dridex | 7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab

Analysis

max time kernel
152s
max time network
129s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab.dll
Size

1.4MB
MD5

915d143eb22a1278b9d2d56abe7d6fef
SHA1

32cb17ebd3a9da188a833c7f66f8018a3ad06b00
SHA256

7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab
SHA512

0c468fafedb26675d8c3d0dfaa30262f498b8c56b9d91f71e42b893e8e50aa5d05628cececb29285f773b4189edab83e659f8b3f736d8d3ab2aa8c48d7881d4e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2264-124-0x0000000001230000-0x0000000001231000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

FXSCOVER.exeosk.exePasswordOnWakeSettingFlyout.exe

pid process

936 FXSCOVER.exe
900 osk.exe
68 PasswordOnWakeSettingFlyout.exe
Loads dropped DLL 3 IoCs

Processes:

FXSCOVER.exeosk.exePasswordOnWakeSettingFlyout.exe

pid process

936 FXSCOVER.exe
900 osk.exe
68 PasswordOnWakeSettingFlyout.exe

pid	process
936	FXSCOVER.exe
900	osk.exe
68	PasswordOnWakeSettingFlyout.exe

pid	process
936	FXSCOVER.exe
900	osk.exe
68	PasswordOnWakeSettingFlyout.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\32TXx\\osk.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeFXSCOVER.exeosk.exePasswordOnWakeSettingFlyout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
2368	rundll32.exe
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264
2264

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeFXSCOVER.exeosk.exePasswordOnWakeSettingFlyout.exe

pid process

2368 rundll32.exe
2264
936 FXSCOVER.exe
900 osk.exe
68 PasswordOnWakeSettingFlyout.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2264 wrote to memory of 584	2264	FXSCOVER.exe
PID 2264 wrote to memory of 584	2264	FXSCOVER.exe
PID 2264 wrote to memory of 936	2264	FXSCOVER.exe
PID 2264 wrote to memory of 936	2264	FXSCOVER.exe
PID 2264 wrote to memory of 3216	2264	osk.exe
PID 2264 wrote to memory of 3216	2264	osk.exe
PID 2264 wrote to memory of 900	2264	osk.exe
PID 2264 wrote to memory of 900	2264	osk.exe
PID 2264 wrote to memory of 800	2264	PasswordOnWakeSettingFlyout.exe
PID 2264 wrote to memory of 800	2264	PasswordOnWakeSettingFlyout.exe
PID 2264 wrote to memory of 68	2264	PasswordOnWakeSettingFlyout.exe
PID 2264 wrote to memory of 68	2264	PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2368

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:584

C:\Users\Admin\AppData\Local\5KfGj\FXSCOVER.exe
C:\Users\Admin\AppData\Local\5KfGj\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:936

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:3216

C:\Users\Admin\AppData\Local\970\osk.exe
C:\Users\Admin\AppData\Local\970\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:900

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:800

C:\Users\Admin\AppData\Local\iSjY5u0D\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\iSjY5u0D\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:68

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5KfGj\FXSCOVER.exe
MD5
fd8a15f70619a553acd265264c3e435d

SHA1
394f6a1db57b502eb5196d9276d1c00afc791663

SHA256
b9eec80e92a71b7405db190ac0d1fc177ba3d1f97411c43328a340d30a9d71a4

SHA512
af30027401e97a69aa57847c00c73ccafd4113e58349efd9addf5e7c3a5809f5ff35430d181844c5acd0abba947ff9acb450ff3e0383ef7c187bd9b7808a8799

Download Submit
C:\Users\Admin\AppData\Local\5KfGj\MFC42u.dll
MD5
06c1191da436f235c2c72c9b486706aa

SHA1
b349b698fb510590386cef3b2c2b3f4b5f952522

SHA256
fcf88360b88e5ea94133539b8998025154ce34fdc21a7c47f7029b47f6d23d05

SHA512
dfea0b14f2e73872e16ee6b3686382b58c0acc4ad82589b739ef7ac527ccd16f79d3081b74ecd7ef0676e811c2ce66f07ab26f9dce772064c7713bc4e9e79f94

Download Submit
C:\Users\Admin\AppData\Local\970\OLEACC.dll
MD5
eead6a5f7740355f3fd816052b41e421

SHA1
3f03b3fd2ccd6d4fd0f69676a82b695a2e6742bc

SHA256
3af528d8f595f9288708ac128cfdfe53e8ad60f6a291f115d90d509a972b9080

SHA512
1c268f6a7e2a05ee7b3471f5eadfb93eb479efda01c78ea3cdf99c5e3fe52a5a2cc09f6d6ab905a53734d50e40ca432887a44ec0587d6dd8cb05986946250b4e

Download Submit
C:\Users\Admin\AppData\Local\970\osk.exe
MD5
4a614350289f2f92c6d7c5caccc09eff

SHA1
55e6807f31f66120e4798e37a8fb26e583ce1c81

SHA256
f259aa7bfb7f18f981d0a08888942f5027766cdcf4d4d60d2540d5eda048fd68

SHA512
ddf8fdc5b186ab9a15fa15310356d48cfbe1948fda0f0e624b1a429be11f406e5e3ce1924f48bbb9a9d14ede34a20c55c3e88f1f640e9d7d21f39bfad3c21dfc

Download Submit
C:\Users\Admin\AppData\Local\iSjY5u0D\PasswordOnWakeSettingFlyout.exe
MD5
a81fed73da02db15df427da1cd5f4141

SHA1
f831fc6377a6264be621e23635f22b437129b2ce

SHA256
1afed5b9302a4a4669ac7f966b7cf9fcaab037e94a0b3cabea3631055c97d3a5

SHA512
3c4541160f0f69d1c3a9dc4e67643864493eadb0450426f7f323d87fa7b0c81d96ef2201d33b3421a307171274615e90d4ee8bd07107ff4f75beedec0a2bf156

Download Submit
C:\Users\Admin\AppData\Local\iSjY5u0D\UxTheme.dll
MD5
1f4ccca6fdcb04dfaf491956d84ec66e

SHA1
cc116113492a5cc8c084de03f99f4aec12b47368

SHA256
acf04d7e9ae7f39c488fa89c3db1ef8c761508e27a6a03b6008623bff4ac7c7b

SHA512
c8946a9b044e30e118f773967fdc6fe11d023e993e5642637d132024cc277e9c883900e1a4f36ab5370e795fb0d9ff301d01880c0f11709bb8a28e540a186095

Download Submit
\Users\Admin\AppData\Local\5KfGj\MFC42u.dll
MD5
06c1191da436f235c2c72c9b486706aa

SHA1
b349b698fb510590386cef3b2c2b3f4b5f952522

SHA256
fcf88360b88e5ea94133539b8998025154ce34fdc21a7c47f7029b47f6d23d05

SHA512
dfea0b14f2e73872e16ee6b3686382b58c0acc4ad82589b739ef7ac527ccd16f79d3081b74ecd7ef0676e811c2ce66f07ab26f9dce772064c7713bc4e9e79f94

Download Submit
\Users\Admin\AppData\Local\970\OLEACC.dll
MD5
eead6a5f7740355f3fd816052b41e421

SHA1
3f03b3fd2ccd6d4fd0f69676a82b695a2e6742bc

SHA256
3af528d8f595f9288708ac128cfdfe53e8ad60f6a291f115d90d509a972b9080

SHA512
1c268f6a7e2a05ee7b3471f5eadfb93eb479efda01c78ea3cdf99c5e3fe52a5a2cc09f6d6ab905a53734d50e40ca432887a44ec0587d6dd8cb05986946250b4e

Download Submit
\Users\Admin\AppData\Local\iSjY5u0D\UxTheme.dll
MD5
1f4ccca6fdcb04dfaf491956d84ec66e

SHA1
cc116113492a5cc8c084de03f99f4aec12b47368

SHA256
acf04d7e9ae7f39c488fa89c3db1ef8c761508e27a6a03b6008623bff4ac7c7b

SHA512
c8946a9b044e30e118f773967fdc6fe11d023e993e5642637d132024cc277e9c883900e1a4f36ab5370e795fb0d9ff301d01880c0f11709bb8a28e540a186095

Download Submit
memory/68-181-0x0000011BE3630000-0x0000011BE3632000-memory.dmp

Filesize
8KB

Download
memory/68-174-0x0000000000000000-mapping.dmp

Download
memory/68-182-0x0000011BE3630000-0x0000011BE3632000-memory.dmp

Filesize
8KB

Download
memory/68-183-0x0000011BE3630000-0x0000011BE3632000-memory.dmp

Filesize
8KB

Download
memory/900-171-0x000001F9AD890000-0x000001F9AD892000-memory.dmp

Filesize
8KB

Download
memory/900-168-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/900-164-0x0000000000000000-mapping.dmp

Download
memory/900-172-0x000001F9AD890000-0x000001F9AD892000-memory.dmp

Filesize
8KB

Download
memory/900-173-0x000001F9AD890000-0x000001F9AD892000-memory.dmp

Filesize
8KB

Download
memory/936-163-0x0000026CF52E0000-0x0000026CF52E2000-memory.dmp

Filesize
8KB

Download
memory/936-162-0x0000026CF52E0000-0x0000026CF52E2000-memory.dmp

Filesize
8KB

Download
memory/936-161-0x0000026CF52E0000-0x0000026CF52E2000-memory.dmp

Filesize
8KB

Download
memory/936-158-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/936-154-0x0000000000000000-mapping.dmp

Download
memory/2264-133-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-134-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-150-0x0000000001280000-0x0000000001282000-memory.dmp

Filesize
8KB

Download
memory/2264-151-0x00007FFB2A145000-0x00007FFB2A146000-memory.dmp

Filesize
4KB

Download
memory/2264-152-0x0000000001280000-0x0000000001282000-memory.dmp

Filesize
8KB

Download
memory/2264-153-0x00007FFB2A090000-0x00007FFB2A0A0000-memory.dmp

Filesize
64KB

Download
memory/2264-143-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-142-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-141-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-140-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-139-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-138-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-137-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-136-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-135-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-149-0x0000000001280000-0x0000000001282000-memory.dmp

Filesize
8KB

Download
memory/2264-124-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2264-132-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-131-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-130-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-129-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-128-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-127-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-125-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2264-126-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2368-118-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2368-123-0x000002497CDC0000-0x000002497CDC7000-memory.dmp

Filesize
28KB

Download
memory/2368-122-0x000002497CDD0000-0x000002497CDD2000-memory.dmp

Filesize
8KB

Download
memory/2368-121-0x000002497CDD0000-0x000002497CDD2000-memory.dmp

Filesize
8KB

Download