dridex | 6b52c3cdedbe90056bc1059f944e484e5afbd88a4665ed54e8d6ad94346785f4

Analysis

max time kernel
156s
max time network
136s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b52c3cdedbe90056bc1059f944e484e5afbd88a4665ed54e8d6ad94346785f4.dll
Size

1.3MB
MD5

1512aa31502548e90535fb698dcd81e9
SHA1

736f8631610b6f8aa8cdfffc7aa28c7fb3235afd
SHA256

6b52c3cdedbe90056bc1059f944e484e5afbd88a4665ed54e8d6ad94346785f4
SHA512

45ed80a73c180d2569eaf6a7ddce6f9e422bb47b8880a19fc4058a5addea812c2c8d60c4bfe0a5a441253f5aca8922dc2095f8a3ce915de3428ce4f3798b9010

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3028-125-0x0000000000770000-0x0000000000771000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sdclt.exeSystemPropertiesRemote.exeDisplaySwitch.exe

pid process

2188 sdclt.exe
2252 SystemPropertiesRemote.exe
1804 DisplaySwitch.exe
Loads dropped DLL 3 IoCs

Processes:

sdclt.exeSystemPropertiesRemote.exeDisplaySwitch.exe

pid process

2188 sdclt.exe
2252 SystemPropertiesRemote.exe
1804 DisplaySwitch.exe

pid	process
2188	sdclt.exe
2252	SystemPropertiesRemote.exe
1804	DisplaySwitch.exe

pid	process
2188	sdclt.exe
2252	SystemPropertiesRemote.exe
1804	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\i6BmF\\SystemPropertiesRemote.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesRemote.exeDisplaySwitch.exerundll32.exesdclt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesdclt.exe

pid	process
1912	rundll32.exe
1912	rundll32.exe
1912	rundll32.exe
1912	rundll32.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
2188	sdclt.exe
2188	sdclt.exe
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028
3028

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3028

pid	process
3028

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028
Token: SeShutdownPrivilege	3028
Token: SeCreatePagefilePrivilege	3028

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3028 wrote to memory of 2312	3028	sdclt.exe
PID 3028 wrote to memory of 2312	3028	sdclt.exe
PID 3028 wrote to memory of 2188	3028	sdclt.exe
PID 3028 wrote to memory of 2188	3028	sdclt.exe
PID 3028 wrote to memory of 3004	3028	SystemPropertiesRemote.exe
PID 3028 wrote to memory of 3004	3028	SystemPropertiesRemote.exe
PID 3028 wrote to memory of 2252	3028	SystemPropertiesRemote.exe
PID 3028 wrote to memory of 2252	3028	SystemPropertiesRemote.exe
PID 3028 wrote to memory of 3384	3028	DisplaySwitch.exe
PID 3028 wrote to memory of 3384	3028	DisplaySwitch.exe
PID 3028 wrote to memory of 1804	3028	DisplaySwitch.exe
PID 3028 wrote to memory of 1804	3028	DisplaySwitch.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b52c3cdedbe90056bc1059f944e484e5afbd88a4665ed54e8d6ad94346785f4.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2312

C:\Users\Admin\AppData\Local\SSFzoa\sdclt.exe
C:\Users\Admin\AppData\Local\SSFzoa\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:3004

C:\Users\Admin\AppData\Local\MfnCSD\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\MfnCSD\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2252

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:3384

C:\Users\Admin\AppData\Local\2aa\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\2aa\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2aa\DUI70.dll
MD5
95fe29dcbb8185be9b0f06c384fadf39

SHA1
2ccb95e70dc2fd419839469357c61e884fdf7bf4

SHA256
8fc94b2e57e27ebe593c82edffc6d0a7392c3732fe98a14dd25c2e35376cab58

SHA512
b2d8c08f1ca572860d10ef701cf4acaa8ac2c14499673a4d535d27ef9d45047e6605201920acd1ac7638997fd54acab877397089e8aa95623a3ba1d980368ab5

Download Submit
C:\Users\Admin\AppData\Local\2aa\DisplaySwitch.exe
MD5
9e139d8cdf910f624c4cb0a63cbab22d

SHA1
14b7259a609fddb0c561e1154dac638fa0db06b3

SHA256
3374874744179d8f880791ff4373736d9bb93ae3275be6ff26b296b4d8b9619c

SHA512
d2c7521cc65c92da10a337303f5902560f3dc30ba0dfb959196337d4dcbc13a2ef69de7e7cfdc5e983affc3fc6938a485ef8ead0cf1c485aa0893c667fe08357

Download Submit
C:\Users\Admin\AppData\Local\MfnCSD\SYSDM.CPL
MD5
22405fdff42a18803b5a3ca668043135

SHA1
8d72eec59937d3c216705203451fb82c502767ac

SHA256
e65f43e177bd59f5c0dddb64547439c4eb5dc18dcbc674390495a262b09c3f12

SHA512
1ff4c527a3714b41bbb5e2dcb08a316c8ba16454632bd3ec1972b68643f92fcb84121a7f627d3d24636ac6cb7fd986ab10eadce6f07240e9e1990e2d66d6216f

Download Submit
C:\Users\Admin\AppData\Local\MfnCSD\SystemPropertiesRemote.exe
MD5
274c1b0f3436f2030089f456389e2231

SHA1
e341c9b6961d4956e48e2b89933e7a8f22faadf5

SHA256
8f6116c500f4a778725b753501fc095da4dfda36cf5ddd9bafca881c99b3e6b3

SHA512
249a77e4bc4294ba68a5bca073c574c0436306a17aec34c8c2d14149bd81417acab81a68257788ebafbd225873f7b1c7437ed6d8bb8d854b14d2c56ef214a2e5

Download Submit
C:\Users\Admin\AppData\Local\SSFzoa\UxTheme.dll
MD5
1648b28994cc02d6c7dd19f682441641

SHA1
e600bc62dc00ed984b13e5c884f1268e2679e322

SHA256
84db318d38aa3c20b67c536f0fc1a8c3407070dbcd9bdf1fb6457ae890679eda

SHA512
017ee9200f7e7b907bc6db771303be90596325a94feff02fbda6a577de09a7ab44d1c1450024f90ed98d7f5775e468ab7580964ec41c1eab06e54dfb45fdbb6b

Download Submit
C:\Users\Admin\AppData\Local\SSFzoa\sdclt.exe
MD5
d583261d1da3e49fa34d0ed9fc550173

SHA1
64d55723f6fec895c7e8b50f42a815b125ce0b29

SHA256
8577ef50c0dd969617fa313ebd927d6e4ca2faae24fa4516f643328a967c5e6a

SHA512
77aceaf9992b40c859c95d6ee6d6b31c06add7a1227f8e2d1fc49245163a8ffdbf347bfdb0cffb400a9550b715cede3941e4c3f0499d0942dc5f7853db5cd0b5

Download Submit
\Users\Admin\AppData\Local\2aa\DUI70.dll
MD5
95fe29dcbb8185be9b0f06c384fadf39

SHA1
2ccb95e70dc2fd419839469357c61e884fdf7bf4

SHA256
8fc94b2e57e27ebe593c82edffc6d0a7392c3732fe98a14dd25c2e35376cab58

SHA512
b2d8c08f1ca572860d10ef701cf4acaa8ac2c14499673a4d535d27ef9d45047e6605201920acd1ac7638997fd54acab877397089e8aa95623a3ba1d980368ab5

Download Submit
\Users\Admin\AppData\Local\MfnCSD\SYSDM.CPL
MD5
22405fdff42a18803b5a3ca668043135

SHA1
8d72eec59937d3c216705203451fb82c502767ac

SHA256
e65f43e177bd59f5c0dddb64547439c4eb5dc18dcbc674390495a262b09c3f12

SHA512
1ff4c527a3714b41bbb5e2dcb08a316c8ba16454632bd3ec1972b68643f92fcb84121a7f627d3d24636ac6cb7fd986ab10eadce6f07240e9e1990e2d66d6216f

Download Submit
\Users\Admin\AppData\Local\SSFzoa\UxTheme.dll
MD5
1648b28994cc02d6c7dd19f682441641

SHA1
e600bc62dc00ed984b13e5c884f1268e2679e322

SHA256
84db318d38aa3c20b67c536f0fc1a8c3407070dbcd9bdf1fb6457ae890679eda

SHA512
017ee9200f7e7b907bc6db771303be90596325a94feff02fbda6a577de09a7ab44d1c1450024f90ed98d7f5775e468ab7580964ec41c1eab06e54dfb45fdbb6b

Download Submit
memory/1804-184-0x000001946E5A0000-0x000001946E5A2000-memory.dmp

Filesize
8KB

Download
memory/1804-178-0x00007FFB85F10000-0x00007FFB8609E000-memory.dmp

Filesize
1.6MB

Download
memory/1804-174-0x0000000000000000-mapping.dmp

Download
memory/1804-182-0x000001946E5A0000-0x000001946E5A2000-memory.dmp

Filesize
8KB

Download
memory/1804-183-0x000001946E5A0000-0x000001946E5A2000-memory.dmp

Filesize
8KB

Download
memory/1912-118-0x00007FFB85F50000-0x00007FFB86098000-memory.dmp

Filesize
1.3MB

Download
memory/1912-124-0x000001911AED0000-0x000001911AED7000-memory.dmp

Filesize
28KB

Download
memory/1912-123-0x000001911B120000-0x000001911B122000-memory.dmp

Filesize
8KB

Download
memory/1912-122-0x000001911B120000-0x000001911B122000-memory.dmp

Filesize
8KB

Download
memory/2188-162-0x000001C1E3990000-0x000001C1E3992000-memory.dmp

Filesize
8KB

Download
memory/2188-161-0x000001C1E3990000-0x000001C1E3992000-memory.dmp

Filesize
8KB

Download
memory/2188-160-0x000001C1E3990000-0x000001C1E3992000-memory.dmp

Filesize
8KB

Download
memory/2188-156-0x00007FFB784C0000-0x00007FFB78609000-memory.dmp

Filesize
1.3MB

Download
memory/2188-152-0x0000000000000000-mapping.dmp

Download
memory/2252-167-0x00007FFB85F50000-0x00007FFB86099000-memory.dmp

Filesize
1.3MB

Download
memory/2252-163-0x0000000000000000-mapping.dmp

Download
memory/2252-171-0x0000018227A00000-0x0000018227A02000-memory.dmp

Filesize
8KB

Download
memory/2252-172-0x0000018227A00000-0x0000018227A02000-memory.dmp

Filesize
8KB

Download
memory/2252-173-0x0000018227A00000-0x0000018227A02000-memory.dmp

Filesize
8KB

Download
memory/3028-133-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-151-0x00007FFB93FB0000-0x00007FFB93FB2000-memory.dmp

Filesize
8KB

Download
memory/3028-149-0x00007FFB93E75000-0x00007FFB93E76000-memory.dmp

Filesize
4KB

Download
memory/3028-150-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/3028-147-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/3028-148-0x00000000007B0000-0x00000000007B2000-memory.dmp

Filesize
8KB

Download
memory/3028-142-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-141-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-140-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-139-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-138-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-137-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-136-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-135-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-134-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-132-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-131-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-130-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-129-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-128-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-127-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-126-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3028-125-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download