dridex | d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa

Analysis

max time kernel
155s
max time network
126s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa.dll
Size

1.4MB
MD5

596b0cac5ca82de0f301f5ae4f72ec31
SHA1

ef280c3f84f2aa68dac81b7c511a55d18035c644
SHA256

d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa
SHA512

344a058bd165805bb442eb0ccd07a61349c0283a32ec502447c32a408dc17cf0a303422ffe3fb535fa80716584a8735eaca57adb67faf44ba52b966a007f6bcb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2056-124-0x0000000001350000-0x0000000001351000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wermgr.exeRdpSa.exewextract.exe

pid process

2472 wermgr.exe
3820 RdpSa.exe
4024 wextract.exe
Loads dropped DLL 3 IoCs

Processes:

wermgr.exeRdpSa.exewextract.exe

pid process

2472 wermgr.exe
3820 RdpSa.exe
4024 wextract.exe

pid	process
2472	wermgr.exe
3820	RdpSa.exe
4024	wextract.exe

pid	process
2472	wermgr.exe
3820	RdpSa.exe
4024	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\9A7XKA3eix\\RdpSa.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewermgr.exeRdpSa.exewextract.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wermgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
3592	rundll32.exe
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exewermgr.exeRdpSa.exewextract.exe

pid process

3592 rundll32.exe
2056
2472 wermgr.exe
3820 RdpSa.exe
4024 wextract.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2056 wrote to memory of 2276	2056	wermgr.exe
PID 2056 wrote to memory of 2276	2056	wermgr.exe
PID 2056 wrote to memory of 2472	2056	wermgr.exe
PID 2056 wrote to memory of 2472	2056	wermgr.exe
PID 2056 wrote to memory of 424	2056	RdpSa.exe
PID 2056 wrote to memory of 424	2056	RdpSa.exe
PID 2056 wrote to memory of 3820	2056	RdpSa.exe
PID 2056 wrote to memory of 3820	2056	RdpSa.exe
PID 2056 wrote to memory of 2204	2056	wextract.exe
PID 2056 wrote to memory of 2204	2056	wextract.exe
PID 2056 wrote to memory of 4024	2056	wextract.exe
PID 2056 wrote to memory of 4024	2056	wextract.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d6b765e0c278fe4383427e864d9baf366cd2ce7895cf9d038aa29c15174e2caa.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3592

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:2276

C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe
C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2472

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:424

C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe
C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3820

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2204

C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe
C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:4024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Lw0\RdpSa.exe
MD5
f1c2442f3ec5188998bf290c4cbd562a

SHA1
73fa6d853a92bfcc7671f82d3ab87ea3133bd9ad

SHA256
f6ff99a61cf82ef5889b3dd359a3bb55772439b66c710a9899eb8768c73a0a72

SHA512
310315718d7c684916f16754a1bceb9eb334c2dc8cb70634bf253b7b3d2fc8702e6ce7db52da0122a55fe53cadef1a6ec158d0056ebdbc2bcdc4832033e5d3f4

Download Submit
C:\Users\Admin\AppData\Local\Lw0\WINSTA.dll
MD5
fe826d758f4935250fda52b502759d88

SHA1
bf03ae4825c392286892ab323e3c62f259ff98ef

SHA256
98e1563768fabee13b409ad2bf045417436c01830ce25428260f035a0ad356eb

SHA512
5db5aae4b328f318b885b734466de778c65dd6a07a079a0f969e3bd2686a74500162db5f1f7cb29c423894fe3219c9dca3fe2acfcb3e828bd314590d8e9d0c27

Download Submit
C:\Users\Admin\AppData\Local\rBs9p8Ae\wer.dll
MD5
78be8742b2d9b5701e752e4dd840920f

SHA1
73868d630bab3438e876db5e4f2fcbe41103febc

SHA256
ba73ff3db6a9252b45d0ee6ea0cd7e18589397e1aa7ae5b730b3a68d190fe9fb

SHA512
1cdde53f8976554eff3b28239604e659d0e0bd210a37d3bbd5596f954e76a98cbadf843a764b3567eaf4c622a9cfa1509b00814ac2af279b7ba249b2abe53ebb

Download Submit
C:\Users\Admin\AppData\Local\rBs9p8Ae\wermgr.exe
MD5
b6b07bd48ece5e19f8fbbe3b9d4dee8b

SHA1
a9d344ae382ffaf64d7977f632d98a422b4e09fd

SHA256
ab6443218f56d9743fa4605a7696c82b016f621ddefcb3207a9aa77666a7bca1

SHA512
a0092bb7fca2160e1a9bf6db4399bfde9a15d6a885932e58152b80bfb3fb5f4d67836b1c31c261550bb5cea71f74bd985911daf624ad02f4938db2d23b76fdd4

Download Submit
C:\Users\Admin\AppData\Local\uRyvqYs\VERSION.dll
MD5
49f47433a7bb55cc616e4d8ada296b86

SHA1
27e5de766876b59b8d715ebc3370062789f4a449

SHA256
0b1dd64fbc783ab0d2c9001fcddf8d6411ee37634cdebb9dc9b0a756549f167d

SHA512
e18062d25596451a0e5c77b36118ac2fe3676c440f44e75d77c6dd4eb84043b7f2a1ace09267cf119a10aee713639b0488de5bc9a43a2aa8121e44cdb6d792fa

Download Submit
C:\Users\Admin\AppData\Local\uRyvqYs\wextract.exe
MD5
e78764b49f5806ce029cd547004493c9

SHA1
8c1f3f989913bebf827a707c04754047507a8cf3

SHA256
ab519b1c2711219a9f262b23bf72343eec3c0df4c7ddd135d30d05e700ec302e

SHA512
71040e5f0d2d409efaba70a7daaebe7a4675cb19009436a826a679671cc0d7c960498364ec7a29fb163ce8dada65218b75bebb973e6c8b194734e01970fd3a6b

Download Submit
\Users\Admin\AppData\Local\Lw0\WINSTA.dll
MD5
fe826d758f4935250fda52b502759d88

SHA1
bf03ae4825c392286892ab323e3c62f259ff98ef

SHA256
98e1563768fabee13b409ad2bf045417436c01830ce25428260f035a0ad356eb

SHA512
5db5aae4b328f318b885b734466de778c65dd6a07a079a0f969e3bd2686a74500162db5f1f7cb29c423894fe3219c9dca3fe2acfcb3e828bd314590d8e9d0c27

Download Submit
\Users\Admin\AppData\Local\rBs9p8Ae\wer.dll
MD5
78be8742b2d9b5701e752e4dd840920f

SHA1
73868d630bab3438e876db5e4f2fcbe41103febc

SHA256
ba73ff3db6a9252b45d0ee6ea0cd7e18589397e1aa7ae5b730b3a68d190fe9fb

SHA512
1cdde53f8976554eff3b28239604e659d0e0bd210a37d3bbd5596f954e76a98cbadf843a764b3567eaf4c622a9cfa1509b00814ac2af279b7ba249b2abe53ebb

Download Submit
\Users\Admin\AppData\Local\uRyvqYs\VERSION.dll
MD5
49f47433a7bb55cc616e4d8ada296b86

SHA1
27e5de766876b59b8d715ebc3370062789f4a449

SHA256
0b1dd64fbc783ab0d2c9001fcddf8d6411ee37634cdebb9dc9b0a756549f167d

SHA512
e18062d25596451a0e5c77b36118ac2fe3676c440f44e75d77c6dd4eb84043b7f2a1ace09267cf119a10aee713639b0488de5bc9a43a2aa8121e44cdb6d792fa

Download Submit
memory/2056-134-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-128-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-131-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-133-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-124-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/2056-135-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-136-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-132-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-137-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-138-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-139-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-140-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-141-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-143-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-142-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-149-0x0000000001400000-0x0000000001402000-memory.dmp

Filesize
8KB

Download
memory/2056-150-0x0000000001400000-0x0000000001402000-memory.dmp

Filesize
8KB

Download
memory/2056-151-0x00007FFA00E35000-0x00007FFA00E36000-memory.dmp

Filesize
4KB

Download
memory/2056-152-0x0000000001400000-0x0000000001402000-memory.dmp

Filesize
8KB

Download
memory/2056-153-0x00007FFA00F70000-0x00007FFA00F72000-memory.dmp

Filesize
8KB

Download
memory/2056-126-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-130-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-129-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-125-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2056-127-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/2472-154-0x0000000000000000-mapping.dmp

Download
memory/2472-161-0x000001DDB89C0000-0x000001DDB89C2000-memory.dmp

Filesize
8KB

Download
memory/2472-163-0x000001DDB89C0000-0x000001DDB89C2000-memory.dmp

Filesize
8KB

Download
memory/2472-162-0x000001DDB89C0000-0x000001DDB89C2000-memory.dmp

Filesize
8KB

Download
memory/2472-158-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3592-122-0x0000019756D80000-0x0000019756D82000-memory.dmp

Filesize
8KB

Download
memory/3592-118-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3592-123-0x0000019756D70000-0x0000019756D77000-memory.dmp

Filesize
28KB

Download
memory/3592-121-0x0000019756D80000-0x0000019756D82000-memory.dmp

Filesize
8KB

Download
memory/3820-171-0x000001C2BD290000-0x000001C2BD292000-memory.dmp

Filesize
8KB

Download
memory/3820-172-0x000001C2BD290000-0x000001C2BD292000-memory.dmp

Filesize
8KB

Download
memory/3820-173-0x000001C2BD290000-0x000001C2BD292000-memory.dmp

Filesize
8KB

Download
memory/3820-164-0x0000000000000000-mapping.dmp

Download
memory/4024-174-0x0000000000000000-mapping.dmp

Download
memory/4024-178-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/4024-181-0x000001E961170000-0x000001E961172000-memory.dmp

Filesize
8KB

Download
memory/4024-182-0x000001E961170000-0x000001E961172000-memory.dmp

Filesize
8KB

Download
memory/4024-183-0x000001E961170000-0x000001E961172000-memory.dmp

Filesize
8KB

Download