dridex | ff25e9f36e8267df94a51f3252cab735e329dd5d2d2a5a4a2a7cfb1c4f7858db

Analysis

max time kernel
153s
max time network
123s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff25e9f36e8267df94a51f3252cab735e329dd5d2d2a5a4a2a7cfb1c4f7858db.dll
Size

1.4MB
MD5

b833af54974479f3f905c09600bad9bb
SHA1

c8b57a99795b1cd22a7f51ce398e5d2bddbf2d4c
SHA256

ff25e9f36e8267df94a51f3252cab735e329dd5d2d2a5a4a2a7cfb1c4f7858db
SHA512

f80147e8e3aabae23361d44e11b14316a80f9aeadaa4a53ee90beb1fc8b1268f0d83a1894eac198a1a64c14ee500c5f1d72c0d90d23f2d7c2e2474b70b08b669

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1272-60-0x0000000002C30000-0x0000000002C31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

shrpubw.exeshrpubw.exeTpmInit.exe

pid process

1104 shrpubw.exe
1336 shrpubw.exe
1488 TpmInit.exe
Loads dropped DLL 7 IoCs

Processes:

shrpubw.exeshrpubw.exeTpmInit.exe

pid process

1272
1104 shrpubw.exe
1272
1336 shrpubw.exe
1272
1488 TpmInit.exe
1272

pid	process
1104	shrpubw.exe
1336	shrpubw.exe
1488	TpmInit.exe

pid	process
1272
1104	shrpubw.exe
1272
1336	shrpubw.exe
1272
1488	TpmInit.exe
1272

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\ISIDd\\shrpubw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

shrpubw.exeTpmInit.exerundll32.exeshrpubw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeshrpubw.exeshrpubw.exe

pid	process
548	rundll32.exe
548	rundll32.exe
548	rundll32.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1104	shrpubw.exe
1104	shrpubw.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1336	shrpubw.exe
1336	shrpubw.exe
1272

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1272

pid	process
1272

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1272 wrote to memory of 1264	1272	shrpubw.exe
PID 1272 wrote to memory of 1264	1272	shrpubw.exe
PID 1272 wrote to memory of 1264	1272	shrpubw.exe
PID 1272 wrote to memory of 1104	1272	shrpubw.exe
PID 1272 wrote to memory of 1104	1272	shrpubw.exe
PID 1272 wrote to memory of 1104	1272	shrpubw.exe
PID 1272 wrote to memory of 984	1272	shrpubw.exe
PID 1272 wrote to memory of 984	1272	shrpubw.exe
PID 1272 wrote to memory of 984	1272	shrpubw.exe
PID 1272 wrote to memory of 1336	1272	shrpubw.exe
PID 1272 wrote to memory of 1336	1272	shrpubw.exe
PID 1272 wrote to memory of 1336	1272	shrpubw.exe
PID 1272 wrote to memory of 284	1272	TpmInit.exe
PID 1272 wrote to memory of 284	1272	TpmInit.exe
PID 1272 wrote to memory of 284	1272	TpmInit.exe
PID 1272 wrote to memory of 1488	1272	TpmInit.exe
PID 1272 wrote to memory of 1488	1272	TpmInit.exe
PID 1272 wrote to memory of 1488	1272	TpmInit.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff25e9f36e8267df94a51f3252cab735e329dd5d2d2a5a4a2a7cfb1c4f7858db.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1264

C:\Users\Admin\AppData\Local\RhaYcCZ9\shrpubw.exe
C:\Users\Admin\AppData\Local\RhaYcCZ9\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:984

C:\Users\Admin\AppData\Local\IRyiLgh\shrpubw.exe
C:\Users\Admin\AppData\Local\IRyiLgh\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:284

C:\Users\Admin\AppData\Local\GSi\TpmInit.exe
C:\Users\Admin\AppData\Local\GSi\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1488

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GSi\ACTIVEDS.dll
MD5
0d31460ad72d41e44763ed267c0d8a6c

SHA1
77eabbd18b863af920359391f90924b5de6a8182

SHA256
ee0ca5175d9b989d56eefbbe26188dfe820e8492315557ff0fd24aa822a9444f

SHA512
69a8b2c917c90376f513cb07d38c3fe3e112c2f4ddf12a2092e013c0c20c12ea4bc294a8c0d30e72d0b3a3505d2119e4ddeed9eb89951a3cc1975b50c7a1ee9a

Download Submit
C:\Users\Admin\AppData\Local\GSi\TpmInit.exe
MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
C:\Users\Admin\AppData\Local\IRyiLgh\ACLUI.dll
MD5
b79b1ad083f86beeed5bcfd8f009b768

SHA1
aabdf1a36294b411a7410455338853e539fd5e29

SHA256
30e67a38b2da0d49839e5092a31841fae78bba7562f375835c3fa58075121920

SHA512
3e48c7ce0fe08d78e243837e3cef57f4236ac42f3ac25efd8135d746e0602a84213a1c0806e5bf02341767893ca84933362acf6e9aa32c643681a8db37dcec90

Download Submit
C:\Users\Admin\AppData\Local\IRyiLgh\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\RhaYcCZ9\MFC42u.dll
MD5
6eaef2dd9af283a41f9c0df9b99d60b1

SHA1
305806a3a149c915c4b67d6be4bd802b40021d59

SHA256
e47c4bbe1846c28b48579b682ec892cb4b77320ce56e88ca007e158f60274771

SHA512
cfb9ec77e18e91b5c385d9147281ab3fac0089982bfbea84526ae4c149e71e488ad28f92086b78b5c97178053fc934f6d853d41e1e9dacb9c61e7724e0258df7

Download Submit
C:\Users\Admin\AppData\Local\RhaYcCZ9\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\GSi\ACTIVEDS.dll
MD5
0d31460ad72d41e44763ed267c0d8a6c

SHA1
77eabbd18b863af920359391f90924b5de6a8182

SHA256
ee0ca5175d9b989d56eefbbe26188dfe820e8492315557ff0fd24aa822a9444f

SHA512
69a8b2c917c90376f513cb07d38c3fe3e112c2f4ddf12a2092e013c0c20c12ea4bc294a8c0d30e72d0b3a3505d2119e4ddeed9eb89951a3cc1975b50c7a1ee9a

Download Submit
\Users\Admin\AppData\Local\GSi\TpmInit.exe
MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\IRyiLgh\ACLUI.dll
MD5
b79b1ad083f86beeed5bcfd8f009b768

SHA1
aabdf1a36294b411a7410455338853e539fd5e29

SHA256
30e67a38b2da0d49839e5092a31841fae78bba7562f375835c3fa58075121920

SHA512
3e48c7ce0fe08d78e243837e3cef57f4236ac42f3ac25efd8135d746e0602a84213a1c0806e5bf02341767893ca84933362acf6e9aa32c643681a8db37dcec90

Download Submit
\Users\Admin\AppData\Local\IRyiLgh\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\RhaYcCZ9\MFC42u.dll
MD5
6eaef2dd9af283a41f9c0df9b99d60b1

SHA1
305806a3a149c915c4b67d6be4bd802b40021d59

SHA256
e47c4bbe1846c28b48579b682ec892cb4b77320ce56e88ca007e158f60274771

SHA512
cfb9ec77e18e91b5c385d9147281ab3fac0089982bfbea84526ae4c149e71e488ad28f92086b78b5c97178053fc934f6d853d41e1e9dacb9c61e7724e0258df7

Download Submit
\Users\Admin\AppData\Local\RhaYcCZ9\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\lS\TpmInit.exe
MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
memory/548-55-0x000007FEF6930000-0x000007FEF6A8B000-memory.dmp

Filesize
1.4MB

Download
memory/548-59-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1104-99-0x000007FEF6C00000-0x000007FEF6D62000-memory.dmp

Filesize
1.4MB

Download
memory/1104-98-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/1104-94-0x0000000000000000-mapping.dmp

Download
memory/1272-83-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-79-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-72-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-71-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-69-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-70-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-67-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-66-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-65-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-63-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-62-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-61-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-92-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download
memory/1272-75-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-76-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-78-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-80-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-73-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-81-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-86-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-87-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-60-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/1272-85-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-84-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-82-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-64-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-77-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-68-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1272-74-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1336-109-0x000007FEF6580000-0x000007FEF66DC000-memory.dmp

Filesize
1.4MB

Download
memory/1336-104-0x0000000000000000-mapping.dmp

Download
memory/1488-114-0x0000000000000000-mapping.dmp

Download
memory/1488-119-0x000007FEF6930000-0x000007FEF6A8C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads