dridex | 076e78d17a3bba27225ed654145b83f73563a85d568287fd22fbcb3f6aaed049

Analysis

max time kernel
153s
max time network
138s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

076e78d17a3bba27225ed654145b83f73563a85d568287fd22fbcb3f6aaed049.dll
Size

1.3MB
MD5

a5d99a124590b06e72d07c3371875c1c
SHA1

9ec7c5ed0795e3631bd8445428b3385586789a62
SHA256

076e78d17a3bba27225ed654145b83f73563a85d568287fd22fbcb3f6aaed049
SHA512

def205a46b1ddf95d3e7d28ef94a9f87a5759e3f325241e7ae4cbcfae88c4e9fad0a25f9d506010a040f1c0829df4ff7d25a405a3fce5296184c81d6e99ab6c2

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2960-124-0x0000000001330000-0x0000000001331000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

printfilterpipelinesvc.exeProximityUxHost.exeshrpubw.exe

pid process

3212 printfilterpipelinesvc.exe
2948 ProximityUxHost.exe
2824 shrpubw.exe
Loads dropped DLL 3 IoCs

Processes:

printfilterpipelinesvc.exeProximityUxHost.exeshrpubw.exe

pid process

3212 printfilterpipelinesvc.exe
2948 ProximityUxHost.exe
2824 shrpubw.exe

pid	process
3212	printfilterpipelinesvc.exe
2948	ProximityUxHost.exe
2824	shrpubw.exe

pid	process
3212	printfilterpipelinesvc.exe
2948	ProximityUxHost.exe
2824	shrpubw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\ahxDeoSUu\\ProximityUxHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ProximityUxHost.exeshrpubw.exerundll32.exeprintfilterpipelinesvc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ProximityUxHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960
2960

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeprintfilterpipelinesvc.exeProximityUxHost.exeshrpubw.exe

pid process

2640 rundll32.exe
2960
3212 printfilterpipelinesvc.exe
2948 ProximityUxHost.exe
2824 shrpubw.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2960 wrote to memory of 2568	2960	printfilterpipelinesvc.exe
PID 2960 wrote to memory of 2568	2960	printfilterpipelinesvc.exe
PID 2960 wrote to memory of 3212	2960	printfilterpipelinesvc.exe
PID 2960 wrote to memory of 3212	2960	printfilterpipelinesvc.exe
PID 2960 wrote to memory of 3436	2960	ProximityUxHost.exe
PID 2960 wrote to memory of 3436	2960	ProximityUxHost.exe
PID 2960 wrote to memory of 2948	2960	ProximityUxHost.exe
PID 2960 wrote to memory of 2948	2960	ProximityUxHost.exe
PID 2960 wrote to memory of 1480	2960	shrpubw.exe
PID 2960 wrote to memory of 1480	2960	shrpubw.exe
PID 2960 wrote to memory of 2824	2960	shrpubw.exe
PID 2960 wrote to memory of 2824	2960	shrpubw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\076e78d17a3bba27225ed654145b83f73563a85d568287fd22fbcb3f6aaed049.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2640

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:2568

C:\Users\Admin\AppData\Local\DLhmHvh\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\DLhmHvh\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3212

C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
1⤵
PID:3436

C:\Users\Admin\AppData\Local\LyS6Pxh\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\LyS6Pxh\ProximityUxHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2948

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1480

C:\Users\Admin\AppData\Local\bkKU1\shrpubw.exe
C:\Users\Admin\AppData\Local\bkKU1\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:2824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DLhmHvh\XmlLite.dll
MD5
d156d9d46de363ce84730ac4fb11bde1

SHA1
1220a524058bba56d7abbf7ad6e6380ccfda2649

SHA256
871f703649769e40c36eda8bd0cb8b7c8f8d43e2900caface08aa61a5c70751e

SHA512
f2f3cc8680ab47dc24213b77bfee2cec2044e9083e806ee6ccbbd70b48882d956452885928649dba8ec7ea9cc59d2fad3e187d599fd4f49170b18d8306781ddf

Download Submit
C:\Users\Admin\AppData\Local\DLhmHvh\printfilterpipelinesvc.exe
MD5
3f759db69d6016c286bd25f10e4b6e0c

SHA1
e2243c1e27b9a0b68e550e1775aa75f3bafd5286

SHA256
eeb432af61d3157153cc6683ae4ffbb44b306ed0b980911be2891358048dc7c7

SHA512
67f0cf128a048139b5ceb0b6fb88498076b60d5822fe807fe1ab0d1856e74096d3625cb824a80066b6a27ae0929c44164fc6e8e56cfc18b04e25ebcd51d948ac

Download Submit
C:\Users\Admin\AppData\Local\LyS6Pxh\DUI70.dll
MD5
1e15d6a5439de3e78036235f16cbb94c

SHA1
0d545dfbeb97661c4fe13a9fb5aac8e7782ca57e

SHA256
b89789033c2c960326ec93fd9b8b56d3b9c93e0ad2dec6d9b9325603ac5c9f92

SHA512
60c35abf9974b4aa65e0a6bfdf38f093a9d6cc796036658b3cf2fc23759d1f26950934351b756ff5e53a407585b07a0f111e8eff7c7d0117186c0fbebb7ad8c3

Download Submit
C:\Users\Admin\AppData\Local\LyS6Pxh\ProximityUxHost.exe
MD5
8a990b37066b57cf2d0ca84c3f7f91da

SHA1
12a5ab083cda21fdb7c92f153f1c200837905618

SHA256
aad97c2832beb45a772c6c99692d0193a3f74562e6cb81c217fd612eae9a646c

SHA512
c53d0163ad2519a4894b6b91849a43491e7955a726f5d223c82fa83119ed8e8fa1449fdcbe6f07abf68b977ebcda736c3516aa487b0621957ccaccfe3193c38d

Download Submit
C:\Users\Admin\AppData\Local\bkKU1\MFC42u.dll
MD5
032ad3577d2f5f8848acf48d87791e98

SHA1
60e0287c138a4d4e3bbd4763df99367e4048b328

SHA256
895ac2522459b2a572fa972f98ef18e383ca1ef0baf40f0631e0fb26a2d91b3b

SHA512
fcef10fb100bb8159892a182106c0287b4d057399f8907076d7b75377c1d73576a0e7ceb4ef79318532a37fcac88a2d92909f1a180534f4cb30471e0e81c599d

Download Submit
C:\Users\Admin\AppData\Local\bkKU1\shrpubw.exe
MD5
2cc2e7c22c71491178be7c112206354d

SHA1
3925a3ae53c412f39bdef5db553b52f24b5a6c92

SHA256
7880cfe0caa95a3319a5d2862cdc335b40ceb9c7afcbb57129c968628d69acab

SHA512
8cfedb0a15cabda1040e458b0a707889492e609622eed637d00c67ef29d7f64443145e07e1c701bc1ec481116dc45a3222d820228c80c0bed3c2bd86c271a88f

Download Submit
\Users\Admin\AppData\Local\DLhmHvh\XmlLite.dll
MD5
d156d9d46de363ce84730ac4fb11bde1

SHA1
1220a524058bba56d7abbf7ad6e6380ccfda2649

SHA256
871f703649769e40c36eda8bd0cb8b7c8f8d43e2900caface08aa61a5c70751e

SHA512
f2f3cc8680ab47dc24213b77bfee2cec2044e9083e806ee6ccbbd70b48882d956452885928649dba8ec7ea9cc59d2fad3e187d599fd4f49170b18d8306781ddf

Download Submit
\Users\Admin\AppData\Local\LyS6Pxh\DUI70.dll
MD5
1e15d6a5439de3e78036235f16cbb94c

SHA1
0d545dfbeb97661c4fe13a9fb5aac8e7782ca57e

SHA256
b89789033c2c960326ec93fd9b8b56d3b9c93e0ad2dec6d9b9325603ac5c9f92

SHA512
60c35abf9974b4aa65e0a6bfdf38f093a9d6cc796036658b3cf2fc23759d1f26950934351b756ff5e53a407585b07a0f111e8eff7c7d0117186c0fbebb7ad8c3

Download Submit
\Users\Admin\AppData\Local\bkKU1\MFC42u.dll
MD5
032ad3577d2f5f8848acf48d87791e98

SHA1
60e0287c138a4d4e3bbd4763df99367e4048b328

SHA256
895ac2522459b2a572fa972f98ef18e383ca1ef0baf40f0631e0fb26a2d91b3b

SHA512
fcef10fb100bb8159892a182106c0287b4d057399f8907076d7b75377c1d73576a0e7ceb4ef79318532a37fcac88a2d92909f1a180534f4cb30471e0e81c599d

Download Submit
memory/2640-123-0x000001CA65910000-0x000001CA65912000-memory.dmp

Filesize
8KB

Download
memory/2640-121-0x000001CA65900000-0x000001CA65907000-memory.dmp

Filesize
28KB

Download
memory/2640-118-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2640-122-0x000001CA65910000-0x000001CA65912000-memory.dmp

Filesize
8KB

Download
memory/2824-177-0x0000018ED6150000-0x0000018ED6152000-memory.dmp

Filesize
8KB

Download
memory/2824-169-0x0000000000000000-mapping.dmp

Download
memory/2824-173-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2824-176-0x0000018ED6150000-0x0000018ED6152000-memory.dmp

Filesize
8KB

Download
memory/2824-178-0x0000018ED6150000-0x0000018ED6152000-memory.dmp

Filesize
8KB

Download
memory/2948-167-0x000001FBC2300000-0x000001FBC2302000-memory.dmp

Filesize
8KB

Download
memory/2948-166-0x000001FBC2300000-0x000001FBC2302000-memory.dmp

Filesize
8KB

Download
memory/2948-163-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2948-168-0x000001FBC2300000-0x000001FBC2302000-memory.dmp

Filesize
8KB

Download
memory/2948-159-0x0000000000000000-mapping.dmp

Download
memory/2960-131-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-132-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-124-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/2960-147-0x0000000001340000-0x0000000001342000-memory.dmp

Filesize
8KB

Download
memory/2960-146-0x00007FF857575000-0x00007FF857576000-memory.dmp

Filesize
4KB

Download
memory/2960-125-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-126-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-127-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-145-0x0000000001340000-0x0000000001342000-memory.dmp

Filesize
8KB

Download
memory/2960-144-0x0000000001340000-0x0000000001342000-memory.dmp

Filesize
8KB

Download
memory/2960-138-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-137-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-136-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-135-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-134-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-133-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-148-0x00007FF8576B0000-0x00007FF8576B2000-memory.dmp

Filesize
8KB

Download
memory/2960-130-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-129-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/2960-128-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/3212-158-0x000001C24D270000-0x000001C24D272000-memory.dmp

Filesize
8KB

Download
memory/3212-157-0x000001C24D270000-0x000001C24D272000-memory.dmp

Filesize
8KB

Download
memory/3212-156-0x000001C24D270000-0x000001C24D272000-memory.dmp

Filesize
8KB

Download
memory/3212-149-0x0000000000000000-mapping.dmp

Download