dridex | ec8dbc3e4d86b25d943dfbb2eff71a10b09ac5acc5a9648ed6e4537da666cf9a

Analysis

max time kernel
159s
max time network
122s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec8dbc3e4d86b25d943dfbb2eff71a10b09ac5acc5a9648ed6e4537da666cf9a.dll
Size

1.3MB
MD5

fb0979bd562c4f18393ec92c8de9989f
SHA1

e5f1e762d8f0a522806e77cf6930ef6f05299993
SHA256

ec8dbc3e4d86b25d943dfbb2eff71a10b09ac5acc5a9648ed6e4537da666cf9a
SHA512

a4920527466c441a7a07cb76316bc37d981f2a2aff442e13fc740c2e1b72e64bcdb96613c3ebf9cef0110bb171d8cb9c4a042703774c683ce4c2be7c30b850dd

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1276-59-0x00000000021F0000-0x00000000021F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesProtection.exeSystemPropertiesPerformance.exep2phost.exe

pid process

1172 SystemPropertiesProtection.exe
1148 SystemPropertiesPerformance.exe
1796 p2phost.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesProtection.exeSystemPropertiesPerformance.exep2phost.exe

pid process

1276
1172 SystemPropertiesProtection.exe
1276
1148 SystemPropertiesPerformance.exe
1276
1796 p2phost.exe
1276

pid	process
1172	SystemPropertiesProtection.exe
1148	SystemPropertiesPerformance.exe
1796	p2phost.exe

pid	process
1276
1172	SystemPropertiesProtection.exe
1276
1148	SystemPropertiesPerformance.exe
1276
1796	p2phost.exe
1276

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\7SPSwr0\\SystemPropertiesPerformance.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesProtection.exeSystemPropertiesPerformance.exep2phost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
472	rundll32.exe
472	rundll32.exe
472	rundll32.exe
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeSystemPropertiesProtection.exeSystemPropertiesPerformance.exep2phost.exe

pid process

472 rundll32.exe
1276
1172 SystemPropertiesProtection.exe
1148 SystemPropertiesPerformance.exe
1796 p2phost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1276 wrote to memory of 1076	1276	SystemPropertiesProtection.exe
PID 1276 wrote to memory of 1076	1276	SystemPropertiesProtection.exe
PID 1276 wrote to memory of 1076	1276	SystemPropertiesProtection.exe
PID 1276 wrote to memory of 1172	1276	SystemPropertiesProtection.exe
PID 1276 wrote to memory of 1172	1276	SystemPropertiesProtection.exe
PID 1276 wrote to memory of 1172	1276	SystemPropertiesProtection.exe
PID 1276 wrote to memory of 1892	1276	SystemPropertiesPerformance.exe
PID 1276 wrote to memory of 1892	1276	SystemPropertiesPerformance.exe
PID 1276 wrote to memory of 1892	1276	SystemPropertiesPerformance.exe
PID 1276 wrote to memory of 1148	1276	SystemPropertiesPerformance.exe
PID 1276 wrote to memory of 1148	1276	SystemPropertiesPerformance.exe
PID 1276 wrote to memory of 1148	1276	SystemPropertiesPerformance.exe
PID 1276 wrote to memory of 1292	1276	p2phost.exe
PID 1276 wrote to memory of 1292	1276	p2phost.exe
PID 1276 wrote to memory of 1292	1276	p2phost.exe
PID 1276 wrote to memory of 1796	1276	p2phost.exe
PID 1276 wrote to memory of 1796	1276	p2phost.exe
PID 1276 wrote to memory of 1796	1276	p2phost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec8dbc3e4d86b25d943dfbb2eff71a10b09ac5acc5a9648ed6e4537da666cf9a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:472

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:1076

C:\Users\Admin\AppData\Local\KShU\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\KShU\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1172

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:1892

C:\Users\Admin\AppData\Local\PdxRHi6uN\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\PdxRHi6uN\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1148

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:1292

C:\Users\Admin\AppData\Local\4qosDruF7\p2phost.exe
C:\Users\Admin\AppData\Local\4qosDruF7\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4qosDruF7\P2P.dll
MD5
569bb0aa3cde5da5625131833d0dda57

SHA1
a90b64e2946c2de329df6737a0c8968958d45152

SHA256
e282b493458fb7720bc07203e4794285c970e8b84eef933fe4f03a54289e49c5

SHA512
b33b96af26bfe9b9bd580f872565c915daca510ce0e9dc2b1fc408d47c25b25397769ba939bca015943f40eb22ab4eb556aefff964641bb8330113e63d2f3cc8

Download Submit
C:\Users\Admin\AppData\Local\4qosDruF7\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
C:\Users\Admin\AppData\Local\KShU\SYSDM.CPL
MD5
ea3ef6e713d1692ddce1095aa0178a64

SHA1
b856f9a85efef1a087c1c57af62c3d040bf317d5

SHA256
f8843f2f5809fe1c801512d064b235c072a8c6e336e038512cf2ff857e759dd1

SHA512
c3cb296a35f0c7a3ba0d9686e525c88f14974ec3e7fee8cf1976a3b9a8c00ea21d519dcacdea9db9688f040a486c2f28537fc559fa50d2d105602914513cccfc

Download Submit
C:\Users\Admin\AppData\Local\KShU\SystemPropertiesProtection.exe
MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
C:\Users\Admin\AppData\Local\PdxRHi6uN\SYSDM.CPL
MD5
12ca25d7afd4468195e4f9dc21643720

SHA1
369b11d8ff7333b96edb265dd617a486c08aa8b4

SHA256
17a32e4cf283979bad94ab1de2ba605e5e7cd6fe081a08adf8641726081c3f1c

SHA512
fe148dac34197fb3b12c6edf00f7de8ae9c922d97f4bb9338d19771f96a249e7f5923553a84f6a67c05585a7df968259771034310f23b3efc9e8b82f1a4ffeea

Download Submit
C:\Users\Admin\AppData\Local\PdxRHi6uN\SystemPropertiesPerformance.exe
MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Local\4qosDruF7\P2P.dll
MD5
569bb0aa3cde5da5625131833d0dda57

SHA1
a90b64e2946c2de329df6737a0c8968958d45152

SHA256
e282b493458fb7720bc07203e4794285c970e8b84eef933fe4f03a54289e49c5

SHA512
b33b96af26bfe9b9bd580f872565c915daca510ce0e9dc2b1fc408d47c25b25397769ba939bca015943f40eb22ab4eb556aefff964641bb8330113e63d2f3cc8

Download Submit
\Users\Admin\AppData\Local\4qosDruF7\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\KShU\SYSDM.CPL
MD5
ea3ef6e713d1692ddce1095aa0178a64

SHA1
b856f9a85efef1a087c1c57af62c3d040bf317d5

SHA256
f8843f2f5809fe1c801512d064b235c072a8c6e336e038512cf2ff857e759dd1

SHA512
c3cb296a35f0c7a3ba0d9686e525c88f14974ec3e7fee8cf1976a3b9a8c00ea21d519dcacdea9db9688f040a486c2f28537fc559fa50d2d105602914513cccfc

Download Submit
\Users\Admin\AppData\Local\KShU\SystemPropertiesProtection.exe
MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\PdxRHi6uN\SYSDM.CPL
MD5
12ca25d7afd4468195e4f9dc21643720

SHA1
369b11d8ff7333b96edb265dd617a486c08aa8b4

SHA256
17a32e4cf283979bad94ab1de2ba605e5e7cd6fe081a08adf8641726081c3f1c

SHA512
fe148dac34197fb3b12c6edf00f7de8ae9c922d97f4bb9338d19771f96a249e7f5923553a84f6a67c05585a7df968259771034310f23b3efc9e8b82f1a4ffeea

Download Submit
\Users\Admin\AppData\Local\PdxRHi6uN\SystemPropertiesPerformance.exe
MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\W0EOXui\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/472-55-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/472-58-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/1148-94-0x0000000000000000-mapping.dmp

Download
memory/1172-90-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1172-86-0x0000000000000000-mapping.dmp

Download
memory/1276-77-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-75-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-65-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-64-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-84-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/1276-67-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-68-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-69-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-72-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-73-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-74-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-66-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-76-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-78-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-70-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-71-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-63-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-62-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-59-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1276-60-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1276-61-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1796-102-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads