dridex | dd7c2b5ccd52a609e2ec3dd4d2ff6b83c6f16eb1c5f6fb14a918fdc733b6f76e

Analysis

max time kernel
161s
max time network
125s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd7c2b5ccd52a609e2ec3dd4d2ff6b83c6f16eb1c5f6fb14a918fdc733b6f76e.dll
Size

1.3MB
MD5

bee8470b921740735b0f08302fdc378f
SHA1

a82e32a58f122d3bca865982febdc8b4e5fda106
SHA256

dd7c2b5ccd52a609e2ec3dd4d2ff6b83c6f16eb1c5f6fb14a918fdc733b6f76e
SHA512

840eb8a269191cfc7b977ca64d3b15d91ab3d5b3bc0a75e1b8d481231f631cfaa36c7c991b5ca3e0d30cdd340bbd71467be8ec076674c092237dcd548011033f

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1424-59-0x0000000002730000-0x0000000002731000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

consent.exePresentationSettings.exefvenotify.exe

pid process

1932 consent.exe
1552 PresentationSettings.exe
1636 fvenotify.exe
Loads dropped DLL 7 IoCs

Processes:

consent.exePresentationSettings.exefvenotify.exe

pid process

1424
1932 consent.exe
1424
1552 PresentationSettings.exe
1424
1636 fvenotify.exe
1424

pid	process
1932	consent.exe
1552	PresentationSettings.exe
1636	fvenotify.exe

pid	process
1424
1932	consent.exe
1424
1552	PresentationSettings.exe
1424
1636	fvenotify.exe
1424

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\4VHWH4~1\\PRESEN~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execonsent.exePresentationSettings.exefvenotify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
660	rundll32.exe
660	rundll32.exe
660	rundll32.exe
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424
1424

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.execonsent.exePresentationSettings.exefvenotify.exe

pid process

660 rundll32.exe
1424
1932 consent.exe
1552 PresentationSettings.exe
1636 fvenotify.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1424 wrote to memory of 1836	1424	consent.exe
PID 1424 wrote to memory of 1836	1424	consent.exe
PID 1424 wrote to memory of 1836	1424	consent.exe
PID 1424 wrote to memory of 1932	1424	consent.exe
PID 1424 wrote to memory of 1932	1424	consent.exe
PID 1424 wrote to memory of 1932	1424	consent.exe
PID 1424 wrote to memory of 1640	1424	PresentationSettings.exe
PID 1424 wrote to memory of 1640	1424	PresentationSettings.exe
PID 1424 wrote to memory of 1640	1424	PresentationSettings.exe
PID 1424 wrote to memory of 1552	1424	PresentationSettings.exe
PID 1424 wrote to memory of 1552	1424	PresentationSettings.exe
PID 1424 wrote to memory of 1552	1424	PresentationSettings.exe
PID 1424 wrote to memory of 1188	1424	fvenotify.exe
PID 1424 wrote to memory of 1188	1424	fvenotify.exe
PID 1424 wrote to memory of 1188	1424	fvenotify.exe
PID 1424 wrote to memory of 1636	1424	fvenotify.exe
PID 1424 wrote to memory of 1636	1424	fvenotify.exe
PID 1424 wrote to memory of 1636	1424	fvenotify.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dd7c2b5ccd52a609e2ec3dd4d2ff6b83c6f16eb1c5f6fb14a918fdc733b6f76e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:660

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:1836

C:\Users\Admin\AppData\Local\cUR0keh\consent.exe
C:\Users\Admin\AppData\Local\cUR0keh\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1932

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:1640

C:\Users\Admin\AppData\Local\llr\PresentationSettings.exe
C:\Users\Admin\AppData\Local\llr\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1552

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:1188

C:\Users\Admin\AppData\Local\fHBadH9yG\fvenotify.exe
C:\Users\Admin\AppData\Local\fHBadH9yG\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cUR0keh\WMsgAPI.dll
MD5
1f3f5c0527ba2746b19a1fa395e02379

SHA1
f4e5e23057d08c16ba039b5b5ab77784559e994e

SHA256
43435eac2d1c91e41d963bc8197a065c5a38f87fba92d841a1224363aa82377f

SHA512
c7ba4516a1906991dc5ff971bfdd48054f4becd577ab01b1c50f6233ce28fea4c7167698a13cb70096b5ba07a18db847875229c1e8fb46777bad5e3ab0b2f944

Download Submit
C:\Users\Admin\AppData\Local\cUR0keh\consent.exe
MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
C:\Users\Admin\AppData\Local\fHBadH9yG\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\fHBadH9yG\slc.dll
MD5
414ed0a416ee11e75bcdca0195b101df

SHA1
a2d9571d4b6496b2c2cbb8d6a43e6131c9b7a12e

SHA256
6583315493ee9ec3e9a4f5cf665d77d3ea068c44c2c6db988bb6f74ae96f6960

SHA512
3dcc75c8a7ee7b492955bb251a25fb0f503177aa7f184dbb5259631764ddb454a3aa587054655894fef7c51e638a99bd3d26655a9a2f647e2fd7ae7d59fc3524

Download Submit
C:\Users\Admin\AppData\Local\llr\PresentationSettings.exe
MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
C:\Users\Admin\AppData\Local\llr\slc.dll
MD5
c44cade0e0d9dd2549214e266ab6f4a7

SHA1
921b20eae8e5e18e6aa717bf57fd2894cf772c48

SHA256
8775579380664a42ec0dfff59f0af9ff1a63430f2f09fd4e9616ce52fef3488c

SHA512
1b5e86e91a5938e5ffa70e53537cf625935408bb93e7c1ad3566e6e435570b6e0e177ec8acd3ae117f03d006388185b9cbad41b403ba8bd123a0ab3eda5f8a98

Download Submit
\Users\Admin\AppData\Local\cUR0keh\WMsgAPI.dll
MD5
1f3f5c0527ba2746b19a1fa395e02379

SHA1
f4e5e23057d08c16ba039b5b5ab77784559e994e

SHA256
43435eac2d1c91e41d963bc8197a065c5a38f87fba92d841a1224363aa82377f

SHA512
c7ba4516a1906991dc5ff971bfdd48054f4becd577ab01b1c50f6233ce28fea4c7167698a13cb70096b5ba07a18db847875229c1e8fb46777bad5e3ab0b2f944

Download Submit
\Users\Admin\AppData\Local\cUR0keh\consent.exe
MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
\Users\Admin\AppData\Local\fHBadH9yG\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\fHBadH9yG\slc.dll
MD5
414ed0a416ee11e75bcdca0195b101df

SHA1
a2d9571d4b6496b2c2cbb8d6a43e6131c9b7a12e

SHA256
6583315493ee9ec3e9a4f5cf665d77d3ea068c44c2c6db988bb6f74ae96f6960

SHA512
3dcc75c8a7ee7b492955bb251a25fb0f503177aa7f184dbb5259631764ddb454a3aa587054655894fef7c51e638a99bd3d26655a9a2f647e2fd7ae7d59fc3524

Download Submit
\Users\Admin\AppData\Local\llr\PresentationSettings.exe
MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\llr\slc.dll
MD5
c44cade0e0d9dd2549214e266ab6f4a7

SHA1
921b20eae8e5e18e6aa717bf57fd2894cf772c48

SHA256
8775579380664a42ec0dfff59f0af9ff1a63430f2f09fd4e9616ce52fef3488c

SHA512
1b5e86e91a5938e5ffa70e53537cf625935408bb93e7c1ad3566e6e435570b6e0e177ec8acd3ae117f03d006388185b9cbad41b403ba8bd123a0ab3eda5f8a98

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\BiXpY5DJ\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
memory/660-55-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/660-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1424-60-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-71-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-64-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-63-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-61-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-67-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-83-0x00000000778E0000-0x00000000778E2000-memory.dmp

Filesize
8KB

Download
memory/1424-68-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-59-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1424-70-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-73-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-72-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-62-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-65-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-75-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-69-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-77-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-76-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-74-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1424-66-0x0000000140000000-0x0000000140154000-memory.dmp

Filesize
1.3MB

Download
memory/1552-94-0x0000000000000000-mapping.dmp

Download
memory/1636-103-0x0000000000000000-mapping.dmp

Download
memory/1932-90-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1932-89-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/1932-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads