dridex | 28cdb76bf1b90ef6b5e8ef101b419f5cb02b74bd3bfd2a4ca348b8402b0d2425

Analysis

max time kernel
151s
max time network
124s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28cdb76bf1b90ef6b5e8ef101b419f5cb02b74bd3bfd2a4ca348b8402b0d2425.dll
Size

1.4MB
MD5

94ea5ec1d6e2773e4b1ac030ea8fb7f7
SHA1

e5b45a82aaba3716c3d62997052a874b586c0fe5
SHA256

28cdb76bf1b90ef6b5e8ef101b419f5cb02b74bd3bfd2a4ca348b8402b0d2425
SHA512

1bc71c9f32855356a94a9f85defd08814b26db562227e3286e39863d2f55856087777408a56de7ce98946edd4f8454ef954231aac12225ae6fb58da75d392352

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3044-124-0x0000000000910000-0x0000000000911000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

lpksetup.exesethc.exeWFS.exe

pid process

1888 lpksetup.exe
3476 sethc.exe
800 WFS.exe
Loads dropped DLL 3 IoCs

Processes:

lpksetup.exesethc.exeWFS.exe

pid process

1888 lpksetup.exe
3476 sethc.exe
800 WFS.exe

pid	process
1888	lpksetup.exe
3476	sethc.exe
800	WFS.exe

pid	process
1888	lpksetup.exe
3476	sethc.exe
800	WFS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\gCI6lIpo4pk\\8UH5lpz\\sethc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exelpksetup.exesethc.exeWFS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3064	rundll32.exe
3064	rundll32.exe
3064	rundll32.exe
3064	rundll32.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exelpksetup.exesethc.exeWFS.exe

pid process

3064 rundll32.exe
3044
1888 lpksetup.exe
3476 sethc.exe
800 WFS.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3044 wrote to memory of 1336	3044	lpksetup.exe
PID 3044 wrote to memory of 1336	3044	lpksetup.exe
PID 3044 wrote to memory of 1888	3044	lpksetup.exe
PID 3044 wrote to memory of 1888	3044	lpksetup.exe
PID 3044 wrote to memory of 1584	3044	sethc.exe
PID 3044 wrote to memory of 1584	3044	sethc.exe
PID 3044 wrote to memory of 3476	3044	sethc.exe
PID 3044 wrote to memory of 3476	3044	sethc.exe
PID 3044 wrote to memory of 3020	3044	WFS.exe
PID 3044 wrote to memory of 3020	3044	WFS.exe
PID 3044 wrote to memory of 800	3044	WFS.exe
PID 3044 wrote to memory of 800	3044	WFS.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28cdb76bf1b90ef6b5e8ef101b419f5cb02b74bd3bfd2a4ca348b8402b0d2425.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3064

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1336

C:\Users\Admin\AppData\Local\IbhSkB\lpksetup.exe
C:\Users\Admin\AppData\Local\IbhSkB\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1888

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1584

C:\Users\Admin\AppData\Local\bjs4Qv\sethc.exe
C:\Users\Admin\AppData\Local\bjs4Qv\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3476

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\8hUjUD\WFS.exe
C:\Users\Admin\AppData\Local\8hUjUD\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8hUjUD\UxTheme.dll
MD5
b0167c6e9f78b069b2b54e0f57958b46

SHA1
8668bbe2bc1a5e850b4292a6123d874d002951e6

SHA256
cfcd71b0eb0f801be9364e15d1718a34b23203e759b0eb3a1c972b2e29e61a9b

SHA512
a6a810fd31c0f6bdedb61232cbc33bc9743fd611f14977dd891e7008cec4f0494f3568ef48200b6920e2a189f3eaeffb3eb8f9ce4e5703d7838acd7351cff8fb

Download Submit
C:\Users\Admin\AppData\Local\8hUjUD\WFS.exe
MD5
f5c1b5e7334f4a7fa393cc68f16eab93

SHA1
d17180a8f7be23ebdf04162a8c66a9c3bb18d9c1

SHA256
68b593b074f7501cee6a7af0d006a611f413a0d4f22b43c041fcec3815112208

SHA512
3656d43322e9ed1da68ff58deeb458c3633c693b1e9b79fc7c557166db6af8cb7d155341742510cf803aeb985dd825c64ecfaa7eda7ccf0952dcb06249a92fc0

Download Submit
C:\Users\Admin\AppData\Local\IbhSkB\dpx.dll
MD5
9998de9ce431afc2f50181f720fc9b73

SHA1
cc44f1ef8e4d07f40a2ffed29a6be410abf205f2

SHA256
c588af8bf56fdf1d277937759121ddc52897e6adf8bf0ffabb257b880807b7f7

SHA512
401f4b40bb3e977550f9ca15ba48feb9f201a064eabc8938e63f290af160c7bc089d4d6ba9b8e7337093244693717336d3c03987de80e12e890019c7cd61e545

Download Submit
C:\Users\Admin\AppData\Local\IbhSkB\lpksetup.exe
MD5
e96f815f1f58a65c47ed4657668d40ac

SHA1
ad6bbf9c08aae0d5b3a219e192a1974dc7cb1e59

SHA256
edccb2f297de76763c0298829a5c5726942c0c4d7df4265639c1728b5028c79f

SHA512
1ab1d5ea644b7569c75d75fc39cbb64804f8f019ca2f50efb74a1b77055d6b897c3f4207be72f5b7c63b93c49b75d3b150b9fb40b21453a69f86ad93287390fd

Download Submit
C:\Users\Admin\AppData\Local\bjs4Qv\OLEACC.dll
MD5
7f6802185d75848ee051634d97cae27a

SHA1
8c31315c79f729a77bdc77737855b42f76329cf6

SHA256
13655ed2bacc02cb7f708831f5a0a4d4fe1193550d569dfc92515f71de5b6394

SHA512
8e0782a16388cbc631d4fac89f316288928fb406d6da8a3b7f206ff69847706986a9a13fe20471ef6c8a1887cbc3abfdac114cbdc8e03f1211148dbc790c24dc

Download Submit
C:\Users\Admin\AppData\Local\bjs4Qv\sethc.exe
MD5
acf1ee51ad73afb0faba2e10304df15a

SHA1
03ade95bbe89143d89a0c09c405610921e5046b3

SHA256
e0bf9845f79c1b4fa09e334f460b6ef70f418eb46cd61b696dec772c6ff3839d

SHA512
a399d58f9ce6b36a5851ef7955509a6c45764e1fa246f93900744f7a288bf3ff3f3513a5c201c4f8c7025daaec62fb0fb62aaf56cb9f6c79ffce203961fd0618

Download Submit
\Users\Admin\AppData\Local\8hUjUD\UxTheme.dll
MD5
b0167c6e9f78b069b2b54e0f57958b46

SHA1
8668bbe2bc1a5e850b4292a6123d874d002951e6

SHA256
cfcd71b0eb0f801be9364e15d1718a34b23203e759b0eb3a1c972b2e29e61a9b

SHA512
a6a810fd31c0f6bdedb61232cbc33bc9743fd611f14977dd891e7008cec4f0494f3568ef48200b6920e2a189f3eaeffb3eb8f9ce4e5703d7838acd7351cff8fb

Download Submit
\Users\Admin\AppData\Local\IbhSkB\dpx.dll
MD5
9998de9ce431afc2f50181f720fc9b73

SHA1
cc44f1ef8e4d07f40a2ffed29a6be410abf205f2

SHA256
c588af8bf56fdf1d277937759121ddc52897e6adf8bf0ffabb257b880807b7f7

SHA512
401f4b40bb3e977550f9ca15ba48feb9f201a064eabc8938e63f290af160c7bc089d4d6ba9b8e7337093244693717336d3c03987de80e12e890019c7cd61e545

Download Submit
\Users\Admin\AppData\Local\bjs4Qv\OLEACC.dll
MD5
7f6802185d75848ee051634d97cae27a

SHA1
8c31315c79f729a77bdc77737855b42f76329cf6

SHA256
13655ed2bacc02cb7f708831f5a0a4d4fe1193550d569dfc92515f71de5b6394

SHA512
8e0782a16388cbc631d4fac89f316288928fb406d6da8a3b7f206ff69847706986a9a13fe20471ef6c8a1887cbc3abfdac114cbdc8e03f1211148dbc790c24dc

Download Submit
memory/800-178-0x0000000000000000-mapping.dmp

Download
memory/800-185-0x000001EB402C0000-0x000001EB402C2000-memory.dmp

Filesize
8KB

Download
memory/800-186-0x000001EB402C0000-0x000001EB402C2000-memory.dmp

Filesize
8KB

Download
memory/800-187-0x000001EB402C0000-0x000001EB402C2000-memory.dmp

Filesize
8KB

Download
memory/1888-158-0x0000000000000000-mapping.dmp

Download
memory/1888-167-0x0000013127250000-0x0000013127252000-memory.dmp

Filesize
8KB

Download
memory/1888-166-0x0000013127250000-0x0000013127252000-memory.dmp

Filesize
8KB

Download
memory/1888-165-0x0000013127250000-0x0000013127252000-memory.dmp

Filesize
8KB

Download
memory/1888-162-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3044-133-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-135-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-141-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-142-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-143-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-144-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-134-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-145-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-146-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-147-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-153-0x0000000000930000-0x0000000000932000-memory.dmp

Filesize
8KB

Download
memory/3044-154-0x0000000000930000-0x0000000000932000-memory.dmp

Filesize
8KB

Download
memory/3044-155-0x00007FFBD4B15000-0x00007FFBD4B16000-memory.dmp

Filesize
4KB

Download
memory/3044-156-0x0000000000930000-0x0000000000932000-memory.dmp

Filesize
8KB

Download
memory/3044-157-0x00007FFBD4C50000-0x00007FFBD4C52000-memory.dmp

Filesize
8KB

Download
memory/3044-139-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-138-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-137-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-136-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-140-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-124-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/3044-132-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-131-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-125-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-130-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-129-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-128-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-126-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3044-127-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3064-118-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3064-123-0x0000012CC7C40000-0x0000012CC7C47000-memory.dmp

Filesize
28KB

Download
memory/3064-122-0x0000012CC7C50000-0x0000012CC7C52000-memory.dmp

Filesize
8KB

Download
memory/3064-121-0x0000012CC7C50000-0x0000012CC7C52000-memory.dmp

Filesize
8KB

Download
memory/3476-177-0x0000024A77C80000-0x0000024A77C82000-memory.dmp

Filesize
8KB

Download
memory/3476-176-0x0000024A77C80000-0x0000024A77C82000-memory.dmp

Filesize
8KB

Download
memory/3476-175-0x0000024A77C80000-0x0000024A77C82000-memory.dmp

Filesize
8KB

Download
memory/3476-168-0x0000000000000000-mapping.dmp

Download