dridex | 96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395

Analysis

max time kernel
158s
max time network
139s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395.dll
Size

1.3MB
MD5

1f6485c87621bff97a63f506040b8288
SHA1

43e5b5a0abf8ef0cbf6fc3ca95f009022b89dec4
SHA256

96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395
SHA512

48bfcf96bc030cc1e84d30d00c42c54abc5f144c4f550d803d8db207fcc0e1bcf65bc4510b39a1204f967bb8028218ded870319423ef72f6b6164963390c091c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3016-125-0x0000000001260000-0x0000000001261000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sppsvc.exemsra.exemblctr.exe

pid process

1208 sppsvc.exe
296 msra.exe
1216 mblctr.exe
Loads dropped DLL 3 IoCs

Processes:

sppsvc.exemsra.exemblctr.exe

pid process

1208 sppsvc.exe
296 msra.exe
1216 mblctr.exe

pid	process
1208	sppsvc.exe
296	msra.exe
1216	mblctr.exe

pid	process
1208	sppsvc.exe
296	msra.exe
1216	mblctr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\YCO\\msra.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msra.exemblctr.exerundll32.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesppsvc.exe

pid	process
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
2396	rundll32.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
1208	sppsvc.exe
1208	sppsvc.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3016

pid	process
3016

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

description	pid	target process
PID 3016 wrote to memory of 1208	3016	sppsvc.exe
PID 3016 wrote to memory of 1208	3016	sppsvc.exe
PID 3016 wrote to memory of 3008	3016	msra.exe
PID 3016 wrote to memory of 3008	3016	msra.exe
PID 3016 wrote to memory of 296	3016	msra.exe
PID 3016 wrote to memory of 296	3016	msra.exe
PID 3016 wrote to memory of 3700	3016	mblctr.exe
PID 3016 wrote to memory of 3700	3016	mblctr.exe
PID 3016 wrote to memory of 1216	3016	mblctr.exe
PID 3016 wrote to memory of 1216	3016	mblctr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1376

C:\Users\Admin\AppData\Local\E4NED3\sppsvc.exe
C:\Users\Admin\AppData\Local\E4NED3\sppsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:3008

C:\Users\Admin\AppData\Local\tUNU\msra.exe
C:\Users\Admin\AppData\Local\tUNU\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:296

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:3700

C:\Users\Admin\AppData\Local\9MbM4FKw\mblctr.exe
C:\Users\Admin\AppData\Local\9MbM4FKw\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9MbM4FKw\WTSAPI32.dll
MD5
e2b99f7ba4e5eec2c1dd48a37a653345

SHA1
73f099111b16c157cf25c1175f6dbe48981dad7e

SHA256
1020b6bfecd57a0681aec4113d4779c616eac1e750b83f66d1a3c2ded06543d5

SHA512
fd2a185a9086b10f74fd8e017060fad11b72846215bc208cf58a1ecbc024a4c992a953ed117d7ba9164b641a2ef6ed81d44f24ba0cc54d3ee51848790ba2340f

Download Submit
C:\Users\Admin\AppData\Local\9MbM4FKw\mblctr.exe
MD5
b0c3fd37171b242f88f2757ecdc1e9bd

SHA1
33fb495368f8e28603c5e6bec0fa01c501ef6306

SHA256
d6f2cf2dca7c6fca164da85c60f7463b2575c0a5a19c038b025b41fa586d54fc

SHA512
7ad8562907a6fbf94ae65f19df63c5ef27e65d34eb20ae52404456b1e52f0d1c1b351a87afb86e96e459063c32666303d0731730a95566ed67aac1fb7ba2e0c4

Download Submit
C:\Users\Admin\AppData\Local\E4NED3\XmlLite.dll
MD5
73c818d6bc2e261a7ba86a828e0e733b

SHA1
81dd90e648dff71919ca9c61f07d781110545776

SHA256
2635d2001c7f842dfd81f62fb21fb52d3aeee3ff1416f0ab714c1e767a1ceee4

SHA512
c64788c75cf23182e94769c808fdfd0422ac3211b4324b4e1f40602cab8a98ed37a56e987d5f6337e02f55a088b95459ed814e493c056c6af2136354575a1599

Download Submit
C:\Users\Admin\AppData\Local\E4NED3\sppsvc.exe
MD5
e910861720de6edfb5cc6158ce3c7e17

SHA1
9b5b7c08da7cf36ca302c6e57cbc8bcfa5a69a9d

SHA256
526ba8eeb9ee5312fec39753d728e05f49ad81132346a354c95d4d4938001e2b

SHA512
e2a34b7e37781072494685ddab68bdb711910ae29f2ee9e05ec514442956047fb5b58ee8606110db48029f40990857184256c53f48910e8e050269f2a7aa0435

Download Submit
C:\Users\Admin\AppData\Local\tUNU\NDFAPI.DLL
MD5
cd9c10629e6da1c42fd859026107cfc0

SHA1
7383f861b59ac41351ded9fd0bd011d9cea9936e

SHA256
b9d93da431a5e313ccbb825b3974ad84966b2bbb162c0a3f60a44ad5004c4653

SHA512
df71d144dde75a3b75c9f8aa50cd25747b1979349349a6091816363a7ae6fb8eae4c198aee6dcf67077ded94f0a159e1e3670f217e0639af4b2df0b7d8ff650a

Download Submit
C:\Users\Admin\AppData\Local\tUNU\msra.exe
MD5
b00eb640229462c7080dc17e5805dfc9

SHA1
28b438b47d145b17c94cbec39b204ced6eccb5f1

SHA256
529378155b8aa91ff47d1f015c96a373fdb12acef3811d2f8a7e3dff67fded3b

SHA512
e962f71be1f25787710b8cb92453bcc19ff38921d01b2c892a4c61bfa09959377a73a95a02c0a62b1c93aaef7d9b4a43c196ca76ac7c7327abe85340bf94b6d2

Download Submit
\Users\Admin\AppData\Local\9MbM4FKw\WTSAPI32.dll
MD5
e2b99f7ba4e5eec2c1dd48a37a653345

SHA1
73f099111b16c157cf25c1175f6dbe48981dad7e

SHA256
1020b6bfecd57a0681aec4113d4779c616eac1e750b83f66d1a3c2ded06543d5

SHA512
fd2a185a9086b10f74fd8e017060fad11b72846215bc208cf58a1ecbc024a4c992a953ed117d7ba9164b641a2ef6ed81d44f24ba0cc54d3ee51848790ba2340f

Download Submit
\Users\Admin\AppData\Local\E4NED3\XmlLite.dll
MD5
73c818d6bc2e261a7ba86a828e0e733b

SHA1
81dd90e648dff71919ca9c61f07d781110545776

SHA256
2635d2001c7f842dfd81f62fb21fb52d3aeee3ff1416f0ab714c1e767a1ceee4

SHA512
c64788c75cf23182e94769c808fdfd0422ac3211b4324b4e1f40602cab8a98ed37a56e987d5f6337e02f55a088b95459ed814e493c056c6af2136354575a1599

Download Submit
\Users\Admin\AppData\Local\tUNU\NDFAPI.DLL
MD5
cd9c10629e6da1c42fd859026107cfc0

SHA1
7383f861b59ac41351ded9fd0bd011d9cea9936e

SHA256
b9d93da431a5e313ccbb825b3974ad84966b2bbb162c0a3f60a44ad5004c4653

SHA512
df71d144dde75a3b75c9f8aa50cd25747b1979349349a6091816363a7ae6fb8eae4c198aee6dcf67077ded94f0a159e1e3670f217e0639af4b2df0b7d8ff650a

Download Submit
memory/296-174-0x000002578F110000-0x000002578F112000-memory.dmp

Filesize
8KB

Download
memory/296-165-0x0000000000000000-mapping.dmp

Download
memory/296-175-0x000002578F110000-0x000002578F112000-memory.dmp

Filesize
8KB

Download
memory/296-173-0x000002578F110000-0x000002578F112000-memory.dmp

Filesize
8KB

Download
memory/1208-158-0x00007FF94C5E0000-0x00007FF94C72B000-memory.dmp

Filesize
1.3MB

Download
memory/1208-162-0x00000269B6710000-0x00000269B6712000-memory.dmp

Filesize
8KB

Download
memory/1208-164-0x00000269B6710000-0x00000269B6712000-memory.dmp

Filesize
8KB

Download
memory/1208-154-0x0000000000000000-mapping.dmp

Download
memory/1208-163-0x00000269B6710000-0x00000269B6712000-memory.dmp

Filesize
8KB

Download
memory/1216-184-0x00000184D5630000-0x00000184D5632000-memory.dmp

Filesize
8KB

Download
memory/1216-176-0x0000000000000000-mapping.dmp

Download
memory/1216-185-0x00000184D5630000-0x00000184D5632000-memory.dmp

Filesize
8KB

Download
memory/1216-186-0x00000184D5630000-0x00000184D5632000-memory.dmp

Filesize
8KB

Download
memory/2396-118-0x00007FF94C5E0000-0x00007FF94C72A000-memory.dmp

Filesize
1.3MB

Download
memory/2396-124-0x0000024FC1130000-0x0000024FC1137000-memory.dmp

Filesize
28KB

Download
memory/2396-123-0x0000024FC1140000-0x0000024FC1142000-memory.dmp

Filesize
8KB

Download
memory/2396-122-0x0000024FC1140000-0x0000024FC1142000-memory.dmp

Filesize
8KB

Download
memory/3016-133-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-151-0x00007FF958875000-0x00007FF958876000-memory.dmp

Filesize
4KB

Download
memory/3016-153-0x00007FF9589B0000-0x00007FF9589B2000-memory.dmp

Filesize
8KB

Download
memory/3016-152-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/3016-150-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/3016-149-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/3016-144-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-143-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-142-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-141-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-140-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-139-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-138-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-136-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-137-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-135-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-134-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-132-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-131-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-125-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3016-130-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-129-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-127-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-128-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3016-126-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download