dridex | 80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665

Analysis

max time kernel
152s
max time network
133s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665.dll
Size

1.3MB
MD5

d746a159642a08b5fcbf2efd9059b785
SHA1

af0e1db7af9c76413de1daefde55e4956cfc1135
SHA256

80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665
SHA512

95202c25095d26ba975772b8a71e2c33feac958de99f9b47db71bfe73f596c28b8881a163e80e3f37b57aa2e73dcf69489c88c29b7e6ee814568a01391d92be3

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3060-125-0x0000000000590000-0x0000000000591000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mspaint.exeSystemPropertiesAdvanced.exeshrpubw.exe

pid process

4028 mspaint.exe
3808 SystemPropertiesAdvanced.exe
3960 shrpubw.exe
Loads dropped DLL 3 IoCs

Processes:

mspaint.exeSystemPropertiesAdvanced.exeshrpubw.exe

pid process

4028 mspaint.exe
3808 SystemPropertiesAdvanced.exe
3960 shrpubw.exe

pid	process
4028	mspaint.exe
3808	SystemPropertiesAdvanced.exe
3960	shrpubw.exe

pid	process
4028	mspaint.exe
3808	SystemPropertiesAdvanced.exe
3960	shrpubw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\j22mlgOEVZF\\SystemPropertiesAdvanced.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mspaint.exeSystemPropertiesAdvanced.exeshrpubw.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exemspaint.exe

pid	process
3524	rundll32.exe
3524	rundll32.exe
3524	rundll32.exe
3524	rundll32.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
4028	mspaint.exe
4028	mspaint.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3060

pid	process
3060

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060
Token: SeShutdownPrivilege	3060
Token: SeCreatePagefilePrivilege	3060

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3060 wrote to memory of 2000	3060	mspaint.exe
PID 3060 wrote to memory of 2000	3060	mspaint.exe
PID 3060 wrote to memory of 4028	3060	mspaint.exe
PID 3060 wrote to memory of 4028	3060	mspaint.exe
PID 3060 wrote to memory of 60	3060	SystemPropertiesAdvanced.exe
PID 3060 wrote to memory of 60	3060	SystemPropertiesAdvanced.exe
PID 3060 wrote to memory of 3808	3060	SystemPropertiesAdvanced.exe
PID 3060 wrote to memory of 3808	3060	SystemPropertiesAdvanced.exe
PID 3060 wrote to memory of 3176	3060	shrpubw.exe
PID 3060 wrote to memory of 3176	3060	shrpubw.exe
PID 3060 wrote to memory of 3960	3060	shrpubw.exe
PID 3060 wrote to memory of 3960	3060	shrpubw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\80078c8c2ae41981fe8bb5cbcf23f5999cd40f2ceb5c35183d890d75e64cd665.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:2000

C:\Users\Admin\AppData\Local\CV5CzV\mspaint.exe
C:\Users\Admin\AppData\Local\CV5CzV\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:60

C:\Users\Admin\AppData\Local\40uJ\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\40uJ\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3808

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:3176

C:\Users\Admin\AppData\Local\24HLw\shrpubw.exe
C:\Users\Admin\AppData\Local\24HLw\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\24HLw\MFC42u.dll
MD5
79ed3f25c4336f9f450a815fbdb9b799

SHA1
05dcee8785097e30590c2d4d44fce7ed4a0c4f3a

SHA256
5f0460676271a177962054576cfcc908290de9dfc3931f14f1fbf310a0919583

SHA512
bc171d1a7cf559ec866b00d7309dd7377c5c7f988a9334db07c849a5f0d63976c65fe306e430af97f207d46518383fdbb89f2902d60a32262e8027f4fda3b22d

Download Submit
C:\Users\Admin\AppData\Local\24HLw\shrpubw.exe
MD5
2cc2e7c22c71491178be7c112206354d

SHA1
3925a3ae53c412f39bdef5db553b52f24b5a6c92

SHA256
7880cfe0caa95a3319a5d2862cdc335b40ceb9c7afcbb57129c968628d69acab

SHA512
8cfedb0a15cabda1040e458b0a707889492e609622eed637d00c67ef29d7f64443145e07e1c701bc1ec481116dc45a3222d820228c80c0bed3c2bd86c271a88f

Download Submit
C:\Users\Admin\AppData\Local\40uJ\SYSDM.CPL
MD5
225cce532383afe2e8b57f7c20ca9572

SHA1
e76d83b7919554a7be941ab08ba23d599b04310e

SHA256
e31d11fc878dc6b30ceadc00ab7854df3ab74bea4e326c8656ef80003c43dcb0

SHA512
5436caabc8b8b9fb3c5bcfd039c7f9c50ca8fa3e2e1f63bc7a58ef2a501b3315552ba2f7cf3877029ddaaed43599d7e6ab612947e30f4ad6532f25aeebf23d43

Download Submit
C:\Users\Admin\AppData\Local\40uJ\SystemPropertiesAdvanced.exe
MD5
375b58f4fced878a37108c3e5ad9b20c

SHA1
8a05b43085e2ccf4ad1b041cabb4fe91498e98e5

SHA256
480aa5e419e066e1dd84ae98f07cca9e21e6b72e82f6fbc9b54bbbefbe2f79b9

SHA512
e803d80e72c17cde65190678389182188dd3035465598fd2a89c31f80518a6eda07be06373e133403dbcdb5f076ee4204c5d702524b12ccb6a2ba21e4c815441

Download Submit
C:\Users\Admin\AppData\Local\CV5CzV\WINMM.dll
MD5
1a9d8c6c8351bcb057fff6669d16f78f

SHA1
5c9d5d5f9cfb798c87757e36729f1804d5229cd1

SHA256
c643f05dec7ed577933174071fcfb50f67e304f08e5b73466df780ad87474683

SHA512
7b0aca015988c8797de962df23ac88b9b9bdc3a8e400c9d35064ce47d4fb811eb2264e9091cbbb71b3c0824f1ce647605f4896a8f277c00a8da0c5eb1237eb27

Download Submit
C:\Users\Admin\AppData\Local\CV5CzV\mspaint.exe
MD5
d19c421c2609048fbb88f37baeb53c29

SHA1
3a29ebe10d225242d88714e17b9d612b16c1947b

SHA256
b80c76fc0bc57f7d74f5aca9f60d9609dcff4a8683dcd5de2e0b9eeb1621bca7

SHA512
7b2327a658e3236ec678179de9221b92bc5c0ca36cf2c7af238e4c9f630ecb06e0558f2c3e2617941f6021f3a4132d0e3b6a117c6dbe684f63eb5380ea42d288

Download Submit
C:\Users\Admin\AppData\Local\CV5CzV\mspaint.exe
MD5
d19c421c2609048fbb88f37baeb53c29

SHA1
3a29ebe10d225242d88714e17b9d612b16c1947b

SHA256
b80c76fc0bc57f7d74f5aca9f60d9609dcff4a8683dcd5de2e0b9eeb1621bca7

SHA512
7b2327a658e3236ec678179de9221b92bc5c0ca36cf2c7af238e4c9f630ecb06e0558f2c3e2617941f6021f3a4132d0e3b6a117c6dbe684f63eb5380ea42d288

Download Submit
\Users\Admin\AppData\Local\24HLw\MFC42u.dll
MD5
79ed3f25c4336f9f450a815fbdb9b799

SHA1
05dcee8785097e30590c2d4d44fce7ed4a0c4f3a

SHA256
5f0460676271a177962054576cfcc908290de9dfc3931f14f1fbf310a0919583

SHA512
bc171d1a7cf559ec866b00d7309dd7377c5c7f988a9334db07c849a5f0d63976c65fe306e430af97f207d46518383fdbb89f2902d60a32262e8027f4fda3b22d

Download Submit
\Users\Admin\AppData\Local\40uJ\SYSDM.CPL
MD5
225cce532383afe2e8b57f7c20ca9572

SHA1
e76d83b7919554a7be941ab08ba23d599b04310e

SHA256
e31d11fc878dc6b30ceadc00ab7854df3ab74bea4e326c8656ef80003c43dcb0

SHA512
5436caabc8b8b9fb3c5bcfd039c7f9c50ca8fa3e2e1f63bc7a58ef2a501b3315552ba2f7cf3877029ddaaed43599d7e6ab612947e30f4ad6532f25aeebf23d43

Download Submit
\Users\Admin\AppData\Local\CV5CzV\WINMM.dll
MD5
1a9d8c6c8351bcb057fff6669d16f78f

SHA1
5c9d5d5f9cfb798c87757e36729f1804d5229cd1

SHA256
c643f05dec7ed577933174071fcfb50f67e304f08e5b73466df780ad87474683

SHA512
7b0aca015988c8797de962df23ac88b9b9bdc3a8e400c9d35064ce47d4fb811eb2264e9091cbbb71b3c0824f1ce647605f4896a8f277c00a8da0c5eb1237eb27

Download Submit
memory/3060-134-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-129-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-133-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-186-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/3060-135-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-136-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-137-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-139-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-140-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-138-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-141-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-142-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-147-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/3060-148-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/3060-150-0x00000000005D0000-0x00000000005D2000-memory.dmp

Filesize
8KB

Download
memory/3060-149-0x00007FFB5DED5000-0x00007FFB5DED6000-memory.dmp

Filesize
4KB

Download
memory/3060-151-0x00007FFB5E010000-0x00007FFB5E012000-memory.dmp

Filesize
8KB

Download
memory/3060-131-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-125-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3060-130-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-126-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-132-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-127-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3060-128-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3524-124-0x000002BE2DBC0000-0x000002BE2DBC7000-memory.dmp

Filesize
28KB

Download
memory/3524-118-0x00007FFB50120000-0x00007FFB50269000-memory.dmp

Filesize
1.3MB

Download
memory/3524-122-0x000002BE2DBD0000-0x000002BE2DBD2000-memory.dmp

Filesize
8KB

Download
memory/3524-123-0x000002BE2DBD0000-0x000002BE2DBD2000-memory.dmp

Filesize
8KB

Download
memory/3808-173-0x000001753DEC0000-0x000001753DEC2000-memory.dmp

Filesize
8KB

Download
memory/3808-168-0x00007FFB50120000-0x00007FFB5026A000-memory.dmp

Filesize
1.3MB

Download
memory/3808-172-0x000001753DEC0000-0x000001753DEC2000-memory.dmp

Filesize
8KB

Download
memory/3808-174-0x000001753DEC0000-0x000001753DEC2000-memory.dmp

Filesize
8KB

Download
memory/3808-164-0x0000000000000000-mapping.dmp

Download
memory/3960-179-0x00007FFB50120000-0x00007FFB50270000-memory.dmp

Filesize
1.3MB

Download
memory/3960-185-0x000001BF0CE20000-0x000001BF0CE22000-memory.dmp

Filesize
8KB

Download
memory/3960-175-0x0000000000000000-mapping.dmp

Download
memory/3960-184-0x000001BF0CE20000-0x000001BF0CE22000-memory.dmp

Filesize
8KB

Download
memory/3960-183-0x000001BF0CE20000-0x000001BF0CE22000-memory.dmp

Filesize
8KB

Download
memory/4028-162-0x0000014608EA0000-0x0000014608EA2000-memory.dmp

Filesize
8KB

Download
memory/4028-161-0x0000014608EA0000-0x0000014608EA2000-memory.dmp

Filesize
8KB

Download
memory/4028-157-0x00007FFB50120000-0x00007FFB5026B000-memory.dmp

Filesize
1.3MB

Download
memory/4028-152-0x0000000000000000-mapping.dmp

Download
memory/4028-163-0x0000014608EA0000-0x0000014608EA2000-memory.dmp

Filesize
8KB

Download