dridex | abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41

Analysis

max time kernel
152s
max time network
133s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41.dll
Size

1.4MB
MD5

1e4c7c247cceb3a4b9c588c638bc878b
SHA1

f72d2ad6c232ae4772f22e32ea40e1bf5d2abf4b
SHA256

abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41
SHA512

3bd569ca93e16849e3fd24cee6f649b78221753b1de8ebb581dca20742a61890cb77feeda830ed21e798b0c918a2b0681d4c221a1e3aae87a005f8dd22f9ac1d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3040-125-0x00000000009C0000-0x00000000009C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesProtection.exeCloudNotifications.exebdeunlock.exe

pid process

1032 SystemPropertiesProtection.exe
3596 CloudNotifications.exe
3776 bdeunlock.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesProtection.exeCloudNotifications.exebdeunlock.exe

pid process

1032 SystemPropertiesProtection.exe
3596 CloudNotifications.exe
3776 bdeunlock.exe

pid	process
1032	SystemPropertiesProtection.exe
3596	CloudNotifications.exe
3776	bdeunlock.exe

pid	process
1032	SystemPropertiesProtection.exe
3596	CloudNotifications.exe
3776	bdeunlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\fMyFXl\\CLOUDN~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesProtection.exeCloudNotifications.exebdeunlock.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CloudNotifications.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSystemPropertiesProtection.exe

pid	process
2580	rundll32.exe
2580	rundll32.exe
2580	rundll32.exe
2580	rundll32.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
1032	SystemPropertiesProtection.exe
1032	SystemPropertiesProtection.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3040

pid	process
3040

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040
Token: SeShutdownPrivilege	3040
Token: SeCreatePagefilePrivilege	3040

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3040 wrote to memory of 1368	3040	SystemPropertiesProtection.exe
PID 3040 wrote to memory of 1368	3040	SystemPropertiesProtection.exe
PID 3040 wrote to memory of 1032	3040	SystemPropertiesProtection.exe
PID 3040 wrote to memory of 1032	3040	SystemPropertiesProtection.exe
PID 3040 wrote to memory of 1600	3040	CloudNotifications.exe
PID 3040 wrote to memory of 1600	3040	CloudNotifications.exe
PID 3040 wrote to memory of 3596	3040	CloudNotifications.exe
PID 3040 wrote to memory of 3596	3040	CloudNotifications.exe
PID 3040 wrote to memory of 1452	3040	bdeunlock.exe
PID 3040 wrote to memory of 1452	3040	bdeunlock.exe
PID 3040 wrote to memory of 3776	3040	bdeunlock.exe
PID 3040 wrote to memory of 3776	3040	bdeunlock.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abadcd128b404c4966990d6664163526f2cb49d7ce235eca9f5c7f1fcb545b41.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:1368

C:\Users\Admin\AppData\Local\WATR0F3\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\WATR0F3\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1032

C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
1⤵
PID:1600

C:\Users\Admin\AppData\Local\5Tk1nb5\CloudNotifications.exe
C:\Users\Admin\AppData\Local\5Tk1nb5\CloudNotifications.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3596

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:1452

C:\Users\Admin\AppData\Local\glwx\bdeunlock.exe
C:\Users\Admin\AppData\Local\glwx\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5Tk1nb5\CloudNotifications.exe
MD5
34dd5ef46e0ed1e9e0f0d6407fe1f47d

SHA1
3732cf4c4f5d09d583d69df1a27537bb52bf90ff

SHA256
b075ef2148d8be0c6116fb8352719ced67bb9a647d358258ae7849ac06b07fae

SHA512
ac98fcb9f39209352f01a2257c3bc8995ea2de9ff3aeed317d3710027a5aa7e690776bd3e0170b85ab28331aef578033259e23fb20d008eb974df786f7f179e2

Download Submit
C:\Users\Admin\AppData\Local\5Tk1nb5\UxTheme.dll
MD5
ebb21cb700064992b39479cc6f044192

SHA1
1214d85e3b3410291649509456e4121e0ae8a741

SHA256
df487606b23cb3ecde8dec8ec47cd171b7778c5de79ddab7addd170f259640da

SHA512
5a44fb04b1591c3e0245e1dbbbc917c8738af225240d7ced08c92d7f509a6d3e2986c47dbcaf9dfabd13eb2671571d8ad3c1de405a58ba4ca4b30b3286392e51

Download Submit
C:\Users\Admin\AppData\Local\WATR0F3\SYSDM.CPL
MD5
55c7bce78805ad50cae804acbe46813c

SHA1
2f5ecbacbbcd341dd468773dfb89eef9fbfbdca9

SHA256
82248d3e7ae0a5e62bd8cc24b83fa9ee8c67e969ebad5a066e415ff743ef4ff8

SHA512
567303624235c2d9f765055eb67d4642fcae883d5e2a5de16138017c1885b1cecb5bd09e78b364bf163246c1c21547ac9c2b8ecbd7fb16b2006d8f6c67aaf87a

Download Submit
C:\Users\Admin\AppData\Local\WATR0F3\SystemPropertiesProtection.exe
MD5
37cc1b52d2032ec2546dc917a94167b4

SHA1
b5d0c21df373f323d5c9459a937a2aeaa66150ef

SHA256
d4b843ae6d94dfe8835925c4ec9ff42529bbb8fe3552cd5e819d8f332c24a884

SHA512
53f793900085e8e5c879876bd99043178cdf8f943df3d5c7faf9560abc6ae016bd208e393d7b66d7283a1d2363bf24e894c31b205db1065f900b8552cc809b2e

Download Submit
C:\Users\Admin\AppData\Local\glwx\DUI70.dll
MD5
e29357a3ace1ee38e748337994ca6d68

SHA1
853379b38f88dd069ca25e67d56f872e9abba4e3

SHA256
053d629bb7fe0a0b6940dfaa302b1cf5046ebdcafda89f9d798041320b91c26f

SHA512
ac16e1629aaa2e078ca5d8800470211aa7179afa283cfae98f994239d6e760468b126ccdf3ba21f2f4a79883d20f6378836d9e7e5244bad7b28c024a5e634095

Download Submit
C:\Users\Admin\AppData\Local\glwx\bdeunlock.exe
MD5
99aff8e54d3b41aee863a8256d31fb83

SHA1
b2f48c802a43e3e420cbc12c16d2277769631159

SHA256
c1d9fd2a52ccf1cc1e587fc598c2848778107b902d492749e1ec1a7b777bead6

SHA512
616179c5b4e94a05c101ab4d3a227f80789966c9e18c56ad5587dfe0f96c0e36b522512b126ffefedab585e85ea90ba61726f4e585dca0e894adb1bf8a742127

Download Submit
\Users\Admin\AppData\Local\5Tk1nb5\UxTheme.dll
MD5
ebb21cb700064992b39479cc6f044192

SHA1
1214d85e3b3410291649509456e4121e0ae8a741

SHA256
df487606b23cb3ecde8dec8ec47cd171b7778c5de79ddab7addd170f259640da

SHA512
5a44fb04b1591c3e0245e1dbbbc917c8738af225240d7ced08c92d7f509a6d3e2986c47dbcaf9dfabd13eb2671571d8ad3c1de405a58ba4ca4b30b3286392e51

Download Submit
\Users\Admin\AppData\Local\WATR0F3\SYSDM.CPL
MD5
55c7bce78805ad50cae804acbe46813c

SHA1
2f5ecbacbbcd341dd468773dfb89eef9fbfbdca9

SHA256
82248d3e7ae0a5e62bd8cc24b83fa9ee8c67e969ebad5a066e415ff743ef4ff8

SHA512
567303624235c2d9f765055eb67d4642fcae883d5e2a5de16138017c1885b1cecb5bd09e78b364bf163246c1c21547ac9c2b8ecbd7fb16b2006d8f6c67aaf87a

Download Submit
\Users\Admin\AppData\Local\glwx\DUI70.dll
MD5
e29357a3ace1ee38e748337994ca6d68

SHA1
853379b38f88dd069ca25e67d56f872e9abba4e3

SHA256
053d629bb7fe0a0b6940dfaa302b1cf5046ebdcafda89f9d798041320b91c26f

SHA512
ac16e1629aaa2e078ca5d8800470211aa7179afa283cfae98f994239d6e760468b126ccdf3ba21f2f4a79883d20f6378836d9e7e5244bad7b28c024a5e634095

Download Submit
memory/1032-158-0x0000000000000000-mapping.dmp

Download
memory/1032-168-0x0000023551020000-0x0000023551022000-memory.dmp

Filesize
8KB

Download
memory/1032-167-0x0000023551020000-0x0000023551022000-memory.dmp

Filesize
8KB

Download
memory/1032-166-0x0000023551020000-0x0000023551022000-memory.dmp

Filesize
8KB

Download
memory/1032-162-0x00007FFF12C50000-0x00007FFF12DB5000-memory.dmp

Filesize
1.4MB

Download
memory/2580-118-0x00007FFF12C50000-0x00007FFF12DB4000-memory.dmp

Filesize
1.4MB

Download
memory/2580-124-0x000001F141A70000-0x000001F141A77000-memory.dmp

Filesize
28KB

Download
memory/2580-123-0x000001F141A80000-0x000001F141A82000-memory.dmp

Filesize
8KB

Download
memory/2580-122-0x000001F141A80000-0x000001F141A82000-memory.dmp

Filesize
8KB

Download
memory/3040-135-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-134-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-142-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-140-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-143-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-145-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-144-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-147-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-146-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-148-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-153-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/3040-154-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/3040-155-0x00007FFF20A75000-0x00007FFF20A76000-memory.dmp

Filesize
4KB

Download
memory/3040-156-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/3040-157-0x00007FFF20BB0000-0x00007FFF20BB2000-memory.dmp

Filesize
8KB

Download
memory/3040-139-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-138-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-137-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-136-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-141-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-133-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-132-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-131-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-191-0x00000000009A0000-0x00000000009A2000-memory.dmp

Filesize
8KB

Download
memory/3040-130-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-129-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-128-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-125-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/3040-126-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3040-127-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3596-179-0x00000212056D0000-0x00000212056D2000-memory.dmp

Filesize
8KB

Download
memory/3596-177-0x00000212056D0000-0x00000212056D2000-memory.dmp

Filesize
8KB

Download
memory/3596-178-0x00000212056D0000-0x00000212056D2000-memory.dmp

Filesize
8KB

Download
memory/3596-169-0x0000000000000000-mapping.dmp

Download
memory/3776-180-0x0000000000000000-mapping.dmp

Download
memory/3776-184-0x00007FFF12B80000-0x00007FFF12D2A000-memory.dmp

Filesize
1.7MB

Download
memory/3776-188-0x000001C115640000-0x000001C115642000-memory.dmp

Filesize
8KB

Download
memory/3776-189-0x000001C115640000-0x000001C115642000-memory.dmp

Filesize
8KB

Download
memory/3776-190-0x000001C115640000-0x000001C115642000-memory.dmp

Filesize
8KB

Download