dridex | 31a694cd04044831b2125f6cf16bc9dd342aee9ea89181e1aa302c82951cd956

Analysis

max time kernel
154s
max time network
133s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31a694cd04044831b2125f6cf16bc9dd342aee9ea89181e1aa302c82951cd956.dll
Size

1.3MB
MD5

d6d2b7aa9232eeda14644138ddbc6569
SHA1

6b419ed314f2bc61d236344b4cf302f0e9f2c237
SHA256

31a694cd04044831b2125f6cf16bc9dd342aee9ea89181e1aa302c82951cd956
SHA512

1a8fc090d443475b0a90d5b1aebe0d0e06f3caa3fef851df95070649de7a93c033519afe8df3f56984261b4db46b38b1e008a085e058e78a02ee274d7e45fc14

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1412-60-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

EhStorAuthn.exeStikyNot.exeosk.exe

pid process

1308 EhStorAuthn.exe
1536 StikyNot.exe
1072 osk.exe
Loads dropped DLL 7 IoCs

Processes:

EhStorAuthn.exeStikyNot.exeosk.exe

pid process

1412
1308 EhStorAuthn.exe
1412
1536 StikyNot.exe
1412
1072 osk.exe
1412

pid	process
1308	EhStorAuthn.exe
1536	StikyNot.exe
1072	osk.exe

pid	process
1412
1308	EhStorAuthn.exe
1412
1536	StikyNot.exe
1412
1072	osk.exe
1412

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\TMu5p\\StikyNot.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeEhStorAuthn.exeStikyNot.exeosk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeEhStorAuthn.exeStikyNot.exe

pid	process
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1308	EhStorAuthn.exe
1308	EhStorAuthn.exe
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1536	StikyNot.exe
1536	StikyNot.exe
1412
1412
1412
1412
1412
1412

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1412

pid	process
1412

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1412 wrote to memory of 1052	1412	EhStorAuthn.exe
PID 1412 wrote to memory of 1052	1412	EhStorAuthn.exe
PID 1412 wrote to memory of 1052	1412	EhStorAuthn.exe
PID 1412 wrote to memory of 1308	1412	EhStorAuthn.exe
PID 1412 wrote to memory of 1308	1412	EhStorAuthn.exe
PID 1412 wrote to memory of 1308	1412	EhStorAuthn.exe
PID 1412 wrote to memory of 1220	1412	StikyNot.exe
PID 1412 wrote to memory of 1220	1412	StikyNot.exe
PID 1412 wrote to memory of 1220	1412	StikyNot.exe
PID 1412 wrote to memory of 1536	1412	StikyNot.exe
PID 1412 wrote to memory of 1536	1412	StikyNot.exe
PID 1412 wrote to memory of 1536	1412	StikyNot.exe
PID 1412 wrote to memory of 928	1412	osk.exe
PID 1412 wrote to memory of 928	1412	osk.exe
PID 1412 wrote to memory of 928	1412	osk.exe
PID 1412 wrote to memory of 1072	1412	osk.exe
PID 1412 wrote to memory of 1072	1412	osk.exe
PID 1412 wrote to memory of 1072	1412	osk.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\31a694cd04044831b2125f6cf16bc9dd342aee9ea89181e1aa302c82951cd956.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1052

C:\Users\Admin\AppData\Local\wlHNdT1Kx\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\wlHNdT1Kx\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1308

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:1220

C:\Users\Admin\AppData\Local\5GfuJ\StikyNot.exe
C:\Users\Admin\AppData\Local\5GfuJ\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:928

C:\Users\Admin\AppData\Local\rTTMG\osk.exe
C:\Users\Admin\AppData\Local\rTTMG\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1072

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5GfuJ\StikyNot.exe
MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
C:\Users\Admin\AppData\Local\5GfuJ\slc.dll
MD5
f0262cbe17f5fe19c5ac41b309c1d778

SHA1
c91317b2ca8526a3be13976342e924d438edec8c

SHA256
bbfd6d07b1116e988fed15b8f48faa69a81a2e0ee821605ec9b8cd93c32ac441

SHA512
e11e50940dd310dc7598796b700342e507b1db99d053d95adec73cc4d8c69511d4ee207be8ae616115adb686f900593aad8dbc3cc4d5b2d6caa6e7efab98f1d0

Download Submit
C:\Users\Admin\AppData\Local\rTTMG\WMsgAPI.dll
MD5
95a1a2eb1fe6c2020ed0fab0f3c4ce0d

SHA1
0fbd7231979ee4b9abce16b7cfbb718ec10f6562

SHA256
eb85a748e74957b90de0ff4e76b8108a9d11cc9ad5177a384ea4789c5a09ecee

SHA512
e4b962a3e2c770ba7a87295ddb127e97899963c868616fb2695e065b2cc25ea82b6dffb3df1daa97ab466f6db1cdd01e6ca2601a2e2457e8687f38b8ea7863db

Download Submit
C:\Users\Admin\AppData\Local\rTTMG\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
C:\Users\Admin\AppData\Local\wlHNdT1Kx\EhStorAuthn.exe
MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
C:\Users\Admin\AppData\Local\wlHNdT1Kx\UxTheme.dll
MD5
3690a891c731852ef6943719737a2c9e

SHA1
f498a455ed5ea3475b0843136714c51fa7b931f7

SHA256
b4363485d4bec0c7f56a5cbd72594954034d94d95fa7393d58692938d1738b01

SHA512
a61d11767786c8d343c15b79840dcf497c1ddb2e0469e51e06f563c74bc10df876b3bff7614f3ad5faf5d312e1958ae06d499534335da2ecdd3b3de8d290d568

Download Submit
\Users\Admin\AppData\Local\5GfuJ\StikyNot.exe
MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\5GfuJ\slc.dll
MD5
f0262cbe17f5fe19c5ac41b309c1d778

SHA1
c91317b2ca8526a3be13976342e924d438edec8c

SHA256
bbfd6d07b1116e988fed15b8f48faa69a81a2e0ee821605ec9b8cd93c32ac441

SHA512
e11e50940dd310dc7598796b700342e507b1db99d053d95adec73cc4d8c69511d4ee207be8ae616115adb686f900593aad8dbc3cc4d5b2d6caa6e7efab98f1d0

Download Submit
\Users\Admin\AppData\Local\rTTMG\WMsgAPI.dll
MD5
95a1a2eb1fe6c2020ed0fab0f3c4ce0d

SHA1
0fbd7231979ee4b9abce16b7cfbb718ec10f6562

SHA256
eb85a748e74957b90de0ff4e76b8108a9d11cc9ad5177a384ea4789c5a09ecee

SHA512
e4b962a3e2c770ba7a87295ddb127e97899963c868616fb2695e065b2cc25ea82b6dffb3df1daa97ab466f6db1cdd01e6ca2601a2e2457e8687f38b8ea7863db

Download Submit
\Users\Admin\AppData\Local\rTTMG\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\wlHNdT1Kx\EhStorAuthn.exe
MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
\Users\Admin\AppData\Local\wlHNdT1Kx\UxTheme.dll
MD5
3690a891c731852ef6943719737a2c9e

SHA1
f498a455ed5ea3475b0843136714c51fa7b931f7

SHA256
b4363485d4bec0c7f56a5cbd72594954034d94d95fa7393d58692938d1738b01

SHA512
a61d11767786c8d343c15b79840dcf497c1ddb2e0469e51e06f563c74bc10df876b3bff7614f3ad5faf5d312e1958ae06d499534335da2ecdd3b3de8d290d568

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\fyr\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
memory/596-55-0x000007FEF6580000-0x000007FEF66CD000-memory.dmp

Filesize
1.3MB

Download
memory/596-59-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1072-108-0x0000000000000000-mapping.dmp

Download
memory/1308-93-0x000007FEF6860000-0x000007FEF69AE000-memory.dmp

Filesize
1.3MB

Download
memory/1308-92-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmp

Filesize
8KB

Download
memory/1308-87-0x0000000000000000-mapping.dmp

Download
memory/1412-62-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-80-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-64-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-70-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-61-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-69-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-71-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-72-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-73-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-89-0x00000000773E0000-0x00000000773E2000-memory.dmp

Filesize
8KB

Download
memory/1412-75-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-76-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-81-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-67-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-60-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1412-78-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-79-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-77-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-63-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-74-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-68-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-65-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1412-66-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/1536-103-0x000007FEF6580000-0x000007FEF66CE000-memory.dmp

Filesize
1.3MB

Download
memory/1536-98-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads