dridex | 8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933

Analysis

max time kernel
153s
max time network
121s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933.dll
Size

1.3MB
MD5

bf1839ade874f6ca04aa9e4a7783a6d1
SHA1

64db32760738546c971c06b7c8af9747a37054c3
SHA256

8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933
SHA512

852bea55d00fae406f9c98c0d4d6a346281b69b12429d67caadb056035a1f874777bbf0acee72a86d934c046ca84022ed4bcbbfd9e78d4b33e69f51c265c37fa

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-60-0x0000000002AB0000-0x0000000002AB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msconfig.exerdpshell.exeStikyNot.exe

pid process

1080 msconfig.exe
1216 rdpshell.exe
1140 StikyNot.exe
Loads dropped DLL 7 IoCs

Processes:

msconfig.exerdpshell.exeStikyNot.exe

pid process

1188
1080 msconfig.exe
1188
1216 rdpshell.exe
1188
1140 StikyNot.exe
1188

pid	process
1080	msconfig.exe
1216	rdpshell.exe
1140	StikyNot.exe

pid	process
1188
1080	msconfig.exe
1188
1216	rdpshell.exe
1188
1140	StikyNot.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\2mUOWimbr\\rdpshell.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsconfig.exerdpshell.exeStikyNot.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exemsconfig.exe

pid	process
652	rundll32.exe
652	rundll32.exe
652	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1080	msconfig.exe
1080	msconfig.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1188

pid	process
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1188 wrote to memory of 792	1188	msconfig.exe
PID 1188 wrote to memory of 792	1188	msconfig.exe
PID 1188 wrote to memory of 792	1188	msconfig.exe
PID 1188 wrote to memory of 1080	1188	msconfig.exe
PID 1188 wrote to memory of 1080	1188	msconfig.exe
PID 1188 wrote to memory of 1080	1188	msconfig.exe
PID 1188 wrote to memory of 1820	1188	rdpshell.exe
PID 1188 wrote to memory of 1820	1188	rdpshell.exe
PID 1188 wrote to memory of 1820	1188	rdpshell.exe
PID 1188 wrote to memory of 1216	1188	rdpshell.exe
PID 1188 wrote to memory of 1216	1188	rdpshell.exe
PID 1188 wrote to memory of 1216	1188	rdpshell.exe
PID 1188 wrote to memory of 1860	1188	StikyNot.exe
PID 1188 wrote to memory of 1860	1188	StikyNot.exe
PID 1188 wrote to memory of 1860	1188	StikyNot.exe
PID 1188 wrote to memory of 1140	1188	StikyNot.exe
PID 1188 wrote to memory of 1140	1188	StikyNot.exe
PID 1188 wrote to memory of 1140	1188	StikyNot.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:792

C:\Users\Admin\AppData\Local\Tx5vBT\msconfig.exe
C:\Users\Admin\AppData\Local\Tx5vBT\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:1820

C:\Users\Admin\AppData\Local\TdaE2\rdpshell.exe
C:\Users\Admin\AppData\Local\TdaE2\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1216

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:1860

C:\Users\Admin\AppData\Local\NVg1S\StikyNot.exe
C:\Users\Admin\AppData\Local\NVg1S\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1140

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NVg1S\StikyNot.exe
MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
C:\Users\Admin\AppData\Local\NVg1S\UxTheme.dll
MD5
6cd46e970890c632466ee9e1394d3e3e

SHA1
0a7f1e9e9ed68d92369e5c6c85d59613741dbda7

SHA256
21cc8f0795464caf356b86b1e348b8e2faa17d241f739da7126f0b973f5a781b

SHA512
98dddcc8c0fa0264180f7361105e79b81ed1346e59a2e098c4a7009bc5d3d5ec5a1397ff84602b75d71d3b1f5a9356eaa7b7122c8af3342670ab757b788bea21

Download Submit
C:\Users\Admin\AppData\Local\TdaE2\WTSAPI32.dll
MD5
12c7f8fd980adf61ef6789c63c43ca80

SHA1
16525f1c46ff8dfe9bfa2383ac237fbf2a883e2c

SHA256
8e725329220288686587db1bf76d978edc1cf5c50bff447f6c40cd214fe0f2b9

SHA512
45542fb453a85fc87756ba737390eb60f14319d14fac4d1668e164b306e8b6a3f75d0718a29ccddfcfad434e4e45b285932322ab5fce789f11039ab3e93dffc4

Download Submit
C:\Users\Admin\AppData\Local\TdaE2\rdpshell.exe
MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
C:\Users\Admin\AppData\Local\Tx5vBT\MFC42u.dll
MD5
38364a4f0a62259fc764fd7b22d5a83f

SHA1
58d77aba86370bbcd0867ca0f9c1c1026c3f8131

SHA256
a7b57cc577232a2120dbe27f9554740ce722ed76ef0083d87b2a763d85556340

SHA512
9f7fcab093da7f5e95e58da7360148d396b1c0d3345b634f697c2354425dcd4ca581f8363bb5fd509bbfeed824d2b18bbc8e781ee73992c4603b67a240ea0745

Download Submit
C:\Users\Admin\AppData\Local\Tx5vBT\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\NVg1S\StikyNot.exe
MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\NVg1S\UxTheme.dll
MD5
6cd46e970890c632466ee9e1394d3e3e

SHA1
0a7f1e9e9ed68d92369e5c6c85d59613741dbda7

SHA256
21cc8f0795464caf356b86b1e348b8e2faa17d241f739da7126f0b973f5a781b

SHA512
98dddcc8c0fa0264180f7361105e79b81ed1346e59a2e098c4a7009bc5d3d5ec5a1397ff84602b75d71d3b1f5a9356eaa7b7122c8af3342670ab757b788bea21

Download Submit
\Users\Admin\AppData\Local\TdaE2\WTSAPI32.dll
MD5
12c7f8fd980adf61ef6789c63c43ca80

SHA1
16525f1c46ff8dfe9bfa2383ac237fbf2a883e2c

SHA256
8e725329220288686587db1bf76d978edc1cf5c50bff447f6c40cd214fe0f2b9

SHA512
45542fb453a85fc87756ba737390eb60f14319d14fac4d1668e164b306e8b6a3f75d0718a29ccddfcfad434e4e45b285932322ab5fce789f11039ab3e93dffc4

Download Submit
\Users\Admin\AppData\Local\TdaE2\rdpshell.exe
MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
\Users\Admin\AppData\Local\Tx5vBT\MFC42u.dll
MD5
38364a4f0a62259fc764fd7b22d5a83f

SHA1
58d77aba86370bbcd0867ca0f9c1c1026c3f8131

SHA256
a7b57cc577232a2120dbe27f9554740ce722ed76ef0083d87b2a763d85556340

SHA512
9f7fcab093da7f5e95e58da7360148d396b1c0d3345b634f697c2354425dcd4ca581f8363bb5fd509bbfeed824d2b18bbc8e781ee73992c4603b67a240ea0745

Download Submit
\Users\Admin\AppData\Local\Tx5vBT\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Roaming\Adobe\PbSTEDKwS6\StikyNot.exe
MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
memory/652-55-0x000007FEF6AA0000-0x000007FEF6BEB000-memory.dmp

Filesize
1.3MB

Download
memory/652-59-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1080-91-0x000007FEF6D30000-0x000007FEF6E82000-memory.dmp

Filesize
1.3MB

Download
memory/1080-87-0x0000000000000000-mapping.dmp

Download
memory/1140-105-0x0000000000000000-mapping.dmp

Download
memory/1140-107-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

Filesize
8KB

Download
memory/1188-68-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-71-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-79-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-80-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-85-0x0000000077920000-0x0000000077922000-memory.dmp

Filesize
8KB

Download
memory/1188-75-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-77-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-76-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-74-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-73-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-72-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-78-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-60-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1188-70-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-69-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-61-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-67-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-66-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-65-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-63-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-64-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1188-62-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1216-100-0x000007FEF6AA0000-0x000007FEF6BEC000-memory.dmp

Filesize
1.3MB

Download
memory/1216-96-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads