dridex | 114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6

Analysis

max time kernel
162s
max time network
145s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6.dll
Size

1.5MB
MD5

32f0105f83bb61e4fd688219dca080c0
SHA1

4de49a52dd511040dc5d36703966d6b0fe9075a7
SHA256

114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6
SHA512

28556df31e2299904d61ddb80b3ef334c23a40f16bca1f0cfb395c4fe472dfe9ea37d978e44c2d2443f75e77870a4d88ccc197bd1e54462e89c44de7e733e6ec

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3044-125-0x0000000000620000-0x0000000000621000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exemsconfig.exeInfDefaultInstall.exe

pid process

4484 ApplySettingsTemplateCatalog.exe
4456 msconfig.exe
900 InfDefaultInstall.exe
Loads dropped DLL 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exemsconfig.exeInfDefaultInstall.exe

pid process

4484 ApplySettingsTemplateCatalog.exe
4456 msconfig.exe
900 InfDefaultInstall.exe

pid	process
4484	ApplySettingsTemplateCatalog.exe
4456	msconfig.exe
900	InfDefaultInstall.exe

pid	process
4484	ApplySettingsTemplateCatalog.exe
4456	msconfig.exe
900	InfDefaultInstall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\Zq\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeApplySettingsTemplateCatalog.exemsconfig.exeInfDefaultInstall.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InfDefaultInstall.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeApplySettingsTemplateCatalog.exe

pid	process
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
4016	rundll32.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
4484	ApplySettingsTemplateCatalog.exe
4484	ApplySettingsTemplateCatalog.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044

pid	process
3044

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3044 wrote to memory of 4424	3044	ApplySettingsTemplateCatalog.exe
PID 3044 wrote to memory of 4424	3044	ApplySettingsTemplateCatalog.exe
PID 3044 wrote to memory of 4484	3044	ApplySettingsTemplateCatalog.exe
PID 3044 wrote to memory of 4484	3044	ApplySettingsTemplateCatalog.exe
PID 3044 wrote to memory of 4308	3044	msconfig.exe
PID 3044 wrote to memory of 4308	3044	msconfig.exe
PID 3044 wrote to memory of 4456	3044	msconfig.exe
PID 3044 wrote to memory of 4456	3044	msconfig.exe
PID 3044 wrote to memory of 856	3044	InfDefaultInstall.exe
PID 3044 wrote to memory of 856	3044	InfDefaultInstall.exe
PID 3044 wrote to memory of 900	3044	InfDefaultInstall.exe
PID 3044 wrote to memory of 900	3044	InfDefaultInstall.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:4424

C:\Users\Admin\AppData\Local\qJsNcyoy\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\qJsNcyoy\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:4308

C:\Users\Admin\AppData\Local\RB1\msconfig.exe
C:\Users\Admin\AppData\Local\RB1\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4456

C:\Windows\system32\InfDefaultInstall.exe
C:\Windows\system32\InfDefaultInstall.exe
1⤵
PID:856

C:\Users\Admin\AppData\Local\gzy1envO\InfDefaultInstall.exe
C:\Users\Admin\AppData\Local\gzy1envO\InfDefaultInstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\RB1\MFC42u.dll

MD5
3edeaedda45f4edb354f5a5f3069729d

SHA1
5af30d60a8151bfbf16ddc1582cf9ad58c709c63

SHA256
06782e60a2df4f0a701d06a2f425103a9995e1f2b78d16f82a09771baccf4ac0

SHA512
717c632ca36c417ff7ab90ef9273ec1215ded696a2f2adacc1c63a0c1935e66aa436d02371a7057db973259744eee712c8d362e5bb74c753d61c4dcd7837b8a2

Download Submit
C:\Users\Admin\AppData\Local\RB1\msconfig.exe

MD5
b869aef04af69e345561d01905942fef

SHA1
e61b5522c3b8b5ada95846cc6306c9c2f29265d4

SHA256
9cf1d82402469616b2b0a663e22f965395181abc91140139df226ab882a619cc

SHA512
52ad0b6b5cc6053de42d06248c312180091c06ade8a54da32a946add93854e6dd0b1af2bf02957ddb77207fd3c53ef4def6dcda0591e28b457c0e361776498f2

Download Submit
C:\Users\Admin\AppData\Local\gzy1envO\InfDefaultInstall.exe

MD5
f6ae349f1213aea7dfe83b1292e1bb7e

SHA1
12023a2d08978dba0c6a701197c249751ee30e1e

SHA256
c374b081881eafe94338f12f9bc8288c5fe510a4fb3260cb0fd0135646dd768c

SHA512
0a23f91c4f6e4780c4096fae817a6753daa72b5b290f6be0593ef055f4149fc2294e35661adf75f529c5b72801062e8fb46f4fccd83dbea7603f6e6a4aefee74

Download Submit
C:\Users\Admin\AppData\Local\gzy1envO\newdev.dll

MD5
65f1a1674fc3973de4d118893bb01d81

SHA1
44c1686ccf692955866f07720f24c8aa863c3e9d

SHA256
fdac92258e26fc1f487088f1c562ec109d223b14486eaab19eafbf5292799053

SHA512
455dab727c0c6bced48d8efb90a60b87a34c945d0af284a8b8979f70c9bbf67717b77ad266c417d19630c051cda4ff2127d39282a2b5dbee8a52a12eb7317623

Download Submit
C:\Users\Admin\AppData\Local\qJsNcyoy\ACTIVEDS.dll

MD5
8d761a5623c2153df0e37be7dca387f7

SHA1
b3e7967e94b2a492b126fc92888426ffb61a300a

SHA256
f1548c821fb48f947b6a054ba5e5c88f9e0b2ad5610e47f30d6bfb87143535bb

SHA512
029c71a31a20481a813b27125a514b3138cae08d368957df37bf3313ad9b5a715c2fd91f82557f9b7a6cae12ffc725395b1c115ba30b8bc0a531934c481f27e4

Download Submit
C:\Users\Admin\AppData\Local\qJsNcyoy\ApplySettingsTemplateCatalog.exe

MD5
ce074a9724e9335539b4318df1dc8f6c

SHA1
f04dff9c5ee02a26d5feec0ce21d07c35f4d0129

SHA256
7b72517d06869deb6efb72e6220fbd903333378afacd011950b8b2a47bf38967

SHA512
9502cf40bba8da267b9dd219abe5d7249fc3fd59d45e66120a49b8cb0609a09aa5ef18d925036141049fa985fe45444d3af9412650d1c15bce27001dfb6b072a

Download Submit
\Users\Admin\AppData\Local\RB1\MFC42u.dll

MD5
3edeaedda45f4edb354f5a5f3069729d

SHA1
5af30d60a8151bfbf16ddc1582cf9ad58c709c63

SHA256
06782e60a2df4f0a701d06a2f425103a9995e1f2b78d16f82a09771baccf4ac0

SHA512
717c632ca36c417ff7ab90ef9273ec1215ded696a2f2adacc1c63a0c1935e66aa436d02371a7057db973259744eee712c8d362e5bb74c753d61c4dcd7837b8a2

Download Submit
\Users\Admin\AppData\Local\gzy1envO\newdev.dll

MD5
65f1a1674fc3973de4d118893bb01d81

SHA1
44c1686ccf692955866f07720f24c8aa863c3e9d

SHA256
fdac92258e26fc1f487088f1c562ec109d223b14486eaab19eafbf5292799053

SHA512
455dab727c0c6bced48d8efb90a60b87a34c945d0af284a8b8979f70c9bbf67717b77ad266c417d19630c051cda4ff2127d39282a2b5dbee8a52a12eb7317623

Download Submit
\Users\Admin\AppData\Local\qJsNcyoy\ACTIVEDS.dll

MD5
8d761a5623c2153df0e37be7dca387f7

SHA1
b3e7967e94b2a492b126fc92888426ffb61a300a

SHA256
f1548c821fb48f947b6a054ba5e5c88f9e0b2ad5610e47f30d6bfb87143535bb

SHA512
029c71a31a20481a813b27125a514b3138cae08d368957df37bf3313ad9b5a715c2fd91f82557f9b7a6cae12ffc725395b1c115ba30b8bc0a531934c481f27e4

Download Submit
memory/900-172-0x0000000000000000-mapping.dmp

Download
memory/900-176-0x00007FF9EF7D0000-0x00007FF9EF95A000-memory.dmp

Filesize
1.5MB

Download
memory/900-180-0x0000013D3CC40000-0x0000013D3CC42000-memory.dmp

Filesize
8KB

Download
memory/900-181-0x0000013D3CC40000-0x0000013D3CC42000-memory.dmp

Filesize
8KB

Download
memory/900-182-0x0000013D3CC40000-0x0000013D3CC42000-memory.dmp

Filesize
8KB

Download
memory/3044-133-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-135-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-138-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-139-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-137-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-140-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-145-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/3044-146-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/3044-148-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/3044-147-0x00007FFA0B1E5000-0x00007FFA0B1E6000-memory.dmp

Filesize
4KB

Download
memory/3044-149-0x00007FFA0B320000-0x00007FFA0B322000-memory.dmp

Filesize
8KB

Download
memory/3044-183-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/3044-136-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-130-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-134-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-129-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-128-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-126-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-125-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3044-127-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-132-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-131-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4016-124-0x000002820F7E0000-0x000002820F7E7000-memory.dmp

Filesize
28KB

Download
memory/4016-123-0x000002820F7F0000-0x000002820F7F2000-memory.dmp

Filesize
8KB

Download
memory/4016-122-0x000002820F7F0000-0x000002820F7F2000-memory.dmp

Filesize
8KB

Download
memory/4016-118-0x00007FF9FD2F0000-0x00007FF9FD479000-memory.dmp

Filesize
1.5MB

Download
memory/4456-169-0x0000020353550000-0x0000020353552000-memory.dmp

Filesize
8KB

Download
memory/4456-171-0x0000020353550000-0x0000020353552000-memory.dmp

Filesize
8KB

Download
memory/4456-170-0x0000020353550000-0x0000020353552000-memory.dmp

Filesize
8KB

Download
memory/4456-165-0x00007FF9EF7D0000-0x00007FF9EF960000-memory.dmp

Filesize
1.6MB

Download
memory/4456-161-0x0000000000000000-mapping.dmp

Download
memory/4484-160-0x000002177CEE0000-0x000002177CEE2000-memory.dmp

Filesize
8KB

Download
memory/4484-159-0x000002177CEE0000-0x000002177CEE2000-memory.dmp

Filesize
8KB

Download
memory/4484-158-0x000002177CEE0000-0x000002177CEE2000-memory.dmp

Filesize
8KB

Download
memory/4484-154-0x00007FF9FD2F0000-0x00007FF9FD47A000-memory.dmp

Filesize
1.5MB

Download
memory/4484-150-0x0000000000000000-mapping.dmp

Download