dridex | 494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3.dll
Size

1.4MB
MD5

aec8754bce47765e6d1ff6641449f71b
SHA1

00de05368600c975e06c625974489e683177e331
SHA256

494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3
SHA512

189971741bb1933c3c306bc423ad2d252bbefe00cc272c9733253afacd8eceb9f0a7efb37d9a742df85df6093b6d4be31475f993972c91fe5d02586063264c84

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1248-59-0x00000000029E0000-0x00000000029E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

irftp.exeBitLockerWizardElev.exeComputerDefaults.exe

pid process

1332 irftp.exe
972 BitLockerWizardElev.exe
1568 ComputerDefaults.exe
Loads dropped DLL 7 IoCs

Processes:

irftp.exeBitLockerWizardElev.exeComputerDefaults.exe

pid process

1248
1332 irftp.exe
1248
972 BitLockerWizardElev.exe
1248
1568 ComputerDefaults.exe
1248

pid	process
1332	irftp.exe
972	BitLockerWizardElev.exe
1568	ComputerDefaults.exe

pid	process
1248
1332	irftp.exe
1248
972	BitLockerWizardElev.exe
1248
1568	ComputerDefaults.exe
1248

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\sPcDz\\BitLockerWizardElev.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

irftp.exeBitLockerWizardElev.exeComputerDefaults.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeirftp.exeBitLockerWizardElev.exeComputerDefaults.exe

pid process

1664 rundll32.exe
1248
1332 irftp.exe
972 BitLockerWizardElev.exe
1568 ComputerDefaults.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1248 wrote to memory of 1152	1248	irftp.exe
PID 1248 wrote to memory of 1152	1248	irftp.exe
PID 1248 wrote to memory of 1152	1248	irftp.exe
PID 1248 wrote to memory of 1332	1248	irftp.exe
PID 1248 wrote to memory of 1332	1248	irftp.exe
PID 1248 wrote to memory of 1332	1248	irftp.exe
PID 1248 wrote to memory of 1748	1248	BitLockerWizardElev.exe
PID 1248 wrote to memory of 1748	1248	BitLockerWizardElev.exe
PID 1248 wrote to memory of 1748	1248	BitLockerWizardElev.exe
PID 1248 wrote to memory of 972	1248	BitLockerWizardElev.exe
PID 1248 wrote to memory of 972	1248	BitLockerWizardElev.exe
PID 1248 wrote to memory of 972	1248	BitLockerWizardElev.exe
PID 1248 wrote to memory of 1552	1248	ComputerDefaults.exe
PID 1248 wrote to memory of 1552	1248	ComputerDefaults.exe
PID 1248 wrote to memory of 1552	1248	ComputerDefaults.exe
PID 1248 wrote to memory of 1568	1248	ComputerDefaults.exe
PID 1248 wrote to memory of 1568	1248	ComputerDefaults.exe
PID 1248 wrote to memory of 1568	1248	ComputerDefaults.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\494d90eeeb3acbdcf85d81839a17e2cf4843713b12fa03fe3ebaaff3711807b3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1664

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:1152

C:\Users\Admin\AppData\Local\2cswv\irftp.exe
C:\Users\Admin\AppData\Local\2cswv\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1332

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:1748

C:\Users\Admin\AppData\Local\GfGlaj8\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\GfGlaj8\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:972

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:1552

C:\Users\Admin\AppData\Local\qlks\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\qlks\ComputerDefaults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1568

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2cswv\MFC42u.dll
MD5
282d13cbcdd400d91b8d928b607415a9

SHA1
e8073b0d717ce76f597ab67481339cd752db81fb

SHA256
ec51a0f06e1bd3ea0b92b74585ec06bda8a45a0685014c3dc1549432fe295fd4

SHA512
fd1dc0513a4aa58b65e8e43503f69ce403760055a46c0933dd17d23477ec06c3802b5b5908ad124aba070095756cb3f82b7b0599d95c2062e7d8be9fa5f7a398

Download Submit
C:\Users\Admin\AppData\Local\2cswv\irftp.exe
MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
C:\Users\Admin\AppData\Local\GfGlaj8\BitLockerWizardElev.exe
MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
C:\Users\Admin\AppData\Local\GfGlaj8\FVEWIZ.dll
MD5
87cea42c67f8211bc6f33b1515666544

SHA1
1e8f062a3337ed1f0c463aecc24c225586eba77c

SHA256
6f12746a4b923258b7d78061a5d1a81a80db6d05abd08a84a1d8b6b4ae3c82f5

SHA512
b5e64eba481595fc47d1f0d984ebfd648d2fb35b428d72da5baffd852782d59a5b3f03e59820e83d3bfe8e02aaffeadb34ea77364ac74b1c75a1700a4fa9a1ef

Download Submit
C:\Users\Admin\AppData\Local\qlks\ComputerDefaults.exe
MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
C:\Users\Admin\AppData\Local\qlks\appwiz.cpl
MD5
a7b4e8cc8b8ffe4eb3589cef39e8e42a

SHA1
433322bd6c4f4adf1d38b6b72ff359d6acf3fa1d

SHA256
6a9ae6b9777cfe5842e731b223a32c12769cbd4df1a96cb5044baaf116d2d723

SHA512
1276fbb1b65be8880504fb75d8a8e59d8a5fbc737ffb70d385b586092b3f40632ec9a12c6ed05dc984b597f6d14fe0e86f3fa061fb748b930a6dece9c96e6e03

Download Submit
\Users\Admin\AppData\Local\2cswv\MFC42u.dll
MD5
282d13cbcdd400d91b8d928b607415a9

SHA1
e8073b0d717ce76f597ab67481339cd752db81fb

SHA256
ec51a0f06e1bd3ea0b92b74585ec06bda8a45a0685014c3dc1549432fe295fd4

SHA512
fd1dc0513a4aa58b65e8e43503f69ce403760055a46c0933dd17d23477ec06c3802b5b5908ad124aba070095756cb3f82b7b0599d95c2062e7d8be9fa5f7a398

Download Submit
\Users\Admin\AppData\Local\2cswv\irftp.exe
MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\GfGlaj8\BitLockerWizardElev.exe
MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\GfGlaj8\FVEWIZ.dll
MD5
87cea42c67f8211bc6f33b1515666544

SHA1
1e8f062a3337ed1f0c463aecc24c225586eba77c

SHA256
6f12746a4b923258b7d78061a5d1a81a80db6d05abd08a84a1d8b6b4ae3c82f5

SHA512
b5e64eba481595fc47d1f0d984ebfd648d2fb35b428d72da5baffd852782d59a5b3f03e59820e83d3bfe8e02aaffeadb34ea77364ac74b1c75a1700a4fa9a1ef

Download Submit
\Users\Admin\AppData\Local\qlks\ComputerDefaults.exe
MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
\Users\Admin\AppData\Local\qlks\appwiz.cpl
MD5
a7b4e8cc8b8ffe4eb3589cef39e8e42a

SHA1
433322bd6c4f4adf1d38b6b72ff359d6acf3fa1d

SHA256
6a9ae6b9777cfe5842e731b223a32c12769cbd4df1a96cb5044baaf116d2d723

SHA512
1276fbb1b65be8880504fb75d8a8e59d8a5fbc737ffb70d385b586092b3f40632ec9a12c6ed05dc984b597f6d14fe0e86f3fa061fb748b930a6dece9c96e6e03

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\4mYL4ZXdMv2\ComputerDefaults.exe
MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
memory/972-97-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/972-93-0x0000000000000000-mapping.dmp

Download
memory/1248-73-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-75-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-65-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-62-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-61-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-60-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-83-0x0000000077090000-0x0000000077092000-memory.dmp

Filesize
8KB

Download
memory/1248-69-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-59-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1248-77-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-74-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-76-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-64-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-66-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-63-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-70-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-72-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-71-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-68-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1248-67-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1332-89-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1332-85-0x0000000000000000-mapping.dmp

Download
memory/1568-101-0x0000000000000000-mapping.dmp

Download
memory/1664-55-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/1664-58-0x0000000001B50000-0x0000000001B57000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads