dridex | 64eadd3a1fe874e2299e3f3321a478a3bc1c2e530ae28fefc4927d1c7771bb92

Analysis

max time kernel
154s
max time network
122s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64eadd3a1fe874e2299e3f3321a478a3bc1c2e530ae28fefc4927d1c7771bb92.dll
Size

1.3MB
MD5

e57e81a28fe78e44bb3ff92b0aa211b0
SHA1

087ff74a9232abeabe0bdfd835690820fa990718
SHA256

64eadd3a1fe874e2299e3f3321a478a3bc1c2e530ae28fefc4927d1c7771bb92
SHA512

fb6451f71a29ba074c500cc9328503ab33d38f55536e50c3abcf0a78b8917520d0530c132c20c15f02083469504f73fb3416d6a3068fc32ba9ee5c0ed8ea5688

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3024-124-0x0000000000D10000-0x0000000000D11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizard.exeBdeUISrv.exerdpinit.exe

pid process

904 BitLockerWizard.exe
3532 BdeUISrv.exe
2880 rdpinit.exe
Loads dropped DLL 3 IoCs

Processes:

BitLockerWizard.exeBdeUISrv.exerdpinit.exe

pid process

904 BitLockerWizard.exe
3532 BdeUISrv.exe
2880 rdpinit.exe

pid	process
904	BitLockerWizard.exe
3532	BdeUISrv.exe
2880	rdpinit.exe

pid	process
904	BitLockerWizard.exe
3532	BdeUISrv.exe
2880	rdpinit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\a8W\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BitLockerWizard.exeBdeUISrv.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
3032	regsvr32.exe
3032	regsvr32.exe
3032	regsvr32.exe
3032	regsvr32.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

regsvr32.exeBitLockerWizard.exeBdeUISrv.exerdpinit.exe

pid process

3032 regsvr32.exe
3024
904 BitLockerWizard.exe
3532 BdeUISrv.exe
2880 rdpinit.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3024 wrote to memory of 364	3024	BitLockerWizard.exe
PID 3024 wrote to memory of 364	3024	BitLockerWizard.exe
PID 3024 wrote to memory of 904	3024	BitLockerWizard.exe
PID 3024 wrote to memory of 904	3024	BitLockerWizard.exe
PID 3024 wrote to memory of 3456	3024	BdeUISrv.exe
PID 3024 wrote to memory of 3456	3024	BdeUISrv.exe
PID 3024 wrote to memory of 3532	3024	BdeUISrv.exe
PID 3024 wrote to memory of 3532	3024	BdeUISrv.exe
PID 3024 wrote to memory of 2868	3024	rdpinit.exe
PID 3024 wrote to memory of 2868	3024	rdpinit.exe
PID 3024 wrote to memory of 2880	3024	rdpinit.exe
PID 3024 wrote to memory of 2880	3024	rdpinit.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\64eadd3a1fe874e2299e3f3321a478a3bc1c2e530ae28fefc4927d1c7771bb92.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3032

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:364

C:\Users\Admin\AppData\Local\N4OJ\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\N4OJ\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:904

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:3456

C:\Users\Admin\AppData\Local\hqYDyM32z\BdeUISrv.exe
C:\Users\Admin\AppData\Local\hqYDyM32z\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3532

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2868

C:\Users\Admin\AppData\Local\TfelQ\rdpinit.exe
C:\Users\Admin\AppData\Local\TfelQ\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\N4OJ\BitLockerWizard.exe
MD5
c213e950a565d1fbe302961f029dddc8

SHA1
edeaf01a3dbfdfca54a5e25c121d9645dd75bf86

SHA256
f90e755a99ce576c643b751d4f87f4b301d0bf7264f74023225b9b8b7f2e302d

SHA512
081f5ee07b6ffae41e494a13c720a8fb92a05c68b1f72c0bc6422050fabc2a433b84f6a3991defa4bfc9d5a721fb8cd83927613d4423f918cf8e57427e825fb0

Download Submit
C:\Users\Admin\AppData\Local\N4OJ\FVEWIZ.dll
MD5
0e5dc52fcc634ad5ef243010fed929c2

SHA1
c5583f2dae39031fd5069149967e7f5a5146731a

SHA256
1314d196a3d3b81be2f3924e4c2ecd90b1810957bab634eadc648b68eb0d52ae

SHA512
ab9b9505da38c254951cd9bf2fbe5e7d7f734a74d334f90966638b28453e999ba2a5b6ce4625489210667c61bcd16689f7d16dbe0a13c10fa5e87d04f0e4fbf7

Download Submit
C:\Users\Admin\AppData\Local\TfelQ\WINSTA.dll
MD5
424595c7c5e175f993047f30ee2d0327

SHA1
a314fb965e2c86f510efc9dfe5dd865fcdfe3080

SHA256
7ab58fa414d3c62898f2df1f8ea411b3e33285cfbd9a104db5acff277cb2e8fa

SHA512
1f05ddb78cb5b4074e1372a883e1b6eeec5d20ea7399784eb4a8cb63d1b40768ac240c476bf64e49e729a05dd79090fb75fd738e27747d26e1977bca76543f36

Download Submit
C:\Users\Admin\AppData\Local\TfelQ\rdpinit.exe
MD5
d6920b7d525e4ab8fb64305ffee184c4

SHA1
545d443e2c98f964ef90ec8f055d50d1cac254a1

SHA256
22a0ecfbc1333f7b471ac9c4b74e5f45f64dd0976c75474cd909532d54ac62a1

SHA512
d3d65b8fe84f3d086bb35958c9e9474706899e92ebfc9933490939aa8f8bc0e41aa500199df1b03401ad15535364916ae46de8f34c1fa9df39c0b4e70f428343

Download Submit
C:\Users\Admin\AppData\Local\hqYDyM32z\BdeUISrv.exe
MD5
bbdabce7ba28eb67c325fa99125d56e0

SHA1
332ea58882149d629057e8a8004a48d1bb1d6180

SHA256
9c3fe14fc4ab8e385c3baae1d5a04a66c3ee645d278b182039fa45a6c99b4994

SHA512
fd3a22baac2689f8e009cb7845aa6ca7dd4a7ba4f1956758945cdd68dfc7045e4da62cf846a4a0b507d9be3753eb68b94fe375bf01dc698017b107ff26ebd93e

Download Submit
C:\Users\Admin\AppData\Local\hqYDyM32z\WTSAPI32.dll
MD5
fc25cdabe76f75ce45bd28bcccee83e9

SHA1
67203f0c1e57fb1f719f6fd0157f0ced3d15f68f

SHA256
5ac74da99dbeab6553f15b34807d57eba6e8059672a536947d35080d247c36e0

SHA512
ae3581ca36bffb6ec22eb617c28502a6f3b976366f5dd613c4fea1697b7231be56baeb7b3e66e777fcd1763bc6fc989032bc7ecadf98c8b1754f5c037717badf

Download Submit
\Users\Admin\AppData\Local\N4OJ\FVEWIZ.dll
MD5
0e5dc52fcc634ad5ef243010fed929c2

SHA1
c5583f2dae39031fd5069149967e7f5a5146731a

SHA256
1314d196a3d3b81be2f3924e4c2ecd90b1810957bab634eadc648b68eb0d52ae

SHA512
ab9b9505da38c254951cd9bf2fbe5e7d7f734a74d334f90966638b28453e999ba2a5b6ce4625489210667c61bcd16689f7d16dbe0a13c10fa5e87d04f0e4fbf7

Download Submit
\Users\Admin\AppData\Local\TfelQ\WINSTA.dll
MD5
424595c7c5e175f993047f30ee2d0327

SHA1
a314fb965e2c86f510efc9dfe5dd865fcdfe3080

SHA256
7ab58fa414d3c62898f2df1f8ea411b3e33285cfbd9a104db5acff277cb2e8fa

SHA512
1f05ddb78cb5b4074e1372a883e1b6eeec5d20ea7399784eb4a8cb63d1b40768ac240c476bf64e49e729a05dd79090fb75fd738e27747d26e1977bca76543f36

Download Submit
\Users\Admin\AppData\Local\hqYDyM32z\WTSAPI32.dll
MD5
fc25cdabe76f75ce45bd28bcccee83e9

SHA1
67203f0c1e57fb1f719f6fd0157f0ced3d15f68f

SHA256
5ac74da99dbeab6553f15b34807d57eba6e8059672a536947d35080d247c36e0

SHA512
ae3581ca36bffb6ec22eb617c28502a6f3b976366f5dd613c4fea1697b7231be56baeb7b3e66e777fcd1763bc6fc989032bc7ecadf98c8b1754f5c037717badf

Download Submit
memory/904-152-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/904-148-0x0000000000000000-mapping.dmp

Download
memory/904-156-0x0000029627320000-0x0000029627322000-memory.dmp

Filesize
8KB

Download
memory/904-157-0x0000029627320000-0x0000029627322000-memory.dmp

Filesize
8KB

Download
memory/904-155-0x0000029627320000-0x0000029627322000-memory.dmp

Filesize
8KB

Download
memory/2880-173-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2880-169-0x0000000000000000-mapping.dmp

Download
memory/2880-176-0x0000020178060000-0x0000020178062000-memory.dmp

Filesize
8KB

Download
memory/2880-177-0x0000020178060000-0x0000020178062000-memory.dmp

Filesize
8KB

Download
memory/2880-178-0x0000020178060000-0x0000020178062000-memory.dmp

Filesize
8KB

Download
memory/3024-147-0x0000000000D30000-0x0000000000D32000-memory.dmp

Filesize
8KB

Download
memory/3024-131-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-146-0x00007FFA4A8C5000-0x00007FFA4A8C6000-memory.dmp

Filesize
4KB

Download
memory/3024-124-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/3024-144-0x0000000000D30000-0x0000000000D32000-memory.dmp

Filesize
8KB

Download
memory/3024-138-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-137-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-136-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-135-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-134-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-133-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-132-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-158-0x00007FFA4AA00000-0x00007FFA4AA02000-memory.dmp

Filesize
8KB

Download
memory/3024-145-0x0000000000D30000-0x0000000000D32000-memory.dmp

Filesize
8KB

Download
memory/3024-125-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-130-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-129-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-126-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-127-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3024-128-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3032-118-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3032-123-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/3032-122-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download
memory/3032-121-0x0000000000680000-0x0000000000682000-memory.dmp

Filesize
8KB

Download
memory/3532-168-0x000001E95A2E0000-0x000001E95A2E2000-memory.dmp

Filesize
8KB

Download
memory/3532-167-0x000001E95A2E0000-0x000001E95A2E2000-memory.dmp

Filesize
8KB

Download
memory/3532-166-0x000001E95A2E0000-0x000001E95A2E2000-memory.dmp

Filesize
8KB

Download
memory/3532-159-0x0000000000000000-mapping.dmp

Download