dridex | d613a07d9ea513fbfb187dd4fa6baee901de7a2217fd3e69dd7539efbd602f88

Analysis

max time kernel
150s
max time network
129s
platform
windows10_x64
resource
win10-en-20210920
submitted
06-10-2021 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d613a07d9ea513fbfb187dd4fa6baee901de7a2217fd3e69dd7539efbd602f88.dll
Size

1.7MB
MD5

2465cd00de8a884ccbf278484a269100
SHA1

873c9d37af344388bd010f416b5367864575bd4a
SHA256

d613a07d9ea513fbfb187dd4fa6baee901de7a2217fd3e69dd7539efbd602f88
SHA512

a2d89bfdf259be0e96abfcbfabde849ab8c3355c153baf47639b85287496a8d1512c6b7cdf7100de2daf5e0e476d4637a31cdc11252630a504fe6a3c36101c35

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3028-120-0x0000000000840000-0x0000000000841000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DisplaySwitch.exeirftp.exemmc.exe

pid process

3984 DisplaySwitch.exe
760 irftp.exe
4204 mmc.exe

pid	process
3984	DisplaySwitch.exe
760	irftp.exe
4204	mmc.exe

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FYa
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FYa\WINMM.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\FYa\irftp.exe

Loads dropped DLL 3 IoCs

Processes:

DisplaySwitch.exeirftp.exemmc.exe

pid process

3984 DisplaySwitch.exe
760 irftp.exe
4204 mmc.exe

pid	process
3984	DisplaySwitch.exe
760	irftp.exe
4204	mmc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\FYa\\irftp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeDisplaySwitch.exeirftp.exemmc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4076	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028

pid	process
3028

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 3952	3028	DisplaySwitch.exe
PID 3028 wrote to memory of 3952	3028	DisplaySwitch.exe
PID 3028 wrote to memory of 3984	3028	DisplaySwitch.exe
PID 3028 wrote to memory of 3984	3028	DisplaySwitch.exe
PID 3028 wrote to memory of 748	3028	irftp.exe
PID 3028 wrote to memory of 748	3028	irftp.exe
PID 3028 wrote to memory of 760	3028	irftp.exe
PID 3028 wrote to memory of 760	3028	irftp.exe
PID 3028 wrote to memory of 4220	3028	mmc.exe
PID 3028 wrote to memory of 4220	3028	mmc.exe
PID 3028 wrote to memory of 4204	3028	mmc.exe
PID 3028 wrote to memory of 4204	3028	mmc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d613a07d9ea513fbfb187dd4fa6baee901de7a2217fd3e69dd7539efbd602f88.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:3952

C:\Users\Admin\AppData\Local\jzLt3NBDO\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\jzLt3NBDO\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3984

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:748

C:\Users\Admin\AppData\Local\1Xn9tYus\irftp.exe
C:\Users\Admin\AppData\Local\1Xn9tYus\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:760

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:4220

C:\Users\Admin\AppData\Local\yAwRbx\mmc.exe
C:\Users\Admin\AppData\Local\yAwRbx\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1Xn9tYus\WINMM.dll
MD5
9d535da42eeaa4465bdaa3bab1ba4c8f

SHA1
9f6c73e1a529188c05208ea44cb040cb848952df

SHA256
4dae853ac0d1ed9c877c3499e421aeba20f951ab530eec0dc5f18922690d8f2d

SHA512
ddff7de77a6d3cae09c7e2bf07e111392f5b7913181b8648cfd63d84d177cae9f3d3cd89ba4c28759d9f3efb978e57f5625ec91d9dbd768d87300f6a7886c1f2

Download Submit
C:\Users\Admin\AppData\Local\1Xn9tYus\irftp.exe
MD5
dbc1bc119e305f66dabe98d43e40113a

SHA1
76cc827689d52f2aeb3acc679e6b1a69f7674052

SHA256
cb2bf82f7d678a376a9609048518b1bcc40c41a0d689248753cbd7a7f3744468

SHA512
1bdb81ee7c2505a94d224390c0ae84262986f11b4d86acc0259a483f7a264aaebf2744068504c4200b98922f713ef3f0f3e1dbb8aed50f9fb625dc458585b415

Download Submit
C:\Users\Admin\AppData\Local\jzLt3NBDO\DUI70.dll
MD5
a8d375623df39721e234e610749b5c0f

SHA1
9def13f049a1673590794538160d5a530a29aa43

SHA256
3951b84645c24f7e7dae6aded2f8b14a45c84fc6c2a714bac16a488cfc948058

SHA512
7d129a7511f9f3b9518932c78555d94b1137b15dcebb62a8f3b70227c274b65b1f2c0a7b6f75f1cb9734da582a58cc76ccc578846ff057b222f6b98abe176bf7

Download Submit
C:\Users\Admin\AppData\Local\jzLt3NBDO\DisplaySwitch.exe
MD5
9e139d8cdf910f624c4cb0a63cbab22d

SHA1
14b7259a609fddb0c561e1154dac638fa0db06b3

SHA256
3374874744179d8f880791ff4373736d9bb93ae3275be6ff26b296b4d8b9619c

SHA512
d2c7521cc65c92da10a337303f5902560f3dc30ba0dfb959196337d4dcbc13a2ef69de7e7cfdc5e983affc3fc6938a485ef8ead0cf1c485aa0893c667fe08357

Download Submit
C:\Users\Admin\AppData\Local\yAwRbx\MFC42u.dll
MD5
cb0dd3f6ef7ea584bee4c7851da18081

SHA1
c6a346b3f670d358db7a331b11ee2864eaf7e6f4

SHA256
40528f93aa6835bfceff6f92fcb609946806528862771943e5aff5f240f8feb5

SHA512
cd6d29e6ef8c67297d003dea89746b09a6cb8cb2fe2e3f73d70ffb12e187bb7b8c7e56665dbf2a96410dcb400410a6ff31b9230d6805695ad038650a66c420a0

Download Submit
C:\Users\Admin\AppData\Local\yAwRbx\mmc.exe
MD5
211adc0a46442c4050285c6b2c8874a1

SHA1
cf7ad4f94eda214bd5283cb8ad57db52d2d558fc

SHA256
e021d4b2f12d2836c279aeee9fe59cea300730519afa57f450ba7095b45a653f

SHA512
d4cc517a97e1bd439080eb027bddee96e0c773477885f52cde535c24281f86855ef035aa94b0dbedfbffb9da9d77e12878f165d9016b9c0465d3cd83bb0f27db

Download Submit
C:\Users\Admin\AppData\Local\yAwRbx\mmc.exe
MD5
211adc0a46442c4050285c6b2c8874a1

SHA1
cf7ad4f94eda214bd5283cb8ad57db52d2d558fc

SHA256
e021d4b2f12d2836c279aeee9fe59cea300730519afa57f450ba7095b45a653f

SHA512
d4cc517a97e1bd439080eb027bddee96e0c773477885f52cde535c24281f86855ef035aa94b0dbedfbffb9da9d77e12878f165d9016b9c0465d3cd83bb0f27db

Download Submit
\Users\Admin\AppData\Local\1Xn9tYus\WINMM.dll
MD5
9d535da42eeaa4465bdaa3bab1ba4c8f

SHA1
9f6c73e1a529188c05208ea44cb040cb848952df

SHA256
4dae853ac0d1ed9c877c3499e421aeba20f951ab530eec0dc5f18922690d8f2d

SHA512
ddff7de77a6d3cae09c7e2bf07e111392f5b7913181b8648cfd63d84d177cae9f3d3cd89ba4c28759d9f3efb978e57f5625ec91d9dbd768d87300f6a7886c1f2

Download Submit
\Users\Admin\AppData\Local\jzLt3NBDO\DUI70.dll
MD5
a8d375623df39721e234e610749b5c0f

SHA1
9def13f049a1673590794538160d5a530a29aa43

SHA256
3951b84645c24f7e7dae6aded2f8b14a45c84fc6c2a714bac16a488cfc948058

SHA512
7d129a7511f9f3b9518932c78555d94b1137b15dcebb62a8f3b70227c274b65b1f2c0a7b6f75f1cb9734da582a58cc76ccc578846ff057b222f6b98abe176bf7

Download Submit
\Users\Admin\AppData\Local\yAwRbx\MFC42u.dll
MD5
cb0dd3f6ef7ea584bee4c7851da18081

SHA1
c6a346b3f670d358db7a331b11ee2864eaf7e6f4

SHA256
40528f93aa6835bfceff6f92fcb609946806528862771943e5aff5f240f8feb5

SHA512
cd6d29e6ef8c67297d003dea89746b09a6cb8cb2fe2e3f73d70ffb12e187bb7b8c7e56665dbf2a96410dcb400410a6ff31b9230d6805695ad038650a66c420a0

Download Submit
memory/760-180-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/760-176-0x0000000000000000-mapping.dmp

Download
memory/3028-132-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-152-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-120-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/3028-133-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-134-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-135-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-136-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-137-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-139-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-140-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-138-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-141-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-142-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-143-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-145-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-144-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-146-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-147-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-148-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-149-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-150-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-151-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-153-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-131-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-155-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-154-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-156-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-164-0x00007FFDD8914560-0x00007FFDD8915560-memory.dmp

Filesize
4KB

Download
memory/3028-166-0x00007FFDD8860000-0x00007FFDD8870000-memory.dmp

Filesize
64KB

Download
memory/3028-121-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-130-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-129-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-128-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-122-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-127-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-126-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-125-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-124-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3028-123-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/3984-171-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3984-167-0x0000000000000000-mapping.dmp

Download
memory/4076-115-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/4076-119-0x0000020F36EB0000-0x0000020F36EB7000-memory.dmp

Filesize
28KB

Download
memory/4204-185-0x0000000000000000-mapping.dmp

Download
memory/4204-190-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads