dridex | 96de5810e971a8db608ef7932e4fe14a7fd9c48cf630df5b46f75ab9d60cedaf

Analysis

max time kernel
153s
max time network
125s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96de5810e971a8db608ef7932e4fe14a7fd9c48cf630df5b46f75ab9d60cedaf.dll
Size

1.4MB
MD5

310ff2d4c32854b9bdbcc78fbcb58bcc
SHA1

b85029ce9032492b65d29e10e8686b17b23eda8b
SHA256

96de5810e971a8db608ef7932e4fe14a7fd9c48cf630df5b46f75ab9d60cedaf
SHA512

8d755fd88063723b3dffbe35d997b9fffe8768e4d9e631da2175c36944704d11ccdda04211a14bb84f2b86a40a97d15272fcbef1c233d3e13cb9a55d3a199667

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-60-0x0000000002C00000-0x0000000002C01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

FXSCOVER.exewbengine.exewscript.exe

pid process

1660 FXSCOVER.exe
1812 wbengine.exe
948 wscript.exe
Loads dropped DLL 8 IoCs

Processes:

FXSCOVER.exewbengine.exewscript.exe

pid process

1204
1660 FXSCOVER.exe
1204
1812 wbengine.exe
1204
1204
948 wscript.exe
1204

pid	process
1660	FXSCOVER.exe
1812	wbengine.exe
948	wscript.exe

pid	process
1204
1660	FXSCOVER.exe
1204
1812	wbengine.exe
1204
1204
948	wscript.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\XngMk\\wbengine.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeFXSCOVER.exewbengine.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeFXSCOVER.exe

pid	process
672	rundll32.exe
672	rundll32.exe
672	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1660	FXSCOVER.exe
1660	FXSCOVER.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204

pid	process
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 1692	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1692	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1692	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1660	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1660	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1660	1204	FXSCOVER.exe
PID 1204 wrote to memory of 1008	1204	wbengine.exe
PID 1204 wrote to memory of 1008	1204	wbengine.exe
PID 1204 wrote to memory of 1008	1204	wbengine.exe
PID 1204 wrote to memory of 1812	1204	wbengine.exe
PID 1204 wrote to memory of 1812	1204	wbengine.exe
PID 1204 wrote to memory of 1812	1204	wbengine.exe
PID 1204 wrote to memory of 572	1204	wscript.exe
PID 1204 wrote to memory of 572	1204	wscript.exe
PID 1204 wrote to memory of 572	1204	wscript.exe
PID 1204 wrote to memory of 948	1204	wscript.exe
PID 1204 wrote to memory of 948	1204	wscript.exe
PID 1204 wrote to memory of 948	1204	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96de5810e971a8db608ef7932e4fe14a7fd9c48cf630df5b46f75ab9d60cedaf.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1692

C:\Users\Admin\AppData\Local\jKEzP\FXSCOVER.exe
C:\Users\Admin\AppData\Local\jKEzP\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:1008

C:\Users\Admin\AppData\Local\TMgLdHn3B\wbengine.exe
C:\Users\Admin\AppData\Local\TMgLdHn3B\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1812

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:572

C:\Users\Admin\AppData\Local\NcOezW\wscript.exe
C:\Users\Admin\AppData\Local\NcOezW\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:948

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NcOezW\VERSION.dll
MD5
defa02727d8085d5adf1ed0f11b7491e

SHA1
34a99f5f9ef6db3e0ffcb4f2e7fa3d118f370776

SHA256
d20978c183de8723e85df975ed4e18907e9ed2f1aca694f420303500ecc55b19

SHA512
aa9c168cd5390da80876e5a299ee28455c444eda6b3df52b0911e29ca6150e50efbbda180074b0796e1d04a5f75f70e3644f2561d75b782593079a2f3176674f

Download Submit
C:\Users\Admin\AppData\Local\NcOezW\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\Users\Admin\AppData\Local\TMgLdHn3B\XmlLite.dll
MD5
c00cc273a4b010d2e16360acc593f1b9

SHA1
40ff5d644fd84124a81af3aa32f6380bc090db0e

SHA256
d2c0527407f28898259ab66bba55aebba424d37395f7d0f97d7f0b5ad2b538b1

SHA512
043f84c14aee7d82387383c87132052ec6e58db7b126787e363aa9da5878657d2ba62cf6d5e6479e5ee32562a7037669594af86ae37c31a61ca9692222a26496

Download Submit
C:\Users\Admin\AppData\Local\TMgLdHn3B\wbengine.exe
MD5
78f4e7f5c56cb9716238eb57da4b6a75

SHA1
98b0b9db6ec5961dbb274eff433a8bc21f7e557b

SHA256
46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

SHA512
1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

Download Submit
C:\Users\Admin\AppData\Local\jKEzP\FXSCOVER.exe
MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
C:\Users\Admin\AppData\Local\jKEzP\MFC42u.dll
MD5
831ac710e6ed38d1a1e73a718134e645

SHA1
a9ca0fa092a467d54a702d31ac3bd4158ba6cf01

SHA256
b4a6fde4e9d32eac29c9a5add1bbb65a27ce70b52e68a8aaac189518fbdb041e

SHA512
b095d2cdec2e22dcce0615ae52d9b0725823f197aba6299d3c103bfaec9f2834a0001e981a5d723465d62713b06e592a93136d3cc6cfc7ac873fe6ba547d677c

Download Submit
\Users\Admin\AppData\Local\NcOezW\VERSION.dll
MD5
defa02727d8085d5adf1ed0f11b7491e

SHA1
34a99f5f9ef6db3e0ffcb4f2e7fa3d118f370776

SHA256
d20978c183de8723e85df975ed4e18907e9ed2f1aca694f420303500ecc55b19

SHA512
aa9c168cd5390da80876e5a299ee28455c444eda6b3df52b0911e29ca6150e50efbbda180074b0796e1d04a5f75f70e3644f2561d75b782593079a2f3176674f

Download Submit
\Users\Admin\AppData\Local\NcOezW\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\NcOezW\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\TMgLdHn3B\XmlLite.dll
MD5
c00cc273a4b010d2e16360acc593f1b9

SHA1
40ff5d644fd84124a81af3aa32f6380bc090db0e

SHA256
d2c0527407f28898259ab66bba55aebba424d37395f7d0f97d7f0b5ad2b538b1

SHA512
043f84c14aee7d82387383c87132052ec6e58db7b126787e363aa9da5878657d2ba62cf6d5e6479e5ee32562a7037669594af86ae37c31a61ca9692222a26496

Download Submit
\Users\Admin\AppData\Local\TMgLdHn3B\wbengine.exe
MD5
78f4e7f5c56cb9716238eb57da4b6a75

SHA1
98b0b9db6ec5961dbb274eff433a8bc21f7e557b

SHA256
46a4e78ce5f2a4b26f4e9c3ff04a99d9b727a82ac2e390a82a1611c3f6e0c9af

SHA512
1a24ea71624dbbca188ee3b4812e09bc42e7d38ceac02b69940d7693475c792685a23141c8faa85a87ab6aace3f951c1a81facb610d757ac6df37cf2aa65ccd2

Download Submit
\Users\Admin\AppData\Local\jKEzP\FXSCOVER.exe
MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
\Users\Admin\AppData\Local\jKEzP\MFC42u.dll
MD5
831ac710e6ed38d1a1e73a718134e645

SHA1
a9ca0fa092a467d54a702d31ac3bd4158ba6cf01

SHA256
b4a6fde4e9d32eac29c9a5add1bbb65a27ce70b52e68a8aaac189518fbdb041e

SHA512
b095d2cdec2e22dcce0615ae52d9b0725823f197aba6299d3c103bfaec9f2834a0001e981a5d723465d62713b06e592a93136d3cc6cfc7ac873fe6ba547d677c

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\xQC4jL\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
memory/672-59-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/672-55-0x000007FEF6A30000-0x000007FEF6B8A000-memory.dmp

Filesize
1.4MB

Download
memory/948-115-0x0000000000000000-mapping.dmp

Download
memory/1204-83-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-72-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-77-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-78-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-79-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-80-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-86-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-85-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-84-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-75-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-82-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-81-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-87-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-92-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/1204-74-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-60-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/1204-73-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-76-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-71-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-68-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-67-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-66-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-69-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-65-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-70-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-61-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-62-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-64-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1204-63-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1660-100-0x000007FEF6A20000-0x000007FEF6B81000-memory.dmp

Filesize
1.4MB

Download
memory/1660-99-0x000000013FD21000-0x000000013FD23000-memory.dmp

Filesize
8KB

Download
memory/1660-98-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download
memory/1660-94-0x0000000000000000-mapping.dmp

Download
memory/1812-109-0x000007FEF6A30000-0x000007FEF6B8B000-memory.dmp

Filesize
1.4MB

Download
memory/1812-105-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads