dridex | c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794

Analysis

max time kernel
158s
max time network
127s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794.dll
Size

1.5MB
MD5

9b7b23ecfe0f8461fd0d9a7e5e590e31
SHA1

616a00949db4ce3fb3e13ddfda0f288ad39d2877
SHA256

c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794
SHA512

1f715cf068481951a697caa17ed94ddf3afec21186de5674d4d138a2ae8635e8f5879053fca0ec99bf33169737d8298146f000702a900487a8c5f45d5bc53875

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1368-59-0x00000000029B0000-0x00000000029B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

psr.exeMpSigStub.exeBitLockerWizard.exe

pid process

276 psr.exe
1068 MpSigStub.exe
1920 BitLockerWizard.exe
Loads dropped DLL 7 IoCs

Processes:

psr.exeMpSigStub.exeBitLockerWizard.exe

pid process

1368
276 psr.exe
1368
1068 MpSigStub.exe
1368
1920 BitLockerWizard.exe
1368

pid	process
276	psr.exe
1068	MpSigStub.exe
1920	BitLockerWizard.exe

pid	process
1368
276	psr.exe
1368
1068	MpSigStub.exe
1368
1920	BitLockerWizard.exe
1368

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\8Sfau\\MpSigStub.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exepsr.exeMpSigStub.exeBitLockerWizard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
608	rundll32.exe
608	rundll32.exe
608	rundll32.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exepsr.exeMpSigStub.exeBitLockerWizard.exe

pid process

608 rundll32.exe
1368
276 psr.exe
1068 MpSigStub.exe
1920 BitLockerWizard.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1368 wrote to memory of 1972	1368	psr.exe
PID 1368 wrote to memory of 1972	1368	psr.exe
PID 1368 wrote to memory of 1972	1368	psr.exe
PID 1368 wrote to memory of 276	1368	psr.exe
PID 1368 wrote to memory of 276	1368	psr.exe
PID 1368 wrote to memory of 276	1368	psr.exe
PID 1368 wrote to memory of 1528	1368	MpSigStub.exe
PID 1368 wrote to memory of 1528	1368	MpSigStub.exe
PID 1368 wrote to memory of 1528	1368	MpSigStub.exe
PID 1368 wrote to memory of 1068	1368	MpSigStub.exe
PID 1368 wrote to memory of 1068	1368	MpSigStub.exe
PID 1368 wrote to memory of 1068	1368	MpSigStub.exe
PID 1368 wrote to memory of 296	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 296	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 296	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 1920	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 1920	1368	BitLockerWizard.exe
PID 1368 wrote to memory of 1920	1368	BitLockerWizard.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c876113220b534ba1da612f3ca0eb30a735548a20e6b70b5bf547bc7ce3e1794.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:608

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:1972

C:\Users\Admin\AppData\Local\0tayHRLNz\psr.exe
C:\Users\Admin\AppData\Local\0tayHRLNz\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:276

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:1528

C:\Users\Admin\AppData\Local\LRe5e\MpSigStub.exe
C:\Users\Admin\AppData\Local\LRe5e\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1068

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:296

C:\Users\Admin\AppData\Local\dyIuG\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\dyIuG\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0tayHRLNz\VERSION.dll

MD5
d90670502a3acb3e443a66815ed12d51

SHA1
558d26b3df593fb4349b7e080b54d41991d9a4ab

SHA256
d7f7ca3bc349ecb5fc4a25ea8cf73a15144113d0fbe53ab214d040a802be2341

SHA512
a5d6c307eb6e00237d754f1c3e11760029965d521c0ee193e5d7753c7dfd8b8e856d8659f6dbab5b093b4008a9e100a56bb3edaacb397ec2791e954b48bb0cd5

Download Submit
C:\Users\Admin\AppData\Local\0tayHRLNz\psr.exe

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
C:\Users\Admin\AppData\Local\LRe5e\MpSigStub.exe

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
C:\Users\Admin\AppData\Local\LRe5e\VERSION.dll

MD5
2129503c0514a0ffa0820885851de2dd

SHA1
6e202d58579f4f79941aa93a3e30aab05c298b7f

SHA256
eddce2e401484a82cba45b4bb145bea169c46cba3e731e68ba36b87a309c60bf

SHA512
e7866d72e3c93b54cb6c4e5379bf36c02633ccf65d466e083d15f6ffea463e593a5fb9cc92bda47e54f38c6c88c2845837e646792bb3c5e76c13b3079085f4df

Download Submit
C:\Users\Admin\AppData\Local\dyIuG\BitLockerWizard.exe

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
C:\Users\Admin\AppData\Local\dyIuG\FVEWIZ.dll

MD5
ab02968a50c4c1dc2d9b3028fae95f70

SHA1
43fe7fcdc7f43bd281ada87faba4c866aceaa953

SHA256
76cdec78a482f7dd0d44e7e92c0e0398ad75001fc3d044d06e90502242b3177c

SHA512
17d7d0015113fe84eb127a1434309cbd6745a51ae64b631ed6088434c931669c872dd05a778aaf58d6104adfc8604c1ee4e1dfedda82c5b3c05ee16e0d075c06

Download Submit
\Users\Admin\AppData\Local\0tayHRLNz\VERSION.dll

MD5
d90670502a3acb3e443a66815ed12d51

SHA1
558d26b3df593fb4349b7e080b54d41991d9a4ab

SHA256
d7f7ca3bc349ecb5fc4a25ea8cf73a15144113d0fbe53ab214d040a802be2341

SHA512
a5d6c307eb6e00237d754f1c3e11760029965d521c0ee193e5d7753c7dfd8b8e856d8659f6dbab5b093b4008a9e100a56bb3edaacb397ec2791e954b48bb0cd5

Download Submit
\Users\Admin\AppData\Local\0tayHRLNz\psr.exe

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\LRe5e\MpSigStub.exe

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\LRe5e\VERSION.dll

MD5
2129503c0514a0ffa0820885851de2dd

SHA1
6e202d58579f4f79941aa93a3e30aab05c298b7f

SHA256
eddce2e401484a82cba45b4bb145bea169c46cba3e731e68ba36b87a309c60bf

SHA512
e7866d72e3c93b54cb6c4e5379bf36c02633ccf65d466e083d15f6ffea463e593a5fb9cc92bda47e54f38c6c88c2845837e646792bb3c5e76c13b3079085f4df

Download Submit
\Users\Admin\AppData\Local\dyIuG\BitLockerWizard.exe

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
\Users\Admin\AppData\Local\dyIuG\FVEWIZ.dll

MD5
ab02968a50c4c1dc2d9b3028fae95f70

SHA1
43fe7fcdc7f43bd281ada87faba4c866aceaa953

SHA256
76cdec78a482f7dd0d44e7e92c0e0398ad75001fc3d044d06e90502242b3177c

SHA512
17d7d0015113fe84eb127a1434309cbd6745a51ae64b631ed6088434c931669c872dd05a778aaf58d6104adfc8604c1ee4e1dfedda82c5b3c05ee16e0d075c06

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\9sn\BitLockerWizard.exe

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
memory/276-90-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/276-87-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/276-85-0x0000000000000000-mapping.dmp

Download
memory/608-55-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/608-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1068-94-0x0000000000000000-mapping.dmp

Download
memory/1368-68-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-69-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-83-0x0000000077160000-0x0000000077162000-memory.dmp

Filesize
8KB

Download
memory/1368-77-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-75-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-74-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-73-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-72-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-71-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-65-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-70-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-76-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-66-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-67-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-64-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-60-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-59-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1368-63-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-61-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1368-62-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1920-102-0x0000000000000000-mapping.dmp

Download