Behavioral Report

Analysis

max time kernel
155s
max time network
156s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:31

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll
Size

1MB
MD5

ead4d749d5722a1c662bce029828c556
SHA1

acb3bd23f749a53eb8c7ce63eae97cc7d613142c
SHA256

77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf
SHA512

b48fd79d75a2a48c7a1a4ec2749c2480557e334dcfa769033bdc8a4ae5050e7d8874d8b4bf65ef301981a1592d707a10163c8aecefe95add842dfd2045bc7926

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral2/memory/3040-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

rstrui.exerstrui.exebdeunlock.exe

pid process

416 rstrui.exe
860 rstrui.exe
3020 bdeunlock.exe
Loads dropped DLL 4 IoCs

Processes:

rstrui.exerstrui.exebdeunlock.exe

pid process

416 rstrui.exe
860 rstrui.exe
860 rstrui.exe
3020 bdeunlock.exe

resource	yara_rule
behavioral2/memory/3040-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp	dridex_stager_shellcode

pid	process
416	rstrui.exe
860	rstrui.exe
3020	bdeunlock.exe

pid	process
416	rstrui.exe
860	rstrui.exe
860	rstrui.exe
3020	bdeunlock.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\e7Ys\\rstrui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

TTPs:

System Information Discovery

Processes:

rstrui.exerstrui.exebdeunlock.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe
2636	rundll32.exe
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040
3040

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exerstrui.exerstrui.exebdeunlock.exe

pid process

2636 rundll32.exe
3040
416 rstrui.exe
860 rstrui.exe
3020 bdeunlock.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3040 wrote to memory of 292	3040	rstrui.exe
PID 3040 wrote to memory of 292	3040	rstrui.exe
PID 3040 wrote to memory of 416	3040	rstrui.exe
PID 3040 wrote to memory of 416	3040	rstrui.exe
PID 3040 wrote to memory of 640	3040	rstrui.exe
PID 3040 wrote to memory of 640	3040	rstrui.exe
PID 3040 wrote to memory of 860	3040	rstrui.exe
PID 3040 wrote to memory of 860	3040	rstrui.exe
PID 3040 wrote to memory of 3568	3040	bdeunlock.exe
PID 3040 wrote to memory of 3568	3040	bdeunlock.exe
PID 3040 wrote to memory of 3020	3040	bdeunlock.exe
PID 3040 wrote to memory of 3020	3040	bdeunlock.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\77869beb8d5f5f603adcfb5e43d8e0255d5f23da1eca88f3f9623018f95acfcf.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:2636

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

PID:292

C:\Users\Admin\AppData\Local\xD2c\rstrui.exe

C:\Users\Admin\AppData\Local\xD2c\rstrui.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:416

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

PID:640

C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe

C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:860

C:\Windows\system32\bdeunlock.exe

C:\Windows\system32\bdeunlock.exe

PID:3568

C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe

C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:3020

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\X4yEq\DUser.dll
MD5
0d4e23efe54925a8c08526f36d212f1b

SHA1
a3e0eb2a008726fa287f1ebd2cd9444abcbc90d1

SHA256
04dfdf46d35c807f4fcd061067f8fe64533beee765570f654feafbef83e514ee

SHA512
743899e3af24b9e576396db26b173fa462dcc559b6bff7d41c80ec4c83123dea88fa1a9a72fed072a8249b7a08e8be53279e9db50b7b03c2005ba31c98b9ad56

Download Submit
C:\Users\Admin\AppData\Local\X4yEq\bdeunlock.exe
MD5
99aff8e54d3b41aee863a8256d31fb83

SHA1
b2f48c802a43e3e420cbc12c16d2277769631159

SHA256
c1d9fd2a52ccf1cc1e587fc598c2848778107b902d492749e1ec1a7b777bead6

SHA512
616179c5b4e94a05c101ab4d3a227f80789966c9e18c56ad5587dfe0f96c0e36b522512b126ffefedab585e85ea90ba61726f4e585dca0e894adb1bf8a742127

Download Submit
C:\Users\Admin\AppData\Local\eq7PhSwg\SPP.dll
MD5
bf3a4b052263754cbc24985c331e8149

SHA1
c9c85c2e33d469b375b815c1c1f30cfc61ea11ba

SHA256
1a7b3c2e65a9b884cc2450e88f0589610ad04e8178c4451670556502030d35b2

SHA512
53285c19f48f6a2596dfe6d9cff779968c75528bca1c38a41acdc2d7e71fce1e1db8e65b986d9d6e5ec001e23a84a542757c87b0c97b41fe4aa093f450a8ae53

Download Submit
C:\Users\Admin\AppData\Local\eq7PhSwg\rstrui.exe
MD5
c0167cf19678a97a78a675ef18b7fc85

SHA1
f7589dcdff216ca879dba1d68764b2cf69652d3b

SHA256
b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb

SHA512
f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

Download Submit
C:\Users\Admin\AppData\Local\xD2c\SRCORE.dll
MD5
bd9e93dcd8ef67407ad807d36f62dad7

SHA1
acb902267b1e3b8687193ce574ea0ad25484475e

SHA256
b65f8c5145fba4c8f15547cbb121c6cf421891984627986815e26103f8b295aa

SHA512
384f04da0c85fa2d96835bb42354aec737a9fc4823eced054e097bbd7478f9184aab19583ae249c0af4c12146211ccb011bbe43ee4e96edd0f82ce48822ff9f6

Download Submit
C:\Users\Admin\AppData\Local\xD2c\rstrui.exe
MD5
c0167cf19678a97a78a675ef18b7fc85

SHA1
f7589dcdff216ca879dba1d68764b2cf69652d3b

SHA256
b1aacd2735f524f8460c031a4f66e78fb09cffbc7350fac5695d448a287fb7cb

SHA512
f71ca6d233784312dce0e5867d2710de40c738bb567aac212ccd78804176ac51b9ae82bc2ba0498cdd24893f3d3fa6cfddd0d7a9d2c1bd9148916961d6ee0c44

Download Submit
\Users\Admin\AppData\Local\X4yEq\DUser.dll
MD5
0d4e23efe54925a8c08526f36d212f1b

SHA1
a3e0eb2a008726fa287f1ebd2cd9444abcbc90d1

SHA256
04dfdf46d35c807f4fcd061067f8fe64533beee765570f654feafbef83e514ee

SHA512
743899e3af24b9e576396db26b173fa462dcc559b6bff7d41c80ec4c83123dea88fa1a9a72fed072a8249b7a08e8be53279e9db50b7b03c2005ba31c98b9ad56

Download Submit
\Users\Admin\AppData\Local\eq7PhSwg\SPP.dll
MD5
bf3a4b052263754cbc24985c331e8149

SHA1
c9c85c2e33d469b375b815c1c1f30cfc61ea11ba

SHA256
1a7b3c2e65a9b884cc2450e88f0589610ad04e8178c4451670556502030d35b2

SHA512
53285c19f48f6a2596dfe6d9cff779968c75528bca1c38a41acdc2d7e71fce1e1db8e65b986d9d6e5ec001e23a84a542757c87b0c97b41fe4aa093f450a8ae53

Download Submit
\Users\Admin\AppData\Local\eq7PhSwg\SPP.dll
MD5
bf3a4b052263754cbc24985c331e8149

SHA1
c9c85c2e33d469b375b815c1c1f30cfc61ea11ba

SHA256
1a7b3c2e65a9b884cc2450e88f0589610ad04e8178c4451670556502030d35b2

SHA512
53285c19f48f6a2596dfe6d9cff779968c75528bca1c38a41acdc2d7e71fce1e1db8e65b986d9d6e5ec001e23a84a542757c87b0c97b41fe4aa093f450a8ae53

Download Submit
\Users\Admin\AppData\Local\xD2c\SRCORE.dll
MD5
bd9e93dcd8ef67407ad807d36f62dad7

SHA1
acb902267b1e3b8687193ce574ea0ad25484475e

SHA256
b65f8c5145fba4c8f15547cbb121c6cf421891984627986815e26103f8b295aa

SHA512
384f04da0c85fa2d96835bb42354aec737a9fc4823eced054e097bbd7478f9184aab19583ae249c0af4c12146211ccb011bbe43ee4e96edd0f82ce48822ff9f6

Download Submit
memory/416-166-0x000001E39C420000-0x000001E39C422000-memory.dmp

Filesize
8KB

Download
memory/416-158-0x0000000000000000-mapping.dmp

Download
memory/416-167-0x000001E39C420000-0x000001E39C422000-memory.dmp

Filesize
8KB

Download
memory/416-165-0x000001E39C420000-0x000001E39C422000-memory.dmp

Filesize
8KB

Download
memory/416-162-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1MB

Download
memory/860-168-0x0000000000000000-mapping.dmp

Download
memory/860-179-0x000001A480D20000-0x000001A480E4E000-memory.dmp

Filesize
1MB

Download
memory/860-178-0x000001A4825C0000-0x000001A4825C2000-memory.dmp

Filesize
8KB

Download
memory/860-177-0x000001A4825C0000-0x000001A4825C2000-memory.dmp

Filesize
8KB

Download
memory/860-176-0x000001A4825C0000-0x000001A4825C2000-memory.dmp

Filesize
8KB

Download
memory/2636-118-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/2636-123-0x000001E39C6C0000-0x000001E39C6C7000-memory.dmp

Filesize
28KB

Download
memory/2636-122-0x000001E39C870000-0x000001E39C872000-memory.dmp

Filesize
8KB

Download
memory/2636-121-0x000001E39C870000-0x000001E39C872000-memory.dmp

Filesize
8KB

Download
memory/3020-180-0x0000000000000000-mapping.dmp

Download
memory/3020-184-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1MB

Download
memory/3020-188-0x0000021A04490000-0x0000021A04492000-memory.dmp

Filesize
8KB

Download
memory/3020-187-0x0000021A04490000-0x0000021A04492000-memory.dmp

Filesize
8KB

Download
memory/3020-189-0x0000021A04490000-0x0000021A04492000-memory.dmp

Filesize
8KB

Download
memory/3040-134-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-139-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-156-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/3040-157-0x00007FFF05270000-0x00007FFF05272000-memory.dmp

Filesize
8KB

Download
memory/3040-154-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/3040-153-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download
memory/3040-147-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-145-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-146-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-144-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-141-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-143-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-142-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-140-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-138-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-155-0x00007FFF05135000-0x00007FFF05136000-memory.dmp

Filesize
4KB

Download
memory/3040-137-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-136-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-135-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-133-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-132-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-131-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-128-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-130-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-129-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-125-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-127-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-126-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1MB

Download
memory/3040-124-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3040-190-0x0000000000D90000-0x0000000000D92000-memory.dmp

Filesize
8KB

Download