dridex | fcd217409b7b0f3697ebf5d9f23419b1befde51cb25b202d9a68ef0d450e41d0

Analysis

max time kernel
155s
max time network
128s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcd217409b7b0f3697ebf5d9f23419b1befde51cb25b202d9a68ef0d450e41d0.dll
Size

1.3MB
MD5

b7cb0b38c91fe5183f257cffed75d9e7
SHA1

b844563703d0c31daa1e00d29c67730053060b58
SHA256

fcd217409b7b0f3697ebf5d9f23419b1befde51cb25b202d9a68ef0d450e41d0
SHA512

dc3023a3262604d538cc5f1860184d2c4491184cebc4c01c1c4087a3255a68681d78d037c4ef8755058082421bb31e991524ac9593c42d73c54dc2bf00597969

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1300-59-0x0000000002190000-0x0000000002191000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

eudcedit.exeSystemPropertiesProtection.exetcmsetup.exe

pid process

736 eudcedit.exe
1676 SystemPropertiesProtection.exe
988 tcmsetup.exe
Loads dropped DLL 7 IoCs

Processes:

eudcedit.exeSystemPropertiesProtection.exetcmsetup.exe

pid process

1300
736 eudcedit.exe
1300
1676 SystemPropertiesProtection.exe
1300
988 tcmsetup.exe
1300

pid	process
736	eudcedit.exe
1676	SystemPropertiesProtection.exe
988	tcmsetup.exe

pid	process
1300
736	eudcedit.exe
1300
1676	SystemPropertiesProtection.exe
1300
988	tcmsetup.exe
1300

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\QZC9\\SystemPropertiesProtection.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeeudcedit.exeSystemPropertiesProtection.exetcmsetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1860	rundll32.exe
1860	rundll32.exe
1860	rundll32.exe
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeeudcedit.exeSystemPropertiesProtection.exetcmsetup.exe

pid process

1860 rundll32.exe
1300
736 eudcedit.exe
1676 SystemPropertiesProtection.exe
988 tcmsetup.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1300 wrote to memory of 536	1300	eudcedit.exe
PID 1300 wrote to memory of 536	1300	eudcedit.exe
PID 1300 wrote to memory of 536	1300	eudcedit.exe
PID 1300 wrote to memory of 736	1300	eudcedit.exe
PID 1300 wrote to memory of 736	1300	eudcedit.exe
PID 1300 wrote to memory of 736	1300	eudcedit.exe
PID 1300 wrote to memory of 1452	1300	SystemPropertiesProtection.exe
PID 1300 wrote to memory of 1452	1300	SystemPropertiesProtection.exe
PID 1300 wrote to memory of 1452	1300	SystemPropertiesProtection.exe
PID 1300 wrote to memory of 1676	1300	SystemPropertiesProtection.exe
PID 1300 wrote to memory of 1676	1300	SystemPropertiesProtection.exe
PID 1300 wrote to memory of 1676	1300	SystemPropertiesProtection.exe
PID 1300 wrote to memory of 2044	1300	tcmsetup.exe
PID 1300 wrote to memory of 2044	1300	tcmsetup.exe
PID 1300 wrote to memory of 2044	1300	tcmsetup.exe
PID 1300 wrote to memory of 988	1300	tcmsetup.exe
PID 1300 wrote to memory of 988	1300	tcmsetup.exe
PID 1300 wrote to memory of 988	1300	tcmsetup.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fcd217409b7b0f3697ebf5d9f23419b1befde51cb25b202d9a68ef0d450e41d0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1860

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:536

C:\Users\Admin\AppData\Local\9aQ3ggV\eudcedit.exe
C:\Users\Admin\AppData\Local\9aQ3ggV\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:736

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:1452

C:\Users\Admin\AppData\Local\HfV\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\HfV\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1676

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:2044

C:\Users\Admin\AppData\Local\V4k\tcmsetup.exe
C:\Users\Admin\AppData\Local\V4k\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:988

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9aQ3ggV\MFC42u.dll
MD5
2985227a54e6ea2395b2e929057b4072

SHA1
64552dd9d669c85fd44282aaa363373ac325fd52

SHA256
e463b380c3fa5432ae5bf9d3c5f37be83a7827cca81dbdd22d809bd7a091d16d

SHA512
0f0e75ac0aa5a12d0793dc08923fe9f9d14b1bb781ab42477fa70f739f0eca6a846e3a863d038eeec2db79010bf14ffa57b6f9a6cd25b7fbcbcae8f7da809523

Download Submit
C:\Users\Admin\AppData\Local\9aQ3ggV\eudcedit.exe
MD5
35e397d6ca8407b86d8a7972f0c90711

SHA1
6b39830003906ef82442522d22b80460c03f6082

SHA256
1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

SHA512
71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

Download Submit
C:\Users\Admin\AppData\Local\HfV\SYSDM.CPL
MD5
2c42baf34419a5998cd65c4a8af0ad7d

SHA1
649d5f12c025eb9ef2db53435d6945314de8c83e

SHA256
6d866bba2546ebb645ba7d9dcbfcf7af7e010aa7a4024ddeba16c0499a413c9c

SHA512
7fdd51336fe4a24e707d72b7ecc0d9a097e3a9cdd40ec3ba31701c6ae5399144c6fbe60251794875939fc1496e3cfde71a00f03e323bb414733883fc4ef50dd5

Download Submit
C:\Users\Admin\AppData\Local\HfV\SystemPropertiesProtection.exe
MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
C:\Users\Admin\AppData\Local\V4k\TAPI32.dll
MD5
74275b132ba8aaaccb13a687c8116f58

SHA1
845293013c6b3a894615c3953524302ba57f37da

SHA256
ae9a1095c4ab1148e6d03d0fe7eb85e013b0b51219c93ec9ba1f1decb3107f42

SHA512
6e3bfd11189f80563de9943bb947a3d8580daf09e0281d40e4cd102a2666c98de1246191f8b7193dca41c17ff75bca14bd2c50a1edd8431ebdab97e2ca4a0cef

Download Submit
C:\Users\Admin\AppData\Local\V4k\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Local\9aQ3ggV\MFC42u.dll
MD5
2985227a54e6ea2395b2e929057b4072

SHA1
64552dd9d669c85fd44282aaa363373ac325fd52

SHA256
e463b380c3fa5432ae5bf9d3c5f37be83a7827cca81dbdd22d809bd7a091d16d

SHA512
0f0e75ac0aa5a12d0793dc08923fe9f9d14b1bb781ab42477fa70f739f0eca6a846e3a863d038eeec2db79010bf14ffa57b6f9a6cd25b7fbcbcae8f7da809523

Download Submit
\Users\Admin\AppData\Local\9aQ3ggV\eudcedit.exe
MD5
35e397d6ca8407b86d8a7972f0c90711

SHA1
6b39830003906ef82442522d22b80460c03f6082

SHA256
1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

SHA512
71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

Download Submit
\Users\Admin\AppData\Local\HfV\SYSDM.CPL
MD5
2c42baf34419a5998cd65c4a8af0ad7d

SHA1
649d5f12c025eb9ef2db53435d6945314de8c83e

SHA256
6d866bba2546ebb645ba7d9dcbfcf7af7e010aa7a4024ddeba16c0499a413c9c

SHA512
7fdd51336fe4a24e707d72b7ecc0d9a097e3a9cdd40ec3ba31701c6ae5399144c6fbe60251794875939fc1496e3cfde71a00f03e323bb414733883fc4ef50dd5

Download Submit
\Users\Admin\AppData\Local\HfV\SystemPropertiesProtection.exe
MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\V4k\TAPI32.dll
MD5
74275b132ba8aaaccb13a687c8116f58

SHA1
845293013c6b3a894615c3953524302ba57f37da

SHA256
ae9a1095c4ab1148e6d03d0fe7eb85e013b0b51219c93ec9ba1f1decb3107f42

SHA512
6e3bfd11189f80563de9943bb947a3d8580daf09e0281d40e4cd102a2666c98de1246191f8b7193dca41c17ff75bca14bd2c50a1edd8431ebdab97e2ca4a0cef

Download Submit
\Users\Admin\AppData\Local\V4k\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\zadgUPG8jU\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
memory/736-81-0x0000000000000000-mapping.dmp

Download
memory/736-87-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/736-86-0x00000000FFB41000-0x00000000FFB43000-memory.dmp

Filesize
8KB

Download
memory/736-83-0x000007FEFB7E1000-0x000007FEFB7E3000-memory.dmp

Filesize
8KB

Download
memory/988-99-0x0000000000000000-mapping.dmp

Download
memory/988-103-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1300-71-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-70-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-60-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-61-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-63-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-64-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-65-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-67-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-59-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1300-79-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/1300-62-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-73-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-66-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-72-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-68-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1676-95-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1676-91-0x0000000000000000-mapping.dmp

Download
memory/1860-55-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1860-58-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads