dridex | 075742803b0beb6494f4f67850a13e79d0e4b30d6e3c46d3910062a798d99eca

Analysis

max time kernel
153s
max time network
91s
platform
windows10_x64
resource
win10v20210408
submitted
30-09-2021 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

075742803b0beb6494f4f67850a13e79d0e4b30d6e3c46d3910062a798d99eca.dll
Size

812KB
MD5

5c4c982abfebbc1780ad0b08e5addb47
SHA1

e38543d77ba0d529febe02806862f51e816ecf99
SHA256

075742803b0beb6494f4f67850a13e79d0e4b30d6e3c46d3910062a798d99eca
SHA512

f685774bc5643b5c349c982c1ce2c2e78e01715da9b9173ed15b1b985ee86cd9430fd1701fac5d9a50ed8da4dd1b2f563edfa5adfcbf64521d07968357f0a37a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4016-114-0x0000000140000000-0x00000001400CB000-memory.dmp	dridex_payload
behavioral2/memory/1360-163-0x0000000140000000-0x00000001400CC000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3028-120-0x0000000000DF0000-0x0000000000DF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EhStorAuthn.exetabcal.exeomadmclient.exe

pid process

1360 EhStorAuthn.exe
1720 tabcal.exe
2176 omadmclient.exe
Loads dropped DLL 3 IoCs

Processes:

EhStorAuthn.exetabcal.exeomadmclient.exe

pid process

1360 EhStorAuthn.exe
1720 tabcal.exe
2176 omadmclient.exe

pid	process
1360	EhStorAuthn.exe
1720	tabcal.exe
2176	omadmclient.exe

pid	process
1360	EhStorAuthn.exe
1720	tabcal.exe
2176	omadmclient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\ZKSPEe9\\tabcal.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEhStorAuthn.exetabcal.exeomadmclient.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028

pid	process
3028

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

3028
3028
3028
3028

pid	process
3028
3028
3028
3028

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 1248	3028	EhStorAuthn.exe
PID 3028 wrote to memory of 1248	3028	EhStorAuthn.exe
PID 3028 wrote to memory of 1360	3028	EhStorAuthn.exe
PID 3028 wrote to memory of 1360	3028	EhStorAuthn.exe
PID 3028 wrote to memory of 1712	3028	tabcal.exe
PID 3028 wrote to memory of 1712	3028	tabcal.exe
PID 3028 wrote to memory of 1720	3028	tabcal.exe
PID 3028 wrote to memory of 1720	3028	tabcal.exe
PID 3028 wrote to memory of 2088	3028	omadmclient.exe
PID 3028 wrote to memory of 2088	3028	omadmclient.exe
PID 3028 wrote to memory of 2176	3028	omadmclient.exe
PID 3028 wrote to memory of 2176	3028	omadmclient.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\075742803b0beb6494f4f67850a13e79d0e4b30d6e3c46d3910062a798d99eca.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Cow7zEQ\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\Cow7zEQ\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1360

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:1712

C:\Users\Admin\AppData\Local\wTj67n\tabcal.exe
C:\Users\Admin\AppData\Local\wTj67n\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1720

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:2088

C:\Users\Admin\AppData\Local\IR0LWsNI\omadmclient.exe
C:\Users\Admin\AppData\Local\IR0LWsNI\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2176

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Cow7zEQ\EhStorAuthn.exe
MD5
118b5c1b372cb01ce63d5eaa2358633b

SHA1
3c51c58c5e17c435e004dc08b16cf9609229281c

SHA256
0c92e6ef942d548686bcfc277fef5b830d79e04a42efc358045f8a170a218d30

SHA512
33ac3b760ac48544885a3edc4bc04d4dd37786109cb2016f4aabfc3ab02b1140dc43963474a54c5cd808a41b3755f0e6cb9cc1e2ebd4e86fd2d2c5973ff8401e

Download Submit
C:\Users\Admin\AppData\Local\Cow7zEQ\UxTheme.dll
MD5
b44d4db53a519034da45d89b3c9d2093

SHA1
726fcee99109f1643f0bf9b541791ce86fc3848c

SHA256
06decabd582f4fe3504488bca693a83c216f5f6f8a460cc0059087b8e7c1afca

SHA512
b5522a6b111767d7aeb22d8aa1aac79d8fbbcf3ef6c7380dc6a182ee6e3a72f97b9687f185b51dfd7365ed92858fa47f777ef2ad86901c5d1b8741998e2faeaa

Download Submit
C:\Users\Admin\AppData\Local\IR0LWsNI\XmlLite.dll
MD5
a27ccc45f5403595723715b007b15d4c

SHA1
fa0f5430b2f21ba91164c7cbd45486d04e9047ed

SHA256
eb48f4847660e30c19b485ff4c22d6333ce6618ff83c7d6caa0fbea11d00f3ae

SHA512
2a134e72dc0a97231be3ac1f9352b4a4d07085fb1c0e8ac9c1e36c5dab9ebf656ba0597754a3cb5c70d103990ab7d9b4de7b047c0d5eed761650f4f43390ff30

Download Submit
C:\Users\Admin\AppData\Local\IR0LWsNI\omadmclient.exe
MD5
0f8c6315c9458cab5b3aae2df853edb6

SHA1
ff59734b75896b422e8d7a642c4ea59bf6dab759

SHA256
76eb6879858ab42089e369984f6e0e775b32b6756a605ed5f2fb1a06c1151498

SHA512
966045c25685a0f01bcd49f6e9ec5bbdaa8a3e261129c03db85031fb1d8705bfba967894d2530c2691e16fdbed11a9df9122d9093db2b46c6ce1b641db36bb3c

Download Submit
C:\Users\Admin\AppData\Local\wTj67n\HID.DLL
MD5
c2e2187505a5bfcbddb5a04de039cfc2

SHA1
c496ca839d8ed379f61294a77cc92c12b811a2a4

SHA256
4bf93c2a4d1c3771448e100634491f3b40f637ed04bad8922cd162be952aa97d

SHA512
e65b4fe7a4bbd07544d6846f8cf684ed51fc6e4e5865dd0f491ca2ae1261bb77a4f3f86c9632564d59c67098bb5ae20ddbe7b777c16e6d9ff302230be03c9468

Download Submit
C:\Users\Admin\AppData\Local\wTj67n\tabcal.exe
MD5
4e5b6b3059dc055232f4fbd6c4796540

SHA1
9929b2c336e9bf4aacfaa15083224bcd5eff6aae

SHA256
bc0beeda967eecf14940d2105cd179cd0da3843651d183c3ead6df7615c866f1

SHA512
7bdb1eb8c3b84203ae9ef8d58045a5fa32bd2c206f71a3bae14c458b37d265452e183f3fbe0784a8a37fdea661dd5c34d50decbc6a296b9c7a6c353c61152374

Download Submit
\Users\Admin\AppData\Local\Cow7zEQ\UxTheme.dll
MD5
b44d4db53a519034da45d89b3c9d2093

SHA1
726fcee99109f1643f0bf9b541791ce86fc3848c

SHA256
06decabd582f4fe3504488bca693a83c216f5f6f8a460cc0059087b8e7c1afca

SHA512
b5522a6b111767d7aeb22d8aa1aac79d8fbbcf3ef6c7380dc6a182ee6e3a72f97b9687f185b51dfd7365ed92858fa47f777ef2ad86901c5d1b8741998e2faeaa

Download Submit
\Users\Admin\AppData\Local\IR0LWsNI\XmlLite.dll
MD5
a27ccc45f5403595723715b007b15d4c

SHA1
fa0f5430b2f21ba91164c7cbd45486d04e9047ed

SHA256
eb48f4847660e30c19b485ff4c22d6333ce6618ff83c7d6caa0fbea11d00f3ae

SHA512
2a134e72dc0a97231be3ac1f9352b4a4d07085fb1c0e8ac9c1e36c5dab9ebf656ba0597754a3cb5c70d103990ab7d9b4de7b047c0d5eed761650f4f43390ff30

Download Submit
\Users\Admin\AppData\Local\wTj67n\HID.DLL
MD5
c2e2187505a5bfcbddb5a04de039cfc2

SHA1
c496ca839d8ed379f61294a77cc92c12b811a2a4

SHA256
4bf93c2a4d1c3771448e100634491f3b40f637ed04bad8922cd162be952aa97d

SHA512
e65b4fe7a4bbd07544d6846f8cf684ed51fc6e4e5865dd0f491ca2ae1261bb77a4f3f86c9632564d59c67098bb5ae20ddbe7b777c16e6d9ff302230be03c9468

Download Submit
memory/1360-159-0x0000000000000000-mapping.dmp

Download
memory/1360-163-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/1720-168-0x0000000000000000-mapping.dmp

Download
memory/2176-177-0x0000000000000000-mapping.dmp

Download
memory/3028-129-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-148-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-133-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-134-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-135-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-136-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-137-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-138-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-139-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-140-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-141-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-142-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-143-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-144-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-145-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-146-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-147-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-132-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-149-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-158-0x00007FFB9C5C4320-0x00007FFB9C5C5320-memory.dmp

Filesize
4KB

Download
memory/3028-131-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-130-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-120-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/3028-128-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-127-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-126-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-125-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-124-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-123-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-122-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3028-121-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/4016-114-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/4016-119-0x000002058AB50000-0x000002058AB57000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads