dridex | 402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65

Analysis

max time kernel
152s
max time network
123s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65.dll
Size

1.2MB
MD5

156ccf8324c479a229603a59485b1b68
SHA1

bd071acdbd27c66fa091ab07c1a079c57475f9a7
SHA256

402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65
SHA512

b5f138f7e609f461f155e9059cb2dd9852582fcd01145bf85f92e17809a86fe767d3d5b37ddb7789f38bcc9897da2f482152ccf0621ec967dbb613d54c9e86de

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3036-125-0x00000000003A0000-0x00000000003A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ComputerDefaults.exemfpmp.exeDisplaySwitch.exe

pid process

432 ComputerDefaults.exe
2220 mfpmp.exe
1592 DisplaySwitch.exe
Loads dropped DLL 3 IoCs

Processes:

ComputerDefaults.exemfpmp.exeDisplaySwitch.exe

pid process

432 ComputerDefaults.exe
2220 mfpmp.exe
1592 DisplaySwitch.exe

pid	process
432	ComputerDefaults.exe
2220	mfpmp.exe
1592	DisplaySwitch.exe

pid	process
432	ComputerDefaults.exe
2220	mfpmp.exe
1592	DisplaySwitch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\YcEcIIU8v\\mfpmp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeComputerDefaults.exemfpmp.exeDisplaySwitch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeComputerDefaults.exe

pid	process
2748	rundll32.exe
2748	rundll32.exe
2748	rundll32.exe
2748	rundll32.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
432	ComputerDefaults.exe
432	ComputerDefaults.exe
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036
3036

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3036

pid	process
3036

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3036 wrote to memory of 3168	3036	ComputerDefaults.exe
PID 3036 wrote to memory of 3168	3036	ComputerDefaults.exe
PID 3036 wrote to memory of 432	3036	ComputerDefaults.exe
PID 3036 wrote to memory of 432	3036	ComputerDefaults.exe
PID 3036 wrote to memory of 1092	3036	mfpmp.exe
PID 3036 wrote to memory of 1092	3036	mfpmp.exe
PID 3036 wrote to memory of 2220	3036	mfpmp.exe
PID 3036 wrote to memory of 2220	3036	mfpmp.exe
PID 3036 wrote to memory of 3980	3036	DisplaySwitch.exe
PID 3036 wrote to memory of 3980	3036	DisplaySwitch.exe
PID 3036 wrote to memory of 1592	3036	DisplaySwitch.exe
PID 3036 wrote to memory of 1592	3036	DisplaySwitch.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\402d6617014b320ae65709f7029fd2cf3661f5d69932abfa2e2e770236718d65.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:3168

C:\Users\Admin\AppData\Local\CaW6q5QQC\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\CaW6q5QQC\ComputerDefaults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1092

C:\Users\Admin\AppData\Local\zNKbS308\mfpmp.exe
C:\Users\Admin\AppData\Local\zNKbS308\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2220

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:3980

C:\Users\Admin\AppData\Local\rbenr\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\rbenr\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CaW6q5QQC\ComputerDefaults.exe
MD5
56d03e4218082266a9cdd8600537d891

SHA1
c153719f971dcee8f6985d7c79f64fc88dd8663c

SHA256
210d5714497505022aa068167f7ed5bb826abcf53cfe741c9860a2c8dce3f54a

SHA512
f2c64a4dbab789635bf97b3d615fcc96dfe8c4094b67a464eb34bc84501eb7648e7fa692971e917c1ebfac0548187721ecc552aaad35767f8a40846d922613d3

Download Submit
C:\Users\Admin\AppData\Local\CaW6q5QQC\appwiz.cpl
MD5
cce02ea21f237d9ecd4c8749b7ba9a22

SHA1
c92a6ff072c4533f43c9c382597a7ec92ff21d1c

SHA256
35e9a615ff4832f7862fb75ae66488a8cf8242ed74db778ca8f18b83bbc00be1

SHA512
77f35ee5b8ea071e6de7bb04560cc9cb5c72310e21b117cd82fc8f18291ddd065280e0b56c22b9fac69586154fd9ba356571d920a03a02b5d087b0ce30db573e

Download Submit
C:\Users\Admin\AppData\Local\rbenr\DisplaySwitch.exe
MD5
9e139d8cdf910f624c4cb0a63cbab22d

SHA1
14b7259a609fddb0c561e1154dac638fa0db06b3

SHA256
3374874744179d8f880791ff4373736d9bb93ae3275be6ff26b296b4d8b9619c

SHA512
d2c7521cc65c92da10a337303f5902560f3dc30ba0dfb959196337d4dcbc13a2ef69de7e7cfdc5e983affc3fc6938a485ef8ead0cf1c485aa0893c667fe08357

Download Submit
C:\Users\Admin\AppData\Local\rbenr\UxTheme.dll
MD5
4242f320dee4c0d10c527d94b58cd655

SHA1
4275a9b2b2a2f04658931f64bd92390a458a3832

SHA256
8083fe1a0c910615f8dda55a2c10f84c11fab2b6a4aa908e32c2ebada4e3d714

SHA512
47f6f0e2af1214e5f49ac34e0d7d3ac8a57f48767d790f77b1f1aed80c5f928752e72344cd6e1560cf4503121a56d760ec6cdce7a4506da94b9a128c4a080ea4

Download Submit
C:\Users\Admin\AppData\Local\zNKbS308\MFPlat.DLL
MD5
23085b4670d3855183eec01e8d78817c

SHA1
1051ecfe23cd579447880506d09b34c127a7dac4

SHA256
5203920b910feffa76a4fc561b43f302c6d9047a61019c7c78ef8695ac3b7d01

SHA512
7a479868d537608b3988e48ae9c868aa63dc45b08e50079abec1d6f2a7402307533798c8505854a092291bb13f77793c26befb131d3aca7470ca0508fb67a37e

Download Submit
C:\Users\Admin\AppData\Local\zNKbS308\mfpmp.exe
MD5
0a51780965f4a75557ac6b1a710a7c7b

SHA1
30e7be939ada607cbafd07261da463396878f4f5

SHA256
45b8b316c617f703af064aafab9a35c465d5f7835b758995e82ac0dedbaad037

SHA512
e62c2252b66809cca9e7f625392ef09891eba1eec3c210798684a9c71a9c5315598ca259c8ebd09af5d8aaf94261fca91f30bd0dd22a917d5287e9443ae18326

Download Submit
\Users\Admin\AppData\Local\CaW6q5QQC\appwiz.cpl
MD5
cce02ea21f237d9ecd4c8749b7ba9a22

SHA1
c92a6ff072c4533f43c9c382597a7ec92ff21d1c

SHA256
35e9a615ff4832f7862fb75ae66488a8cf8242ed74db778ca8f18b83bbc00be1

SHA512
77f35ee5b8ea071e6de7bb04560cc9cb5c72310e21b117cd82fc8f18291ddd065280e0b56c22b9fac69586154fd9ba356571d920a03a02b5d087b0ce30db573e

Download Submit
\Users\Admin\AppData\Local\rbenr\UxTheme.dll
MD5
4242f320dee4c0d10c527d94b58cd655

SHA1
4275a9b2b2a2f04658931f64bd92390a458a3832

SHA256
8083fe1a0c910615f8dda55a2c10f84c11fab2b6a4aa908e32c2ebada4e3d714

SHA512
47f6f0e2af1214e5f49ac34e0d7d3ac8a57f48767d790f77b1f1aed80c5f928752e72344cd6e1560cf4503121a56d760ec6cdce7a4506da94b9a128c4a080ea4

Download Submit
\Users\Admin\AppData\Local\zNKbS308\MFPlat.DLL
MD5
23085b4670d3855183eec01e8d78817c

SHA1
1051ecfe23cd579447880506d09b34c127a7dac4

SHA256
5203920b910feffa76a4fc561b43f302c6d9047a61019c7c78ef8695ac3b7d01

SHA512
7a479868d537608b3988e48ae9c868aa63dc45b08e50079abec1d6f2a7402307533798c8505854a092291bb13f77793c26befb131d3aca7470ca0508fb67a37e

Download Submit
memory/432-159-0x000002408F9B0000-0x000002408F9B2000-memory.dmp

Filesize
8KB

Download
memory/432-160-0x000002408F9B0000-0x000002408F9B2000-memory.dmp

Filesize
8KB

Download
memory/432-155-0x00007FF86F720000-0x00007FF86F854000-memory.dmp

Filesize
1.2MB

Download
memory/432-161-0x000002408F9B0000-0x000002408F9B2000-memory.dmp

Filesize
8KB

Download
memory/432-151-0x0000000000000000-mapping.dmp

Download
memory/1592-175-0x0000000000000000-mapping.dmp

Download
memory/1592-183-0x0000025454D50000-0x0000025454D52000-memory.dmp

Filesize
8KB

Download
memory/1592-184-0x0000025454D50000-0x0000025454D52000-memory.dmp

Filesize
8KB

Download
memory/1592-185-0x0000025454D50000-0x0000025454D52000-memory.dmp

Filesize
8KB

Download
memory/2220-172-0x000001BA6F8A0000-0x000001BA6F8A2000-memory.dmp

Filesize
8KB

Download
memory/2220-166-0x000001BA6F8A0000-0x000001BA6F8A2000-memory.dmp

Filesize
8KB

Download
memory/2220-167-0x000001BA6F8A0000-0x000001BA6F8A2000-memory.dmp

Filesize
8KB

Download
memory/2220-162-0x0000000000000000-mapping.dmp

Download
memory/2220-168-0x00007FF86F720000-0x00007FF86F855000-memory.dmp

Filesize
1.2MB

Download
memory/2220-173-0x000001BA6F8A0000-0x000001BA6F8A2000-memory.dmp

Filesize
8KB

Download
memory/2220-174-0x000001BA6F8A0000-0x000001BA6F8A2000-memory.dmp

Filesize
8KB

Download
memory/2748-118-0x00007FF86F720000-0x00007FF86F853000-memory.dmp

Filesize
1.2MB

Download
memory/2748-124-0x0000021800040000-0x0000021800047000-memory.dmp

Filesize
28KB

Download
memory/2748-122-0x0000021800050000-0x0000021800052000-memory.dmp

Filesize
8KB

Download
memory/2748-123-0x0000021800050000-0x0000021800052000-memory.dmp

Filesize
8KB

Download
memory/3036-134-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-150-0x00007FF87D480000-0x00007FF87D490000-memory.dmp

Filesize
64KB

Download
memory/3036-149-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/3036-148-0x00007FF87D535000-0x00007FF87D536000-memory.dmp

Filesize
4KB

Download
memory/3036-147-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/3036-146-0x0000000000600000-0x0000000000602000-memory.dmp

Filesize
8KB

Download
memory/3036-141-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-132-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-140-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-139-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-138-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-137-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-136-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-135-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-133-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-131-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-130-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-129-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-128-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-126-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-127-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/3036-125-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download