5eda72f95c36d7e489a5a8a5cffab424

SHA1
c4719858296708dbf6a6ac12815b2018ffd495ff

SHA256
e0fe1540c52110b0a2326b83d19ddc0de4239585ab2115f36fd9415971380d81

SHA512
77397700c5db5671535ef4b1f7e1ed2b94996c5d53507ac43de4f618447ed5448aaac45861103695c448572e3109fbb5e9ee57ceb8ed0a5bafbaf10a9ebe01e9

Download Submit
\Users\Admin\AppData\Local\ierQNA60E\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Acrobat\HZs\EhStorAuthn.exe
MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
memory/824-101-0x0000000000000000-mapping.dmp

Download
memory/1116-56-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1116-54-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1188-93-0x0000000000000000-mapping.dmp

Download
memory/1188-98-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1188-95-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1336-75-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-84-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-80-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-79-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-78-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-74-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-70-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-68-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-66-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-62-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-60-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-59-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-58-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-86-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-85-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-82-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-83-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-81-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-77-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-76-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-73-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-72-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-71-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-69-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-65-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-67-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-57-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1336-63-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-64-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1336-61-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1640-108-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads