dridex | 3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e

Analysis

max time kernel
151s
max time network
121s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e.dll
Size

1.4MB
MD5

d69796752faea68d9010a9671045e0b9
SHA1

1e24007994f3d530bbf2fb05ecd42e9c4b40a63e
SHA256

3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e
SHA512

6f1715ec37f2c4a3a98f18ad9ef30a112b80a61e21a28bdd74d4e5bfbc33c168df2df1f8fb65b83ad045fbefb000c6ae9e60a26523f22e58cb408e70d558b9dc

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1340-60-0x00000000026D0000-0x00000000026D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wextract.exejavaws.exemstsc.exe

pid process

1248 wextract.exe
1168 javaws.exe
2012 mstsc.exe
Loads dropped DLL 7 IoCs

Processes:

wextract.exejavaws.exemstsc.exe

pid process

1340
1248 wextract.exe
1340
1168 javaws.exe
1340
2012 mstsc.exe
1340

pid	process
1248	wextract.exe
1168	javaws.exe
2012	mstsc.exe

pid	process
1340
1248	wextract.exe
1340
1168	javaws.exe
1340
2012	mstsc.exe
1340

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\XWJF3M~1\\javaws.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewextract.exejavaws.exemstsc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewextract.exejavaws.exe

pid	process
1412	rundll32.exe
1412	rundll32.exe
1412	rundll32.exe
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1248	wextract.exe
1248	wextract.exe
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1168	javaws.exe
1168	javaws.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1340

pid	process
1340

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1340 wrote to memory of 972	1340	wextract.exe
PID 1340 wrote to memory of 972	1340	wextract.exe
PID 1340 wrote to memory of 972	1340	wextract.exe
PID 1340 wrote to memory of 1248	1340	wextract.exe
PID 1340 wrote to memory of 1248	1340	wextract.exe
PID 1340 wrote to memory of 1248	1340	wextract.exe
PID 1340 wrote to memory of 840	1340	javaws.exe
PID 1340 wrote to memory of 840	1340	javaws.exe
PID 1340 wrote to memory of 840	1340	javaws.exe
PID 1340 wrote to memory of 1168	1340	javaws.exe
PID 1340 wrote to memory of 1168	1340	javaws.exe
PID 1340 wrote to memory of 1168	1340	javaws.exe
PID 1340 wrote to memory of 1824	1340	mstsc.exe
PID 1340 wrote to memory of 1824	1340	mstsc.exe
PID 1340 wrote to memory of 1824	1340	mstsc.exe
PID 1340 wrote to memory of 2012	1340	mstsc.exe
PID 1340 wrote to memory of 2012	1340	mstsc.exe
PID 1340 wrote to memory of 2012	1340	mstsc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:972

C:\Users\Admin\AppData\Local\PUpSn\wextract.exe
C:\Users\Admin\AppData\Local\PUpSn\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:840

C:\Users\Admin\AppData\Local\bRipW\javaws.exe
C:\Users\Admin\AppData\Local\bRipW\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:1824

C:\Users\Admin\AppData\Local\l9Q\mstsc.exe
C:\Users\Admin\AppData\Local\l9Q\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PUpSn\VERSION.dll
MD5
73c6b6e5da7c41a3efe10b7c3dc1a1f7

SHA1
5225f501f439c6c1fdb91e46debc244b6a79793d

SHA256
9702cd444793cb1150f506f6d420b5cd9a162c135367b02d5d30edafac4b6eed

SHA512
15b471a4f0a8393b44c02214554abe87a7436baaeafd46968d0f0c878c8a58f9f5191bafe7ffcf2f48d63a683df960bf8f90cd6eeaef64e75af7799388cf54b4

Download Submit
C:\Users\Admin\AppData\Local\PUpSn\wextract.exe
MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
C:\Users\Admin\AppData\Local\bRipW\VERSION.dll
MD5
d3dd022fcc3b8dedddf654332a63ef2c

SHA1
f0551b26198b6c0a492283182f18ed073fc9bfdd

SHA256
55235a8db0cb45731a011a9611d12ce6e3d5178a2d3e93f673cefdc57b610191

SHA512
f7ee45ab4e8ce1ef8e2e1bb0ada8f6eab2cb45e360a4ce8416945849fa64eacb3098adb132ab128a9d5308ad90f9896d82c3075814479120e53eafa0c8497cd7

Download Submit
C:\Users\Admin\AppData\Local\bRipW\javaws.exe
MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
C:\Users\Admin\AppData\Local\l9Q\WINMM.dll
MD5
038ca7e124ab9884713f192a1160642d

SHA1
a79f9b04ab0e5220c101307836454af23850c79a

SHA256
fcb4ea2753f361780b28d5109deeb7b0ee0af4071ebe77e1363cdfa00c777b6d

SHA512
3e31f6712c50299f0d41442807ad75803a1c725aacfd0cb9e037890f25cd54b812f223e927ceee7cb5116413e574a8d8f7615b04c3372c7d680e5c0d510715c6

Download Submit
C:\Users\Admin\AppData\Local\l9Q\mstsc.exe
MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\Users\Admin\AppData\Local\PUpSn\VERSION.dll
MD5
73c6b6e5da7c41a3efe10b7c3dc1a1f7

SHA1
5225f501f439c6c1fdb91e46debc244b6a79793d

SHA256
9702cd444793cb1150f506f6d420b5cd9a162c135367b02d5d30edafac4b6eed

SHA512
15b471a4f0a8393b44c02214554abe87a7436baaeafd46968d0f0c878c8a58f9f5191bafe7ffcf2f48d63a683df960bf8f90cd6eeaef64e75af7799388cf54b4

Download Submit
\Users\Admin\AppData\Local\PUpSn\wextract.exe
MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
\Users\Admin\AppData\Local\bRipW\VERSION.dll
MD5
d3dd022fcc3b8dedddf654332a63ef2c

SHA1
f0551b26198b6c0a492283182f18ed073fc9bfdd

SHA256
55235a8db0cb45731a011a9611d12ce6e3d5178a2d3e93f673cefdc57b610191

SHA512
f7ee45ab4e8ce1ef8e2e1bb0ada8f6eab2cb45e360a4ce8416945849fa64eacb3098adb132ab128a9d5308ad90f9896d82c3075814479120e53eafa0c8497cd7

Download Submit
\Users\Admin\AppData\Local\bRipW\javaws.exe
MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
\Users\Admin\AppData\Local\l9Q\WINMM.dll
MD5
038ca7e124ab9884713f192a1160642d

SHA1
a79f9b04ab0e5220c101307836454af23850c79a

SHA256
fcb4ea2753f361780b28d5109deeb7b0ee0af4071ebe77e1363cdfa00c777b6d

SHA512
3e31f6712c50299f0d41442807ad75803a1c725aacfd0cb9e037890f25cd54b812f223e927ceee7cb5116413e574a8d8f7615b04c3372c7d680e5c0d510715c6

Download Submit
\Users\Admin\AppData\Local\l9Q\mstsc.exe
MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Q7NJb\mstsc.exe
MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
memory/1168-96-0x0000000000000000-mapping.dmp

Download
memory/1248-91-0x000007FEF6390000-0x000007FEF64EF000-memory.dmp

Filesize
1.4MB

Download
memory/1248-88-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp

Filesize
8KB

Download
memory/1248-86-0x0000000000000000-mapping.dmp

Download
memory/1340-68-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-70-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-74-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-73-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-69-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-84-0x0000000077200000-0x0000000077202000-memory.dmp

Filesize
8KB

Download
memory/1340-77-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-79-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-78-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-75-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-72-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-61-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-71-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-76-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-67-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-66-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-65-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-64-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-63-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1340-60-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1340-62-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/1412-55-0x000007FEF6390000-0x000007FEF64EE000-memory.dmp

Filesize
1.4MB

Download
memory/1412-59-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/2012-105-0x0000000000000000-mapping.dmp

Download
memory/2012-110-0x000007FEF6350000-0x000007FEF64B0000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads