dridex | fcd217409b7b0f3697ebf5d9f23419b1befde51cb25b202d9a68ef0d450e41d0

Analysis

max time kernel
154s
max time network
141s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcd217409b7b0f3697ebf5d9f23419b1befde51cb25b202d9a68ef0d450e41d0.dll
Size

1.3MB
MD5

b7cb0b38c91fe5183f257cffed75d9e7
SHA1

b844563703d0c31daa1e00d29c67730053060b58
SHA256

fcd217409b7b0f3697ebf5d9f23419b1befde51cb25b202d9a68ef0d450e41d0
SHA512

dc3023a3262604d538cc5f1860184d2c4491184cebc4c01c1c4087a3255a68681d78d037c4ef8755058082421bb31e991524ac9593c42d73c54dc2bf00597969

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2872-124-0x00000000001B0000-0x00000000001B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ProximityUxHost.exebdechangepin.execmstp.exe

pid process

2088 ProximityUxHost.exe
4524 bdechangepin.exe
4360 cmstp.exe
Loads dropped DLL 3 IoCs

Processes:

ProximityUxHost.exebdechangepin.execmstp.exe

pid process

2088 ProximityUxHost.exe
4524 bdechangepin.exe
4360 cmstp.exe

pid	process
2088	ProximityUxHost.exe
4524	bdechangepin.exe
4360	cmstp.exe

pid	process
2088	ProximityUxHost.exe
4524	bdechangepin.exe
4360	cmstp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\GLP6HT~1\\BDECHA~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cmstp.exerundll32.exeProximityUxHost.exebdechangepin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProximityUxHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3152	rundll32.exe
3152	rundll32.exe
3152	rundll32.exe
3152	rundll32.exe
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872
2872

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeProximityUxHost.exebdechangepin.execmstp.exe

pid process

3152 rundll32.exe
2872
2088 ProximityUxHost.exe
4524 bdechangepin.exe
4360 cmstp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2872 wrote to memory of 3196	2872	ProximityUxHost.exe
PID 2872 wrote to memory of 3196	2872	ProximityUxHost.exe
PID 2872 wrote to memory of 2088	2872	ProximityUxHost.exe
PID 2872 wrote to memory of 2088	2872	ProximityUxHost.exe
PID 2872 wrote to memory of 4504	2872	bdechangepin.exe
PID 2872 wrote to memory of 4504	2872	bdechangepin.exe
PID 2872 wrote to memory of 4524	2872	bdechangepin.exe
PID 2872 wrote to memory of 4524	2872	bdechangepin.exe
PID 2872 wrote to memory of 4340	2872	cmstp.exe
PID 2872 wrote to memory of 4340	2872	cmstp.exe
PID 2872 wrote to memory of 4360	2872	cmstp.exe
PID 2872 wrote to memory of 4360	2872	cmstp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fcd217409b7b0f3697ebf5d9f23419b1befde51cb25b202d9a68ef0d450e41d0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3152

C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
1⤵
PID:3196

C:\Users\Admin\AppData\Local\1SdfWrCS\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\1SdfWrCS\ProximityUxHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2088

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:4504

C:\Users\Admin\AppData\Local\fTY\bdechangepin.exe
C:\Users\Admin\AppData\Local\fTY\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:4524

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:4340

C:\Users\Admin\AppData\Local\sMC49LPgU\cmstp.exe
C:\Users\Admin\AppData\Local\sMC49LPgU\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1SdfWrCS\DUI70.dll
MD5
0636d28818ab0bc67b4dc7fcd065702e

SHA1
64b612db5e460e3037466f7a2edbcacfb3ab4246

SHA256
b02ef5235c39b37fd4b0c44266c69d3bd7e4d07a3d9f34c92ff6fc99bae57bbd

SHA512
e7a796457e7029c378347af2dfb9c9957c08cae07c3ba4224cad8b831304773885a701105f2c68757a439e1805dc5ca8ee759ba34e94ba01c352c30ca4988fc7

Download Submit
C:\Users\Admin\AppData\Local\1SdfWrCS\ProximityUxHost.exe
MD5
8a990b37066b57cf2d0ca84c3f7f91da

SHA1
12a5ab083cda21fdb7c92f153f1c200837905618

SHA256
aad97c2832beb45a772c6c99692d0193a3f74562e6cb81c217fd612eae9a646c

SHA512
c53d0163ad2519a4894b6b91849a43491e7955a726f5d223c82fa83119ed8e8fa1449fdcbe6f07abf68b977ebcda736c3516aa487b0621957ccaccfe3193c38d

Download Submit
C:\Users\Admin\AppData\Local\fTY\DUI70.dll
MD5
e0903eade8b0984d5cc7dbaf66a39267

SHA1
ffa020a49358512b105cb42f133ded63f90d7aae

SHA256
e34d903bc1bc167fd3619282f79a0910a727e207dfb4e316d8b82806d3bba91e

SHA512
39eaac0fa994cf86f6a95ec89727088bd2c9e1b160c8b6fb21d3f3b52a37805dd4c1f51ffcf3070cdf96badad2e1729e02e31fcc4f5aec4e303147243f9b5640

Download Submit
C:\Users\Admin\AppData\Local\fTY\bdechangepin.exe
MD5
c1c59d7307da404788e5a4294f671213

SHA1
d7d7d2b898c072ecd1fa1207dfa6277b1b328af8

SHA256
dc5078956ac057a7560285440fbb315db6f2718c1fc6bd88d50b1e49f8f8ad1b

SHA512
d138e672a81f9b957c96d9c236bb6dc5141ebb1c19b1446c7ace1a10bc6522c527a27d969a990fafdae04c03bfe5c664b955d9ac2aa3c8dfc3e282ad81693989

Download Submit
C:\Users\Admin\AppData\Local\sMC49LPgU\VERSION.dll
MD5
2377b71a43b2c595352bfcd35c442dc8

SHA1
1fda19d2bdab6199ea46b8c030edf4190a90274e

SHA256
7987af768e8f71c793e3b6ca91de8461fec301d2f72cf9d180665a2a88c8162c

SHA512
e143dd15bb97552ef630f7e081c619f27ba86e36dd70de88e1259387cb22afa38c0e47e290e11f82042e357f8eef0121d2d12a604fe53ea0bcb0fc9f7d81cde7

Download Submit
C:\Users\Admin\AppData\Local\sMC49LPgU\cmstp.exe
MD5
1474ec07a09879ee8637fae8bcb9fbb7

SHA1
ddf0885d51430a4d51a908065a2cf66b95cb90a0

SHA256
bccd3610cd2b5ef1a7f1b224a5c68f97da484200bb525423659e51283d22d3e7

SHA512
c6959f44b8a77399507a563c3094f9646d5feda36d221e34db1e61da7148e1fd13f7d1a7befeb0617015f06005547f477ff26130e1b55f4130a0205bb1e51369

Download Submit
\Users\Admin\AppData\Local\1SdfWrCS\DUI70.dll
MD5
0636d28818ab0bc67b4dc7fcd065702e

SHA1
64b612db5e460e3037466f7a2edbcacfb3ab4246

SHA256
b02ef5235c39b37fd4b0c44266c69d3bd7e4d07a3d9f34c92ff6fc99bae57bbd

SHA512
e7a796457e7029c378347af2dfb9c9957c08cae07c3ba4224cad8b831304773885a701105f2c68757a439e1805dc5ca8ee759ba34e94ba01c352c30ca4988fc7

Download Submit
\Users\Admin\AppData\Local\fTY\DUI70.dll
MD5
e0903eade8b0984d5cc7dbaf66a39267

SHA1
ffa020a49358512b105cb42f133ded63f90d7aae

SHA256
e34d903bc1bc167fd3619282f79a0910a727e207dfb4e316d8b82806d3bba91e

SHA512
39eaac0fa994cf86f6a95ec89727088bd2c9e1b160c8b6fb21d3f3b52a37805dd4c1f51ffcf3070cdf96badad2e1729e02e31fcc4f5aec4e303147243f9b5640

Download Submit
\Users\Admin\AppData\Local\sMC49LPgU\VERSION.dll
MD5
2377b71a43b2c595352bfcd35c442dc8

SHA1
1fda19d2bdab6199ea46b8c030edf4190a90274e

SHA256
7987af768e8f71c793e3b6ca91de8461fec301d2f72cf9d180665a2a88c8162c

SHA512
e143dd15bb97552ef630f7e081c619f27ba86e36dd70de88e1259387cb22afa38c0e47e290e11f82042e357f8eef0121d2d12a604fe53ea0bcb0fc9f7d81cde7

Download Submit
memory/2088-158-0x000001A129480000-0x000001A129482000-memory.dmp

Filesize
8KB

Download
memory/2088-157-0x000001A129480000-0x000001A129482000-memory.dmp

Filesize
8KB

Download
memory/2088-156-0x000001A129480000-0x000001A129482000-memory.dmp

Filesize
8KB

Download
memory/2088-153-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2088-149-0x0000000000000000-mapping.dmp

Download
memory/2872-147-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2872-128-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-136-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-137-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-138-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-145-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2872-144-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/2872-146-0x00007FFB26A65000-0x00007FFB26A66000-memory.dmp

Filesize
4KB

Download
memory/2872-124-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2872-148-0x00007FFB26950000-0x00007FFB26960000-memory.dmp

Filesize
64KB

Download
memory/2872-134-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-133-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-132-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-131-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-130-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-129-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-126-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-135-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-127-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2872-125-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3152-123-0x000002713D030000-0x000002713D037000-memory.dmp

Filesize
28KB

Download
memory/3152-118-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3152-121-0x000002713D0E0000-0x000002713D0E2000-memory.dmp

Filesize
8KB

Download
memory/3152-122-0x000002713D0E0000-0x000002713D0E2000-memory.dmp

Filesize
8KB

Download
memory/4360-173-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/4360-169-0x0000000000000000-mapping.dmp

Download
memory/4360-176-0x000001FD3DC30000-0x000001FD3DC32000-memory.dmp

Filesize
8KB

Download
memory/4360-177-0x000001FD3DC30000-0x000001FD3DC32000-memory.dmp

Filesize
8KB

Download
memory/4360-178-0x000001FD3DC30000-0x000001FD3DC32000-memory.dmp

Filesize
8KB

Download
memory/4524-167-0x000002068E4C0000-0x000002068E4C2000-memory.dmp

Filesize
8KB

Download
memory/4524-168-0x000002068E4C0000-0x000002068E4C2000-memory.dmp

Filesize
8KB

Download
memory/4524-166-0x000002068E4C0000-0x000002068E4C2000-memory.dmp

Filesize
8KB

Download
memory/4524-159-0x0000000000000000-mapping.dmp

Download