dridex | 5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19

Analysis

max time kernel
152s
max time network
123s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19.dll
Size

1.4MB
MD5

da2840fc190af8a35f974ccabd4d3b5b
SHA1

8a6dd71bd4586434e68fe7e2f408d2927f3ab17b
SHA256

5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19
SHA512

edac6848add5a121bdfc32c7ceac74a9bd0824a81f078f04be213e531d0b66c773507d124aa2e877194997a3e688e41c0a1fd778133ab277897718bb02871fe3

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2060-125-0x0000000000530000-0x0000000000531000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exerdpinput.exePresentationHost.exe

pid process

4476 PresentationSettings.exe
756 rdpinput.exe
3152 PresentationHost.exe
Loads dropped DLL 3 IoCs

Processes:

PresentationSettings.exerdpinput.exePresentationHost.exe

pid process

4476 PresentationSettings.exe
756 rdpinput.exe
3152 PresentationHost.exe

pid	process
4476	PresentationSettings.exe
756	rdpinput.exe
3152	PresentationHost.exe

pid	process
4476	PresentationSettings.exe
756	rdpinput.exe
3152	PresentationHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\SawFjZHzMA\\rdpinput.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rdpinput.exePresentationHost.exePresentationSettings.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exePresentationSettings.exe

pid	process
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
3564	regsvr32.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
4476	PresentationSettings.exe
4476	PresentationSettings.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2060

pid	process
2060

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2060 wrote to memory of 4488	2060	PresentationSettings.exe
PID 2060 wrote to memory of 4488	2060	PresentationSettings.exe
PID 2060 wrote to memory of 4476	2060	PresentationSettings.exe
PID 2060 wrote to memory of 4476	2060	PresentationSettings.exe
PID 2060 wrote to memory of 764	2060	rdpinput.exe
PID 2060 wrote to memory of 764	2060	rdpinput.exe
PID 2060 wrote to memory of 756	2060	rdpinput.exe
PID 2060 wrote to memory of 756	2060	rdpinput.exe
PID 2060 wrote to memory of 3172	2060	PresentationHost.exe
PID 2060 wrote to memory of 3172	2060	PresentationHost.exe
PID 2060 wrote to memory of 3152	2060	PresentationHost.exe
PID 2060 wrote to memory of 3152	2060	PresentationHost.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:4488

C:\Users\Admin\AppData\Local\eXT06blc\PresentationSettings.exe
C:\Users\Admin\AppData\Local\eXT06blc\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:764

C:\Users\Admin\AppData\Local\vM46\rdpinput.exe
C:\Users\Admin\AppData\Local\vM46\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:756

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:3172

C:\Users\Admin\AppData\Local\9sfQQp\PresentationHost.exe
C:\Users\Admin\AppData\Local\9sfQQp\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9sfQQp\PresentationHost.exe
MD5
7009b2746734a3538e7735cf24f3c93b

SHA1
f994c53697e0d9b6ab2b5d5dd5f31fafa30109b1

SHA256
d0011ec1f0e14a3c6a515df997268a851c98722472f21c03b0fdc6477f14fdb7

SHA512
7934cc17f7bbb6ec8b0f3fb4c775b21885693eaf3e332de97b14f294dac7a189801eeb6165dfc04e2a9aa019c444a9af65d498926fe9dc0c4fc1b71ba272f89b

Download Submit
C:\Users\Admin\AppData\Local\9sfQQp\VERSION.dll
MD5
f218b74a00a6d5b0cc0184ee21cac8fa

SHA1
85d8402458e381b27f2cb53e131c6b4bb8df36ba

SHA256
a77e210040919d76fb1a7379e11da4419b78ea5dd21bb88b5430c6036e83e9bb

SHA512
32dd3acb64f17224d4cca38759b66f20815b2c71c703eeb0e61dba704e2314210c5ff8e2d3c98f00c7884785007dc1c1bf07483ce9100290edcd41d05501b28f

Download Submit
C:\Users\Admin\AppData\Local\eXT06blc\PresentationSettings.exe
MD5
bd73d1773092998a116df978b49860b7

SHA1
c69255098b8528b88e12a4051fd4e880e8ebe0e7

SHA256
cebf396bdf405225c55ce25b6cac39165fa9cb26ddd52e73392df6ea4ce178ec

SHA512
dc932ddc9e512776ec5e3a09aa136e2a7a9209ab6f5168c5bcf9756f33b4007a88a332d246a1cc96f0097c0c758e03997dad10907e4be1bf2183fa3e049b5611

Download Submit
C:\Users\Admin\AppData\Local\eXT06blc\WINMM.dll
MD5
bb8d11112189e739d2539258f9bf7328

SHA1
86e1eace7302e6d2ece7dcbe311df649b64451ce

SHA256
ad4432a8f9f56bd8ff1998e5fb81c543ecc1d8718d6b462bcabd936d87284932

SHA512
c207bb8b862e7e9b072ac651947359f4a0c0ca10dc04452f355d3e27c4c8c9f6d5c9efd59c692aad16c92192119d796f5e00495a13a098f792f4a14802fc6801

Download Submit
C:\Users\Admin\AppData\Local\vM46\WINSTA.dll
MD5
9af942604a901aa4e528eb902b60a4a6

SHA1
52be066f0b2e7bf11fdef7aeb1e499f5c6222caf

SHA256
ecbb7f46113558570821bf4ad15b4824c8824c90af134f84990b9f4b1f973194

SHA512
1fd7d3140bb2b7d12ffd09d52ab9040032d3c6a96fc855d99b351b44b6df5e1a57377db3b3e44870caea33b77b31ca9824b1f8bce6dda8ca5b740a7bc3273b0b

Download Submit
C:\Users\Admin\AppData\Local\vM46\rdpinput.exe
MD5
431364c49991ebfea19b468020368e08

SHA1
c36c8a01ccd17b8ec754fe92d1e03558bb3f05ac

SHA256
6c59ea8b7807d9cc9de5c67cf679a1fb1bed4629da1f0a071e03af775de8e4fc

SHA512
6b2baeb9abc1277fef874ead7d0c4b2b5c5953b8f9db5ae056a14a0af6edb6482b303e7f4ba5237a22e62919f09cd8334692dd58053754ed18837ace14565d8f

Download Submit
\Users\Admin\AppData\Local\9sfQQp\VERSION.dll
MD5
f218b74a00a6d5b0cc0184ee21cac8fa

SHA1
85d8402458e381b27f2cb53e131c6b4bb8df36ba

SHA256
a77e210040919d76fb1a7379e11da4419b78ea5dd21bb88b5430c6036e83e9bb

SHA512
32dd3acb64f17224d4cca38759b66f20815b2c71c703eeb0e61dba704e2314210c5ff8e2d3c98f00c7884785007dc1c1bf07483ce9100290edcd41d05501b28f

Download Submit
\Users\Admin\AppData\Local\eXT06blc\WINMM.dll
MD5
bb8d11112189e739d2539258f9bf7328

SHA1
86e1eace7302e6d2ece7dcbe311df649b64451ce

SHA256
ad4432a8f9f56bd8ff1998e5fb81c543ecc1d8718d6b462bcabd936d87284932

SHA512
c207bb8b862e7e9b072ac651947359f4a0c0ca10dc04452f355d3e27c4c8c9f6d5c9efd59c692aad16c92192119d796f5e00495a13a098f792f4a14802fc6801

Download Submit
\Users\Admin\AppData\Local\vM46\WINSTA.dll
MD5
9af942604a901aa4e528eb902b60a4a6

SHA1
52be066f0b2e7bf11fdef7aeb1e499f5c6222caf

SHA256
ecbb7f46113558570821bf4ad15b4824c8824c90af134f84990b9f4b1f973194

SHA512
1fd7d3140bb2b7d12ffd09d52ab9040032d3c6a96fc855d99b351b44b6df5e1a57377db3b3e44870caea33b77b31ca9824b1f8bce6dda8ca5b740a7bc3273b0b

Download Submit
memory/756-182-0x000001E8BAEF0000-0x000001E8BAEF2000-memory.dmp

Filesize
8KB

Download
memory/756-181-0x000001E8BAEF0000-0x000001E8BAEF2000-memory.dmp

Filesize
8KB

Download
memory/756-177-0x00007FFAE21E0000-0x00007FFAE233C000-memory.dmp

Filesize
1.4MB

Download
memory/756-183-0x000001E8BAEF0000-0x000001E8BAEF2000-memory.dmp

Filesize
8KB

Download
memory/756-173-0x0000000000000000-mapping.dmp

Download
memory/2060-136-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-133-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-137-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-138-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-139-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-140-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-141-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-142-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-143-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-144-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-145-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-146-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-147-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-148-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-149-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-151-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-150-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-152-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-157-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/2060-158-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/2060-159-0x00007FFAEE845000-0x00007FFAEE846000-memory.dmp

Filesize
4KB

Download
memory/2060-160-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/2060-161-0x00007FFAEE980000-0x00007FFAEE982000-memory.dmp

Filesize
8KB

Download
memory/2060-195-0x0000000000540000-0x0000000000542000-memory.dmp

Filesize
8KB

Download
memory/2060-135-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-134-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-125-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2060-126-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-127-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-128-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-129-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-132-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-131-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2060-130-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3152-184-0x0000000000000000-mapping.dmp

Download
memory/3152-194-0x000001A15BAD0000-0x000001A15BAD2000-memory.dmp

Filesize
8KB

Download
memory/3152-192-0x000001A15BAD0000-0x000001A15BAD2000-memory.dmp

Filesize
8KB

Download
memory/3152-193-0x000001A15BAD0000-0x000001A15BAD2000-memory.dmp

Filesize
8KB

Download
memory/3152-188-0x00007FFAE2170000-0x00007FFAE22CB000-memory.dmp

Filesize
1.4MB

Download
memory/3564-124-0x00000000013F0000-0x00000000013F7000-memory.dmp

Filesize
28KB

Download
memory/3564-123-0x0000000001400000-0x0000000001402000-memory.dmp

Filesize
8KB

Download
memory/3564-122-0x0000000001400000-0x0000000001402000-memory.dmp

Filesize
8KB

Download
memory/3564-118-0x00007FFAE21E0000-0x00007FFAE233A000-memory.dmp

Filesize
1.4MB

Download
memory/4476-172-0x000001B834910000-0x000001B834912000-memory.dmp

Filesize
8KB

Download
memory/4476-162-0x0000000000000000-mapping.dmp

Download
memory/4476-166-0x00007FFAE0A30000-0x00007FFAE0B8C000-memory.dmp

Filesize
1.4MB

Download
memory/4476-170-0x000001B834910000-0x000001B834912000-memory.dmp

Filesize
8KB

Download
memory/4476-171-0x000001B834910000-0x000001B834912000-memory.dmp

Filesize
8KB

Download