dridex | 8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933

Analysis

max time kernel
154s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933.dll
Size

1.3MB
MD5

bf1839ade874f6ca04aa9e4a7783a6d1
SHA1

64db32760738546c971c06b7c8af9747a37054c3
SHA256

8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933
SHA512

852bea55d00fae406f9c98c0d4d6a346281b69b12429d67caadb056035a1f874777bbf0acee72a86d934c046ca84022ed4bcbbfd9e78d4b33e69f51c265c37fa

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3064-122-0x0000000000870000-0x0000000000871000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cmstp.exemsconfig.exeSystemPropertiesAdvanced.exe

pid process

3872 cmstp.exe
3972 msconfig.exe
196 SystemPropertiesAdvanced.exe
Loads dropped DLL 3 IoCs

Processes:

cmstp.exemsconfig.exeSystemPropertiesAdvanced.exe

pid process

3872 cmstp.exe
3972 msconfig.exe
196 SystemPropertiesAdvanced.exe

pid	process
3872	cmstp.exe
3972	msconfig.exe
196	SystemPropertiesAdvanced.exe

pid	process
3872	cmstp.exe
3972	msconfig.exe
196	SystemPropertiesAdvanced.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\InputMethod\\8YlugyMSH\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execmstp.exemsconfig.exeSystemPropertiesAdvanced.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.execmstp.exe

pid	process
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
2220	rundll32.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3872	cmstp.exe
3872	cmstp.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064

pid	process
3064

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3064 wrote to memory of 3764	3064	cmstp.exe
PID 3064 wrote to memory of 3764	3064	cmstp.exe
PID 3064 wrote to memory of 3872	3064	cmstp.exe
PID 3064 wrote to memory of 3872	3064	cmstp.exe
PID 3064 wrote to memory of 2200	3064	msconfig.exe
PID 3064 wrote to memory of 2200	3064	msconfig.exe
PID 3064 wrote to memory of 3972	3064	msconfig.exe
PID 3064 wrote to memory of 3972	3064	msconfig.exe
PID 3064 wrote to memory of 184	3064	SystemPropertiesAdvanced.exe
PID 3064 wrote to memory of 184	3064	SystemPropertiesAdvanced.exe
PID 3064 wrote to memory of 196	3064	SystemPropertiesAdvanced.exe
PID 3064 wrote to memory of 196	3064	SystemPropertiesAdvanced.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a4e80e4a3f944c227eb6889457ef30477e7cdc96e1b387773d14e2bab450933.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2220

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:3764

C:\Users\Admin\AppData\Local\EhpAUNG\cmstp.exe
C:\Users\Admin\AppData\Local\EhpAUNG\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3872

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2200

C:\Users\Admin\AppData\Local\hpt2TLb0V\msconfig.exe
C:\Users\Admin\AppData\Local\hpt2TLb0V\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3972

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:184

C:\Users\Admin\AppData\Local\608\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\608\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:196

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\608\SYSDM.CPL
MD5
b96f3c575ed544e69ef40c85770661e4

SHA1
73f960b6e00ed5dd6e03528584d91d5e02441175

SHA256
36a06643848d6f087f34164947c1bfe161c727b3bbf9eb669a4649a9e3adb359

SHA512
f0c93edd0e5652925efb3600236eba994d17595d09ee02b6f085b553a6555c5e9bdc8b74df2e8abd9f2e878a085e84ec41173a85882a2d4839fb2de6c409d12c

Download Submit
C:\Users\Admin\AppData\Local\608\SystemPropertiesAdvanced.exe
MD5
375b58f4fced878a37108c3e5ad9b20c

SHA1
8a05b43085e2ccf4ad1b041cabb4fe91498e98e5

SHA256
480aa5e419e066e1dd84ae98f07cca9e21e6b72e82f6fbc9b54bbbefbe2f79b9

SHA512
e803d80e72c17cde65190678389182188dd3035465598fd2a89c31f80518a6eda07be06373e133403dbcdb5f076ee4204c5d702524b12ccb6a2ba21e4c815441

Download Submit
C:\Users\Admin\AppData\Local\EhpAUNG\VERSION.dll
MD5
05775223bc86415a72b2e5a377cd45ee

SHA1
f52279147f90d9fc08c150fa0243712a8e710c42

SHA256
fe2c71917cd000dcabfa5eca6897c35a7aed7374e77788bf0a16a0e003d50861

SHA512
5becde63112782163ea25d9cd9a5303abcda8c9407d8653e58ad9b99b73c2c680ebf635d9e94caeb1fb2b3cc39ce4e411498450196f2a55def62fc8d54e4005a

Download Submit
C:\Users\Admin\AppData\Local\EhpAUNG\cmstp.exe
MD5
1474ec07a09879ee8637fae8bcb9fbb7

SHA1
ddf0885d51430a4d51a908065a2cf66b95cb90a0

SHA256
bccd3610cd2b5ef1a7f1b224a5c68f97da484200bb525423659e51283d22d3e7

SHA512
c6959f44b8a77399507a563c3094f9646d5feda36d221e34db1e61da7148e1fd13f7d1a7befeb0617015f06005547f477ff26130e1b55f4130a0205bb1e51369

Download Submit
C:\Users\Admin\AppData\Local\hpt2TLb0V\VERSION.dll
MD5
a024eba7894957ee215283660d31304c

SHA1
d55a9526c5faf62cb9aaf3aa52c01cc420525633

SHA256
14b8f48f02ff73e097e2e130c5b42eb3a5e3e5b547f8f4e925eb53251bb44fe4

SHA512
6acec5f09682896fbc4e42693c7e06bf07faf513c9e6c2e8e471707a9c80003ea8918d4d1b9da9f818e0075c2cb36a47b521d8986dcb387e4b62afc0a34063d3

Download Submit
C:\Users\Admin\AppData\Local\hpt2TLb0V\msconfig.exe
MD5
b869aef04af69e345561d01905942fef

SHA1
e61b5522c3b8b5ada95846cc6306c9c2f29265d4

SHA256
9cf1d82402469616b2b0a663e22f965395181abc91140139df226ab882a619cc

SHA512
52ad0b6b5cc6053de42d06248c312180091c06ade8a54da32a946add93854e6dd0b1af2bf02957ddb77207fd3c53ef4def6dcda0591e28b457c0e361776498f2

Download Submit
\Users\Admin\AppData\Local\608\SYSDM.CPL
MD5
b96f3c575ed544e69ef40c85770661e4

SHA1
73f960b6e00ed5dd6e03528584d91d5e02441175

SHA256
36a06643848d6f087f34164947c1bfe161c727b3bbf9eb669a4649a9e3adb359

SHA512
f0c93edd0e5652925efb3600236eba994d17595d09ee02b6f085b553a6555c5e9bdc8b74df2e8abd9f2e878a085e84ec41173a85882a2d4839fb2de6c409d12c

Download Submit
\Users\Admin\AppData\Local\EhpAUNG\VERSION.dll
MD5
05775223bc86415a72b2e5a377cd45ee

SHA1
f52279147f90d9fc08c150fa0243712a8e710c42

SHA256
fe2c71917cd000dcabfa5eca6897c35a7aed7374e77788bf0a16a0e003d50861

SHA512
5becde63112782163ea25d9cd9a5303abcda8c9407d8653e58ad9b99b73c2c680ebf635d9e94caeb1fb2b3cc39ce4e411498450196f2a55def62fc8d54e4005a

Download Submit
\Users\Admin\AppData\Local\hpt2TLb0V\VERSION.dll
MD5
a024eba7894957ee215283660d31304c

SHA1
d55a9526c5faf62cb9aaf3aa52c01cc420525633

SHA256
14b8f48f02ff73e097e2e130c5b42eb3a5e3e5b547f8f4e925eb53251bb44fe4

SHA512
6acec5f09682896fbc4e42693c7e06bf07faf513c9e6c2e8e471707a9c80003ea8918d4d1b9da9f818e0075c2cb36a47b521d8986dcb387e4b62afc0a34063d3

Download Submit
memory/196-184-0x00000264353C0000-0x00000264353C2000-memory.dmp

Filesize
8KB

Download
memory/196-182-0x00000264353C0000-0x00000264353C2000-memory.dmp

Filesize
8KB

Download
memory/196-183-0x00000264353C0000-0x00000264353C2000-memory.dmp

Filesize
8KB

Download
memory/196-174-0x0000000000000000-mapping.dmp

Download
memory/2220-121-0x000002D023B10000-0x000002D023B17000-memory.dmp

Filesize
28KB

Download
memory/2220-119-0x000002D023B20000-0x000002D023B22000-memory.dmp

Filesize
8KB

Download
memory/2220-115-0x00007FFB28370000-0x00007FFB284BB000-memory.dmp

Filesize
1.3MB

Download
memory/2220-120-0x000002D023B20000-0x000002D023B22000-memory.dmp

Filesize
8KB

Download
memory/3064-131-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-185-0x0000000000850000-0x0000000000852000-memory.dmp

Filesize
8KB

Download
memory/3064-138-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-139-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-140-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-141-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-134-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-142-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-147-0x0000000000850000-0x0000000000852000-memory.dmp

Filesize
8KB

Download
memory/3064-148-0x0000000000850000-0x0000000000852000-memory.dmp

Filesize
8KB

Download
memory/3064-149-0x00007FFB361D5000-0x00007FFB361D6000-memory.dmp

Filesize
4KB

Download
memory/3064-150-0x0000000000850000-0x0000000000852000-memory.dmp

Filesize
8KB

Download
memory/3064-151-0x00007FFB36310000-0x00007FFB36312000-memory.dmp

Filesize
8KB

Download
memory/3064-123-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-136-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-135-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-133-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-137-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-122-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/3064-124-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-125-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-126-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-132-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-130-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-129-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-127-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3064-128-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3872-156-0x00007FFB28370000-0x00007FFB284BC000-memory.dmp

Filesize
1.3MB

Download
memory/3872-162-0x0000017C2B130000-0x0000017C2B132000-memory.dmp

Filesize
8KB

Download
memory/3872-161-0x0000017C2B130000-0x0000017C2B132000-memory.dmp

Filesize
8KB

Download
memory/3872-160-0x0000017C2B130000-0x0000017C2B132000-memory.dmp

Filesize
8KB

Download
memory/3872-152-0x0000000000000000-mapping.dmp

Download
memory/3972-173-0x000001FD2C5B0000-0x000001FD2C5B2000-memory.dmp

Filesize
8KB

Download
memory/3972-172-0x000001FD2C5B0000-0x000001FD2C5B2000-memory.dmp

Filesize
8KB

Download
memory/3972-171-0x000001FD2C5B0000-0x000001FD2C5B2000-memory.dmp

Filesize
8KB

Download
memory/3972-163-0x0000000000000000-mapping.dmp

Download