dridex | d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa

Analysis

max time kernel
153s
max time network
125s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa.dll
Size

1.4MB
MD5

596b0cac5ca82de0f301f5ae4f72ec31
SHA1

ef280c3f84f2aa68dac81b7c511a55d18035c644
SHA256

d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa
SHA512

344a058bd165805bb442eb0ccd07a61349c0283a32ec502447c32a408dc17cf0a303422ffe3fb535fa80716584a8735eaca57adb67faf44ba52b966a007f6bcb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1368-59-0x00000000029B0000-0x00000000029B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sdclt.exemsinfo32.exeslui.exe

pid process

1496 sdclt.exe
632 msinfo32.exe
1532 slui.exe

pid	process
1496	sdclt.exe
632	msinfo32.exe
1532	slui.exe

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iQG17QcFm
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iQG17QcFm\MFC42u.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iQG17QcFm\msinfo32.exe

Loads dropped DLL 7 IoCs

Processes:

sdclt.exemsinfo32.exeslui.exe

pid process

1368
1496 sdclt.exe
1368
632 msinfo32.exe
1368
1532 slui.exe
1368

pid	process
1368
1496	sdclt.exe
1368
632	msinfo32.exe
1368
1532	slui.exe
1368

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\IQG17Q~1\\msinfo32.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesdclt.exemsinfo32.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
452	rundll32.exe
452	rundll32.exe
452	rundll32.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exesdclt.exemsinfo32.exeslui.exe

pid process

452 rundll32.exe
1368
1496 sdclt.exe
632 msinfo32.exe
1532 slui.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1368 wrote to memory of 2040	1368	sdclt.exe
PID 1368 wrote to memory of 2040	1368	sdclt.exe
PID 1368 wrote to memory of 2040	1368	sdclt.exe
PID 1368 wrote to memory of 1496	1368	sdclt.exe
PID 1368 wrote to memory of 1496	1368	sdclt.exe
PID 1368 wrote to memory of 1496	1368	sdclt.exe
PID 1368 wrote to memory of 1124	1368	msinfo32.exe
PID 1368 wrote to memory of 1124	1368	msinfo32.exe
PID 1368 wrote to memory of 1124	1368	msinfo32.exe
PID 1368 wrote to memory of 632	1368	msinfo32.exe
PID 1368 wrote to memory of 632	1368	msinfo32.exe
PID 1368 wrote to memory of 632	1368	msinfo32.exe
PID 1368 wrote to memory of 1424	1368	slui.exe
PID 1368 wrote to memory of 1424	1368	slui.exe
PID 1368 wrote to memory of 1424	1368	slui.exe
PID 1368 wrote to memory of 1532	1368	slui.exe
PID 1368 wrote to memory of 1532	1368	slui.exe
PID 1368 wrote to memory of 1532	1368	slui.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:452

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2040

C:\Users\Admin\AppData\Local\oiyXZ6\sdclt.exe
C:\Users\Admin\AppData\Local\oiyXZ6\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1496

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:1124

C:\Users\Admin\AppData\Local\NkGdO\msinfo32.exe
C:\Users\Admin\AppData\Local\NkGdO\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:632

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1424

C:\Users\Admin\AppData\Local\9ZWzDax\slui.exe
C:\Users\Admin\AppData\Local\9ZWzDax\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1532

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9ZWzDax\slc.dll
MD5
fde023f7f6a9b51613e8195ac064e570

SHA1
1931ec2739bb3096b3ebec3682b51364ae3bb2ed

SHA256
326977b7f734c8d8ce31b55d3fef2f3f0d93ae0383baddc4f31f0c9b6ed90cb4

SHA512
af91825f470f7e02c9df2628de77c37b20c2dfe2f52484d60712a773a34284c583a3fc0720dca541c0adcc02230c083b78479234428f765901e53da76b635911

Download Submit
C:\Users\Admin\AppData\Local\9ZWzDax\slui.exe
MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
C:\Users\Admin\AppData\Local\NkGdO\MFC42u.dll
MD5
ba0c96924a72dc75bb53b3dff5ecd66d

SHA1
72387ffcd13ccadc5f670dd98c286c189cba6011

SHA256
30b3c1b5250c3515c438175548bc6157da53679599bb93fdc2df4b7397fb25e7

SHA512
3587bd708d7a7eb2b7e0ec7b367079629d45d0b6695d9beabc363c81adf99f33c13d532b758ee4648a3e5e24657cc7d260a78c75c0a3a7da738a7dff756daf55

Download Submit
C:\Users\Admin\AppData\Local\NkGdO\msinfo32.exe
MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
C:\Users\Admin\AppData\Local\oiyXZ6\ReAgent.dll
MD5
f2bef6076c9e1e5247d86153c0194a94

SHA1
4103ddf4536b5a07240299f36c925a8df7c5fe28

SHA256
6d482744ce41066cb6838a2a77e7c370df92a520eaf627b1ff98d5a0a6e80b6a

SHA512
a87c466e09677fbf2e11a9e3f98fdac989da5358e82e6220e5fae6b5c036a751ff9ea610df7c2d9bed86c81662a4fe4ccd166348c0743a455898b2510d3c88ea

Download Submit
C:\Users\Admin\AppData\Local\oiyXZ6\sdclt.exe
MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Local\9ZWzDax\slc.dll
MD5
fde023f7f6a9b51613e8195ac064e570

SHA1
1931ec2739bb3096b3ebec3682b51364ae3bb2ed

SHA256
326977b7f734c8d8ce31b55d3fef2f3f0d93ae0383baddc4f31f0c9b6ed90cb4

SHA512
af91825f470f7e02c9df2628de77c37b20c2dfe2f52484d60712a773a34284c583a3fc0720dca541c0adcc02230c083b78479234428f765901e53da76b635911

Download Submit
\Users\Admin\AppData\Local\9ZWzDax\slui.exe
MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
\Users\Admin\AppData\Local\NkGdO\MFC42u.dll
MD5
ba0c96924a72dc75bb53b3dff5ecd66d

SHA1
72387ffcd13ccadc5f670dd98c286c189cba6011

SHA256
30b3c1b5250c3515c438175548bc6157da53679599bb93fdc2df4b7397fb25e7

SHA512
3587bd708d7a7eb2b7e0ec7b367079629d45d0b6695d9beabc363c81adf99f33c13d532b758ee4648a3e5e24657cc7d260a78c75c0a3a7da738a7dff756daf55

Download Submit
\Users\Admin\AppData\Local\NkGdO\msinfo32.exe
MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
\Users\Admin\AppData\Local\oiyXZ6\ReAgent.dll
MD5
f2bef6076c9e1e5247d86153c0194a94

SHA1
4103ddf4536b5a07240299f36c925a8df7c5fe28

SHA256
6d482744ce41066cb6838a2a77e7c370df92a520eaf627b1ff98d5a0a6e80b6a

SHA512
a87c466e09677fbf2e11a9e3f98fdac989da5358e82e6220e5fae6b5c036a751ff9ea610df7c2d9bed86c81662a4fe4ccd166348c0743a455898b2510d3c88ea

Download Submit
\Users\Admin\AppData\Local\oiyXZ6\sdclt.exe
MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\6YjC\slui.exe
MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
memory/452-55-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/452-58-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/632-100-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/632-95-0x0000000000000000-mapping.dmp

Download
memory/1368-73-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-76-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-62-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-61-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-60-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-84-0x0000000076F70000-0x0000000076F72000-memory.dmp

Filesize
8KB

Download
memory/1368-65-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-59-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1368-66-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-64-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-67-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-68-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-69-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-70-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-72-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-71-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-75-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-77-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-78-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-63-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1368-74-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1496-91-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1496-88-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download
memory/1496-86-0x0000000000000000-mapping.dmp

Download
memory/1532-104-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads