dridex | e222b35f91a6abd76a3226837ef9eda5ede74ccfaae17ed01a7538fe79a2da4b

Analysis

max time kernel
154s
max time network
122s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e222b35f91a6abd76a3226837ef9eda5ede74ccfaae17ed01a7538fe79a2da4b.dll
Size

1.2MB
MD5

f013bd186a7cc04178679a1b24b7ef64
SHA1

30dd7d35772cfe50cac035ecb21e3ea8e17551db
SHA256

e222b35f91a6abd76a3226837ef9eda5ede74ccfaae17ed01a7538fe79a2da4b
SHA512

d8c9ad1efc9f04975590d64e21c132cdf0e301558f69321f07211716aedf1b9dfd4974660c1638e443ae331422d2be1f5d9d493129a3af21b16f1ca47d1ee79b

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1276-59-0x00000000021F0000-0x00000000021F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

spreview.exemblctr.exespreview.exe

pid process

1188 spreview.exe
1176 mblctr.exe
1392 spreview.exe
Loads dropped DLL 7 IoCs

Processes:

spreview.exemblctr.exespreview.exe

pid process

1276
1188 spreview.exe
1276
1176 mblctr.exe
1276
1392 spreview.exe
1276

pid	process
1188	spreview.exe
1176	mblctr.exe
1392	spreview.exe

pid	process
1276
1188	spreview.exe
1276
1176	mblctr.exe
1276
1392	spreview.exe
1276

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\0GMJD5~1\\mblctr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spreview.exerundll32.exespreview.exemblctr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
864	rundll32.exe
864	rundll32.exe
864	rundll32.exe
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exespreview.exemblctr.exespreview.exe

pid process

864 rundll32.exe
1276
1188 spreview.exe
1176 mblctr.exe
1392 spreview.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1276 wrote to memory of 760	1276	spreview.exe
PID 1276 wrote to memory of 760	1276	spreview.exe
PID 1276 wrote to memory of 760	1276	spreview.exe
PID 1276 wrote to memory of 1188	1276	spreview.exe
PID 1276 wrote to memory of 1188	1276	spreview.exe
PID 1276 wrote to memory of 1188	1276	spreview.exe
PID 1276 wrote to memory of 1148	1276	mblctr.exe
PID 1276 wrote to memory of 1148	1276	mblctr.exe
PID 1276 wrote to memory of 1148	1276	mblctr.exe
PID 1276 wrote to memory of 1176	1276	mblctr.exe
PID 1276 wrote to memory of 1176	1276	mblctr.exe
PID 1276 wrote to memory of 1176	1276	mblctr.exe
PID 1276 wrote to memory of 988	1276	spreview.exe
PID 1276 wrote to memory of 988	1276	spreview.exe
PID 1276 wrote to memory of 988	1276	spreview.exe
PID 1276 wrote to memory of 1392	1276	spreview.exe
PID 1276 wrote to memory of 1392	1276	spreview.exe
PID 1276 wrote to memory of 1392	1276	spreview.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e222b35f91a6abd76a3226837ef9eda5ede74ccfaae17ed01a7538fe79a2da4b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:864

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:760

C:\Users\Admin\AppData\Local\ADT1\spreview.exe
C:\Users\Admin\AppData\Local\ADT1\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1188

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:1148

C:\Users\Admin\AppData\Local\4lc\mblctr.exe
C:\Users\Admin\AppData\Local\4lc\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1176

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:988

C:\Users\Admin\AppData\Local\hkp5Wl\spreview.exe
C:\Users\Admin\AppData\Local\hkp5Wl\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1392

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4lc\WTSAPI32.dll
MD5
2cbf710fedd121764a309c869e7f22c8

SHA1
8c44240154d093adaf261f9801d69327b20509e4

SHA256
bfbf48e1305572b68811abb276f581bd72509e58b18e19e0aeb27af61b8b8752

SHA512
6f671ff061c713487bd7ec2d47820a33e299fd56ffe6f4ed051d3eaf82d060da7586c70f68fd5064af76377f09955c4dce6e1ffbdbdf4ac2adb904e505ca560c

Download Submit
C:\Users\Admin\AppData\Local\4lc\mblctr.exe
MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
C:\Users\Admin\AppData\Local\ADT1\VERSION.dll
MD5
faa17972e90a0c64d89d12471f76a6a1

SHA1
32e77afe565bdd7864b7a312374f8d93192c3144

SHA256
fb193ee781bc5c3e43d956dbe958daa399dc39af63a460d5cdccb024a3399cf4

SHA512
e0bcb4bcdabf15a19e4ccac9e317fefce73e34350fce77d15e1be3611fa28032bf667596798336402d44d829681523bf49c31ccc8820360f7b48c4db3f6a816d

Download Submit
C:\Users\Admin\AppData\Local\ADT1\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
C:\Users\Admin\AppData\Local\hkp5Wl\VERSION.dll
MD5
b4c312e039e1da188b2223a02692f4a0

SHA1
1774583b5d8e82570422aa82931593fb02bd7cf7

SHA256
08d4ac990f7efc3f516722db1f05b003e416c9fbacd1669372331081ec6d4dd9

SHA512
3e8f74fc7d8fe6925e8ae8e2dc962948a272036938787d70f508db0f51a3a9f4123c20a50a743567bd96d62e90bb03815b79d2ba5e1da14a45d3e34e9e21cd96

Download Submit
C:\Users\Admin\AppData\Local\hkp5Wl\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\4lc\WTSAPI32.dll
MD5
2cbf710fedd121764a309c869e7f22c8

SHA1
8c44240154d093adaf261f9801d69327b20509e4

SHA256
bfbf48e1305572b68811abb276f581bd72509e58b18e19e0aeb27af61b8b8752

SHA512
6f671ff061c713487bd7ec2d47820a33e299fd56ffe6f4ed051d3eaf82d060da7586c70f68fd5064af76377f09955c4dce6e1ffbdbdf4ac2adb904e505ca560c

Download Submit
\Users\Admin\AppData\Local\4lc\mblctr.exe
MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
\Users\Admin\AppData\Local\ADT1\VERSION.dll
MD5
faa17972e90a0c64d89d12471f76a6a1

SHA1
32e77afe565bdd7864b7a312374f8d93192c3144

SHA256
fb193ee781bc5c3e43d956dbe958daa399dc39af63a460d5cdccb024a3399cf4

SHA512
e0bcb4bcdabf15a19e4ccac9e317fefce73e34350fce77d15e1be3611fa28032bf667596798336402d44d829681523bf49c31ccc8820360f7b48c4db3f6a816d

Download Submit
\Users\Admin\AppData\Local\ADT1\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\hkp5Wl\VERSION.dll
MD5
b4c312e039e1da188b2223a02692f4a0

SHA1
1774583b5d8e82570422aa82931593fb02bd7cf7

SHA256
08d4ac990f7efc3f516722db1f05b003e416c9fbacd1669372331081ec6d4dd9

SHA512
3e8f74fc7d8fe6925e8ae8e2dc962948a272036938787d70f508db0f51a3a9f4123c20a50a743567bd96d62e90bb03815b79d2ba5e1da14a45d3e34e9e21cd96

Download Submit
\Users\Admin\AppData\Local\hkp5Wl\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Roaming\Identities\XgNFory7784\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
memory/864-55-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/864-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1176-94-0x0000000000000000-mapping.dmp

Download
memory/1188-90-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1188-89-0x000007FEFB751000-0x000007FEFB753000-memory.dmp

Filesize
8KB

Download
memory/1188-85-0x0000000000000000-mapping.dmp

Download
memory/1276-75-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-74-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-83-0x0000000077080000-0x0000000077082000-memory.dmp

Filesize
8KB

Download
memory/1276-64-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-65-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-66-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-67-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-68-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-69-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-72-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-73-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-63-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-76-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-77-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-70-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-71-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-62-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-59-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1276-61-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1276-60-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1392-103-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads