dridex | 114957fd7fb9c6830b6da37b828ad27a8c8a61f01abb6f52424ca1c5da9f523f

Analysis

max time kernel
154s
max time network
139s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114957fd7fb9c6830b6da37b828ad27a8c8a61f01abb6f52424ca1c5da9f523f.dll
Size

1.3MB
MD5

4bcdeb39da135fecdcaad9f1a96c3186
SHA1

8432f49550f40d8da39ccbc9fdfaf6fc631def1f
SHA256

114957fd7fb9c6830b6da37b828ad27a8c8a61f01abb6f52424ca1c5da9f523f
SHA512

c2b8da83cf40228071c27de1592b81bf9ed622e9506ca9942e2f6409ef2d6ccb7cf655cf3eedc4089b8f91eaf470d2ebce1ac06bc5837b468f4f1d46d7124c2a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2800-121-0x0000000000A70000-0x0000000000A71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cmstp.exeEaseOfAccessDialog.exeDisplaySwitch.exe

pid process

676 cmstp.exe
2460 EaseOfAccessDialog.exe
724 DisplaySwitch.exe
Loads dropped DLL 4 IoCs

Processes:

cmstp.exeEaseOfAccessDialog.exeDisplaySwitch.exe

pid process

676 cmstp.exe
676 cmstp.exe
2460 EaseOfAccessDialog.exe
724 DisplaySwitch.exe

pid	process
676	cmstp.exe
2460	EaseOfAccessDialog.exe
724	DisplaySwitch.exe

pid	process
676	cmstp.exe
676	cmstp.exe
2460	EaseOfAccessDialog.exe
724	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-941723256-3451054534-3089625102-1000\\ubN6mcutg\\EaseOfAccessDialog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execmstp.exeEaseOfAccessDialog.exeDisplaySwitch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800
2800

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.execmstp.exeEaseOfAccessDialog.exeDisplaySwitch.exe

pid process

2288 rundll32.exe
2800
676 cmstp.exe
2460 EaseOfAccessDialog.exe
724 DisplaySwitch.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2800 wrote to memory of 1240	2800	cmstp.exe
PID 2800 wrote to memory of 1240	2800	cmstp.exe
PID 2800 wrote to memory of 676	2800	cmstp.exe
PID 2800 wrote to memory of 676	2800	cmstp.exe
PID 2800 wrote to memory of 2704	2800	EaseOfAccessDialog.exe
PID 2800 wrote to memory of 2704	2800	EaseOfAccessDialog.exe
PID 2800 wrote to memory of 2460	2800	EaseOfAccessDialog.exe
PID 2800 wrote to memory of 2460	2800	EaseOfAccessDialog.exe
PID 2800 wrote to memory of 2336	2800	DisplaySwitch.exe
PID 2800 wrote to memory of 2336	2800	DisplaySwitch.exe
PID 2800 wrote to memory of 724	2800	DisplaySwitch.exe
PID 2800 wrote to memory of 724	2800	DisplaySwitch.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\114957fd7fb9c6830b6da37b828ad27a8c8a61f01abb6f52424ca1c5da9f523f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2288

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1240

C:\Users\Admin\AppData\Local\iSlh\cmstp.exe
C:\Users\Admin\AppData\Local\iSlh\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:676

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:2704

C:\Users\Admin\AppData\Local\S73k5Uonz\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\S73k5Uonz\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2460

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:2336

C:\Users\Admin\AppData\Local\ZgjX\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\ZgjX\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\S73k5Uonz\EaseOfAccessDialog.exe
MD5
7eea1db3812b97249530920bb6984f1b

SHA1
64a217bb388459aee06f2e838404f5136faaee4d

SHA256
45d3a9f983aa6307ecba03bd5c8fe1dcaa510753178c8a126b55c565b7cf01c5

SHA512
911d60bb9780b9dda5e7f5cdc791d2c90fc161504d24a6d66a5f3c78dc3c2d30b5222247d4372486ba3c784a53a09a67c953aad7410e9a53c58fd49298bf421d

Download Submit
C:\Users\Admin\AppData\Local\S73k5Uonz\OLEACC.dll
MD5
81fe2d8ea1eece125026abdced7bd848

SHA1
6f181227ecc799884b550efaed9063a5e89a5b22

SHA256
ec7c19319fb6edcdac01edd9860c61be4e5bb1ed1a9cc9661f8674a658975968

SHA512
00e2179fe1399125e9a4acbcaa3e519519b66e3029094ccfa06c59ad4ed963de24df96eafae4a2c57e7efa781d251feec8dc97ca1de70ed836ea970eb3e3fd13

Download Submit
C:\Users\Admin\AppData\Local\ZgjX\DisplaySwitch.exe
MD5
9e139d8cdf910f624c4cb0a63cbab22d

SHA1
14b7259a609fddb0c561e1154dac638fa0db06b3

SHA256
3374874744179d8f880791ff4373736d9bb93ae3275be6ff26b296b4d8b9619c

SHA512
d2c7521cc65c92da10a337303f5902560f3dc30ba0dfb959196337d4dcbc13a2ef69de7e7cfdc5e983affc3fc6938a485ef8ead0cf1c485aa0893c667fe08357

Download Submit
C:\Users\Admin\AppData\Local\ZgjX\UxTheme.dll
MD5
83553c9df5a93cc8a4f6cf3c82a2f11e

SHA1
f1143c0791ccd126e1e76afdbe7782a4c93c67a9

SHA256
0d5305f18f2e3b8cd76969d0095b1a06dd8b0d047dd0c6403b7bce9619ace2f1

SHA512
3a8aa97d7581f5da2caea3c440d7157f6a30aa2903480ced0b374fca7a6c3c4c117e540f5c40230ec8d07ad9b2b8ffd83e7e2f1dc22e179728061f6b3bed1d7d

Download Submit
C:\Users\Admin\AppData\Local\iSlh\VERSION.dll
MD5
98defe5b83ef4303151149c36291387f

SHA1
127017a6f16521b67de98722444ba69e03429396

SHA256
f3cb787663e61c9cfe6042851d3a3f6f50e4c9ba1a40697e063a1c68fc3e9fbc

SHA512
5ed1b329a9a4e65c9c3c30b4704c7fab615c2583fcf6e144b9002691b796cf518b63dde1ea9b77a29010824a68b27707d0522201c1e23d74024ba0a7d6137332

Download Submit
C:\Users\Admin\AppData\Local\iSlh\cmstp.exe
MD5
1474ec07a09879ee8637fae8bcb9fbb7

SHA1
ddf0885d51430a4d51a908065a2cf66b95cb90a0

SHA256
bccd3610cd2b5ef1a7f1b224a5c68f97da484200bb525423659e51283d22d3e7

SHA512
c6959f44b8a77399507a563c3094f9646d5feda36d221e34db1e61da7148e1fd13f7d1a7befeb0617015f06005547f477ff26130e1b55f4130a0205bb1e51369

Download Submit
\Users\Admin\AppData\Local\S73k5Uonz\OLEACC.dll
MD5
81fe2d8ea1eece125026abdced7bd848

SHA1
6f181227ecc799884b550efaed9063a5e89a5b22

SHA256
ec7c19319fb6edcdac01edd9860c61be4e5bb1ed1a9cc9661f8674a658975968

SHA512
00e2179fe1399125e9a4acbcaa3e519519b66e3029094ccfa06c59ad4ed963de24df96eafae4a2c57e7efa781d251feec8dc97ca1de70ed836ea970eb3e3fd13

Download Submit
\Users\Admin\AppData\Local\ZgjX\UxTheme.dll
MD5
83553c9df5a93cc8a4f6cf3c82a2f11e

SHA1
f1143c0791ccd126e1e76afdbe7782a4c93c67a9

SHA256
0d5305f18f2e3b8cd76969d0095b1a06dd8b0d047dd0c6403b7bce9619ace2f1

SHA512
3a8aa97d7581f5da2caea3c440d7157f6a30aa2903480ced0b374fca7a6c3c4c117e540f5c40230ec8d07ad9b2b8ffd83e7e2f1dc22e179728061f6b3bed1d7d

Download Submit
\Users\Admin\AppData\Local\iSlh\VERSION.dll
MD5
98defe5b83ef4303151149c36291387f

SHA1
127017a6f16521b67de98722444ba69e03429396

SHA256
f3cb787663e61c9cfe6042851d3a3f6f50e4c9ba1a40697e063a1c68fc3e9fbc

SHA512
5ed1b329a9a4e65c9c3c30b4704c7fab615c2583fcf6e144b9002691b796cf518b63dde1ea9b77a29010824a68b27707d0522201c1e23d74024ba0a7d6137332

Download Submit
\Users\Admin\AppData\Local\iSlh\VERSION.dll
MD5
98defe5b83ef4303151149c36291387f

SHA1
127017a6f16521b67de98722444ba69e03429396

SHA256
f3cb787663e61c9cfe6042851d3a3f6f50e4c9ba1a40697e063a1c68fc3e9fbc

SHA512
5ed1b329a9a4e65c9c3c30b4704c7fab615c2583fcf6e144b9002691b796cf518b63dde1ea9b77a29010824a68b27707d0522201c1e23d74024ba0a7d6137332

Download Submit
memory/676-159-0x000001F125340000-0x000001F125342000-memory.dmp

Filesize
8KB

Download
memory/676-155-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/676-158-0x000001F125340000-0x000001F125342000-memory.dmp

Filesize
8KB

Download
memory/676-150-0x0000000000000000-mapping.dmp

Download
memory/676-161-0x000001F125290000-0x000001F1253E9000-memory.dmp

Filesize
1.3MB

Download
memory/676-160-0x000001F125340000-0x000001F125342000-memory.dmp

Filesize
8KB

Download
memory/724-179-0x000001F90CA00000-0x000001F90CA02000-memory.dmp

Filesize
8KB

Download
memory/724-180-0x000001F90CA00000-0x000001F90CA02000-memory.dmp

Filesize
8KB

Download
memory/724-172-0x0000000000000000-mapping.dmp

Download
memory/724-181-0x000001F90CA00000-0x000001F90CA02000-memory.dmp

Filesize
8KB

Download
memory/2288-115-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2288-120-0x00000282E5840000-0x00000282E5847000-memory.dmp

Filesize
28KB

Download
memory/2288-119-0x00000282E5850000-0x00000282E5852000-memory.dmp

Filesize
8KB

Download
memory/2288-118-0x00000282E5850000-0x00000282E5852000-memory.dmp

Filesize
8KB

Download
memory/2460-162-0x0000000000000000-mapping.dmp

Download
memory/2460-170-0x000001E086E20000-0x000001E086E22000-memory.dmp

Filesize
8KB

Download
memory/2460-169-0x000001E086E20000-0x000001E086E22000-memory.dmp

Filesize
8KB

Download
memory/2460-171-0x000001E086E20000-0x000001E086E22000-memory.dmp

Filesize
8KB

Download
memory/2800-130-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-149-0x00007FF8AEB80000-0x00007FF8AEB82000-memory.dmp

Filesize
8KB

Download
memory/2800-148-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download
memory/2800-147-0x00007FF8AEA45000-0x00007FF8AEA46000-memory.dmp

Filesize
4KB

Download
memory/2800-146-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download
memory/2800-145-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download
memory/2800-139-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-138-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-137-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-136-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-135-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-134-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-133-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-132-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-131-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-129-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-128-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-127-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-126-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-125-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-122-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-124-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-123-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2800-121-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2800-182-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download