dridex | 2c32f681c7821bdbcb2038414964456759d7fb48d656ceb200f0eff871e1eae1

Analysis

max time kernel
154s
max time network
133s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c32f681c7821bdbcb2038414964456759d7fb48d656ceb200f0eff871e1eae1.dll
Size

1.3MB
MD5

b6b41e427a208e21b75fdff54a69e35c
SHA1

ee4fbf79a3ed6ed84741800f3dc401f4ae844c8d
SHA256

2c32f681c7821bdbcb2038414964456759d7fb48d656ceb200f0eff871e1eae1
SHA512

30c76b52f842840e47ca0fe8e265b2a6330d82290aef3bb230ff8ff22d705e10b6850612bc17e22fd2c6fc5f590f6e1066a4f332b800fd6bccec6250337eb4fd

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2568-121-0x0000000001140000-0x0000000001141000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

msinfo32.exeNarrator.exeTaskmgr.exeie4uinit.exe

pid process

2424 msinfo32.exe
2884 Narrator.exe
620 Taskmgr.exe
3544 ie4uinit.exe
Loads dropped DLL 5 IoCs

Processes:

msinfo32.exeTaskmgr.exeie4uinit.exe

pid process

2424 msinfo32.exe
620 Taskmgr.exe
3544 ie4uinit.exe
3544 ie4uinit.exe
3544 ie4uinit.exe

pid	process
2424	msinfo32.exe
2884	Narrator.exe
620	Taskmgr.exe
3544	ie4uinit.exe

pid	process
2424	msinfo32.exe
620	Taskmgr.exe
3544	ie4uinit.exe
3544	ie4uinit.exe
3544	ie4uinit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\qlhrmcO2\\Taskmgr.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msinfo32.exeTaskmgr.exeie4uinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
4088	regsvr32.exe
4088	regsvr32.exe
4088	regsvr32.exe
4088	regsvr32.exe
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568
2568

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

regsvr32.exemsinfo32.exeTaskmgr.exeie4uinit.exe

pid process

4088 regsvr32.exe
2568
2424 msinfo32.exe
620 Taskmgr.exe
3544 ie4uinit.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 2568 wrote to memory of 2560	2568	msinfo32.exe
PID 2568 wrote to memory of 2560	2568	msinfo32.exe
PID 2568 wrote to memory of 2424	2568	msinfo32.exe
PID 2568 wrote to memory of 2424	2568	msinfo32.exe
PID 2568 wrote to memory of 3320	2568	Narrator.exe
PID 2568 wrote to memory of 3320	2568	Narrator.exe
PID 2568 wrote to memory of 1916	2568	Taskmgr.exe
PID 2568 wrote to memory of 1916	2568	Taskmgr.exe
PID 2568 wrote to memory of 620	2568	Taskmgr.exe
PID 2568 wrote to memory of 620	2568	Taskmgr.exe
PID 2568 wrote to memory of 1156	2568	ie4uinit.exe
PID 2568 wrote to memory of 1156	2568	ie4uinit.exe
PID 2568 wrote to memory of 3544	2568	ie4uinit.exe
PID 2568 wrote to memory of 3544	2568	ie4uinit.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2c32f681c7821bdbcb2038414964456759d7fb48d656ceb200f0eff871e1eae1.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:4088

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2560

C:\Users\Admin\AppData\Local\ou4\msinfo32.exe
C:\Users\Admin\AppData\Local\ou4\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2424

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:3320

C:\Users\Admin\AppData\Local\QbZ8s\Narrator.exe
C:\Users\Admin\AppData\Local\QbZ8s\Narrator.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:1916

C:\Users\Admin\AppData\Local\e7uJirkaT\Taskmgr.exe
C:\Users\Admin\AppData\Local\e7uJirkaT\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:620

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:1156

C:\Users\Admin\AppData\Local\5ctTYK\ie4uinit.exe
C:\Users\Admin\AppData\Local\5ctTYK\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5ctTYK\VERSION.dll
MD5
1a14c9002434627d10d6b69891047a91

SHA1
d70f02d38976073dfe24a0ddd900bc2e39587c71

SHA256
9b61782b60958bd192f4a08ad7294180714af8ab473d8abe37b1d79c50fd7c8c

SHA512
1cae90439208e246ba134b3d161a542a4462572033e19c77273212e3b6fd2dbbf80b404152fe20982d6e43ad8a80bb5af1a00b41ef4ae0bd61616c5396a82940

Download Submit
C:\Users\Admin\AppData\Local\5ctTYK\ie4uinit.exe
MD5
e259e65dbf6958b4bbd816c6d890d3f8

SHA1
ad0b061cdf69ab50977d64600fd33ad1e55773b1

SHA256
26e2ba63d70090b4acaaab1746f07a42ca8d0b5d1ef3711847edf4d0784c2106

SHA512
8a708480f8e595ac8d2c2a9b9d460ca3c933ffebb1f1d266b8fe77ee1a4b164ad58a4335c15d3843684488c34cc1bcfc79cfa66e750e41a203a5137b7c912a3b

Download Submit
C:\Users\Admin\AppData\Local\QbZ8s\Narrator.exe
MD5
856e08496a86552ad918c634a21fc2fb

SHA1
b826d7d1a657bc9cec0326ad6847b6cadbbd0bd8

SHA256
2d3b80aea1c704b6e5ceec22723e70dcbd0dd901562a0b6e584b9e6ccb120bc8

SHA512
d3e7c69427ea54d5cb0e97febf93f47233bb31b21df49fd8994d07ed7af25a1d0c189b0e2dba86c50ae46a50d9663e99dff7ac789d0f7ebd054d3cf4bfbe4793

Download Submit
C:\Users\Admin\AppData\Local\e7uJirkaT\Taskmgr.exe
MD5
d3ef2efc7232674315e0573e464e8aa7

SHA1
237ee3acc4743d05858056e09147a071b6e956e7

SHA256
feecaba50bc95bd6540e5a075693d6dc961a9d5ef86f1bfb38f7bcde6e757472

SHA512
1e03b1ad8059c28bfaa42f63626f2025cf1659266323255871a90b5ef2db9ab754ba4ffe9abe37bf3f5d92e494231c5fb81ba4d893f3a9833c2a5edf23825cc5

Download Submit
C:\Users\Admin\AppData\Local\e7uJirkaT\UxTheme.dll
MD5
367913cd117c0894890bdbbcb6cca44f

SHA1
1eba4d45c6b20f6f90dbb65c8f9fc2b5cee7521f

SHA256
543399a3c7cf0a51c843ca59bfe7e03e39c49236fe37a456dd111014064df353

SHA512
a43880ed7d8a447443f0bc22d4f916ff19d8695052349fc4360855dbff8198ddf830743d3d52e899e8f94cf7b06b2db3226be194ac317e81508c32ca204ecff3

Download Submit
C:\Users\Admin\AppData\Local\ou4\SLC.dll
MD5
5f746fa8037466425fe0a4d85a624a00

SHA1
596bba890d6bcef2f6f20de19cae879a2e1e85ab

SHA256
6e7f400429ec4b2bdb1b07a045587c6f1c1e4ac516da71f79af62d72cb9fca49

SHA512
239b8c21763f482b0125b742a27ac0b0db996196f24967e2df60da7b94980186f1ae8c81e4990b7072090532b3da9a4ef6498dc6ba4b440d2f33efa3f5b474b4

Download Submit
C:\Users\Admin\AppData\Local\ou4\msinfo32.exe
MD5
255861c59cdfbf86c03560d39a92932a

SHA1
18353cb8a58d25ab62687b69fee44d007b994f19

SHA256
57aeba5f7f9de579f3c334e7e013114f6b2257b810b2fc8c1f96331ad1c4909c

SHA512
f695394f344f07036684dc4ba4ba011bc0b5b0b27898c82714cbd072c6218870234deb18044c00bf3fda618480e4e517cba50d577c228a63ee3e2676029e430b

Download Submit
\Users\Admin\AppData\Local\5ctTYK\VERSION.dll
MD5
1a14c9002434627d10d6b69891047a91

SHA1
d70f02d38976073dfe24a0ddd900bc2e39587c71

SHA256
9b61782b60958bd192f4a08ad7294180714af8ab473d8abe37b1d79c50fd7c8c

SHA512
1cae90439208e246ba134b3d161a542a4462572033e19c77273212e3b6fd2dbbf80b404152fe20982d6e43ad8a80bb5af1a00b41ef4ae0bd61616c5396a82940

Download Submit
\Users\Admin\AppData\Local\5ctTYK\VERSION.dll
MD5
1a14c9002434627d10d6b69891047a91

SHA1
d70f02d38976073dfe24a0ddd900bc2e39587c71

SHA256
9b61782b60958bd192f4a08ad7294180714af8ab473d8abe37b1d79c50fd7c8c

SHA512
1cae90439208e246ba134b3d161a542a4462572033e19c77273212e3b6fd2dbbf80b404152fe20982d6e43ad8a80bb5af1a00b41ef4ae0bd61616c5396a82940

Download Submit
\Users\Admin\AppData\Local\5ctTYK\VERSION.dll
MD5
1a14c9002434627d10d6b69891047a91

SHA1
d70f02d38976073dfe24a0ddd900bc2e39587c71

SHA256
9b61782b60958bd192f4a08ad7294180714af8ab473d8abe37b1d79c50fd7c8c

SHA512
1cae90439208e246ba134b3d161a542a4462572033e19c77273212e3b6fd2dbbf80b404152fe20982d6e43ad8a80bb5af1a00b41ef4ae0bd61616c5396a82940

Download Submit
\Users\Admin\AppData\Local\e7uJirkaT\UxTheme.dll
MD5
367913cd117c0894890bdbbcb6cca44f

SHA1
1eba4d45c6b20f6f90dbb65c8f9fc2b5cee7521f

SHA256
543399a3c7cf0a51c843ca59bfe7e03e39c49236fe37a456dd111014064df353

SHA512
a43880ed7d8a447443f0bc22d4f916ff19d8695052349fc4360855dbff8198ddf830743d3d52e899e8f94cf7b06b2db3226be194ac317e81508c32ca204ecff3

Download Submit
\Users\Admin\AppData\Local\ou4\SLC.dll
MD5
5f746fa8037466425fe0a4d85a624a00

SHA1
596bba890d6bcef2f6f20de19cae879a2e1e85ab

SHA256
6e7f400429ec4b2bdb1b07a045587c6f1c1e4ac516da71f79af62d72cb9fca49

SHA512
239b8c21763f482b0125b742a27ac0b0db996196f24967e2df60da7b94980186f1ae8c81e4990b7072090532b3da9a4ef6498dc6ba4b440d2f33efa3f5b474b4

Download Submit
memory/620-164-0x000001979FF10000-0x000001979FF12000-memory.dmp

Filesize
8KB

Download
memory/620-157-0x0000000000000000-mapping.dmp

Download
memory/620-165-0x000001979FF10000-0x000001979FF12000-memory.dmp

Filesize
8KB

Download
memory/620-166-0x000001979FF10000-0x000001979FF12000-memory.dmp

Filesize
8KB

Download
memory/2424-146-0x0000000000000000-mapping.dmp

Download
memory/2424-150-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/2424-155-0x000001A0FA930000-0x000001A0FA932000-memory.dmp

Filesize
8KB

Download
memory/2424-154-0x000001A0FA930000-0x000001A0FA932000-memory.dmp

Filesize
8KB

Download
memory/2424-153-0x000001A0FA930000-0x000001A0FA932000-memory.dmp

Filesize
8KB

Download
memory/2568-129-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-126-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-145-0x00007FF923710000-0x00007FF923720000-memory.dmp

Filesize
64KB

Download
memory/2568-179-0x00000000010E0000-0x00000000010E2000-memory.dmp

Filesize
8KB

Download
memory/2568-133-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-131-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-132-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-143-0x00007FF9237C5000-0x00007FF9237C6000-memory.dmp

Filesize
4KB

Download
memory/2568-142-0x00000000010E0000-0x00000000010E2000-memory.dmp

Filesize
8KB

Download
memory/2568-141-0x00000000010E0000-0x00000000010E2000-memory.dmp

Filesize
8KB

Download
memory/2568-135-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-130-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-134-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-128-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-127-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-144-0x00000000010E0000-0x00000000010E2000-memory.dmp

Filesize
8KB

Download
memory/2568-125-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-124-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-123-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2568-121-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/2568-122-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3544-167-0x0000000000000000-mapping.dmp

Download
memory/3544-173-0x0000027A81760000-0x0000027A818A6000-memory.dmp

Filesize
1.3MB

Download
memory/3544-177-0x0000027A815E0000-0x0000027A815E2000-memory.dmp

Filesize
8KB

Download
memory/3544-176-0x0000027A815E0000-0x0000027A815E2000-memory.dmp

Filesize
8KB

Download
memory/3544-178-0x0000027A815E0000-0x0000027A815E2000-memory.dmp

Filesize
8KB

Download
memory/4088-120-0x0000000000F60000-0x0000000000F67000-memory.dmp

Filesize
28KB

Download
memory/4088-119-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/4088-118-0x0000000000F70000-0x0000000000F72000-memory.dmp

Filesize
8KB

Download
memory/4088-115-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download