dridex | 4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35

Analysis

max time kernel
157s
max time network
147s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35.dll
Size

1.4MB
MD5

ec7196719cd7072437a15963ec474858
SHA1

371c3f1ace0a466b1da2ea4773966c3762602c72
SHA256

4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35
SHA512

e398d4295a42f215a1adce34107b5111df0c4b66b891b714ee572c6863921ed904b96c6873f143c3ae7ba9c6a5351a0e50a7d1834ae19d149ed8b95a86b1fa32

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3024-124-0x00000000007B0000-0x00000000007B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Taskmgr.exeSystemPropertiesHardware.exeSppExtComObj.Exe

pid process

1048 Taskmgr.exe
1780 SystemPropertiesHardware.exe
2220 SppExtComObj.Exe

pid	process
1048	Taskmgr.exe
1780	SystemPropertiesHardware.exe
2220	SppExtComObj.Exe

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ATy
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ATy\ACTIVEDS.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ATy\SppExtComObj.Exe

Loads dropped DLL 3 IoCs

Processes:

Taskmgr.exeSystemPropertiesHardware.exeSppExtComObj.Exe

pid process

1048 Taskmgr.exe
1780 SystemPropertiesHardware.exe
2220 SppExtComObj.Exe

pid	process
1048	Taskmgr.exe
1780	SystemPropertiesHardware.exe
2220	SppExtComObj.Exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\F9RV4PH\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SppExtComObj.Exerundll32.exeTaskmgr.exeSystemPropertiesHardware.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3388	rundll32.exe
3388	rundll32.exe
3388	rundll32.exe
3388	rundll32.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeTaskmgr.exeSystemPropertiesHardware.exeSppExtComObj.Exe

pid process

3388 rundll32.exe
3024
1048 Taskmgr.exe
1780 SystemPropertiesHardware.exe
2220 SppExtComObj.Exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3024 wrote to memory of 2936	3024	Taskmgr.exe
PID 3024 wrote to memory of 2936	3024	Taskmgr.exe
PID 3024 wrote to memory of 1048	3024	Taskmgr.exe
PID 3024 wrote to memory of 1048	3024	Taskmgr.exe
PID 3024 wrote to memory of 3960	3024	SystemPropertiesHardware.exe
PID 3024 wrote to memory of 3960	3024	SystemPropertiesHardware.exe
PID 3024 wrote to memory of 1780	3024	SystemPropertiesHardware.exe
PID 3024 wrote to memory of 1780	3024	SystemPropertiesHardware.exe
PID 3024 wrote to memory of 1168	3024	SppExtComObj.Exe
PID 3024 wrote to memory of 1168	3024	SppExtComObj.Exe
PID 3024 wrote to memory of 2220	3024	SppExtComObj.Exe
PID 3024 wrote to memory of 2220	3024	SppExtComObj.Exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3388

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:2936

C:\Users\Admin\AppData\Local\yqH0NmOAr\Taskmgr.exe
C:\Users\Admin\AppData\Local\yqH0NmOAr\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1048

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:3960

C:\Users\Admin\AppData\Local\LHOEnZx\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\LHOEnZx\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1780

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:1168

C:\Users\Admin\AppData\Local\gVHW23\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\gVHW23\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\LHOEnZx\SYSDM.CPL
MD5
1ea241ecfeb587e8c29f2ab5141d2da9

SHA1
c052922c330300f37d23ee65788df217699100d7

SHA256
89c06433513e6e11186e07532fb65e7322f2bb28b1d4340cacd2936ee408ad36

SHA512
d178d37872b0f7b3f4343735ec37324575662efbfcbc1a54f3b17e057459702577d78026f3a461e6c8bf6d751f34ab3497855643f9a489590cd340758c39fc85

Download Submit
C:\Users\Admin\AppData\Local\LHOEnZx\SystemPropertiesHardware.exe
MD5
77d266ce67f1e90754104f1ca9826f40

SHA1
dc91784a12a428138041d6f7a906225166ca971f

SHA256
3b6aee5955c5b3cba16714741d7d7dca78a1c9f0c413e2c84c96fad246dd6392

SHA512
681be179bcc038f3ed6e7d60224c166fa158e50a1d51c9f452d5377a87e961f6b0c0378f8878fb2bffe1ac7da7b8ab47d56ca9db31260a2158917a563a5799a8

Download Submit
C:\Users\Admin\AppData\Local\gVHW23\ACTIVEDS.dll
MD5
f11b6661a1b6f3408228934017f178f3

SHA1
5e40da6569db8d0c6938e43e6a6eab86c41ca2a5

SHA256
99110ae509069921a7a61b56b3e7774effcd629e854f6621789dca5cd8e1a3f1

SHA512
d71025b313da9d03a941b80de5047ed068cc44994e043b537ecdaeaf669bceb5653ee3cef5f931a994dc09fdab29f2110fcc28b6ade94f16a32280a82c32fdbb

Download Submit
C:\Users\Admin\AppData\Local\gVHW23\SppExtComObj.Exe
MD5
923824efa9f60f1ef53a467253941553

SHA1
6405859f261189d3dc15e6fa8040fc2cb23c6499

SHA256
28b704870730b01d31e24a51502fd4bfcf23f15d2f482ea4aadc12da0f5f8065

SHA512
8bc7eba28740aa2b569ce8cf57e4a5fc7230efe8251dc7d00b50a1ea7c560266d1970e48a7b1900c75eac3267ff9542fe420abd5a1e2b27380d6c4ab748eb3c3

Download Submit
C:\Users\Admin\AppData\Local\yqH0NmOAr\DUser.dll
MD5
e79fce25df8b2f5824eb580d292ba2d6

SHA1
ade1a76468219b50d6730dda32ea375b4956dab4

SHA256
70cb3d7c074a793f39e40dc9aa5c3d188ed8bb4eeff4b72063f3e9a4d304000c

SHA512
77d33d0470156abe831edd05537d9c71566ff4bb4fbccb382b7ce5751ba70d54b14de86531d3121eb5a9b5e65f5c524ec141382f38b7318b02193ad8dee416be

Download Submit
C:\Users\Admin\AppData\Local\yqH0NmOAr\Taskmgr.exe
MD5
d3ef2efc7232674315e0573e464e8aa7

SHA1
237ee3acc4743d05858056e09147a071b6e956e7

SHA256
feecaba50bc95bd6540e5a075693d6dc961a9d5ef86f1bfb38f7bcde6e757472

SHA512
1e03b1ad8059c28bfaa42f63626f2025cf1659266323255871a90b5ef2db9ab754ba4ffe9abe37bf3f5d92e494231c5fb81ba4d893f3a9833c2a5edf23825cc5

Download Submit
\Users\Admin\AppData\Local\LHOEnZx\SYSDM.CPL
MD5
1ea241ecfeb587e8c29f2ab5141d2da9

SHA1
c052922c330300f37d23ee65788df217699100d7

SHA256
89c06433513e6e11186e07532fb65e7322f2bb28b1d4340cacd2936ee408ad36

SHA512
d178d37872b0f7b3f4343735ec37324575662efbfcbc1a54f3b17e057459702577d78026f3a461e6c8bf6d751f34ab3497855643f9a489590cd340758c39fc85

Download Submit
\Users\Admin\AppData\Local\gVHW23\ACTIVEDS.dll
MD5
f11b6661a1b6f3408228934017f178f3

SHA1
5e40da6569db8d0c6938e43e6a6eab86c41ca2a5

SHA256
99110ae509069921a7a61b56b3e7774effcd629e854f6621789dca5cd8e1a3f1

SHA512
d71025b313da9d03a941b80de5047ed068cc44994e043b537ecdaeaf669bceb5653ee3cef5f931a994dc09fdab29f2110fcc28b6ade94f16a32280a82c32fdbb

Download Submit
\Users\Admin\AppData\Local\yqH0NmOAr\DUser.dll
MD5
e79fce25df8b2f5824eb580d292ba2d6

SHA1
ade1a76468219b50d6730dda32ea375b4956dab4

SHA256
70cb3d7c074a793f39e40dc9aa5c3d188ed8bb4eeff4b72063f3e9a4d304000c

SHA512
77d33d0470156abe831edd05537d9c71566ff4bb4fbccb382b7ce5751ba70d54b14de86531d3121eb5a9b5e65f5c524ec141382f38b7318b02193ad8dee416be

Download Submit
memory/1048-165-0x000001E498540000-0x000001E498542000-memory.dmp

Filesize
8KB

Download
memory/1048-156-0x0000000000000000-mapping.dmp

Download
memory/1048-164-0x000001E498540000-0x000001E498542000-memory.dmp

Filesize
8KB

Download
memory/1048-163-0x000001E498540000-0x000001E498542000-memory.dmp

Filesize
8KB

Download
memory/1048-160-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/1780-173-0x000002ABF7940000-0x000002ABF7942000-memory.dmp

Filesize
8KB

Download
memory/1780-174-0x000002ABF7940000-0x000002ABF7942000-memory.dmp

Filesize
8KB

Download
memory/1780-175-0x000002ABF7940000-0x000002ABF7942000-memory.dmp

Filesize
8KB

Download
memory/1780-166-0x0000000000000000-mapping.dmp

Download
memory/2220-176-0x0000000000000000-mapping.dmp

Download
memory/2220-184-0x000001CF6BFA0000-0x000001CF6BFA2000-memory.dmp

Filesize
8KB

Download
memory/2220-183-0x000001CF6BFA0000-0x000001CF6BFA2000-memory.dmp

Filesize
8KB

Download
memory/2220-185-0x000001CF6BFA0000-0x000001CF6BFA2000-memory.dmp

Filesize
8KB

Download
memory/3024-133-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-136-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-144-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-145-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-151-0x0000000000810000-0x0000000000812000-memory.dmp

Filesize
8KB

Download
memory/3024-152-0x0000000000810000-0x0000000000812000-memory.dmp

Filesize
8KB

Download
memory/3024-153-0x00007FFA99115000-0x00007FFA99116000-memory.dmp

Filesize
4KB

Download
memory/3024-154-0x0000000000810000-0x0000000000812000-memory.dmp

Filesize
8KB

Download
memory/3024-155-0x00007FFA99030000-0x00007FFA99040000-memory.dmp

Filesize
64KB

Download
memory/3024-142-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-141-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-140-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-139-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-138-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-137-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-143-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-135-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-134-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-124-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/3024-132-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-131-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-130-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-129-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-128-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-127-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-125-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3024-126-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3388-118-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/3388-123-0x0000016FE0490000-0x0000016FE0497000-memory.dmp

Filesize
28KB

Download
memory/3388-122-0x0000016FE04A0000-0x0000016FE04A2000-memory.dmp

Filesize
8KB

Download
memory/3388-121-0x0000016FE04A0000-0x0000016FE04A2000-memory.dmp

Filesize
8KB

Download