dridex | 80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665

Analysis

max time kernel
152s
max time network
119s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665.dll
Size

1.3MB
MD5

d746a159642a08b5fcbf2efd9059b785
SHA1

af0e1db7af9c76413de1daefde55e4956cfc1135
SHA256

80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665
SHA512

95202c25095d26ba975772b8a71e2c33feac958de99f9b47db71bfe73f596c28b8881a163e80e3f37b57aa2e73dcf69489c88c29b7e6ee814568a01391d92be3

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1272-60-0x0000000002B50000-0x0000000002B51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

irftp.exeSystemPropertiesAdvanced.exeBitLockerWizardElev.exe

pid process

1148 irftp.exe
1524 SystemPropertiesAdvanced.exe
1824 BitLockerWizardElev.exe
Loads dropped DLL 7 IoCs

Processes:

irftp.exeSystemPropertiesAdvanced.exeBitLockerWizardElev.exe

pid process

1272
1148 irftp.exe
1272
1524 SystemPropertiesAdvanced.exe
1272
1824 BitLockerWizardElev.exe
1272

pid	process
1148	irftp.exe
1524	SystemPropertiesAdvanced.exe
1824	BitLockerWizardElev.exe

pid	process
1272
1148	irftp.exe
1272
1524	SystemPropertiesAdvanced.exe
1272
1824	BitLockerWizardElev.exe
1272

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\VMVJAZ~1\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeirftp.exeSystemPropertiesAdvanced.exeBitLockerWizardElev.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeirftp.exeSystemPropertiesAdvanced.exe

pid	process
1616	rundll32.exe
1616	rundll32.exe
1616	rundll32.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1148	irftp.exe
1148	irftp.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1524	SystemPropertiesAdvanced.exe
1524	SystemPropertiesAdvanced.exe
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1272

pid	process
1272

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1272 wrote to memory of 1636	1272	irftp.exe
PID 1272 wrote to memory of 1636	1272	irftp.exe
PID 1272 wrote to memory of 1636	1272	irftp.exe
PID 1272 wrote to memory of 1148	1272	irftp.exe
PID 1272 wrote to memory of 1148	1272	irftp.exe
PID 1272 wrote to memory of 1148	1272	irftp.exe
PID 1272 wrote to memory of 1480	1272	SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 1480	1272	SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 1480	1272	SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 1524	1272	SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 1524	1272	SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 1524	1272	SystemPropertiesAdvanced.exe
PID 1272 wrote to memory of 1088	1272	BitLockerWizardElev.exe
PID 1272 wrote to memory of 1088	1272	BitLockerWizardElev.exe
PID 1272 wrote to memory of 1088	1272	BitLockerWizardElev.exe
PID 1272 wrote to memory of 1824	1272	BitLockerWizardElev.exe
PID 1272 wrote to memory of 1824	1272	BitLockerWizardElev.exe
PID 1272 wrote to memory of 1824	1272	BitLockerWizardElev.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:1636

C:\Users\Admin\AppData\Local\cOd\irftp.exe
C:\Users\Admin\AppData\Local\cOd\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:1480

C:\Users\Admin\AppData\Local\cM8\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\cM8\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1524

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:1088

C:\Users\Admin\AppData\Local\iBwm0vc\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\iBwm0vc\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1824

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cM8\SYSDM.CPL
MD5
595b0c36cea7b08352c4ddec04966610

SHA1
ecb2f28027202219c67a1895e6feba56160bd5f7

SHA256
5bd627481d6553b050be7f4ceee379cd63df874610332d3fa7041626d8b2ba4c

SHA512
593444966875b39c096fe5eeb13cd2f5406d72a7d068c7a4f949166cb5fb31a3875501948f002fa6d1bc6c13dd3db5eaf57622bf40e1353081bb420f560c657f

Download Submit
C:\Users\Admin\AppData\Local\cM8\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
C:\Users\Admin\AppData\Local\cOd\WINMM.dll
MD5
60e8d0c7567c12ec01c2e7646ed2c83c

SHA1
1b76fa28560c2aebc35708414134becf941b6118

SHA256
da64c85d323bd7eae0de04db77bce9b9a35f1aad05fb522029907cb29ac72707

SHA512
1d105650dd92b7bb2a3a030ce5bcfb5e2ad44e2fa714964257409b0a61d7929e409a7203879a3b86daae2275a68cb4eab351db477a2735aca022a8d028394490

Download Submit
C:\Users\Admin\AppData\Local\cOd\irftp.exe
MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
C:\Users\Admin\AppData\Local\iBwm0vc\BitLockerWizardElev.exe
MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
C:\Users\Admin\AppData\Local\iBwm0vc\FVEWIZ.dll
MD5
7fd0b41e2fc6df4e1bf23a81e83845e7

SHA1
5b4fc554da4ab892375cae774dc3f1179e10e12d

SHA256
388471d007bd2a1547223be151960cce59b1e3e2316b24150d2d0b310928336b

SHA512
d8e0628f919504cabbf06c030d51bdb979ede4422747fea3a578fb0a85c018ebe16315ced064122bedf4fbb82d9987c3ec8559477d685c35f7fd1ac6a57bf3e6

Download Submit
\Users\Admin\AppData\Local\cM8\SYSDM.CPL
MD5
595b0c36cea7b08352c4ddec04966610

SHA1
ecb2f28027202219c67a1895e6feba56160bd5f7

SHA256
5bd627481d6553b050be7f4ceee379cd63df874610332d3fa7041626d8b2ba4c

SHA512
593444966875b39c096fe5eeb13cd2f5406d72a7d068c7a4f949166cb5fb31a3875501948f002fa6d1bc6c13dd3db5eaf57622bf40e1353081bb420f560c657f

Download Submit
\Users\Admin\AppData\Local\cM8\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\cOd\WINMM.dll
MD5
60e8d0c7567c12ec01c2e7646ed2c83c

SHA1
1b76fa28560c2aebc35708414134becf941b6118

SHA256
da64c85d323bd7eae0de04db77bce9b9a35f1aad05fb522029907cb29ac72707

SHA512
1d105650dd92b7bb2a3a030ce5bcfb5e2ad44e2fa714964257409b0a61d7929e409a7203879a3b86daae2275a68cb4eab351db477a2735aca022a8d028394490

Download Submit
\Users\Admin\AppData\Local\cOd\irftp.exe
MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\iBwm0vc\BitLockerWizardElev.exe
MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\iBwm0vc\FVEWIZ.dll
MD5
7fd0b41e2fc6df4e1bf23a81e83845e7

SHA1
5b4fc554da4ab892375cae774dc3f1179e10e12d

SHA256
388471d007bd2a1547223be151960cce59b1e3e2316b24150d2d0b310928336b

SHA512
d8e0628f919504cabbf06c030d51bdb979ede4422747fea3a578fb0a85c018ebe16315ced064122bedf4fbb82d9987c3ec8559477d685c35f7fd1ac6a57bf3e6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\obW5jxdgz\BitLockerWizardElev.exe
MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
memory/1148-88-0x000007FEF6E90000-0x000007FEF6FDB000-memory.dmp

Filesize
1.3MB

Download
memory/1148-84-0x0000000000000000-mapping.dmp

Download
memory/1272-68-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-69-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-75-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-76-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-77-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-82-0x0000000077DB0000-0x0000000077DB2000-memory.dmp

Filesize
8KB

Download
memory/1272-73-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-71-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-72-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-67-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-70-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-74-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-60-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download
memory/1272-63-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-66-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-61-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-62-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-64-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1272-65-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1524-97-0x000007FEF6F50000-0x000007FEF709A000-memory.dmp

Filesize
1.3MB

Download
memory/1524-93-0x0000000000000000-mapping.dmp

Download
memory/1616-55-0x000007FEF6F50000-0x000007FEF7099000-memory.dmp

Filesize
1.3MB

Download
memory/1616-59-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/1824-102-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads