dridex | e222b35f91a6abd76a3226837ef9eda5ede74ccfaae17ed01a7538fe79a2da4b

Analysis

max time kernel
157s
max time network
132s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e222b35f91a6abd76a3226837ef9eda5ede74ccfaae17ed01a7538fe79a2da4b.dll
Size

1.2MB
MD5

f013bd186a7cc04178679a1b24b7ef64
SHA1

30dd7d35772cfe50cac035ecb21e3ea8e17551db
SHA256

e222b35f91a6abd76a3226837ef9eda5ede74ccfaae17ed01a7538fe79a2da4b
SHA512

d8c9ad1efc9f04975590d64e21c132cdf0e301558f69321f07211716aedf1b9dfd4974660c1638e443ae331422d2be1f5d9d493129a3af21b16f1ca47d1ee79b

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1920-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wlrmdr.exemmc.exewextract.exe

pid process

1124 wlrmdr.exe
1500 mmc.exe
2304 wextract.exe
Loads dropped DLL 3 IoCs

Processes:

wlrmdr.exemmc.exewextract.exe

pid process

1124 wlrmdr.exe
1500 mmc.exe
2304 wextract.exe

pid	process
1124	wlrmdr.exe
1500	mmc.exe
2304	wextract.exe

pid	process
1124	wlrmdr.exe
1500	mmc.exe
2304	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\nb5\\mmc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mmc.exewextract.exerundll32.exewlrmdr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2724	rundll32.exe
2724	rundll32.exe
2724	rundll32.exe
2724	rundll32.exe
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920
1920

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exewlrmdr.exemmc.exewextract.exe

pid process

2724 rundll32.exe
1920
1124 wlrmdr.exe
1500 mmc.exe
2304 wextract.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 1920 wrote to memory of 1084	1920	wlrmdr.exe
PID 1920 wrote to memory of 1084	1920	wlrmdr.exe
PID 1920 wrote to memory of 1124	1920	wlrmdr.exe
PID 1920 wrote to memory of 1124	1920	wlrmdr.exe
PID 1920 wrote to memory of 740	1920	mmc.exe
PID 1920 wrote to memory of 740	1920	mmc.exe
PID 1920 wrote to memory of 1500	1920	mmc.exe
PID 1920 wrote to memory of 1500	1920	mmc.exe
PID 1920 wrote to memory of 3636	1920	wextract.exe
PID 1920 wrote to memory of 3636	1920	wextract.exe
PID 1920 wrote to memory of 2304	1920	wextract.exe
PID 1920 wrote to memory of 2304	1920	wextract.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e222b35f91a6abd76a3226837ef9eda5ede74ccfaae17ed01a7538fe79a2da4b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2724

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:1084

C:\Users\Admin\AppData\Local\0dpn3KZ\wlrmdr.exe
C:\Users\Admin\AppData\Local\0dpn3KZ\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1124

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:740

C:\Users\Admin\AppData\Local\4hlbHSz\mmc.exe
C:\Users\Admin\AppData\Local\4hlbHSz\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1500

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:3636

C:\Users\Admin\AppData\Local\NAMh\wextract.exe
C:\Users\Admin\AppData\Local\NAMh\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0dpn3KZ\DUI70.dll
MD5
c6a6fac44ae69b4a9ce29dfc4cdda8d9

SHA1
9c19efba6e707949ab80c20d659d36543b35d195

SHA256
7e5e6dff40a1c81dfaeb599b0e36ed7163179c1db16cf2cfcb5baf2401e9670b

SHA512
e0fa3d704df4ca5b42389feb4d5ee46a1e91b63921c94f4ffa8044c4dbb0a31fbcbc46b3f76089032f8fb7386b9b438f4fff19e416d1b5dc8d702c84c34154fa

Download Submit
C:\Users\Admin\AppData\Local\0dpn3KZ\wlrmdr.exe
MD5
506de5c8d74692144936000b0db1071b

SHA1
8616d846c02d506319495626a9ecb67912f17855

SHA256
6b695ceb635f11d33ac0e4f1481de11eb31e03027a9a40f0a969de12b7c35458

SHA512
f286919a5e22b719016d29b15d9a6c7fe5067c470397669b2aead895e2195e7d2ed476cfccb285c48ee0c9efa181bf559012716714314c3d64946a26796f1c13

Download Submit
C:\Users\Admin\AppData\Local\4hlbHSz\DUser.dll
MD5
37b9474f181384a64afc40c48df801e7

SHA1
87dae0d4ba70ee6bf0047b0127605f7ef1d4b694

SHA256
7a2d07899895eaabf6aec38981403928262d9518e39410953e0caffec498e324

SHA512
a2f2237a46db34a6d01daf4d66e2326e07768a074e89f8597a62687ee852a858c3c9f58feead6e7695d8fe860f63a80712eb0dc94cebdc9318fc40c4c1dbfd74

Download Submit
C:\Users\Admin\AppData\Local\4hlbHSz\mmc.exe
MD5
211adc0a46442c4050285c6b2c8874a1

SHA1
cf7ad4f94eda214bd5283cb8ad57db52d2d558fc

SHA256
e021d4b2f12d2836c279aeee9fe59cea300730519afa57f450ba7095b45a653f

SHA512
d4cc517a97e1bd439080eb027bddee96e0c773477885f52cde535c24281f86855ef035aa94b0dbedfbffb9da9d77e12878f165d9016b9c0465d3cd83bb0f27db

Download Submit
C:\Users\Admin\AppData\Local\4hlbHSz\mmc.exe
MD5
211adc0a46442c4050285c6b2c8874a1

SHA1
cf7ad4f94eda214bd5283cb8ad57db52d2d558fc

SHA256
e021d4b2f12d2836c279aeee9fe59cea300730519afa57f450ba7095b45a653f

SHA512
d4cc517a97e1bd439080eb027bddee96e0c773477885f52cde535c24281f86855ef035aa94b0dbedfbffb9da9d77e12878f165d9016b9c0465d3cd83bb0f27db

Download Submit
C:\Users\Admin\AppData\Local\NAMh\VERSION.dll
MD5
9318477695ea85271c2d8fc5eb6caf1b

SHA1
2f5b727170844d86240b392a445bd32bdc12c4cd

SHA256
0da16f969faa56eaa3dab3fa5db8abfa39d8e5ebfae030d70712ea79ede92789

SHA512
7b4c0ca2e8cfaadc3899a4b3c456f66a7d8f9090661957b0eee273cb3174aa303ea8305866798f8112dc073da5ba79008889e7adeffd395eadc0f66cd7d2328e

Download Submit
C:\Users\Admin\AppData\Local\NAMh\wextract.exe
MD5
e78764b49f5806ce029cd547004493c9

SHA1
8c1f3f989913bebf827a707c04754047507a8cf3

SHA256
ab519b1c2711219a9f262b23bf72343eec3c0df4c7ddd135d30d05e700ec302e

SHA512
71040e5f0d2d409efaba70a7daaebe7a4675cb19009436a826a679671cc0d7c960498364ec7a29fb163ce8dada65218b75bebb973e6c8b194734e01970fd3a6b

Download Submit
\Users\Admin\AppData\Local\0dpn3KZ\DUI70.dll
MD5
c6a6fac44ae69b4a9ce29dfc4cdda8d9

SHA1
9c19efba6e707949ab80c20d659d36543b35d195

SHA256
7e5e6dff40a1c81dfaeb599b0e36ed7163179c1db16cf2cfcb5baf2401e9670b

SHA512
e0fa3d704df4ca5b42389feb4d5ee46a1e91b63921c94f4ffa8044c4dbb0a31fbcbc46b3f76089032f8fb7386b9b438f4fff19e416d1b5dc8d702c84c34154fa

Download Submit
\Users\Admin\AppData\Local\4hlbHSz\DUser.dll
MD5
37b9474f181384a64afc40c48df801e7

SHA1
87dae0d4ba70ee6bf0047b0127605f7ef1d4b694

SHA256
7a2d07899895eaabf6aec38981403928262d9518e39410953e0caffec498e324

SHA512
a2f2237a46db34a6d01daf4d66e2326e07768a074e89f8597a62687ee852a858c3c9f58feead6e7695d8fe860f63a80712eb0dc94cebdc9318fc40c4c1dbfd74

Download Submit
\Users\Admin\AppData\Local\NAMh\VERSION.dll
MD5
9318477695ea85271c2d8fc5eb6caf1b

SHA1
2f5b727170844d86240b392a445bd32bdc12c4cd

SHA256
0da16f969faa56eaa3dab3fa5db8abfa39d8e5ebfae030d70712ea79ede92789

SHA512
7b4c0ca2e8cfaadc3899a4b3c456f66a7d8f9090661957b0eee273cb3174aa303ea8305866798f8112dc073da5ba79008889e7adeffd395eadc0f66cd7d2328e

Download Submit
memory/1124-160-0x000002E385A10000-0x000002E385A12000-memory.dmp

Filesize
8KB

Download
memory/1124-162-0x000002E385A10000-0x000002E385A12000-memory.dmp

Filesize
8KB

Download
memory/1124-161-0x000002E385A10000-0x000002E385A12000-memory.dmp

Filesize
8KB

Download
memory/1124-157-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/1124-153-0x0000000000000000-mapping.dmp

Download
memory/1500-168-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1500-163-0x0000000000000000-mapping.dmp

Download
memory/1500-171-0x00000000030F0000-0x00000000030F2000-memory.dmp

Filesize
8KB

Download
memory/1500-172-0x00000000030F0000-0x00000000030F2000-memory.dmp

Filesize
8KB

Download
memory/1500-173-0x00000000030F0000-0x00000000030F2000-memory.dmp

Filesize
8KB

Download
memory/1920-133-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-131-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-137-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-148-0x0000000000CF0000-0x0000000000CF2000-memory.dmp

Filesize
8KB

Download
memory/1920-149-0x0000000000CF0000-0x0000000000CF2000-memory.dmp

Filesize
8KB

Download
memory/1920-150-0x00007FF8B58E5000-0x00007FF8B58E6000-memory.dmp

Filesize
4KB

Download
memory/1920-151-0x0000000000CF0000-0x0000000000CF2000-memory.dmp

Filesize
8KB

Download
memory/1920-152-0x00007FF8B5A20000-0x00007FF8B5A22000-memory.dmp

Filesize
8KB

Download
memory/1920-141-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-140-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-139-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-138-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-136-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-135-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-134-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1920-132-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-142-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-130-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-129-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-128-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-127-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-126-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-125-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/2304-174-0x0000000000000000-mapping.dmp

Download
memory/2304-178-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/2304-181-0x000001A0B0C30000-0x000001A0B0C32000-memory.dmp

Filesize
8KB

Download
memory/2304-182-0x000001A0B0C30000-0x000001A0B0C32000-memory.dmp

Filesize
8KB

Download
memory/2304-183-0x000001A0B0C30000-0x000001A0B0C32000-memory.dmp

Filesize
8KB

Download
memory/2724-118-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/2724-123-0x0000021149140000-0x0000021149147000-memory.dmp

Filesize
28KB

Download
memory/2724-122-0x0000021149150000-0x0000021149152000-memory.dmp

Filesize
8KB

Download
memory/2724-121-0x0000021149150000-0x0000021149152000-memory.dmp

Filesize
8KB

Download