dridex | a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407

Analysis

max time kernel
151s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407.dll
Size

1.3MB
MD5

96a1a6247fd9266b2df8e83e40ec5066
SHA1

5af3279ed13f24ed21fc1c5de232f81e9a8defca
SHA256

a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407
SHA512

5256356f114d86110fa1d0f640dad9833b20366a0c9687dbdfcdc6cc71d6ef0d6ef8eefa2cc79afa3202f415af638a1384ab6b6a1517a8566f186a54a72cf6a9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3004-122-0x0000000000640000-0x0000000000641000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

omadmclient.exeApplySettingsTemplateCatalog.exeslui.exe

pid process

368 omadmclient.exe
3788 ApplySettingsTemplateCatalog.exe
3256 slui.exe
Loads dropped DLL 3 IoCs

Processes:

omadmclient.exeApplySettingsTemplateCatalog.exeslui.exe

pid process

368 omadmclient.exe
3788 ApplySettingsTemplateCatalog.exe
3256 slui.exe

pid	process
368	omadmclient.exe
3788	ApplySettingsTemplateCatalog.exe
3256	slui.exe

pid	process
368	omadmclient.exe
3788	ApplySettingsTemplateCatalog.exe
3256	slui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Tg\\ApplySettingsTemplateCatalog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeomadmclient.exeApplySettingsTemplateCatalog.exeslui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeomadmclient.exe

pid	process
2748	rundll32.exe
2748	rundll32.exe
2748	rundll32.exe
2748	rundll32.exe
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
368	omadmclient.exe
368	omadmclient.exe
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004
3004

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3004

pid	process
3004

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3004 wrote to memory of 3204	3004	omadmclient.exe
PID 3004 wrote to memory of 3204	3004	omadmclient.exe
PID 3004 wrote to memory of 368	3004	omadmclient.exe
PID 3004 wrote to memory of 368	3004	omadmclient.exe
PID 3004 wrote to memory of 1488	3004	ApplySettingsTemplateCatalog.exe
PID 3004 wrote to memory of 1488	3004	ApplySettingsTemplateCatalog.exe
PID 3004 wrote to memory of 3788	3004	ApplySettingsTemplateCatalog.exe
PID 3004 wrote to memory of 3788	3004	ApplySettingsTemplateCatalog.exe
PID 3004 wrote to memory of 2820	3004	slui.exe
PID 3004 wrote to memory of 2820	3004	slui.exe
PID 3004 wrote to memory of 3256	3004	slui.exe
PID 3004 wrote to memory of 3256	3004	slui.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:3204

C:\Users\Admin\AppData\Local\Hcq\omadmclient.exe
C:\Users\Admin\AppData\Local\Hcq\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:368

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:1488

C:\Users\Admin\AppData\Local\Nt69gO\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\Nt69gO\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3788

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2820

C:\Users\Admin\AppData\Local\uOkNuNsHl\slui.exe
C:\Users\Admin\AppData\Local\uOkNuNsHl\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Hcq\XmlLite.dll
MD5
f74391c1ad050ae89cb80073a2e84eea

SHA1
5df189e847d23090cbc64f27670a12d682bb0890

SHA256
0dbd8079a2961fce813c1909b1d0fb6b28a06665edec866b220d7ca6cf526c7a

SHA512
faf4d43100d94ca6a07cc6811326c6df2a21d7ec9cb3b026b4e7d6afbffb2975d7fc2803f446bb889e4477497af6a97159b2866f038ff5b218c6b76594e0dd94

Download Submit
C:\Users\Admin\AppData\Local\Hcq\omadmclient.exe
MD5
0f8c6315c9458cab5b3aae2df853edb6

SHA1
ff59734b75896b422e8d7a642c4ea59bf6dab759

SHA256
76eb6879858ab42089e369984f6e0e775b32b6756a605ed5f2fb1a06c1151498

SHA512
966045c25685a0f01bcd49f6e9ec5bbdaa8a3e261129c03db85031fb1d8705bfba967894d2530c2691e16fdbed11a9df9122d9093db2b46c6ce1b641db36bb3c

Download Submit
C:\Users\Admin\AppData\Local\Nt69gO\ACTIVEDS.dll
MD5
59946ae836058a006134591c851c94c8

SHA1
b2b4f36d3f0d7d9524927f2088b96c84c50ab634

SHA256
d02e78921f0d1ce11057771ebe40f6ad97837ffe07f202d19fe336d96c19fd57

SHA512
b6a5d8e6782e475edd64604ce2abb4100ff38f27550c8a683b9660919c717e8d39318569d1a8c119468744f4e905e411136868121ecc6ac5fe1179f5b8671b1c

Download Submit
C:\Users\Admin\AppData\Local\Nt69gO\ApplySettingsTemplateCatalog.exe
MD5
ce074a9724e9335539b4318df1dc8f6c

SHA1
f04dff9c5ee02a26d5feec0ce21d07c35f4d0129

SHA256
7b72517d06869deb6efb72e6220fbd903333378afacd011950b8b2a47bf38967

SHA512
9502cf40bba8da267b9dd219abe5d7249fc3fd59d45e66120a49b8cb0609a09aa5ef18d925036141049fa985fe45444d3af9412650d1c15bce27001dfb6b072a

Download Submit
C:\Users\Admin\AppData\Local\uOkNuNsHl\WTSAPI32.dll
MD5
b6347cbdfbcedef265bdb3847f713ad0

SHA1
9b5736f3da219b1a6377b2bde5b478f9bc64e31f

SHA256
0684456c27434c75650e008c6e2ba69af79e78d03c22dd5e43e111c17231a8c5

SHA512
2ade411ca09579b5f6d1e4f37a8f558301c23d55564c9b90efaaa23da57c1f6a78fc55f36eda8ab0f648b988636650a36cf182389dcbbee81b7c3c0a7f79504e

Download Submit
C:\Users\Admin\AppData\Local\uOkNuNsHl\slui.exe
MD5
f162f859fb38a39f83c049f5480c11eb

SHA1
4090dacb56dbff6a5306e13ff5fa157eca4714a9

SHA256
67daef4a468f00305a44e41b369890fc0d6ed41c509432c6b1402caa1b09b7c5

SHA512
73a7ba851b560caf0a4150ff192c02bcac5475de2f265430e079ce1a20dc25b0f86873bc1dc4db0fc660031aa7c32d03a941ada8afc0bc91c63fb2e9ed8e0d80

Download Submit
\Users\Admin\AppData\Local\Hcq\XmlLite.dll
MD5
f74391c1ad050ae89cb80073a2e84eea

SHA1
5df189e847d23090cbc64f27670a12d682bb0890

SHA256
0dbd8079a2961fce813c1909b1d0fb6b28a06665edec866b220d7ca6cf526c7a

SHA512
faf4d43100d94ca6a07cc6811326c6df2a21d7ec9cb3b026b4e7d6afbffb2975d7fc2803f446bb889e4477497af6a97159b2866f038ff5b218c6b76594e0dd94

Download Submit
\Users\Admin\AppData\Local\Nt69gO\ACTIVEDS.dll
MD5
59946ae836058a006134591c851c94c8

SHA1
b2b4f36d3f0d7d9524927f2088b96c84c50ab634

SHA256
d02e78921f0d1ce11057771ebe40f6ad97837ffe07f202d19fe336d96c19fd57

SHA512
b6a5d8e6782e475edd64604ce2abb4100ff38f27550c8a683b9660919c717e8d39318569d1a8c119468744f4e905e411136868121ecc6ac5fe1179f5b8671b1c

Download Submit
\Users\Admin\AppData\Local\uOkNuNsHl\WTSAPI32.dll
MD5
b6347cbdfbcedef265bdb3847f713ad0

SHA1
9b5736f3da219b1a6377b2bde5b478f9bc64e31f

SHA256
0684456c27434c75650e008c6e2ba69af79e78d03c22dd5e43e111c17231a8c5

SHA512
2ade411ca09579b5f6d1e4f37a8f558301c23d55564c9b90efaaa23da57c1f6a78fc55f36eda8ab0f648b988636650a36cf182389dcbbee81b7c3c0a7f79504e

Download Submit
memory/368-148-0x0000000000000000-mapping.dmp

Download
memory/368-159-0x000001B398D50000-0x000001B398D52000-memory.dmp

Filesize
8KB

Download
memory/368-158-0x000001B398D50000-0x000001B398D52000-memory.dmp

Filesize
8KB

Download
memory/368-157-0x000001B398D50000-0x000001B398D52000-memory.dmp

Filesize
8KB

Download
memory/368-153-0x00007FFD2BCE0000-0x00007FFD2BE29000-memory.dmp

Filesize
1.3MB

Download
memory/2748-115-0x00007FFD2BD30000-0x00007FFD2BE78000-memory.dmp

Filesize
1.3MB

Download
memory/2748-121-0x000001D923EA0000-0x000001D923EA7000-memory.dmp

Filesize
28KB

Download
memory/2748-120-0x000001D924100000-0x000001D924102000-memory.dmp

Filesize
8KB

Download
memory/2748-119-0x000001D924100000-0x000001D924102000-memory.dmp

Filesize
8KB

Download
memory/3004-130-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-129-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-138-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-139-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-144-0x0000000000870000-0x0000000000872000-memory.dmp

Filesize
8KB

Download
memory/3004-145-0x0000000000870000-0x0000000000872000-memory.dmp

Filesize
8KB

Download
memory/3004-146-0x00007FFD39785000-0x00007FFD39786000-memory.dmp

Filesize
4KB

Download
memory/3004-147-0x0000000000870000-0x0000000000872000-memory.dmp

Filesize
8KB

Download
memory/3004-136-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-135-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-134-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-133-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-152-0x00007FFD398C0000-0x00007FFD398C2000-memory.dmp

Filesize
8KB

Download
memory/3004-132-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-131-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-137-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-128-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-122-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/3004-127-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-126-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-125-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-124-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3004-123-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3256-171-0x0000000000000000-mapping.dmp

Download
memory/3256-179-0x0000023FE36E0000-0x0000023FE36E2000-memory.dmp

Filesize
8KB

Download
memory/3256-180-0x0000023FE36E0000-0x0000023FE36E2000-memory.dmp

Filesize
8KB

Download
memory/3256-181-0x0000023FE36E0000-0x0000023FE36E2000-memory.dmp

Filesize
8KB

Download
memory/3788-170-0x0000017A725B0000-0x0000017A725B2000-memory.dmp

Filesize
8KB

Download
memory/3788-169-0x0000017A725B0000-0x0000017A725B2000-memory.dmp

Filesize
8KB

Download
memory/3788-168-0x0000017A725B0000-0x0000017A725B2000-memory.dmp

Filesize
8KB

Download
memory/3788-164-0x00007FFD2BD30000-0x00007FFD2BE79000-memory.dmp

Filesize
1.3MB

Download
memory/3788-160-0x0000000000000000-mapping.dmp

Download