dridex | 4b165651a1740bfbac89a2a15423f935cf2058ce9fa79903889e04016be8344b

Analysis

max time kernel
154s
max time network
137s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b165651a1740bfbac89a2a15423f935cf2058ce9fa79903889e04016be8344b.dll
Size

1.3MB
MD5

6d6d268e7bafbede834d84141ade7ae5
SHA1

43f460cb03c89dbf77545944c913c7fb6f0fbca6
SHA256

4b165651a1740bfbac89a2a15423f935cf2058ce9fa79903889e04016be8344b
SHA512

24f44a7fc90d8a4de0a7d47056660db46d8b09392121da615b29a9d28f3e60106a0d03b3ff4ca297c71012cca9ea98a7fc479bb839f40595befaa9cfdd21cb78

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3008-121-0x0000000000E40000-0x0000000000E41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sigverif.exeRdpSa.exeslui.exe

pid process

1528 sigverif.exe
3524 RdpSa.exe
1148 slui.exe
Loads dropped DLL 3 IoCs

Processes:

sigverif.exeRdpSa.exeslui.exe

pid process

1528 sigverif.exe
3524 RdpSa.exe
1148 slui.exe

pid	process
1528	sigverif.exe
3524	RdpSa.exe
1148	slui.exe

pid	process
1528	sigverif.exe
3524	RdpSa.exe
1148	slui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\MnGzsT\\RdpSa.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sigverif.exeRdpSa.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2148	regsvr32.exe
2148	regsvr32.exe
2148	regsvr32.exe
2148	regsvr32.exe
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

regsvr32.exesigverif.exeRdpSa.exeslui.exe

pid process

2148 regsvr32.exe
3008
1528 sigverif.exe
3524 RdpSa.exe
1148 slui.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3008 wrote to memory of 3212	3008	sigverif.exe
PID 3008 wrote to memory of 3212	3008	sigverif.exe
PID 3008 wrote to memory of 1528	3008	sigverif.exe
PID 3008 wrote to memory of 1528	3008	sigverif.exe
PID 3008 wrote to memory of 3264	3008	RdpSa.exe
PID 3008 wrote to memory of 3264	3008	RdpSa.exe
PID 3008 wrote to memory of 3524	3008	RdpSa.exe
PID 3008 wrote to memory of 3524	3008	RdpSa.exe
PID 3008 wrote to memory of 388	3008	slui.exe
PID 3008 wrote to memory of 388	3008	slui.exe
PID 3008 wrote to memory of 1148	3008	slui.exe
PID 3008 wrote to memory of 1148	3008	slui.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4b165651a1740bfbac89a2a15423f935cf2058ce9fa79903889e04016be8344b.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2148

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:3212

C:\Users\Admin\AppData\Local\aJic\sigverif.exe
C:\Users\Admin\AppData\Local\aJic\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1528

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:3264

C:\Users\Admin\AppData\Local\mzK\RdpSa.exe
C:\Users\Admin\AppData\Local\mzK\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3524

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:388

C:\Users\Admin\AppData\Local\CMb\slui.exe
C:\Users\Admin\AppData\Local\CMb\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CMb\WINBRAND.dll
MD5
edb0bc93e5b3aaa325c6bda707e0a7c3

SHA1
1155d5f8ea0c5d425348862713a631d35759d898

SHA256
1e1a611a1e022e8bafb321f68b04755ebd73e6cef3844f9ca701eff3ccdfc438

SHA512
97ca3cbf34fbfc95bb3c4336823402dfe9128a1ca7404bb4bf76eb82e39ced1a552ee3a05d0046d016891ce7fd3bf080ebe1ac6e0b4e232970b401ec3f8fcb27

Download Submit
C:\Users\Admin\AppData\Local\CMb\slui.exe
MD5
f162f859fb38a39f83c049f5480c11eb

SHA1
4090dacb56dbff6a5306e13ff5fa157eca4714a9

SHA256
67daef4a468f00305a44e41b369890fc0d6ed41c509432c6b1402caa1b09b7c5

SHA512
73a7ba851b560caf0a4150ff192c02bcac5475de2f265430e079ce1a20dc25b0f86873bc1dc4db0fc660031aa7c32d03a941ada8afc0bc91c63fb2e9ed8e0d80

Download Submit
C:\Users\Admin\AppData\Local\aJic\VERSION.dll
MD5
48b55334b0f5765f3777b50ee3d3d611

SHA1
27e551814ae0f362f8d00cc6e3db57e3165d0ab5

SHA256
4283e301f32c6118e2303abd4b57185cf1aafd3cae45f2321ba58d08d31421aa

SHA512
40a417096dd73a7a75bc5bdcd64bef48e90b09a4cf3755c08bdc034a41a6185f6ab94bcd06a0a9cde010e6d42d5d0edd04dd268cca4c89f8e39c3389756bf696

Download Submit
C:\Users\Admin\AppData\Local\aJic\sigverif.exe
MD5
92f7917624a4349f7b6041d08ae29714

SHA1
eac68bc72ed4d8634a59a1a37faefa4f8327bd2f

SHA256
a57403e41c7178403981cd384f6096f12092dee68d3dfbd92f94661f613dfcab

SHA512
20eb8366a8285a7d19a8d860038364a625b9b7de5e9d87ed59d2580ab4d5658b6d09d9220f6b0a6291151145373f3e0ff8ac46609c6b4a4aafecc8f2670ac56d

Download Submit
C:\Users\Admin\AppData\Local\mzK\RdpSa.exe
MD5
f1c2442f3ec5188998bf290c4cbd562a

SHA1
73fa6d853a92bfcc7671f82d3ab87ea3133bd9ad

SHA256
f6ff99a61cf82ef5889b3dd359a3bb55772439b66c710a9899eb8768c73a0a72

SHA512
310315718d7c684916f16754a1bceb9eb334c2dc8cb70634bf253b7b3d2fc8702e6ce7db52da0122a55fe53cadef1a6ec158d0056ebdbc2bcdc4832033e5d3f4

Download Submit
C:\Users\Admin\AppData\Local\mzK\WINSTA.dll
MD5
f82693dddd0ab74d6c4852e91695daae

SHA1
88b22fb45a06caee6d38175846e3b46abd1931d7

SHA256
6728804d3d9d0b2089876ec7c0c5976bd409d9243aafd9f445d3ca033c2e4811

SHA512
693bb8a17eb9b05ef59c66e1850bc8079fe49f863cdb0b37e5c50984f3d478a92eb68c13d6de724e9f6b766fd324a2942c634bc4894ae1f25fb431b5042202c9

Download Submit
\Users\Admin\AppData\Local\CMb\WINBRAND.dll
MD5
edb0bc93e5b3aaa325c6bda707e0a7c3

SHA1
1155d5f8ea0c5d425348862713a631d35759d898

SHA256
1e1a611a1e022e8bafb321f68b04755ebd73e6cef3844f9ca701eff3ccdfc438

SHA512
97ca3cbf34fbfc95bb3c4336823402dfe9128a1ca7404bb4bf76eb82e39ced1a552ee3a05d0046d016891ce7fd3bf080ebe1ac6e0b4e232970b401ec3f8fcb27

Download Submit
\Users\Admin\AppData\Local\aJic\VERSION.dll
MD5
48b55334b0f5765f3777b50ee3d3d611

SHA1
27e551814ae0f362f8d00cc6e3db57e3165d0ab5

SHA256
4283e301f32c6118e2303abd4b57185cf1aafd3cae45f2321ba58d08d31421aa

SHA512
40a417096dd73a7a75bc5bdcd64bef48e90b09a4cf3755c08bdc034a41a6185f6ab94bcd06a0a9cde010e6d42d5d0edd04dd268cca4c89f8e39c3389756bf696

Download Submit
\Users\Admin\AppData\Local\mzK\WINSTA.dll
MD5
f82693dddd0ab74d6c4852e91695daae

SHA1
88b22fb45a06caee6d38175846e3b46abd1931d7

SHA256
6728804d3d9d0b2089876ec7c0c5976bd409d9243aafd9f445d3ca033c2e4811

SHA512
693bb8a17eb9b05ef59c66e1850bc8079fe49f863cdb0b37e5c50984f3d478a92eb68c13d6de724e9f6b766fd324a2942c634bc4894ae1f25fb431b5042202c9

Download Submit
memory/1148-171-0x0000000000000000-mapping.dmp

Download
memory/1148-178-0x000001E6CDE80000-0x000001E6CDE82000-memory.dmp

Filesize
8KB

Download
memory/1148-179-0x000001E6CDE80000-0x000001E6CDE82000-memory.dmp

Filesize
8KB

Download
memory/1148-180-0x000001E6CDE80000-0x000001E6CDE82000-memory.dmp

Filesize
8KB

Download
memory/1528-151-0x0000000000000000-mapping.dmp

Download
memory/1528-160-0x000002AC81520000-0x000002AC81522000-memory.dmp

Filesize
8KB

Download
memory/1528-159-0x000002AC81520000-0x000002AC81522000-memory.dmp

Filesize
8KB

Download
memory/1528-158-0x000002AC81520000-0x000002AC81522000-memory.dmp

Filesize
8KB

Download
memory/1528-155-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2148-115-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/2148-120-0x0000000002360000-0x0000000002367000-memory.dmp

Filesize
28KB

Download
memory/2148-119-0x0000000002370000-0x0000000002372000-memory.dmp

Filesize
8KB

Download
memory/2148-118-0x0000000002370000-0x0000000002372000-memory.dmp

Filesize
8KB

Download
memory/3008-131-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-130-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-146-0x0000000000E50000-0x0000000000E52000-memory.dmp

Filesize
8KB

Download
memory/3008-147-0x0000000000E50000-0x0000000000E52000-memory.dmp

Filesize
8KB

Download
memory/3008-148-0x00007FFCE8265000-0x00007FFCE8266000-memory.dmp

Filesize
4KB

Download
memory/3008-149-0x0000000000E50000-0x0000000000E52000-memory.dmp

Filesize
8KB

Download
memory/3008-150-0x00007FFCE83A0000-0x00007FFCE83A2000-memory.dmp

Filesize
8KB

Download
memory/3008-139-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-138-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-136-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-137-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-135-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-134-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-133-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-132-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-140-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-181-0x0000000000E50000-0x0000000000E52000-memory.dmp

Filesize
8KB

Download
memory/3008-129-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-125-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-121-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/3008-122-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-123-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-124-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-128-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-127-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3008-126-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/3524-170-0x000001F58CB50000-0x000001F58CB52000-memory.dmp

Filesize
8KB

Download
memory/3524-169-0x000001F58CB50000-0x000001F58CB52000-memory.dmp

Filesize
8KB

Download
memory/3524-168-0x000001F58CB50000-0x000001F58CB52000-memory.dmp

Filesize
8KB

Download
memory/3524-165-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/3524-161-0x0000000000000000-mapping.dmp

Download