dridex | 763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda

Analysis

max time kernel
152s
max time network
143s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda.dll
Size

1.3MB
MD5

f475890b3db27bd228eab93a66e834e5
SHA1

ef69eaf983de220c59ad835ba79ea403099dd2fd
SHA256

763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda
SHA512

0991bf4ba63a24f9a264bea2f4b7707ea9aa29abb883f1e166b9e1bd3c44fbdafcb25673953b8a67f7542bbb14e77457ddc9dddaf1140e390e824f4f5a50e09c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1380-60-0x0000000002650000-0x0000000002651000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

OptionalFeatures.exeDevicePairingWizard.exeSystemPropertiesRemote.exe

pid process

1476 OptionalFeatures.exe
1540 DevicePairingWizard.exe
1720 SystemPropertiesRemote.exe
Loads dropped DLL 7 IoCs

Processes:

OptionalFeatures.exeDevicePairingWizard.exeSystemPropertiesRemote.exe

pid process

1380
1476 OptionalFeatures.exe
1380
1540 DevicePairingWizard.exe
1380
1720 SystemPropertiesRemote.exe
1380

pid	process
1476	OptionalFeatures.exe
1540	DevicePairingWizard.exe
1720	SystemPropertiesRemote.exe

pid	process
1380
1476	OptionalFeatures.exe
1380
1540	DevicePairingWizard.exe
1380
1720	SystemPropertiesRemote.exe
1380

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\METJAN~1\\DEVICE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeOptionalFeatures.exeDevicePairingWizard.exeSystemPropertiesRemote.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeOptionalFeatures.exeDevicePairingWizard.exe

pid	process
876	rundll32.exe
876	rundll32.exe
876	rundll32.exe
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1476	OptionalFeatures.exe
1476	OptionalFeatures.exe
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1540	DevicePairingWizard.exe
1540	DevicePairingWizard.exe
1380
1380
1380
1380

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1380

pid	process
1380

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1380 wrote to memory of 1052	1380	OptionalFeatures.exe
PID 1380 wrote to memory of 1052	1380	OptionalFeatures.exe
PID 1380 wrote to memory of 1052	1380	OptionalFeatures.exe
PID 1380 wrote to memory of 1476	1380	OptionalFeatures.exe
PID 1380 wrote to memory of 1476	1380	OptionalFeatures.exe
PID 1380 wrote to memory of 1476	1380	OptionalFeatures.exe
PID 1380 wrote to memory of 1376	1380	DevicePairingWizard.exe
PID 1380 wrote to memory of 1376	1380	DevicePairingWizard.exe
PID 1380 wrote to memory of 1376	1380	DevicePairingWizard.exe
PID 1380 wrote to memory of 1540	1380	DevicePairingWizard.exe
PID 1380 wrote to memory of 1540	1380	DevicePairingWizard.exe
PID 1380 wrote to memory of 1540	1380	DevicePairingWizard.exe
PID 1380 wrote to memory of 1840	1380	SystemPropertiesRemote.exe
PID 1380 wrote to memory of 1840	1380	SystemPropertiesRemote.exe
PID 1380 wrote to memory of 1840	1380	SystemPropertiesRemote.exe
PID 1380 wrote to memory of 1720	1380	SystemPropertiesRemote.exe
PID 1380 wrote to memory of 1720	1380	SystemPropertiesRemote.exe
PID 1380 wrote to memory of 1720	1380	SystemPropertiesRemote.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:876

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:1052

C:\Users\Admin\AppData\Local\pd1AKjhGm\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\pd1AKjhGm\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1476

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:1376

C:\Users\Admin\AppData\Local\jfL\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\jfL\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:1840

C:\Users\Admin\AppData\Local\B00JA\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\B00JA\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\B00JA\SYSDM.CPL
MD5
fcd44a9919c7078a581669144bb7d47c

SHA1
0a410f6355af8a8cc70a61cc2b965fb258eb4478

SHA256
f63941460d610a41f624d5f3dd1a58f81172a5faf6e4b3cf945b63eb6976a148

SHA512
67e0ae588bb44362d8218cbff61c2f65f7fe9692b2af931a98a0989d4a4789496e1cf310ae3eb49e559429f6cd7734f286f66c627ddd70795288d1f6d10aee09

Download Submit
C:\Users\Admin\AppData\Local\B00JA\SystemPropertiesRemote.exe
MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
C:\Users\Admin\AppData\Local\jfL\DevicePairingWizard.exe
MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
C:\Users\Admin\AppData\Local\jfL\MFC42u.dll
MD5
b4e57f39f0e4d448a5cd92b69885f6a3

SHA1
fcefa3952cbd5fd7998329be244168cea9d54d9e

SHA256
1df6aa23df95b32848f8738e9383c0498cd9d4caa3ff9d9d6455927aa375dbd4

SHA512
16f731de45549f8ca10e38a597c786a316a419d06da545793294f6a1e00c69e6644ff066788fd7d296e7d86d6881a8d30b6928ff2434637079d5947ce9400178

Download Submit
C:\Users\Admin\AppData\Local\pd1AKjhGm\OptionalFeatures.exe
MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
C:\Users\Admin\AppData\Local\pd1AKjhGm\appwiz.cpl
MD5
487105effcc08b743169fa6d52689406

SHA1
6334ab4bbbe97497826c819a6acdf108166042e8

SHA256
f22fe43e5c6b1f6b1f21ea629d58da905147d25ad780d3d725d027bd3fe1cfbb

SHA512
b7c6402771ce26cf5f93ff2c6875f9fff08852c98f81be3a8a0be6dc676bedab6689650eb2145b761a6b795fa0cd0c9f01ef09278dd1aeec15ab72bf7502d48c

Download Submit
\Users\Admin\AppData\Local\B00JA\SYSDM.CPL
MD5
fcd44a9919c7078a581669144bb7d47c

SHA1
0a410f6355af8a8cc70a61cc2b965fb258eb4478

SHA256
f63941460d610a41f624d5f3dd1a58f81172a5faf6e4b3cf945b63eb6976a148

SHA512
67e0ae588bb44362d8218cbff61c2f65f7fe9692b2af931a98a0989d4a4789496e1cf310ae3eb49e559429f6cd7734f286f66c627ddd70795288d1f6d10aee09

Download Submit
\Users\Admin\AppData\Local\B00JA\SystemPropertiesRemote.exe
MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\jfL\DevicePairingWizard.exe
MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\jfL\MFC42u.dll
MD5
b4e57f39f0e4d448a5cd92b69885f6a3

SHA1
fcefa3952cbd5fd7998329be244168cea9d54d9e

SHA256
1df6aa23df95b32848f8738e9383c0498cd9d4caa3ff9d9d6455927aa375dbd4

SHA512
16f731de45549f8ca10e38a597c786a316a419d06da545793294f6a1e00c69e6644ff066788fd7d296e7d86d6881a8d30b6928ff2434637079d5947ce9400178

Download Submit
\Users\Admin\AppData\Local\pd1AKjhGm\OptionalFeatures.exe
MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\pd1AKjhGm\appwiz.cpl
MD5
487105effcc08b743169fa6d52689406

SHA1
6334ab4bbbe97497826c819a6acdf108166042e8

SHA256
f22fe43e5c6b1f6b1f21ea629d58da905147d25ad780d3d725d027bd3fe1cfbb

SHA512
b7c6402771ce26cf5f93ff2c6875f9fff08852c98f81be3a8a0be6dc676bedab6689650eb2145b761a6b795fa0cd0c9f01ef09278dd1aeec15ab72bf7502d48c

Download Submit
\Users\Admin\AppData\Roaming\Identities\pq0GWvBFLb5\SystemPropertiesRemote.exe
MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
memory/876-55-0x000007FEF6040000-0x000007FEF618B000-memory.dmp

Filesize
1.3MB

Download
memory/876-59-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1380-62-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-72-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-67-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-63-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-64-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-69-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-61-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-84-0x0000000076FF0000-0x0000000076FF2000-memory.dmp

Filesize
8KB

Download
memory/1380-71-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-60-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1380-70-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-74-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-73-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-66-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-75-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-65-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-76-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-78-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-79-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-68-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1380-77-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1476-90-0x000007FEF6190000-0x000007FEF62DC000-memory.dmp

Filesize
1.3MB

Download
memory/1476-86-0x0000000000000000-mapping.dmp

Download
memory/1540-99-0x000007FEF6180000-0x000007FEF62D2000-memory.dmp

Filesize
1.3MB

Download
memory/1540-95-0x0000000000000000-mapping.dmp

Download
memory/1720-104-0x0000000000000000-mapping.dmp

Download