dridex | 6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40

Analysis

max time kernel
151s
max time network
120s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40.dll
Size

1.3MB
MD5

95a8147f694adad1655a2a158ba6d369
SHA1

2911097d1da2ab8d364309a339f0f9afc78375ee
SHA256

6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40
SHA512

e7a184b61894a1ea414bc362fc6a37f7941d0ac91e07681dbaa2604930c126a88993c0562abcc579112554eb1fbb23f592d4cb5ebafb88724f5f9e921fbaf93f

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1376-59-0x0000000002590000-0x0000000002591000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

slui.exerdrleakdiag.exewscript.exe

pid process

1672 slui.exe
1460 rdrleakdiag.exe
1000 wscript.exe
Loads dropped DLL 8 IoCs

Processes:

slui.exerdrleakdiag.exewscript.exe

pid process

1376
1672 slui.exe
1376
1460 rdrleakdiag.exe
1376
1376
1000 wscript.exe
1376

pid	process
1672	slui.exe
1460	rdrleakdiag.exe
1000	wscript.exe

pid	process
1376
1672	slui.exe
1376
1460	rdrleakdiag.exe
1376
1376
1000	wscript.exe
1376

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\8dJ\\rdrleakdiag.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rdrleakdiag.exewscript.exerundll32.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeslui.exerdrleakdiag.exewscript.exe

pid process

776 rundll32.exe
1376
1672 slui.exe
1460 rdrleakdiag.exe
1000 wscript.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1376 wrote to memory of 1176	1376	slui.exe
PID 1376 wrote to memory of 1176	1376	slui.exe
PID 1376 wrote to memory of 1176	1376	slui.exe
PID 1376 wrote to memory of 1672	1376	slui.exe
PID 1376 wrote to memory of 1672	1376	slui.exe
PID 1376 wrote to memory of 1672	1376	slui.exe
PID 1376 wrote to memory of 1476	1376	rdrleakdiag.exe
PID 1376 wrote to memory of 1476	1376	rdrleakdiag.exe
PID 1376 wrote to memory of 1476	1376	rdrleakdiag.exe
PID 1376 wrote to memory of 1460	1376	rdrleakdiag.exe
PID 1376 wrote to memory of 1460	1376	rdrleakdiag.exe
PID 1376 wrote to memory of 1460	1376	rdrleakdiag.exe
PID 1376 wrote to memory of 1536	1376	wscript.exe
PID 1376 wrote to memory of 1536	1376	wscript.exe
PID 1376 wrote to memory of 1536	1376	wscript.exe
PID 1376 wrote to memory of 1000	1376	wscript.exe
PID 1376 wrote to memory of 1000	1376	wscript.exe
PID 1376 wrote to memory of 1000	1376	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e90088bb8cc71fcebb71469a7e5668a0b6aacfa21fb274febbb523a427d8e40.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:776

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:1176

C:\Users\Admin\AppData\Local\KOk2\slui.exe
C:\Users\Admin\AppData\Local\KOk2\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1672

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:1476

C:\Users\Admin\AppData\Local\CqBa67B2X\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\CqBa67B2X\rdrleakdiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1460

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1536

C:\Users\Admin\AppData\Local\VFBQTnN\wscript.exe
C:\Users\Admin\AppData\Local\VFBQTnN\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1000

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CqBa67B2X\VERSION.dll
MD5
1321551712552f80c5ecf858977ef4a7

SHA1
f6e5226f8933a03c58d7dbdaf551d395d82ac6a1

SHA256
ab289acbabdfbcd3e3458b399680fd8d84a277b37fb39f1cc9a73f3dcde42bc2

SHA512
14d603d953b6efd8fe427f0c392c18ae3235a471808592ecfa1151b4fdd9a08aa9ff423a7c78d32894f01b03496f0eac4e9a8a5a6aebdcf4d324998992f152d6

Download Submit
C:\Users\Admin\AppData\Local\CqBa67B2X\rdrleakdiag.exe
MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
C:\Users\Admin\AppData\Local\KOk2\WINBRAND.dll
MD5
8cb47fed3e5312e9fb2670d80b3df9eb

SHA1
4b9fe5efe3db27606d7509f20e3b127337edd9ca

SHA256
392383284353f93b3b5a791d813961e72de91ca6ca3566893d0d42be6c6b7a25

SHA512
c0de39c70a1e2c420cb60f828e8ba394d45e329629266404d3ac8fede30fad739e749dd7dabe839c0464b62e4a194e305433e8d8181e0ae60c1f91cb826e854e

Download Submit
C:\Users\Admin\AppData\Local\KOk2\slui.exe
MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
C:\Users\Admin\AppData\Local\VFBQTnN\VERSION.dll
MD5
3f246f3644822d80e6ed6a5b582492fd

SHA1
3da5fde785f157f763aacd7ca47003f5fe4f9522

SHA256
18d51d0ac46d6e992ac944483cd30e3b6093449e18159fed3e7ee032df755b59

SHA512
e397661c3f1a887d83d80b212d497228e587045a31caf11866bc696654eb63bdacceb29f00c7c1d13297e78b4f2f19ee0e1ae46bed476ff9d073a2762a31cfec

Download Submit
C:\Users\Admin\AppData\Local\VFBQTnN\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\CqBa67B2X\VERSION.dll
MD5
1321551712552f80c5ecf858977ef4a7

SHA1
f6e5226f8933a03c58d7dbdaf551d395d82ac6a1

SHA256
ab289acbabdfbcd3e3458b399680fd8d84a277b37fb39f1cc9a73f3dcde42bc2

SHA512
14d603d953b6efd8fe427f0c392c18ae3235a471808592ecfa1151b4fdd9a08aa9ff423a7c78d32894f01b03496f0eac4e9a8a5a6aebdcf4d324998992f152d6

Download Submit
\Users\Admin\AppData\Local\CqBa67B2X\rdrleakdiag.exe
MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
\Users\Admin\AppData\Local\KOk2\WINBRAND.dll
MD5
8cb47fed3e5312e9fb2670d80b3df9eb

SHA1
4b9fe5efe3db27606d7509f20e3b127337edd9ca

SHA256
392383284353f93b3b5a791d813961e72de91ca6ca3566893d0d42be6c6b7a25

SHA512
c0de39c70a1e2c420cb60f828e8ba394d45e329629266404d3ac8fede30fad739e749dd7dabe839c0464b62e4a194e305433e8d8181e0ae60c1f91cb826e854e

Download Submit
\Users\Admin\AppData\Local\KOk2\slui.exe
MD5
c5ce5ce799387e82b7698a0ee5544a6d

SHA1
ed37fdb169bb539271c117d3e8a5f14fd8df1c0d

SHA256
34aa7ca0ea833263a6883827e161a5c218576c5ad97e0ce386fad4250676b42c

SHA512
79453b45e1f38d164ee3dbc232f774ff121d4394c22783140f5c8c722f184a69f499f2fb9621bdb28f565065b791883526e1a1d4abef9df82289613c2ce97a5c

Download Submit
\Users\Admin\AppData\Local\VFBQTnN\VERSION.dll
MD5
3f246f3644822d80e6ed6a5b582492fd

SHA1
3da5fde785f157f763aacd7ca47003f5fe4f9522

SHA256
18d51d0ac46d6e992ac944483cd30e3b6093449e18159fed3e7ee032df755b59

SHA512
e397661c3f1a887d83d80b212d497228e587045a31caf11866bc696654eb63bdacceb29f00c7c1d13297e78b4f2f19ee0e1ae46bed476ff9d073a2762a31cfec

Download Submit
\Users\Admin\AppData\Local\VFBQTnN\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\VFBQTnN\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\nlLRkTWq3t\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
memory/776-55-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/776-58-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/1000-99-0x0000000000000000-mapping.dmp

Download
memory/1376-61-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-67-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-70-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-68-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-60-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-71-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-65-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-64-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-66-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-63-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-62-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-59-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1376-79-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download
memory/1376-73-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1376-72-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1460-94-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1460-90-0x0000000000000000-mapping.dmp

Download
memory/1672-83-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

Filesize
8KB

Download
memory/1672-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads