dridex | 336e73eb69d5ae01d129710c15d6aaf8165fdf588080b7ae9044a610765a359b

Analysis

max time kernel
150s
max time network
26s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-09-2021 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

336e73eb69d5ae01d129710c15d6aaf8165fdf588080b7ae9044a610765a359b.dll
Size

804KB
MD5

9c43c369c752cd67072cf89eccbe29cd
SHA1

47505b5142506ac934d3960d4d9c638565bf885f
SHA256

336e73eb69d5ae01d129710c15d6aaf8165fdf588080b7ae9044a610765a359b
SHA512

20694328a13e0debfaebda9c21393458c6a37b4d475aea0183a2099b752050209c3ddd5081f521a09b8c06aa8b39a453a1771dac2d84b0d0d3919d4a278e733e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1432-53-0x0000000140000000-0x00000001400C9000-memory.dmp	dridex_payload
behavioral1/memory/1612-97-0x0000000140000000-0x00000001400CA000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-56-0x0000000002930000-0x0000000002931000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

shrpubw.exeSndVol.exelpksetup.exe

pid process

1612 shrpubw.exe
908 SndVol.exe
1808 lpksetup.exe
Loads dropped DLL 7 IoCs

Processes:

shrpubw.exeSndVol.exelpksetup.exe

pid process

1204
1612 shrpubw.exe
1204
908 SndVol.exe
1204
1808 lpksetup.exe
1204

pid	process
1612	shrpubw.exe
908	SndVol.exe
1808	lpksetup.exe

pid	process
1204
1612	shrpubw.exe
1204
908	SndVol.exe
1204
1808	lpksetup.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\vT9DYQY\\SndVol.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

shrpubw.exeSndVol.exelpksetup.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1432	rundll32.exe
1432	rundll32.exe
1432	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1204
1204
1204
1204
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1204
1204
1204
1204
1204
1204

pid	process
1204

pid	process
1204
1204
1204
1204

pid	process
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 1604	1204	shrpubw.exe
PID 1204 wrote to memory of 1604	1204	shrpubw.exe
PID 1204 wrote to memory of 1604	1204	shrpubw.exe
PID 1204 wrote to memory of 1612	1204	shrpubw.exe
PID 1204 wrote to memory of 1612	1204	shrpubw.exe
PID 1204 wrote to memory of 1612	1204	shrpubw.exe
PID 1204 wrote to memory of 700	1204	SndVol.exe
PID 1204 wrote to memory of 700	1204	SndVol.exe
PID 1204 wrote to memory of 700	1204	SndVol.exe
PID 1204 wrote to memory of 908	1204	SndVol.exe
PID 1204 wrote to memory of 908	1204	SndVol.exe
PID 1204 wrote to memory of 908	1204	SndVol.exe
PID 1204 wrote to memory of 1936	1204	lpksetup.exe
PID 1204 wrote to memory of 1936	1204	lpksetup.exe
PID 1204 wrote to memory of 1936	1204	lpksetup.exe
PID 1204 wrote to memory of 1808	1204	lpksetup.exe
PID 1204 wrote to memory of 1808	1204	lpksetup.exe
PID 1204 wrote to memory of 1808	1204	lpksetup.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\336e73eb69d5ae01d129710c15d6aaf8165fdf588080b7ae9044a610765a359b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1432

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1604

C:\Users\Admin\AppData\Local\u0uNGykmi\shrpubw.exe
C:\Users\Admin\AppData\Local\u0uNGykmi\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1612

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:700

C:\Users\Admin\AppData\Local\V9U\SndVol.exe
C:\Users\Admin\AppData\Local\V9U\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:908

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1936

C:\Users\Admin\AppData\Local\acLIpl4\lpksetup.exe
C:\Users\Admin\AppData\Local\acLIpl4\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1808

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\V9U\SndVol.exe
MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\V9U\dwmapi.dll
MD5
8c15bb798db9217be6606202c28bc077

SHA1
a874510fe178f0cb7030cc57166b011661b9591b

SHA256
5639a0000806d200653a6644af3748da256b5d4137edd85d2b4e193874a395c7

SHA512
f0a3287838c8c055610fe0f78a3f221debd9d385a4c0b00ec456432c59554c0d41d595a0b85b4ca6365a2a3f3b2fc4d21ad9cc77048a9ff91cd97fa6fc74e45d

Download Submit
C:\Users\Admin\AppData\Local\acLIpl4\dpx.dll
MD5
f1dbfc9865c6c453caafc2dfc90341bd

SHA1
c5109caeebd861588197173396b7fba9b4027d9a

SHA256
4a4fb03743f23fd993229223621bfd47502da1cee0354dc6acec5e1918af377f

SHA512
cce65efe4cbffd918a74f26e10238b258df4bcc06e1708e308e625b5ab2aa444eaf689c92576a548d896085acc14a7845a35ee886aa6e53f38941ea320fef306

Download Submit
C:\Users\Admin\AppData\Local\acLIpl4\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
C:\Users\Admin\AppData\Local\u0uNGykmi\ACLUI.dll
MD5
6985b2297304dca747055fa73caface1

SHA1
06b5d26d877a021d67ca7a489e27b6b63f3c17b8

SHA256
fcd0c3323a7a3ec33dfbddc6f57181318bdfccbb3cdbca55f100d7e29df4310f

SHA512
a2278549a2e1dbd794b0ab328cdd932a9cbe38eeb0dead6da3a242c016d05f3cb94e5cc2774fbf67ca8c979590b6ddaaeaac904c510d2ac84572ffe7031114fb

Download Submit
C:\Users\Admin\AppData\Local\u0uNGykmi\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\V9U\SndVol.exe
MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\V9U\dwmapi.dll
MD5
8c15bb798db9217be6606202c28bc077

SHA1
a874510fe178f0cb7030cc57166b011661b9591b

SHA256
5639a0000806d200653a6644af3748da256b5d4137edd85d2b4e193874a395c7

SHA512
f0a3287838c8c055610fe0f78a3f221debd9d385a4c0b00ec456432c59554c0d41d595a0b85b4ca6365a2a3f3b2fc4d21ad9cc77048a9ff91cd97fa6fc74e45d

Download Submit
\Users\Admin\AppData\Local\acLIpl4\dpx.dll
MD5
f1dbfc9865c6c453caafc2dfc90341bd

SHA1
c5109caeebd861588197173396b7fba9b4027d9a

SHA256
4a4fb03743f23fd993229223621bfd47502da1cee0354dc6acec5e1918af377f

SHA512
cce65efe4cbffd918a74f26e10238b258df4bcc06e1708e308e625b5ab2aa444eaf689c92576a548d896085acc14a7845a35ee886aa6e53f38941ea320fef306

Download Submit
\Users\Admin\AppData\Local\acLIpl4\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\u0uNGykmi\ACLUI.dll
MD5
6985b2297304dca747055fa73caface1

SHA1
06b5d26d877a021d67ca7a489e27b6b63f3c17b8

SHA256
fcd0c3323a7a3ec33dfbddc6f57181318bdfccbb3cdbca55f100d7e29df4310f

SHA512
a2278549a2e1dbd794b0ab328cdd932a9cbe38eeb0dead6da3a242c016d05f3cb94e5cc2774fbf67ca8c979590b6ddaaeaac904c510d2ac84572ffe7031114fb

Download Submit
\Users\Admin\AppData\Local\u0uNGykmi\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\Oodhnm\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
memory/908-100-0x0000000000000000-mapping.dmp

Download
memory/1204-66-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-82-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-70-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-71-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-72-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-73-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-80-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-81-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-79-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-78-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-77-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-76-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-75-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-74-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-85-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-84-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-83-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-69-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-68-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-56-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/1204-67-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-57-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-58-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-65-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-59-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-64-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-63-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-62-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-60-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1204-61-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1432-53-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1432-55-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1612-97-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1612-94-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp

Filesize
8KB

Download
memory/1612-92-0x0000000000000000-mapping.dmp

Download
memory/1808-108-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads