dridex | 336e73eb69d5ae01d129710c15d6aaf8165fdf588080b7ae9044a610765a359b

Analysis

max time kernel
150s
max time network
118s
platform
windows10_x64
resource
win10-en-20210920
submitted
30-09-2021 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

336e73eb69d5ae01d129710c15d6aaf8165fdf588080b7ae9044a610765a359b.dll
Size

804KB
MD5

9c43c369c752cd67072cf89eccbe29cd
SHA1

47505b5142506ac934d3960d4d9c638565bf885f
SHA256

336e73eb69d5ae01d129710c15d6aaf8165fdf588080b7ae9044a610765a359b
SHA512

20694328a13e0debfaebda9c21393458c6a37b4d475aea0183a2099b752050209c3ddd5081f521a09b8c06aa8b39a453a1771dac2d84b0d0d3919d4a278e733e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 4 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1776-115-0x0000000140000000-0x00000001400C9000-memory.dmp	dridex_payload
behavioral2/memory/4080-165-0x0000000140000000-0x00000001400CA000-memory.dmp	dridex_payload
behavioral2/memory/380-174-0x0000000140000000-0x00000001400D0000-memory.dmp	dridex_payload
behavioral2/memory/2068-183-0x0000000140000000-0x000000014010F000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3040-121-0x0000000000D40000-0x0000000000D41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SndVol.exemsinfo32.exeLicensingUI.exe

pid process

4080 SndVol.exe
380 msinfo32.exe
2068 LicensingUI.exe
Loads dropped DLL 3 IoCs

Processes:

SndVol.exemsinfo32.exeLicensingUI.exe

pid process

4080 SndVol.exe
380 msinfo32.exe
2068 LicensingUI.exe

pid	process
4080	SndVol.exe
380	msinfo32.exe
2068	LicensingUI.exe

pid	process
4080	SndVol.exe
380	msinfo32.exe
2068	LicensingUI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\Deployment\\QRb1M8iM\\msinfo32.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSndVol.exemsinfo32.exeLicensingUI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LicensingUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040

pid	process
3040

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3040 wrote to memory of 3428	3040	SndVol.exe
PID 3040 wrote to memory of 3428	3040	SndVol.exe
PID 3040 wrote to memory of 4080	3040	SndVol.exe
PID 3040 wrote to memory of 4080	3040	SndVol.exe
PID 3040 wrote to memory of 824	3040	msinfo32.exe
PID 3040 wrote to memory of 824	3040	msinfo32.exe
PID 3040 wrote to memory of 380	3040	msinfo32.exe
PID 3040 wrote to memory of 380	3040	msinfo32.exe
PID 3040 wrote to memory of 2300	3040	LicensingUI.exe
PID 3040 wrote to memory of 2300	3040	LicensingUI.exe
PID 3040 wrote to memory of 2068	3040	LicensingUI.exe
PID 3040 wrote to memory of 2068	3040	LicensingUI.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\336e73eb69d5ae01d129710c15d6aaf8165fdf588080b7ae9044a610765a359b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:3428

C:\Users\Admin\AppData\Local\509BlLHtj\SndVol.exe
C:\Users\Admin\AppData\Local\509BlLHtj\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4080

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:824

C:\Users\Admin\AppData\Local\1Q0\msinfo32.exe
C:\Users\Admin\AppData\Local\1Q0\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:380

C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
1⤵
PID:2300

C:\Users\Admin\AppData\Local\t46j\LicensingUI.exe
C:\Users\Admin\AppData\Local\t46j\LicensingUI.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1Q0\MFC42u.dll
MD5
b2668009f1bd60a2a91a3f4b114a6834

SHA1
eb07859a640a48798c97aacadfa743998882764f

SHA256
58c9a6eae66567592991461d5a507143f967c4818e016251e2c2cbab45b8a258

SHA512
423fd70130f0d12e88769453a90f539ac806d629c882228cc41a3d3e75da9084bc94de79e476c931ee458974c74af3ba88148f9033e29b315d4518cd971f0f9e

Download Submit
C:\Users\Admin\AppData\Local\1Q0\msinfo32.exe
MD5
255861c59cdfbf86c03560d39a92932a

SHA1
18353cb8a58d25ab62687b69fee44d007b994f19

SHA256
57aeba5f7f9de579f3c334e7e013114f6b2257b810b2fc8c1f96331ad1c4909c

SHA512
f695394f344f07036684dc4ba4ba011bc0b5b0b27898c82714cbd072c6218870234deb18044c00bf3fda618480e4e517cba50d577c228a63ee3e2676029e430b

Download Submit
C:\Users\Admin\AppData\Local\509BlLHtj\SndVol.exe
MD5
27205270f880954ac16dbe3436a8699a

SHA1
c94dee99c7a19f85be8feef0019969b972894437

SHA256
9520ffcee5ece79190dcccc9020e212d43aa6f58e2e633e2a5ed701e909abb6f

SHA512
5e9cbc33cb583c93db4df7781c8960185703da554db81b31087545cc82d4eaf7a3d94aa7aff2b9c999446c621896c264940f0b1c1b4ba0e71cb09ab3dcc6b44b

Download Submit
C:\Users\Admin\AppData\Local\509BlLHtj\dwmapi.dll
MD5
e07e8ad15932d136abd0991ebdf42c04

SHA1
e87c208c8b475416871e126e2d4b372fb120e3e2

SHA256
cabff932f4cc4e97f6c33c8a535a3db79d770dba0378b3ecb4c9d2b8fe4de3c0

SHA512
a7a9f935dc8a029491092132b590a0c5c1e9d23411bf339e48a3d490df7d4be75394e4f623570b59dcc69be4f6002889273c39e721c170ce5e64f0147d0681fd

Download Submit
C:\Users\Admin\AppData\Local\t46j\DUI70.dll
MD5
1d31ec382dacee361671b5a6575f75a0

SHA1
b53946fe531c90c947982b35357c81214df1798d

SHA256
38d0ef8115639d2142ada1180adb2dd300a3a8ea6f355e77d53385b989dee9ad

SHA512
f0501068a2a6c27a28bde97693b32b8ac52ed879cc008efa0d9b5a6a0fe899b8af1b69ec3363c16c83e887acc946b97d0696b02c9a7fff2a712630cc25b9f38e

Download Submit
C:\Users\Admin\AppData\Local\t46j\LicensingUI.exe
MD5
ef2ecf6c8b8dea519e92d9d7ec242b8c

SHA1
1483c4409f153cf074f2b9c070001b2fdb4af0db

SHA256
0baca1d940b763595d84d3f0d4371bd6e4d17b5496e69d0d6023a5eec8cc43e9

SHA512
1f2aded8f74e90e46b6f74dda4a11412db23e8b68b61bcd792ffdc1e150d4076424b57cbc6e43505856f742127b305f5c4aa06bbc4829a94cfe01a93f4bfdf6a

Download Submit
\Users\Admin\AppData\Local\1Q0\MFC42u.dll
MD5
b2668009f1bd60a2a91a3f4b114a6834

SHA1
eb07859a640a48798c97aacadfa743998882764f

SHA256
58c9a6eae66567592991461d5a507143f967c4818e016251e2c2cbab45b8a258

SHA512
423fd70130f0d12e88769453a90f539ac806d629c882228cc41a3d3e75da9084bc94de79e476c931ee458974c74af3ba88148f9033e29b315d4518cd971f0f9e

Download Submit
\Users\Admin\AppData\Local\509BlLHtj\dwmapi.dll
MD5
e07e8ad15932d136abd0991ebdf42c04

SHA1
e87c208c8b475416871e126e2d4b372fb120e3e2

SHA256
cabff932f4cc4e97f6c33c8a535a3db79d770dba0378b3ecb4c9d2b8fe4de3c0

SHA512
a7a9f935dc8a029491092132b590a0c5c1e9d23411bf339e48a3d490df7d4be75394e4f623570b59dcc69be4f6002889273c39e721c170ce5e64f0147d0681fd

Download Submit
\Users\Admin\AppData\Local\t46j\DUI70.dll
MD5
1d31ec382dacee361671b5a6575f75a0

SHA1
b53946fe531c90c947982b35357c81214df1798d

SHA256
38d0ef8115639d2142ada1180adb2dd300a3a8ea6f355e77d53385b989dee9ad

SHA512
f0501068a2a6c27a28bde97693b32b8ac52ed879cc008efa0d9b5a6a0fe899b8af1b69ec3363c16c83e887acc946b97d0696b02c9a7fff2a712630cc25b9f38e

Download Submit
memory/380-174-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/380-170-0x0000000000000000-mapping.dmp

Download
memory/1776-115-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/1776-120-0x000001E6D2240000-0x000001E6D2247000-memory.dmp

Filesize
28KB

Download
memory/2068-179-0x0000000000000000-mapping.dmp

Download
memory/2068-183-0x0000000140000000-0x000000014010F000-memory.dmp

Filesize
1.1MB

Download
memory/3040-131-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-159-0x00007FF9631B4320-0x00007FF9631B5320-memory.dmp

Filesize
4KB

Download
memory/3040-136-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-137-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-138-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-139-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-140-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-141-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-142-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-143-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-144-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-145-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-146-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-147-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-148-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-149-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-150-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-135-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-160-0x00007FF963184320-0x00007FF963185320-memory.dmp

Filesize
4KB

Download
memory/3040-121-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/3040-134-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-133-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-132-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-122-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-130-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-129-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-128-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-127-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-126-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-125-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-124-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/3040-123-0x0000000140000000-0x00000001400C9000-memory.dmp

Filesize
804KB

Download
memory/4080-165-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4080-161-0x0000000000000000-mapping.dmp

Download