dridex | ff25e9f36e8267df94a51f3252cab735e329dd5d2d2a5a4a2a7cfb1c4f7858db

Analysis

max time kernel
153s
max time network
124s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff25e9f36e8267df94a51f3252cab735e329dd5d2d2a5a4a2a7cfb1c4f7858db.dll
Size

1.4MB
MD5

b833af54974479f3f905c09600bad9bb
SHA1

c8b57a99795b1cd22a7f51ce398e5d2bddbf2d4c
SHA256

ff25e9f36e8267df94a51f3252cab735e329dd5d2d2a5a4a2a7cfb1c4f7858db
SHA512

f80147e8e3aabae23361d44e11b14316a80f9aeadaa4a53ee90beb1fc8b1268f0d83a1894eac198a1a64c14ee500c5f1d72c0d90d23f2d7c2e2474b70b08b669

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3016-125-0x00000000013C0000-0x00000000013C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

pwcreator.exeSystemSettingsAdminFlows.exetabcal.exe

pid process

3128 pwcreator.exe
3332 SystemSettingsAdminFlows.exe
1252 tabcal.exe
Loads dropped DLL 3 IoCs

Processes:

pwcreator.exeSystemSettingsAdminFlows.exetabcal.exe

pid process

3128 pwcreator.exe
3332 SystemSettingsAdminFlows.exe
1252 tabcal.exe

pid	process
3128	pwcreator.exe
3332	SystemSettingsAdminFlows.exe
1252	tabcal.exe

pid	process
3128	pwcreator.exe
3332	SystemSettingsAdminFlows.exe
1252	tabcal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\GiHbeEBDMmX\\SystemSettingsAdminFlows.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exepwcreator.exeSystemSettingsAdminFlows.exetabcal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwcreator.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepwcreator.exe

pid	process
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3128	pwcreator.exe
3128	pwcreator.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016

pid	process
3016

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016
Token: SeShutdownPrivilege	3016
Token: SeCreatePagefilePrivilege	3016

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3016 wrote to memory of 936	3016	pwcreator.exe
PID 3016 wrote to memory of 936	3016	pwcreator.exe
PID 3016 wrote to memory of 3128	3016	pwcreator.exe
PID 3016 wrote to memory of 3128	3016	pwcreator.exe
PID 3016 wrote to memory of 1996	3016	SystemSettingsAdminFlows.exe
PID 3016 wrote to memory of 1996	3016	SystemSettingsAdminFlows.exe
PID 3016 wrote to memory of 3332	3016	SystemSettingsAdminFlows.exe
PID 3016 wrote to memory of 3332	3016	SystemSettingsAdminFlows.exe
PID 3016 wrote to memory of 596	3016	tabcal.exe
PID 3016 wrote to memory of 596	3016	tabcal.exe
PID 3016 wrote to memory of 1252	3016	tabcal.exe
PID 3016 wrote to memory of 1252	3016	tabcal.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff25e9f36e8267df94a51f3252cab735e329dd5d2d2a5a4a2a7cfb1c4f7858db.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\system32\pwcreator.exe
C:\Windows\system32\pwcreator.exe
1⤵
PID:936

C:\Users\Admin\AppData\Local\Vld6\pwcreator.exe
C:\Users\Admin\AppData\Local\Vld6\pwcreator.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
1⤵
PID:1996

C:\Users\Admin\AppData\Local\Ok3exx\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\Ok3exx\SystemSettingsAdminFlows.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3332

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:596

C:\Users\Admin\AppData\Local\iOe4xC\tabcal.exe
C:\Users\Admin\AppData\Local\iOe4xC\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ok3exx\DUI70.dll
MD5
85439620cbf1e53b9f137b1fbbde7cd3

SHA1
70681223c89aeced82d7127847b931dd84f6eb7f

SHA256
643a15519dd53423275bfbb9f449fda93abd992fa842ee274376c92a07564ddc

SHA512
963cfdfc452285d59558e9b8a547476ff5b3af1715963b00e614dded599e7bdad25cbe0b188210f00581c926e59df86164b404e1b4306291dbcf47038ca4b832

Download Submit
C:\Users\Admin\AppData\Local\Ok3exx\SystemSettingsAdminFlows.exe
MD5
ed20a50080dc6977c774b42810f6c94c

SHA1
a3a6fbf9a10b67b7b5bf6ef1fb0912483ff68ba4

SHA256
fd537b9a6dd9349a98d19d2023fb6de8a0cb6e7e2e230dcc3fc2621eca024f5d

SHA512
0cdd7b145567c78a6800e47819d6d2c370fdac1fdb92cf726cad6c588a38b44a69f101dc470eb64745938fb47615d28c0d1215755eef7d3a739c9f39a24d7d8e

Download Submit
C:\Users\Admin\AppData\Local\Vld6\WINBRAND.dll
MD5
ac7ea5b29f698ece2025bb899f9a882a

SHA1
d7fcf1dd3cbbc0e6d5076e27bd5e5aabd3f4003b

SHA256
f1d906017544b6799087a59106be9c8706b5491f82c04b82c820c847e9b1f79e

SHA512
49ab800a6f9efdb44f9b5ce6f207361f24133b23e07419e9d17736af779cd4c440c3a8ec373be0872630f548f31cd25b0cb9d22a83bc1e450e6d515c0a1f15cc

Download Submit
C:\Users\Admin\AppData\Local\Vld6\pwcreator.exe
MD5
5a9ef500a0436e893542fca5e8876c9c

SHA1
bf8f802f67cf5f42ad6375b5159b4b2d8c5759a4

SHA256
a0af92d50e18376d996a3bfeb9e43cc8d2ea8385646542ea850c777850d588df

SHA512
ffda4df212242e87d399ddcd72fa99b14f0d18abcfdb6c69df65ce345e8c94f2c1fccb323252af5cb18a28abeef0b148c106631ec778a522f82b392c0547fdc8

Download Submit
C:\Users\Admin\AppData\Local\iOe4xC\HID.DLL
MD5
dcbba4a68b24e420390348ed32e60fc7

SHA1
2880abee236b1576010583ed953876c0c59feace

SHA256
4a7dd390ce0a661678a5398192500fb7eeff3edef61860e2af921477bac420ea

SHA512
abc65c283cd205d2c253731bc4a5cad6e77ecda822c0e99055bfd7ec5c3810fdff480fb3903e81c2c5f866b2a79585eebb2c44ff06801416bc3838c6b2392495

Download Submit
C:\Users\Admin\AppData\Local\iOe4xC\tabcal.exe
MD5
4e5b6b3059dc055232f4fbd6c4796540

SHA1
9929b2c336e9bf4aacfaa15083224bcd5eff6aae

SHA256
bc0beeda967eecf14940d2105cd179cd0da3843651d183c3ead6df7615c866f1

SHA512
7bdb1eb8c3b84203ae9ef8d58045a5fa32bd2c206f71a3bae14c458b37d265452e183f3fbe0784a8a37fdea661dd5c34d50decbc6a296b9c7a6c353c61152374

Download Submit
\Users\Admin\AppData\Local\Ok3exx\DUI70.dll
MD5
85439620cbf1e53b9f137b1fbbde7cd3

SHA1
70681223c89aeced82d7127847b931dd84f6eb7f

SHA256
643a15519dd53423275bfbb9f449fda93abd992fa842ee274376c92a07564ddc

SHA512
963cfdfc452285d59558e9b8a547476ff5b3af1715963b00e614dded599e7bdad25cbe0b188210f00581c926e59df86164b404e1b4306291dbcf47038ca4b832

Download Submit
\Users\Admin\AppData\Local\Vld6\WINBRAND.dll
MD5
ac7ea5b29f698ece2025bb899f9a882a

SHA1
d7fcf1dd3cbbc0e6d5076e27bd5e5aabd3f4003b

SHA256
f1d906017544b6799087a59106be9c8706b5491f82c04b82c820c847e9b1f79e

SHA512
49ab800a6f9efdb44f9b5ce6f207361f24133b23e07419e9d17736af779cd4c440c3a8ec373be0872630f548f31cd25b0cb9d22a83bc1e450e6d515c0a1f15cc

Download Submit
\Users\Admin\AppData\Local\iOe4xC\HID.DLL
MD5
dcbba4a68b24e420390348ed32e60fc7

SHA1
2880abee236b1576010583ed953876c0c59feace

SHA256
4a7dd390ce0a661678a5398192500fb7eeff3edef61860e2af921477bac420ea

SHA512
abc65c283cd205d2c253731bc4a5cad6e77ecda822c0e99055bfd7ec5c3810fdff480fb3903e81c2c5f866b2a79585eebb2c44ff06801416bc3838c6b2392495

Download Submit
memory/1252-184-0x0000000000000000-mapping.dmp

Download
memory/1252-192-0x000001F252000000-0x000001F252002000-memory.dmp

Filesize
8KB

Download
memory/1252-193-0x000001F252000000-0x000001F252002000-memory.dmp

Filesize
8KB

Download
memory/1252-194-0x000001F252000000-0x000001F252002000-memory.dmp

Filesize
8KB

Download
memory/2668-118-0x00007FF88C470000-0x00007FF88C5CB000-memory.dmp

Filesize
1.4MB

Download
memory/2668-124-0x000002069A0E0000-0x000002069A0E7000-memory.dmp

Filesize
28KB

Download
memory/2668-123-0x000002069A190000-0x000002069A192000-memory.dmp

Filesize
8KB

Download
memory/2668-122-0x000002069A190000-0x000002069A192000-memory.dmp

Filesize
8KB

Download
memory/3016-151-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-137-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-138-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-141-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-142-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-143-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-144-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-145-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-146-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-147-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-148-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-149-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-150-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-139-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-152-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-157-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/3016-158-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/3016-160-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/3016-159-0x00007FF898BD5000-0x00007FF898BD6000-memory.dmp

Filesize
4KB

Download
memory/3016-161-0x00007FF898D10000-0x00007FF898D12000-memory.dmp

Filesize
8KB

Download
memory/3016-195-0x00000000013D0000-0x00000000013D2000-memory.dmp

Filesize
8KB

Download
memory/3016-140-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-126-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-136-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-125-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/3016-127-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-128-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-129-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-130-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-133-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-135-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-134-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-131-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3016-132-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/3128-170-0x0000018A35380000-0x0000018A35382000-memory.dmp

Filesize
8KB

Download
memory/3128-172-0x0000018A35380000-0x0000018A35382000-memory.dmp

Filesize
8KB

Download
memory/3128-171-0x0000018A35380000-0x0000018A35382000-memory.dmp

Filesize
8KB

Download
memory/3128-166-0x00007FF88C470000-0x00007FF88C5CC000-memory.dmp

Filesize
1.4MB

Download
memory/3128-162-0x0000000000000000-mapping.dmp

Download
memory/3332-181-0x000001FFF3B00000-0x000001FFF3B02000-memory.dmp

Filesize
8KB

Download
memory/3332-183-0x000001FFF3B00000-0x000001FFF3B02000-memory.dmp

Filesize
8KB

Download
memory/3332-182-0x000001FFF3B00000-0x000001FFF3B02000-memory.dmp

Filesize
8KB

Download
memory/3332-177-0x00007FF88AD70000-0x00007FF88AF11000-memory.dmp

Filesize
1.6MB

Download
memory/3332-173-0x0000000000000000-mapping.dmp

Download