dridex | a25acf9e95fa653dde6830bbe1dc4406804347b9d3f9a037f53f0a8e79296fe2

Analysis

max time kernel
155s
max time network
118s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a25acf9e95fa653dde6830bbe1dc4406804347b9d3f9a037f53f0a8e79296fe2.dll
Size

1.2MB
MD5

92d2b982db190dd73a46815f69730460
SHA1

fa22116b54799ed06e28dca5a813c4ac29f24184
SHA256

a25acf9e95fa653dde6830bbe1dc4406804347b9d3f9a037f53f0a8e79296fe2
SHA512

f8abc9da38f5f04d91e7f7c00ff8464914737f19a892374f960f511dd36c15ba2c901e53e2a4e4f5047d89f15af7f6d3fbb4e790e2147ca2a828ef3b3d32d122

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1368-60-0x00000000029B0000-0x00000000029B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Magnify.exeiexpress.exeSystemPropertiesRemote.exe

pid process

1256 Magnify.exe
1068 iexpress.exe
1300 SystemPropertiesRemote.exe
Loads dropped DLL 7 IoCs

Processes:

Magnify.exeiexpress.exeSystemPropertiesRemote.exe

pid process

1368
1256 Magnify.exe
1368
1068 iexpress.exe
1368
1300 SystemPropertiesRemote.exe
1368

pid	process
1256	Magnify.exe
1068	iexpress.exe
1300	SystemPropertiesRemote.exe

pid	process
1368
1256	Magnify.exe
1368
1068	iexpress.exe
1368
1300	SystemPropertiesRemote.exe
1368

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\y7Up6u\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesRemote.exerundll32.exeMagnify.exeiexpress.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeMagnify.exeiexpress.exe

pid	process
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1256	Magnify.exe
1256	Magnify.exe
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1368
1068	iexpress.exe
1068	iexpress.exe
1368
1368
1368
1368
1368
1368

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1368

pid	process
1368

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1368 wrote to memory of 1036	1368	Magnify.exe
PID 1368 wrote to memory of 1036	1368	Magnify.exe
PID 1368 wrote to memory of 1036	1368	Magnify.exe
PID 1368 wrote to memory of 1256	1368	Magnify.exe
PID 1368 wrote to memory of 1256	1368	Magnify.exe
PID 1368 wrote to memory of 1256	1368	Magnify.exe
PID 1368 wrote to memory of 1528	1368	iexpress.exe
PID 1368 wrote to memory of 1528	1368	iexpress.exe
PID 1368 wrote to memory of 1528	1368	iexpress.exe
PID 1368 wrote to memory of 1068	1368	iexpress.exe
PID 1368 wrote to memory of 1068	1368	iexpress.exe
PID 1368 wrote to memory of 1068	1368	iexpress.exe
PID 1368 wrote to memory of 1716	1368	SystemPropertiesRemote.exe
PID 1368 wrote to memory of 1716	1368	SystemPropertiesRemote.exe
PID 1368 wrote to memory of 1716	1368	SystemPropertiesRemote.exe
PID 1368 wrote to memory of 1300	1368	SystemPropertiesRemote.exe
PID 1368 wrote to memory of 1300	1368	SystemPropertiesRemote.exe
PID 1368 wrote to memory of 1300	1368	SystemPropertiesRemote.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a25acf9e95fa653dde6830bbe1dc4406804347b9d3f9a037f53f0a8e79296fe2.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1360

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:1036

C:\Users\Admin\AppData\Local\ls1LNpv\Magnify.exe
C:\Users\Admin\AppData\Local\ls1LNpv\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:1528

C:\Users\Admin\AppData\Local\sg2\iexpress.exe
C:\Users\Admin\AppData\Local\sg2\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:1716

C:\Users\Admin\AppData\Local\bBMMDV\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\bBMMDV\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1300

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\bBMMDV\SYSDM.CPL
MD5
09d144fd9c7e536b212e677ce25be3c6

SHA1
36da6595975d8c5a19d7f0d75693f30b28040f85

SHA256
b06e8517f20c0e699807226d06de76a3f0ad7ec46290901ccdd71e9b8c663848

SHA512
0e7149890e3c8d60c47fdb26ee3b8574b7ad2f6cad089f763ac2205cae1e09853629fc5866fabb16af46961d3a64f668eef2feb3c35c7e43982153f118e6974e

Download Submit
C:\Users\Admin\AppData\Local\bBMMDV\SystemPropertiesRemote.exe
MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
C:\Users\Admin\AppData\Local\ls1LNpv\Magnify.exe
MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
C:\Users\Admin\AppData\Local\ls1LNpv\Magnify.exe
MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
C:\Users\Admin\AppData\Local\ls1LNpv\dwmapi.dll
MD5
287b1c1ae358698e80f9f52261ff4d94

SHA1
1c36fed7730db0234194b58862d03e7d8bc9f6fa

SHA256
a8c96ff269fb666f58ce42c8455f47cf452b98dedef2a8b3c84a4366c750fef1

SHA512
d1f15be88641c1ed25819fc47b87609d34900be244c37149bbf487280efd09b068a52302da6c72e095c82f12dc9eb523a59def9fe456bf72582f00f89643881b

Download Submit
C:\Users\Admin\AppData\Local\sg2\VERSION.dll
MD5
23314ddfd1b18ad9361850353c9c6527

SHA1
b74cd8ea6dd6e59fa2cce22303be0f3d5f0b1fb8

SHA256
d618dd45950830f8f58d607612d99931e5a7d52c2015f69a38d687c04157f9f3

SHA512
fc426153598d5bc22c24c60ce57e09c2fa7528a9ffc6b600ad3f536fd0c415bdc5f3c8a4a55b37a992ba0fb245757ba9719a79f9dee6987e31dcb53427118521

Download Submit
C:\Users\Admin\AppData\Local\sg2\iexpress.exe
MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\bBMMDV\SYSDM.CPL
MD5
09d144fd9c7e536b212e677ce25be3c6

SHA1
36da6595975d8c5a19d7f0d75693f30b28040f85

SHA256
b06e8517f20c0e699807226d06de76a3f0ad7ec46290901ccdd71e9b8c663848

SHA512
0e7149890e3c8d60c47fdb26ee3b8574b7ad2f6cad089f763ac2205cae1e09853629fc5866fabb16af46961d3a64f668eef2feb3c35c7e43982153f118e6974e

Download Submit
\Users\Admin\AppData\Local\bBMMDV\SystemPropertiesRemote.exe
MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\ls1LNpv\Magnify.exe
MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
\Users\Admin\AppData\Local\ls1LNpv\dwmapi.dll
MD5
287b1c1ae358698e80f9f52261ff4d94

SHA1
1c36fed7730db0234194b58862d03e7d8bc9f6fa

SHA256
a8c96ff269fb666f58ce42c8455f47cf452b98dedef2a8b3c84a4366c750fef1

SHA512
d1f15be88641c1ed25819fc47b87609d34900be244c37149bbf487280efd09b068a52302da6c72e095c82f12dc9eb523a59def9fe456bf72582f00f89643881b

Download Submit
\Users\Admin\AppData\Local\sg2\VERSION.dll
MD5
23314ddfd1b18ad9361850353c9c6527

SHA1
b74cd8ea6dd6e59fa2cce22303be0f3d5f0b1fb8

SHA256
d618dd45950830f8f58d607612d99931e5a7d52c2015f69a38d687c04157f9f3

SHA512
fc426153598d5bc22c24c60ce57e09c2fa7528a9ffc6b600ad3f536fd0c415bdc5f3c8a4a55b37a992ba0fb245757ba9719a79f9dee6987e31dcb53427118521

Download Submit
\Users\Admin\AppData\Local\sg2\iexpress.exe
MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\kL\SystemPropertiesRemote.exe
MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
memory/1068-98-0x0000000000000000-mapping.dmp

Download
memory/1068-102-0x000007FEF6280000-0x000007FEF63AD000-memory.dmp

Filesize
1.2MB

Download
memory/1256-92-0x000007FEF6320000-0x000007FEF644D000-memory.dmp

Filesize
1.2MB

Download
memory/1256-89-0x000007FEFB831000-0x000007FEFB833000-memory.dmp

Filesize
8KB

Download
memory/1256-87-0x0000000000000000-mapping.dmp

Download
memory/1300-107-0x0000000000000000-mapping.dmp

Download
memory/1360-55-0x000007FEF6320000-0x000007FEF644C000-memory.dmp

Filesize
1.2MB

Download
memory/1360-59-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1368-70-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-85-0x0000000077160000-0x0000000077162000-memory.dmp

Filesize
8KB

Download
memory/1368-79-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-80-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-78-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-77-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-76-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-75-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-69-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-74-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-73-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-72-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-71-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-68-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-66-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-67-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-61-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-65-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-64-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-63-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-62-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1368-60-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads