dridex | 77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll
Size

1.2MB
MD5

ead4d749d5722a1c662bce029828c556
SHA1

acb3bd23f749a53eb8c7ce63eae97cc7d613142c
SHA256

77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf
SHA512

b48fd79d75a2a48c7a1a4ec2749c2480557e334dcfa769033bdc8a4ae5050e7d8874d8b4bf65ef301981a1592d707a10163c8aecefe95add842dfd2045bc7926

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1412-59-0x00000000029A0000-0x00000000029A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exemspaint.exeMpSigStub.exe

pid process

1768 SystemPropertiesDataExecutionPrevention.exe
1556 mspaint.exe
1712 MpSigStub.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exemspaint.exeMpSigStub.exe

pid process

1412
1768 SystemPropertiesDataExecutionPrevention.exe
1412
1556 mspaint.exe
1412
1712 MpSigStub.exe
1412

pid	process
1768	SystemPropertiesDataExecutionPrevention.exe
1556	mspaint.exe
1712	MpSigStub.exe

pid	process
1412
1768	SystemPropertiesDataExecutionPrevention.exe
1412
1556	mspaint.exe
1412
1712	MpSigStub.exe
1412

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\xu4\\mspaint.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesDataExecutionPrevention.exemspaint.exeMpSigStub.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1668	rundll32.exe
1668	rundll32.exe
1668	rundll32.exe
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeSystemPropertiesDataExecutionPrevention.exemspaint.exeMpSigStub.exe

pid process

1668 rundll32.exe
1412
1768 SystemPropertiesDataExecutionPrevention.exe
1556 mspaint.exe
1712 MpSigStub.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1412 wrote to memory of 1500	1412	SystemPropertiesDataExecutionPrevention.exe
PID 1412 wrote to memory of 1500	1412	SystemPropertiesDataExecutionPrevention.exe
PID 1412 wrote to memory of 1500	1412	SystemPropertiesDataExecutionPrevention.exe
PID 1412 wrote to memory of 1768	1412	SystemPropertiesDataExecutionPrevention.exe
PID 1412 wrote to memory of 1768	1412	SystemPropertiesDataExecutionPrevention.exe
PID 1412 wrote to memory of 1768	1412	SystemPropertiesDataExecutionPrevention.exe
PID 1412 wrote to memory of 1008	1412	mspaint.exe
PID 1412 wrote to memory of 1008	1412	mspaint.exe
PID 1412 wrote to memory of 1008	1412	mspaint.exe
PID 1412 wrote to memory of 1556	1412	mspaint.exe
PID 1412 wrote to memory of 1556	1412	mspaint.exe
PID 1412 wrote to memory of 1556	1412	mspaint.exe
PID 1412 wrote to memory of 1912	1412	MpSigStub.exe
PID 1412 wrote to memory of 1912	1412	MpSigStub.exe
PID 1412 wrote to memory of 1912	1412	MpSigStub.exe
PID 1412 wrote to memory of 1712	1412	MpSigStub.exe
PID 1412 wrote to memory of 1712	1412	MpSigStub.exe
PID 1412 wrote to memory of 1712	1412	MpSigStub.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1668

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:1500

C:\Users\Admin\AppData\Local\Wbj\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\Wbj\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1768

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:1008

C:\Users\Admin\AppData\Local\uBA4ZYa\mspaint.exe
C:\Users\Admin\AppData\Local\uBA4ZYa\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1556

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:1912

C:\Users\Admin\AppData\Local\QLA7K6M8y\MpSigStub.exe
C:\Users\Admin\AppData\Local\QLA7K6M8y\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1712

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QLA7K6M8y\MpSigStub.exe
MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
C:\Users\Admin\AppData\Local\QLA7K6M8y\VERSION.dll
MD5
18f7718c1b76c5fa8d385fdade443dcf

SHA1
ca7c878ffa521e0c3e1a7f37e7e3b160ee530201

SHA256
2280b9bc02ed9123a647d053261a35a9ad424b00c043454fec130ee3d75b3501

SHA512
ac7a39a9ba689bb2efbe8b4d8eda32ed8e372ff61fe24cccc3ba3d6af00dd206daacd543052adcea15e603de40197d5d7f1633e8918a2aea93883bb6a23fcf16

Download Submit
C:\Users\Admin\AppData\Local\Wbj\SYSDM.CPL
MD5
ca5451433bc6cf8b2e8ddae31282425f

SHA1
577fd1e4b413ed85579dec39c3e26429a4c6c32d

SHA256
46c470fdc688c03e5903af07caf1acea9a92c3b075ff283f380e578a008fdb77

SHA512
98b67bd9b9b3511795f57c2104b0c62318e26ccbffd4ae9a4af2938af3491a204ba587aa85af23f516334a08ca402f9dc6d0d8d7c2e958c5bade5bf44444626c

Download Submit
C:\Users\Admin\AppData\Local\Wbj\SystemPropertiesDataExecutionPrevention.exe
MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
C:\Users\Admin\AppData\Local\uBA4ZYa\MFC42u.dll
MD5
1b0bee5c679cafaad18f092810e3e0f1

SHA1
366b8bc2f807d99ee4e8cf9f32d649f0b8d875c3

SHA256
928de95e8a04b07c3f7a141f1481dd38c8d7970a0778be618637ad3624a009cd

SHA512
d98c68b52d0797f3e8c9a0f55fcb95a30dc26c78e936ef13840fc06dbcf06331a000b224806b8ff4bd2807fd7020ed55d956e0aad241ccf6f2c016fb7755bf05

Download Submit
C:\Users\Admin\AppData\Local\uBA4ZYa\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\QLA7K6M8y\MpSigStub.exe
MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\QLA7K6M8y\VERSION.dll
MD5
18f7718c1b76c5fa8d385fdade443dcf

SHA1
ca7c878ffa521e0c3e1a7f37e7e3b160ee530201

SHA256
2280b9bc02ed9123a647d053261a35a9ad424b00c043454fec130ee3d75b3501

SHA512
ac7a39a9ba689bb2efbe8b4d8eda32ed8e372ff61fe24cccc3ba3d6af00dd206daacd543052adcea15e603de40197d5d7f1633e8918a2aea93883bb6a23fcf16

Download Submit
\Users\Admin\AppData\Local\Wbj\SYSDM.CPL
MD5
ca5451433bc6cf8b2e8ddae31282425f

SHA1
577fd1e4b413ed85579dec39c3e26429a4c6c32d

SHA256
46c470fdc688c03e5903af07caf1acea9a92c3b075ff283f380e578a008fdb77

SHA512
98b67bd9b9b3511795f57c2104b0c62318e26ccbffd4ae9a4af2938af3491a204ba587aa85af23f516334a08ca402f9dc6d0d8d7c2e958c5bade5bf44444626c

Download Submit
\Users\Admin\AppData\Local\Wbj\SystemPropertiesDataExecutionPrevention.exe
MD5
e43ff7785fac643093b3b16a9300e133

SHA1
a30688e84c0b0a22669148fe87680b34fcca2fba

SHA256
c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b

SHA512
61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

Download Submit
\Users\Admin\AppData\Local\uBA4ZYa\MFC42u.dll
MD5
1b0bee5c679cafaad18f092810e3e0f1

SHA1
366b8bc2f807d99ee4e8cf9f32d649f0b8d875c3

SHA256
928de95e8a04b07c3f7a141f1481dd38c8d7970a0778be618637ad3624a009cd

SHA512
d98c68b52d0797f3e8c9a0f55fcb95a30dc26c78e936ef13840fc06dbcf06331a000b224806b8ff4bd2807fd7020ed55d956e0aad241ccf6f2c016fb7755bf05

Download Submit
\Users\Admin\AppData\Local\uBA4ZYa\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\6kz2YxUn\MpSigStub.exe
MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
memory/1412-68-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-88-0x00000000771F0000-0x00000000771F2000-memory.dmp

Filesize
8KB

Download
memory/1412-73-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-71-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-74-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-76-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-75-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-77-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-78-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-79-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-80-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-81-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-82-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-72-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-70-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-59-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1412-69-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-61-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-67-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-62-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-66-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-63-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-65-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-64-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1412-60-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1556-102-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp

Filesize
8KB

Download
memory/1556-103-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1556-98-0x0000000000000000-mapping.dmp

Download
memory/1668-55-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1668-58-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1712-107-0x0000000000000000-mapping.dmp

Download
memory/1768-94-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1768-90-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads