dridex | e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a

Analysis

max time kernel
155s
max time network
137s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll
Size

1.2MB
MD5

ea1bfbc91324c0cbb97f17775e653dab
SHA1

61c6d875774c9cd59ae56e351a291c2cf9e79284
SHA256

e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a
SHA512

903a180a93cc7ecd2b6e0fd76fc597456bbd1986d28f63993fc00b57dc47afad779fd05ce734f4070d3b16af08aec5e5da1086aefcf85929ba87c7cd1e27dc75

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3016-124-0x0000000001260000-0x0000000001261000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exeDeviceEnroller.exemspaint.exe

pid process

1348 SystemPropertiesDataExecutionPrevention.exe
1260 DeviceEnroller.exe
3620 mspaint.exe
Loads dropped DLL 3 IoCs

Processes:

SystemPropertiesDataExecutionPrevention.exeDeviceEnroller.exemspaint.exe

pid process

1348 SystemPropertiesDataExecutionPrevention.exe
1260 DeviceEnroller.exe
3620 mspaint.exe

pid	process
1348	SystemPropertiesDataExecutionPrevention.exe
1260	DeviceEnroller.exe
3620	mspaint.exe

pid	process
1348	SystemPropertiesDataExecutionPrevention.exe
1260	DeviceEnroller.exe
3620	mspaint.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\6I\\DEVICE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesDataExecutionPrevention.exeDeviceEnroller.exemspaint.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2416	rundll32.exe
2416	rundll32.exe
2416	rundll32.exe
2416	rundll32.exe
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016
3016

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeSystemPropertiesDataExecutionPrevention.exeDeviceEnroller.exemspaint.exe

pid process

2416 rundll32.exe
3016
1348 SystemPropertiesDataExecutionPrevention.exe
1260 DeviceEnroller.exe
3620 mspaint.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3016 wrote to memory of 1376	3016	SystemPropertiesDataExecutionPrevention.exe
PID 3016 wrote to memory of 1376	3016	SystemPropertiesDataExecutionPrevention.exe
PID 3016 wrote to memory of 1348	3016	SystemPropertiesDataExecutionPrevention.exe
PID 3016 wrote to memory of 1348	3016	SystemPropertiesDataExecutionPrevention.exe
PID 3016 wrote to memory of 3480	3016	DeviceEnroller.exe
PID 3016 wrote to memory of 3480	3016	DeviceEnroller.exe
PID 3016 wrote to memory of 1260	3016	DeviceEnroller.exe
PID 3016 wrote to memory of 1260	3016	DeviceEnroller.exe
PID 3016 wrote to memory of 436	3016	mspaint.exe
PID 3016 wrote to memory of 436	3016	mspaint.exe
PID 3016 wrote to memory of 3620	3016	mspaint.exe
PID 3016 wrote to memory of 3620	3016	mspaint.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2416

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:1376

C:\Users\Admin\AppData\Local\ABiGb\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\ABiGb\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1348

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:3480

C:\Users\Admin\AppData\Local\yiL\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\yiL\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1260

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:436

C:\Users\Admin\AppData\Local\TOSIgJg9\mspaint.exe
C:\Users\Admin\AppData\Local\TOSIgJg9\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ABiGb\SYSDM.CPL
MD5
297a2b9b1ad7f68e713e92154a514126

SHA1
1224f7b457df4db8e56ae61b5606e5f013951081

SHA256
44315c4937fe45bb060f8ea654d285f25fac4b1be1112505003e9f66c9e7a73d

SHA512
12c39cfb90c113ce34c0a9e3e594e0564b31141995019bf256af01a46e8a0889841123d1d8ebfca445b9a2b1c614d69c06ff5d95406516bee45814aae7bfc017

Download Submit
C:\Users\Admin\AppData\Local\ABiGb\SystemPropertiesDataExecutionPrevention.exe
MD5
4403602563fa270edfef477bed37c25f

SHA1
5179a5556d609192408d152c4070e90abadac723

SHA256
39b7b0b6c3ae14856c2509b9dc5322c2ba8d79bcf6bda10416467304897cf963

SHA512
2c6845dac6c3f1478b97e783da6244a2cd7dc5f4fb71d80348cb7b605cfa17376f258f76f30ad05f99653e05f84c25ec3a66e6988e4be4ce86d7cf503891a7ef

Download Submit
C:\Users\Admin\AppData\Local\TOSIgJg9\MFC42u.dll
MD5
699b17e6ea1af9293a35637b1543e53f

SHA1
982b296b4d571e0ee39294b2132de441e24cf74b

SHA256
0ddc5f1270453f9f62ecc1d61f0ef05896bb10e5e9063f29d8e9a83ac1a27efd

SHA512
d84bbe37f30d29fa805f5b3480e8a0f407528468c6136cfe7bc56d5aa8e283094c7160e1f99a7318d4a35e564a3760ca5a1ebeb2478ee10390ee3aee1de6bb7a

Download Submit
C:\Users\Admin\AppData\Local\TOSIgJg9\mspaint.exe
MD5
d19c421c2609048fbb88f37baeb53c29

SHA1
3a29ebe10d225242d88714e17b9d612b16c1947b

SHA256
b80c76fc0bc57f7d74f5aca9f60d9609dcff4a8683dcd5de2e0b9eeb1621bca7

SHA512
7b2327a658e3236ec678179de9221b92bc5c0ca36cf2c7af238e4c9f630ecb06e0558f2c3e2617941f6021f3a4132d0e3b6a117c6dbe684f63eb5380ea42d288

Download Submit
C:\Users\Admin\AppData\Local\TOSIgJg9\mspaint.exe
MD5
d19c421c2609048fbb88f37baeb53c29

SHA1
3a29ebe10d225242d88714e17b9d612b16c1947b

SHA256
b80c76fc0bc57f7d74f5aca9f60d9609dcff4a8683dcd5de2e0b9eeb1621bca7

SHA512
7b2327a658e3236ec678179de9221b92bc5c0ca36cf2c7af238e4c9f630ecb06e0558f2c3e2617941f6021f3a4132d0e3b6a117c6dbe684f63eb5380ea42d288

Download Submit
C:\Users\Admin\AppData\Local\yiL\DeviceEnroller.exe
MD5
bd732a3a065f5cca6df003a7ca78bb35

SHA1
449d027d933fdd530a6a27d7c2132f98ee56374a

SHA256
fd5f32939c8de2d80a6f2481268313b5151c21c474c61635c92d2b8ea436955e

SHA512
d1cd727841522be31e979484cdea467501693e1a3bab2fabc72510c73698353c960f7d2c16be9a4406d804da2b2ad7da58827a630f9616ebe296cae481103701

Download Submit
C:\Users\Admin\AppData\Local\yiL\XmlLite.dll
MD5
84533d778e8b967924e5380aafe1215f

SHA1
5357635cd622fab2d03b8c1fbeefd3baacab0173

SHA256
ab0ddb217150417814d5bcd6b7e5a9b1c5322a738506b4657f617fc1f72de1c2

SHA512
ba0286ac02498e37c657b5c2cb6f73103d8e7459093af93a900f08e71fedd2f48d24ac4b0b38ebf4302d1dd405f918d1e897e957468d3b05bba76ad915f27000

Download Submit
\Users\Admin\AppData\Local\ABiGb\SYSDM.CPL
MD5
297a2b9b1ad7f68e713e92154a514126

SHA1
1224f7b457df4db8e56ae61b5606e5f013951081

SHA256
44315c4937fe45bb060f8ea654d285f25fac4b1be1112505003e9f66c9e7a73d

SHA512
12c39cfb90c113ce34c0a9e3e594e0564b31141995019bf256af01a46e8a0889841123d1d8ebfca445b9a2b1c614d69c06ff5d95406516bee45814aae7bfc017

Download Submit
\Users\Admin\AppData\Local\TOSIgJg9\MFC42u.dll
MD5
699b17e6ea1af9293a35637b1543e53f

SHA1
982b296b4d571e0ee39294b2132de441e24cf74b

SHA256
0ddc5f1270453f9f62ecc1d61f0ef05896bb10e5e9063f29d8e9a83ac1a27efd

SHA512
d84bbe37f30d29fa805f5b3480e8a0f407528468c6136cfe7bc56d5aa8e283094c7160e1f99a7318d4a35e564a3760ca5a1ebeb2478ee10390ee3aee1de6bb7a

Download Submit
\Users\Admin\AppData\Local\yiL\XmlLite.dll
MD5
84533d778e8b967924e5380aafe1215f

SHA1
5357635cd622fab2d03b8c1fbeefd3baacab0173

SHA256
ab0ddb217150417814d5bcd6b7e5a9b1c5322a738506b4657f617fc1f72de1c2

SHA512
ba0286ac02498e37c657b5c2cb6f73103d8e7459093af93a900f08e71fedd2f48d24ac4b0b38ebf4302d1dd405f918d1e897e957468d3b05bba76ad915f27000

Download Submit
memory/1260-172-0x0000022A635E0000-0x0000022A635E2000-memory.dmp

Filesize
8KB

Download
memory/1260-173-0x0000022A635E0000-0x0000022A635E2000-memory.dmp

Filesize
8KB

Download
memory/1260-174-0x0000022A635E0000-0x0000022A635E2000-memory.dmp

Filesize
8KB

Download
memory/1260-165-0x0000000000000000-mapping.dmp

Download
memory/1348-163-0x000001A332B20000-0x000001A332B22000-memory.dmp

Filesize
8KB

Download
memory/1348-162-0x000001A332B20000-0x000001A332B22000-memory.dmp

Filesize
8KB

Download
memory/1348-161-0x000001A332B20000-0x000001A332B22000-memory.dmp

Filesize
8KB

Download
memory/1348-158-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1348-154-0x0000000000000000-mapping.dmp

Download
memory/2416-118-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2416-123-0x0000029C666F0000-0x0000029C666F7000-memory.dmp

Filesize
28KB

Download
memory/2416-122-0x0000029C66700000-0x0000029C66702000-memory.dmp

Filesize
8KB

Download
memory/2416-121-0x0000029C66700000-0x0000029C66702000-memory.dmp

Filesize
8KB

Download
memory/3016-133-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-135-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-150-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/3016-151-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/3016-152-0x00007FF958875000-0x00007FF958876000-memory.dmp

Filesize
4KB

Download
memory/3016-153-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/3016-144-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-143-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-141-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-140-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-139-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-138-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-137-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-164-0x00007FF9589B0000-0x00007FF9589B2000-memory.dmp

Filesize
8KB

Download
memory/3016-136-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-142-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-134-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-125-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-131-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-132-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-130-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-129-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-128-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-124-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/3016-127-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3016-126-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3620-175-0x0000000000000000-mapping.dmp

Download
memory/3620-180-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3620-183-0x0000029BA6CB0000-0x0000029BA6CB2000-memory.dmp

Filesize
8KB

Download
memory/3620-184-0x0000029BA6CB0000-0x0000029BA6CB2000-memory.dmp

Filesize
8KB

Download
memory/3620-185-0x0000029BA6CB0000-0x0000029BA6CB2000-memory.dmp

Filesize
8KB

Download