dridex | abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41

Analysis

max time kernel
153s
max time network
117s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41.dll
Size

1.4MB
MD5

1e4c7c247cceb3a4b9c588c638bc878b
SHA1

f72d2ad6c232ae4772f22e32ea40e1bf5d2abf4b
SHA256

abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41
SHA512

3bd569ca93e16849e3fd24cee6f649b78221753b1de8ebb581dca20742a61890cb77feeda830ed21e798b0c918a2b0681d4c221a1e3aae87a005f8dd22f9ac1d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1268-60-0x0000000002B70000-0x0000000002B71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

VaultSysUi.exeSystemPropertiesHardware.exetcmsetup.exe

pid process

1064 VaultSysUi.exe
1356 SystemPropertiesHardware.exe
1332 tcmsetup.exe
Loads dropped DLL 8 IoCs

Processes:

VaultSysUi.exeSystemPropertiesHardware.exetcmsetup.exe

pid process

1268
1268
1064 VaultSysUi.exe
1268
1356 SystemPropertiesHardware.exe
1268
1332 tcmsetup.exe
1268

pid	process
1064	VaultSysUi.exe
1356	SystemPropertiesHardware.exe
1332	tcmsetup.exe

pid	process
1268
1268
1064	VaultSysUi.exe
1268
1356	SystemPropertiesHardware.exe
1268
1332	tcmsetup.exe
1268

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\LArDmATtq\\SystemPropertiesHardware.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeVaultSysUi.exeSystemPropertiesHardware.exetcmsetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VaultSysUi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeVaultSysUi.exeSystemPropertiesHardware.exe

pid	process
1600	rundll32.exe
1600	rundll32.exe
1600	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1064	VaultSysUi.exe
1064	VaultSysUi.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1356	SystemPropertiesHardware.exe
1356	SystemPropertiesHardware.exe
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1268

pid	process
1268

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 1560	1268	VaultSysUi.exe
PID 1268 wrote to memory of 1560	1268	VaultSysUi.exe
PID 1268 wrote to memory of 1560	1268	VaultSysUi.exe
PID 1268 wrote to memory of 1064	1268	VaultSysUi.exe
PID 1268 wrote to memory of 1064	1268	VaultSysUi.exe
PID 1268 wrote to memory of 1064	1268	VaultSysUi.exe
PID 1268 wrote to memory of 1628	1268	SystemPropertiesHardware.exe
PID 1268 wrote to memory of 1628	1268	SystemPropertiesHardware.exe
PID 1268 wrote to memory of 1628	1268	SystemPropertiesHardware.exe
PID 1268 wrote to memory of 1356	1268	SystemPropertiesHardware.exe
PID 1268 wrote to memory of 1356	1268	SystemPropertiesHardware.exe
PID 1268 wrote to memory of 1356	1268	SystemPropertiesHardware.exe
PID 1268 wrote to memory of 1412	1268	tcmsetup.exe
PID 1268 wrote to memory of 1412	1268	tcmsetup.exe
PID 1268 wrote to memory of 1412	1268	tcmsetup.exe
PID 1268 wrote to memory of 1332	1268	tcmsetup.exe
PID 1268 wrote to memory of 1332	1268	tcmsetup.exe
PID 1268 wrote to memory of 1332	1268	tcmsetup.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
1⤵
PID:1560

C:\Users\Admin\AppData\Local\nzWQhJ5p\VaultSysUi.exe
C:\Users\Admin\AppData\Local\nzWQhJ5p\VaultSysUi.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1628

C:\Users\Admin\AppData\Local\PqShV1\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\PqShV1\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:1412

C:\Users\Admin\AppData\Local\rWz33DLW6\tcmsetup.exe
C:\Users\Admin\AppData\Local\rWz33DLW6\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1332

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PqShV1\SYSDM.CPL
MD5
ff937609e0bcd6cabaabd74c30be42bc

SHA1
08e544df19da9333d89c2c103c2b394c9edf5f53

SHA256
43d67970ac29d3e7c95c6915d74f25e1e60b4770883f5b9f674aa44d84d1190f

SHA512
94ced51c1c4e31fead1b0d5d990b5801517131df91724b1f8b98ab0a18178cb4b65924708b0f0fe3f8fa37cde455931c6832b89d1a2fac8b095d2dc078f0f165

Download Submit
C:\Users\Admin\AppData\Local\PqShV1\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
C:\Users\Admin\AppData\Local\nzWQhJ5p\VaultSysUi.exe
MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
C:\Users\Admin\AppData\Local\nzWQhJ5p\credui.dll
MD5
4dd00dba31cc81145fdfbed3ff29fda7

SHA1
e3567159aeb5fa595de9d81485770873f1762c46

SHA256
dcab170efc19e58a6c27ef1cc4a15ad3ea0514b8d3d5ab870add6dc2b35d2048

SHA512
4132a76d3e35f967c3e3e638becac787b2112da2189f6c9f97ec84724a38f9749859d4d9aeb2420b7ba1fa0065395501fbbccbe48450cf8500d7b5e50fdadba0

Download Submit
C:\Users\Admin\AppData\Local\rWz33DLW6\TAPI32.dll
MD5
e39e56277f9aedbdb2ab595381657952

SHA1
e86a0a0e2378ec998356b79e85b8710f35d32789

SHA256
4435e245b2d0378bb6ed488dd1b51d5bb659bf0b7ddea879d5c3176971ea1bb0

SHA512
de952df0027209c54c27c5e69962d9444ebe69272f650fa1ce9bbcae1017e8858d77ff7f34134ccbb3e9980502182475c94626dc033bec951a2144daf24d72fb

Download Submit
C:\Users\Admin\AppData\Local\rWz33DLW6\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Local\PqShV1\SYSDM.CPL
MD5
ff937609e0bcd6cabaabd74c30be42bc

SHA1
08e544df19da9333d89c2c103c2b394c9edf5f53

SHA256
43d67970ac29d3e7c95c6915d74f25e1e60b4770883f5b9f674aa44d84d1190f

SHA512
94ced51c1c4e31fead1b0d5d990b5801517131df91724b1f8b98ab0a18178cb4b65924708b0f0fe3f8fa37cde455931c6832b89d1a2fac8b095d2dc078f0f165

Download Submit
\Users\Admin\AppData\Local\PqShV1\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\nzWQhJ5p\VaultSysUi.exe
MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\nzWQhJ5p\VaultSysUi.exe
MD5
f40ef105d94350d36c799ee23f7fec0f

SHA1
ee3a5cfe8b807e1c1718a27eb97fa134360816e3

SHA256
eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

SHA512
f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

Download Submit
\Users\Admin\AppData\Local\nzWQhJ5p\credui.dll
MD5
4dd00dba31cc81145fdfbed3ff29fda7

SHA1
e3567159aeb5fa595de9d81485770873f1762c46

SHA256
dcab170efc19e58a6c27ef1cc4a15ad3ea0514b8d3d5ab870add6dc2b35d2048

SHA512
4132a76d3e35f967c3e3e638becac787b2112da2189f6c9f97ec84724a38f9749859d4d9aeb2420b7ba1fa0065395501fbbccbe48450cf8500d7b5e50fdadba0

Download Submit
\Users\Admin\AppData\Local\rWz33DLW6\TAPI32.dll
MD5
e39e56277f9aedbdb2ab595381657952

SHA1
e86a0a0e2378ec998356b79e85b8710f35d32789

SHA256
4435e245b2d0378bb6ed488dd1b51d5bb659bf0b7ddea879d5c3176971ea1bb0

SHA512
de952df0027209c54c27c5e69962d9444ebe69272f650fa1ce9bbcae1017e8858d77ff7f34134ccbb3e9980502182475c94626dc033bec951a2144daf24d72fb

Download Submit
\Users\Admin\AppData\Local\rWz33DLW6\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\bgjOSJ\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
memory/1064-95-0x000007FEFB000000-0x000007FEFB165000-memory.dmp

Filesize
1.4MB

Download
memory/1064-91-0x0000000000000000-mapping.dmp

Download
memory/1268-82-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-81-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-72-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-71-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-70-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-69-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-68-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-67-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-66-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-83-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-88-0x00000000776F0000-0x00000000776F2000-memory.dmp

Filesize
8KB

Download
memory/1268-74-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-75-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-76-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-77-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-73-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-60-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/1268-78-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-79-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-61-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-80-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-65-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-64-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-62-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1268-63-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1332-109-0x0000000000000000-mapping.dmp

Download
memory/1332-113-0x000007FEF6B30000-0x000007FEF6C96000-memory.dmp

Filesize
1.4MB

Download
memory/1356-104-0x000007FEF6B30000-0x000007FEF6C95000-memory.dmp

Filesize
1.4MB

Download
memory/1356-100-0x0000000000000000-mapping.dmp

Download
memory/1600-55-0x000007FEF6B30000-0x000007FEF6C94000-memory.dmp

Filesize
1.4MB

Download
memory/1600-59-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads