dridex | 1424567126d25f416f5368a61891158af6cd71fcf72a337affedbaa0360db816

Analysis

max time kernel
152s
max time network
128s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1424567126d25f416f5368a61891158af6cd71fcf72a337affedbaa0360db816.dll
Size

1.4MB
MD5

68e9d541c4cd375f03051c96191ba135
SHA1

8174c682609623084c550515d95dc25aca40db33
SHA256

1424567126d25f416f5368a61891158af6cd71fcf72a337affedbaa0360db816
SHA512

1b35f41092842370b49b46066c5e3325f51f24f00f96be2379c1107e1faf9620a3cfdf86d23511ddae9eb2d91e4171835cdc374d697ac4e32fa5d058bca03a86

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2792-121-0x0000000001270000-0x0000000001271000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cttune.exePresentationHost.exeCameraSettingsUIHost.exe

pid process

1916 cttune.exe
3880 PresentationHost.exe
2716 CameraSettingsUIHost.exe
Loads dropped DLL 4 IoCs

Processes:

cttune.exePresentationHost.exeCameraSettingsUIHost.exe

pid process

1916 cttune.exe
3880 PresentationHost.exe
3880 PresentationHost.exe
2716 CameraSettingsUIHost.exe

pid	process
1916	cttune.exe
3880	PresentationHost.exe
2716	CameraSettingsUIHost.exe

pid	process
1916	cttune.exe
3880	PresentationHost.exe
3880	PresentationHost.exe
2716	CameraSettingsUIHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\mr9607SBa\\PresentationHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execttune.exePresentationHost.exeCameraSettingsUIHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1744	rundll32.exe
1744	rundll32.exe
1744	rundll32.exe
1744	rundll32.exe
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792
2792

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.execttune.exePresentationHost.exeCameraSettingsUIHost.exe

pid process

1744 rundll32.exe
2792
1916 cttune.exe
3880 PresentationHost.exe
2716 CameraSettingsUIHost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2792 wrote to memory of 3532	2792	cttune.exe
PID 2792 wrote to memory of 3532	2792	cttune.exe
PID 2792 wrote to memory of 1916	2792	cttune.exe
PID 2792 wrote to memory of 1916	2792	cttune.exe
PID 2792 wrote to memory of 4068	2792	PresentationHost.exe
PID 2792 wrote to memory of 4068	2792	PresentationHost.exe
PID 2792 wrote to memory of 3880	2792	PresentationHost.exe
PID 2792 wrote to memory of 3880	2792	PresentationHost.exe
PID 2792 wrote to memory of 2812	2792	CameraSettingsUIHost.exe
PID 2792 wrote to memory of 2812	2792	CameraSettingsUIHost.exe
PID 2792 wrote to memory of 2716	2792	CameraSettingsUIHost.exe
PID 2792 wrote to memory of 2716	2792	CameraSettingsUIHost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1424567126d25f416f5368a61891158af6cd71fcf72a337affedbaa0360db816.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1744

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:3532

C:\Users\Admin\AppData\Local\srnzg\cttune.exe
C:\Users\Admin\AppData\Local\srnzg\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1916

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:4068

C:\Users\Admin\AppData\Local\YyrbkZsl\PresentationHost.exe
C:\Users\Admin\AppData\Local\YyrbkZsl\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3880

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:2812

C:\Users\Admin\AppData\Local\TiR\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\TiR\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TiR\CameraSettingsUIHost.exe
MD5
a2f3bedc6124ad9d582ebd5086be2aa2

SHA1
5586e7796ea73cfb4aac094905b334b12de8a151

SHA256
dd3ceee2dcd4884fbd46676045ab4a02ce4c0a0a4ad13ab54364c6e136c259a0

SHA512
9dc1909e07326c55c2eff881b31d0146a595010a8ae78ae9afd64093b2b691c75f68de873acee27d2093a34c0431ee81e693d24d8241c2f4805590a11be9d07b

Download Submit
C:\Users\Admin\AppData\Local\TiR\DUI70.dll
MD5
6bbc329cf1cb1580e229297d4f655e80

SHA1
b94a0788369f6fc95c8e47b64b4f20173baac32f

SHA256
ebdb1106f12d99a9bf2a73b766ce539423fa111abce18be4be6dfefcaff4b602

SHA512
e2ad8f77148c015850b70c4fab159373f7f1ac73f6f93e6b907b6fee5da957a9c89433a746ec22ab633c82a05f81035042cd0f34a0827b00628dcdc9a4e4a391

Download Submit
C:\Users\Admin\AppData\Local\YyrbkZsl\PresentationHost.exe
MD5
7009b2746734a3538e7735cf24f3c93b

SHA1
f994c53697e0d9b6ab2b5d5dd5f31fafa30109b1

SHA256
d0011ec1f0e14a3c6a515df997268a851c98722472f21c03b0fdc6477f14fdb7

SHA512
7934cc17f7bbb6ec8b0f3fb4c775b21885693eaf3e332de97b14f294dac7a189801eeb6165dfc04e2a9aa019c444a9af65d498926fe9dc0c4fc1b71ba272f89b

Download Submit
C:\Users\Admin\AppData\Local\YyrbkZsl\VERSION.dll
MD5
3db97a3cc94128f308796acbc83f650d

SHA1
09a457cccb5b49ec31f09b4c993b3506aebd74d0

SHA256
6af4f69b38191f0d2ba765fc5b0a873bd5ef4dd5131c45b6567ee76e03ea8ae2

SHA512
27f7069eff2792243cffa342eed20010266bade6d7a5d4b0ee5987f1647fa65523d3a64ff6b5e62cb5b7864d531075f0ce794132b95dd80c9deda9a63be29cb2

Download Submit
C:\Users\Admin\AppData\Local\srnzg\OLEACC.dll
MD5
098f4ee7b7557dcef9510c0805d1786e

SHA1
a654490309e1499a6b049cf0e90821adeae211ea

SHA256
3e0d13d71b9ff1afed3b4055623ef3a6e9da8db027ea4578872aeff02bcc6754

SHA512
65936ab2ee561167ea900953023ac92af1319207141d31e21d1387c4924859c784d8a928debd0db7b304342e5a9f3748a19df5814a9c58d3840de3301fc16ea4

Download Submit
C:\Users\Admin\AppData\Local\srnzg\cttune.exe
MD5
887390cd049aedae8c83df04c85cb20d

SHA1
99402bf01ac3f8cbbd0f91259dae2d0366f5b3dd

SHA256
634a828bbd959e42e5804e3ea1426c3dc575ba4c2a0551ed3c153d823f2da423

SHA512
6541bc8f2987da431b9435cecb085898ebd9d2496d04472b14d31f69df1653f8e77b95906e2b0e38e7df022b3bb58f1180f5ca42213fbf4dbbafc28d26d0f108

Download Submit
\Users\Admin\AppData\Local\TiR\DUI70.dll
MD5
6bbc329cf1cb1580e229297d4f655e80

SHA1
b94a0788369f6fc95c8e47b64b4f20173baac32f

SHA256
ebdb1106f12d99a9bf2a73b766ce539423fa111abce18be4be6dfefcaff4b602

SHA512
e2ad8f77148c015850b70c4fab159373f7f1ac73f6f93e6b907b6fee5da957a9c89433a746ec22ab633c82a05f81035042cd0f34a0827b00628dcdc9a4e4a391

Download Submit
\Users\Admin\AppData\Local\YyrbkZsl\VERSION.dll
MD5
3db97a3cc94128f308796acbc83f650d

SHA1
09a457cccb5b49ec31f09b4c993b3506aebd74d0

SHA256
6af4f69b38191f0d2ba765fc5b0a873bd5ef4dd5131c45b6567ee76e03ea8ae2

SHA512
27f7069eff2792243cffa342eed20010266bade6d7a5d4b0ee5987f1647fa65523d3a64ff6b5e62cb5b7864d531075f0ce794132b95dd80c9deda9a63be29cb2

Download Submit
\Users\Admin\AppData\Local\YyrbkZsl\VERSION.dll
MD5
3db97a3cc94128f308796acbc83f650d

SHA1
09a457cccb5b49ec31f09b4c993b3506aebd74d0

SHA256
6af4f69b38191f0d2ba765fc5b0a873bd5ef4dd5131c45b6567ee76e03ea8ae2

SHA512
27f7069eff2792243cffa342eed20010266bade6d7a5d4b0ee5987f1647fa65523d3a64ff6b5e62cb5b7864d531075f0ce794132b95dd80c9deda9a63be29cb2

Download Submit
\Users\Admin\AppData\Local\srnzg\OLEACC.dll
MD5
098f4ee7b7557dcef9510c0805d1786e

SHA1
a654490309e1499a6b049cf0e90821adeae211ea

SHA256
3e0d13d71b9ff1afed3b4055623ef3a6e9da8db027ea4578872aeff02bcc6754

SHA512
65936ab2ee561167ea900953023ac92af1319207141d31e21d1387c4924859c784d8a928debd0db7b304342e5a9f3748a19df5814a9c58d3840de3301fc16ea4

Download Submit
memory/1744-120-0x000001CC69530000-0x000001CC69537000-memory.dmp

Filesize
28KB

Download
memory/1744-118-0x000001CC696E0000-0x000001CC696E2000-memory.dmp

Filesize
8KB

Download
memory/1744-119-0x000001CC696E0000-0x000001CC696E2000-memory.dmp

Filesize
8KB

Download
memory/1744-115-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1916-158-0x000002A80C250000-0x000002A80C252000-memory.dmp

Filesize
8KB

Download
memory/1916-159-0x000002A80C250000-0x000002A80C252000-memory.dmp

Filesize
8KB

Download
memory/1916-150-0x0000000000000000-mapping.dmp

Download
memory/1916-157-0x000002A80C250000-0x000002A80C252000-memory.dmp

Filesize
8KB

Download
memory/1916-154-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/2716-171-0x0000000000000000-mapping.dmp

Download
memory/2716-175-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/2716-178-0x00000233BF9C0000-0x00000233BF9C2000-memory.dmp

Filesize
8KB

Download
memory/2716-179-0x00000233BF9C0000-0x00000233BF9C2000-memory.dmp

Filesize
8KB

Download
memory/2716-180-0x00000233BF9C0000-0x00000233BF9C2000-memory.dmp

Filesize
8KB

Download
memory/2792-131-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-132-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-148-0x0000000001250000-0x0000000001252000-memory.dmp

Filesize
8KB

Download
memory/2792-149-0x00007FFD03D40000-0x00007FFD03D42000-memory.dmp

Filesize
8KB

Download
memory/2792-146-0x0000000001250000-0x0000000001252000-memory.dmp

Filesize
8KB

Download
memory/2792-145-0x0000000001250000-0x0000000001252000-memory.dmp

Filesize
8KB

Download
memory/2792-139-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-138-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-137-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-136-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-135-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-134-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-121-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/2792-133-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-127-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-147-0x00007FFD03C05000-0x00007FFD03C06000-memory.dmp

Filesize
4KB

Download
memory/2792-130-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-122-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-123-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-124-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-125-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-129-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-128-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/2792-126-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3880-170-0x000001A1911E0000-0x000001A1911E2000-memory.dmp

Filesize
8KB

Download
memory/3880-169-0x000001A1911E0000-0x000001A1911E2000-memory.dmp

Filesize
8KB

Download
memory/3880-168-0x000001A1911E0000-0x000001A1911E2000-memory.dmp

Filesize
8KB

Download
memory/3880-165-0x000001A1913C0000-0x000001A191522000-memory.dmp

Filesize
1.4MB

Download
memory/3880-160-0x0000000000000000-mapping.dmp

Download