dridex | 3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e

Analysis

max time kernel
152s
max time network
125s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e.dll
Size

1.4MB
MD5

d69796752faea68d9010a9671045e0b9
SHA1

1e24007994f3d530bbf2fb05ecd42e9c4b40a63e
SHA256

3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e
SHA512

6f1715ec37f2c4a3a98f18ad9ef30a112b80a61e21a28bdd74d4e5bfbc33c168df2df1f8fb65b83ad045fbefb000c6ae9e60a26523f22e58cb408e70d558b9dc

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2568-122-0x0000000001140000-0x0000000001141000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sppsvc.exemstsc.exeWFS.exe

pid process

1540 sppsvc.exe
1184 mstsc.exe
664 WFS.exe
Loads dropped DLL 3 IoCs

Processes:

sppsvc.exemstsc.exeWFS.exe

pid process

1540 sppsvc.exe
1184 mstsc.exe
664 WFS.exe

pid	process
1540	sppsvc.exe
1184	mstsc.exe
664	WFS.exe

pid	process
1540	sppsvc.exe
1184	mstsc.exe
664	WFS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\SJYMI4~1\\mstsc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WFS.exerundll32.exesppsvc.exemstsc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesppsvc.exe

pid	process
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
3396	rundll32.exe
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
1540	sppsvc.exe
1540	sppsvc.exe
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2568

pid	process
2568

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	target process
PID 2568 wrote to memory of 1540	2568	sppsvc.exe
PID 2568 wrote to memory of 1540	2568	sppsvc.exe
PID 2568 wrote to memory of 68	2568	mstsc.exe
PID 2568 wrote to memory of 68	2568	mstsc.exe
PID 2568 wrote to memory of 1184	2568	mstsc.exe
PID 2568 wrote to memory of 1184	2568	mstsc.exe
PID 2568 wrote to memory of 688	2568	WFS.exe
PID 2568 wrote to memory of 688	2568	WFS.exe
PID 2568 wrote to memory of 664	2568	WFS.exe
PID 2568 wrote to memory of 664	2568	WFS.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b855a23e994dea8c214afcbb01123d1317ec701166de6b77d8b3f0c1125698e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:3740

C:\Users\Admin\AppData\Local\iQ3nY9g\sppsvc.exe
C:\Users\Admin\AppData\Local\iQ3nY9g\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:68

C:\Users\Admin\AppData\Local\1mtfJSy\mstsc.exe
C:\Users\Admin\AppData\Local\1mtfJSy\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1184

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:688

C:\Users\Admin\AppData\Local\ktC7\WFS.exe
C:\Users\Admin\AppData\Local\ktC7\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1mtfJSy\WINMM.dll
MD5
b59974047f960976245670e9cdc30090

SHA1
bb33058f7a6e7c5fafc65058d12d9aeb4741bf51

SHA256
57a965400f639ceed09349c09ee44e12991e071b5d6d574f4b538a5acaae9194

SHA512
dc6a92244bc48dc30cd6425bbeb1e21920cd76ab3f81072cd073a14f55045a61d5eb50a67c34496924c294064875bcfc45e52a661bfb35dd0de203c2c7b7d378

Download Submit
C:\Users\Admin\AppData\Local\1mtfJSy\mstsc.exe
MD5
bcec91a53b9250c137f6d9c5263f9199

SHA1
a559f7d6986d1b907c8a22d7615d450a098f28a8

SHA256
9280b4fb09595491d8eee9ba451ef0fcfc467f5751cd00b7db9bd63636073472

SHA512
22756c628cf20ec0b4f306eb15aa19e953378782bf504ad8aaa61b7bde936e7f0613bf2838a051711f4c7a47a17f6ac2254ec88cbcd97bfc694e3878d88ba844

Download Submit
C:\Users\Admin\AppData\Local\iQ3nY9g\XmlLite.dll
MD5
af991dd07262f06e47d62aaaa1feedd0

SHA1
760ea693527b2c4c572f313b775dda86a8561975

SHA256
f7e3f29923f2a05fcb3146237c42c1fc9b9b9f2ccfa9816a5a21b4b92c27573f

SHA512
104ae5c0b0356d3809fdd8148f666346bf9ecfa8b306689f0a5ca7057758c4f2ea804d38642839933f9580805994cd6b731f231b81831cc17b23a9d05b81400b

Download Submit
C:\Users\Admin\AppData\Local\iQ3nY9g\sppsvc.exe
MD5
e910861720de6edfb5cc6158ce3c7e17

SHA1
9b5b7c08da7cf36ca302c6e57cbc8bcfa5a69a9d

SHA256
526ba8eeb9ee5312fec39753d728e05f49ad81132346a354c95d4d4938001e2b

SHA512
e2a34b7e37781072494685ddab68bdb711910ae29f2ee9e05ec514442956047fb5b58ee8606110db48029f40990857184256c53f48910e8e050269f2a7aa0435

Download Submit
C:\Users\Admin\AppData\Local\ktC7\MFC42u.dll
MD5
4cd437296f329ca2e6faabb6b2091df8

SHA1
9134c90937f9bcf8110e1f1eb0ac391094a32e30

SHA256
06570e6e2304d6783bdbb996704631aeceab4dd9f98ae3e78b9b1448a99dc654

SHA512
15b1028468fdfcb098029ef6c644c280bb1476babc7f0c82b37761a3ff40422dfabf17bddf7ca753988a87917b72f0f52bce3692f7f6cf83950172161fbc1b30

Download Submit
C:\Users\Admin\AppData\Local\ktC7\WFS.exe
MD5
f5c1b5e7334f4a7fa393cc68f16eab93

SHA1
d17180a8f7be23ebdf04162a8c66a9c3bb18d9c1

SHA256
68b593b074f7501cee6a7af0d006a611f413a0d4f22b43c041fcec3815112208

SHA512
3656d43322e9ed1da68ff58deeb458c3633c693b1e9b79fc7c557166db6af8cb7d155341742510cf803aeb985dd825c64ecfaa7eda7ccf0952dcb06249a92fc0

Download Submit
\Users\Admin\AppData\Local\1mtfJSy\WINMM.dll
MD5
b59974047f960976245670e9cdc30090

SHA1
bb33058f7a6e7c5fafc65058d12d9aeb4741bf51

SHA256
57a965400f639ceed09349c09ee44e12991e071b5d6d574f4b538a5acaae9194

SHA512
dc6a92244bc48dc30cd6425bbeb1e21920cd76ab3f81072cd073a14f55045a61d5eb50a67c34496924c294064875bcfc45e52a661bfb35dd0de203c2c7b7d378

Download Submit
\Users\Admin\AppData\Local\iQ3nY9g\XmlLite.dll
MD5
af991dd07262f06e47d62aaaa1feedd0

SHA1
760ea693527b2c4c572f313b775dda86a8561975

SHA256
f7e3f29923f2a05fcb3146237c42c1fc9b9b9f2ccfa9816a5a21b4b92c27573f

SHA512
104ae5c0b0356d3809fdd8148f666346bf9ecfa8b306689f0a5ca7057758c4f2ea804d38642839933f9580805994cd6b731f231b81831cc17b23a9d05b81400b

Download Submit
\Users\Admin\AppData\Local\ktC7\MFC42u.dll
MD5
4cd437296f329ca2e6faabb6b2091df8

SHA1
9134c90937f9bcf8110e1f1eb0ac391094a32e30

SHA256
06570e6e2304d6783bdbb996704631aeceab4dd9f98ae3e78b9b1448a99dc654

SHA512
15b1028468fdfcb098029ef6c644c280bb1476babc7f0c82b37761a3ff40422dfabf17bddf7ca753988a87917b72f0f52bce3692f7f6cf83950172161fbc1b30

Download Submit
memory/664-181-0x0000000000000000-mapping.dmp

Download
memory/664-188-0x00007FF908280000-0x00007FF9083E5000-memory.dmp

Filesize
1.4MB

Download
memory/1184-166-0x00007FF9159E0000-0x00007FF915B40000-memory.dmp

Filesize
1.4MB

Download
memory/1184-170-0x0000028061D70000-0x0000028061D72000-memory.dmp

Filesize
8KB

Download
memory/1184-172-0x0000028061D70000-0x0000028061D72000-memory.dmp

Filesize
8KB

Download
memory/1184-162-0x0000000000000000-mapping.dmp

Download
memory/1184-171-0x0000028061D70000-0x0000028061D72000-memory.dmp

Filesize
8KB

Download
memory/1540-161-0x000001727BA60000-0x000001727BA62000-memory.dmp

Filesize
8KB

Download
memory/1540-160-0x000001727BA60000-0x000001727BA62000-memory.dmp

Filesize
8KB

Download
memory/1540-159-0x000001727BA60000-0x000001727BA62000-memory.dmp

Filesize
8KB

Download
memory/1540-155-0x00007FF9159E0000-0x00007FF915B3F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-151-0x0000000000000000-mapping.dmp

Download
memory/2568-130-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-132-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-141-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-147-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/2568-146-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/2568-149-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/2568-148-0x00007FF9237C5000-0x00007FF9237C6000-memory.dmp

Filesize
4KB

Download
memory/2568-150-0x00007FF923710000-0x00007FF923720000-memory.dmp

Filesize
64KB

Download
memory/2568-139-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-138-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-137-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-136-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-135-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-134-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-133-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-140-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-131-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-122-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/2568-129-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-128-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-127-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-126-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-125-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-124-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/2568-173-0x0000000001150000-0x0000000001152000-memory.dmp

Filesize
8KB

Download
memory/2568-123-0x0000000140000000-0x000000014015E000-memory.dmp

Filesize
1.4MB

Download
memory/3396-115-0x00007FF9159E0000-0x00007FF915B3E000-memory.dmp

Filesize
1.4MB

Download
memory/3396-121-0x000001E6D10A0000-0x000001E6D10A7000-memory.dmp

Filesize
28KB

Download
memory/3396-119-0x000001E6D10B0000-0x000001E6D10B2000-memory.dmp

Filesize
8KB

Download
memory/3396-120-0x000001E6D10B0000-0x000001E6D10B2000-memory.dmp

Filesize
8KB

Download