dridex | a25acf9e95fa653dde6830bbe1dc4406804347b9d3f9a037f53f0a8e79296fe2

Analysis

max time kernel
156s
max time network
130s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a25acf9e95fa653dde6830bbe1dc4406804347b9d3f9a037f53f0a8e79296fe2.dll
Size

1.2MB
MD5

92d2b982db190dd73a46815f69730460
SHA1

fa22116b54799ed06e28dca5a813c4ac29f24184
SHA256

a25acf9e95fa653dde6830bbe1dc4406804347b9d3f9a037f53f0a8e79296fe2
SHA512

f8abc9da38f5f04d91e7f7c00ff8464914737f19a892374f960f511dd36c15ba2c901e53e2a4e4f5047d89f15af7f6d3fbb4e790e2147ca2a828ef3b3d32d122

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3060-125-0x00000000012E0000-0x00000000012E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exeomadmclient.exePasswordOnWakeSettingFlyout.exe

pid process

1224 ApplySettingsTemplateCatalog.exe
576 omadmclient.exe
1092 PasswordOnWakeSettingFlyout.exe
Loads dropped DLL 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exeomadmclient.exePasswordOnWakeSettingFlyout.exe

pid process

1224 ApplySettingsTemplateCatalog.exe
576 omadmclient.exe
1092 PasswordOnWakeSettingFlyout.exe

pid	process
1224	ApplySettingsTemplateCatalog.exe
576	omadmclient.exe
1092	PasswordOnWakeSettingFlyout.exe

pid	process
1224	ApplySettingsTemplateCatalog.exe
576	omadmclient.exe
1092	PasswordOnWakeSettingFlyout.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\oZOkgRQ\\omadmclient.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeApplySettingsTemplateCatalog.exeomadmclient.exePasswordOnWakeSettingFlyout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeApplySettingsTemplateCatalog.exe

pid	process
2104	rundll32.exe
2104	rundll32.exe
2104	rundll32.exe
2104	rundll32.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
1224	ApplySettingsTemplateCatalog.exe
1224	ApplySettingsTemplateCatalog.exe
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060
3060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3060

pid	process
3060

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3060 wrote to memory of 936	3060	ApplySettingsTemplateCatalog.exe
PID 3060 wrote to memory of 936	3060	ApplySettingsTemplateCatalog.exe
PID 3060 wrote to memory of 1224	3060	ApplySettingsTemplateCatalog.exe
PID 3060 wrote to memory of 1224	3060	ApplySettingsTemplateCatalog.exe
PID 3060 wrote to memory of 592	3060	omadmclient.exe
PID 3060 wrote to memory of 592	3060	omadmclient.exe
PID 3060 wrote to memory of 576	3060	omadmclient.exe
PID 3060 wrote to memory of 576	3060	omadmclient.exe
PID 3060 wrote to memory of 1260	3060	PasswordOnWakeSettingFlyout.exe
PID 3060 wrote to memory of 1260	3060	PasswordOnWakeSettingFlyout.exe
PID 3060 wrote to memory of 1092	3060	PasswordOnWakeSettingFlyout.exe
PID 3060 wrote to memory of 1092	3060	PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a25acf9e95fa653dde6830bbe1dc4406804347b9d3f9a037f53f0a8e79296fe2.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2104

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:936

C:\Users\Admin\AppData\Local\TSXYXth\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\TSXYXth\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:592

C:\Users\Admin\AppData\Local\I2QZj8iuw\omadmclient.exe
C:\Users\Admin\AppData\Local\I2QZj8iuw\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:576

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:1260

C:\Users\Admin\AppData\Local\fzu\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\fzu\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\I2QZj8iuw\XmlLite.dll
MD5
469fc73251e5c2cbc93660dff6c7478e

SHA1
65ad98e3662434f49a349745796ccbe8cdec4ae1

SHA256
c0d8e845ac9355bdeb2a1cf502dcaa018eb2f432e32603c193c42cd7e5924284

SHA512
4d11e002a75f86aa6961396aee40d5a660ee4795a5bf750a9c762993d9df5e0e222bb4363f370ced7cbb75df2fc069c7e8d4526bcaad566273e618f883eadeb0

Download Submit
C:\Users\Admin\AppData\Local\I2QZj8iuw\omadmclient.exe
MD5
0f8c6315c9458cab5b3aae2df853edb6

SHA1
ff59734b75896b422e8d7a642c4ea59bf6dab759

SHA256
76eb6879858ab42089e369984f6e0e775b32b6756a605ed5f2fb1a06c1151498

SHA512
966045c25685a0f01bcd49f6e9ec5bbdaa8a3e261129c03db85031fb1d8705bfba967894d2530c2691e16fdbed11a9df9122d9093db2b46c6ce1b641db36bb3c

Download Submit
C:\Users\Admin\AppData\Local\TSXYXth\ACTIVEDS.dll
MD5
72e9d0972b82fe454cf123cc66b334b2

SHA1
4a5b0b3532aacd9bddb90fc00fa3a66baf8a1454

SHA256
dd92295472b2cd7ef9550c23b449735b079efe487b3f47095997254a60573d31

SHA512
d2072d27b76da5662ed5a4271e26050b94d1035424e93cabe60c65f4647b34747c05e62b91f520ea18df80490ac66591b72bb74f51da15eaad6e4a928c7b35f8

Download Submit
C:\Users\Admin\AppData\Local\TSXYXth\ApplySettingsTemplateCatalog.exe
MD5
ce074a9724e9335539b4318df1dc8f6c

SHA1
f04dff9c5ee02a26d5feec0ce21d07c35f4d0129

SHA256
7b72517d06869deb6efb72e6220fbd903333378afacd011950b8b2a47bf38967

SHA512
9502cf40bba8da267b9dd219abe5d7249fc3fd59d45e66120a49b8cb0609a09aa5ef18d925036141049fa985fe45444d3af9412650d1c15bce27001dfb6b072a

Download Submit
C:\Users\Admin\AppData\Local\fzu\DUI70.dll
MD5
17e63f7ab78ec9f029eedfc16f7f555e

SHA1
2c6a2925df3a1366b770f6999ca888ac1804c076

SHA256
aafb5e7ed178e4c3577839b414cccb47e74115c04b5c10bb1f4448520334fc10

SHA512
83bf01ca681963b84cb4b366ce4fde91695930a6484708d49eef220d019f87c2139cc7d3a8b4f2cacdeaf851c16a0055a83da8383773f0cfbb5b5fa5ef4e0578

Download Submit
C:\Users\Admin\AppData\Local\fzu\PasswordOnWakeSettingFlyout.exe
MD5
a81fed73da02db15df427da1cd5f4141

SHA1
f831fc6377a6264be621e23635f22b437129b2ce

SHA256
1afed5b9302a4a4669ac7f966b7cf9fcaab037e94a0b3cabea3631055c97d3a5

SHA512
3c4541160f0f69d1c3a9dc4e67643864493eadb0450426f7f323d87fa7b0c81d96ef2201d33b3421a307171274615e90d4ee8bd07107ff4f75beedec0a2bf156

Download Submit
\Users\Admin\AppData\Local\I2QZj8iuw\XmlLite.dll
MD5
469fc73251e5c2cbc93660dff6c7478e

SHA1
65ad98e3662434f49a349745796ccbe8cdec4ae1

SHA256
c0d8e845ac9355bdeb2a1cf502dcaa018eb2f432e32603c193c42cd7e5924284

SHA512
4d11e002a75f86aa6961396aee40d5a660ee4795a5bf750a9c762993d9df5e0e222bb4363f370ced7cbb75df2fc069c7e8d4526bcaad566273e618f883eadeb0

Download Submit
\Users\Admin\AppData\Local\TSXYXth\ACTIVEDS.dll
MD5
72e9d0972b82fe454cf123cc66b334b2

SHA1
4a5b0b3532aacd9bddb90fc00fa3a66baf8a1454

SHA256
dd92295472b2cd7ef9550c23b449735b079efe487b3f47095997254a60573d31

SHA512
d2072d27b76da5662ed5a4271e26050b94d1035424e93cabe60c65f4647b34747c05e62b91f520ea18df80490ac66591b72bb74f51da15eaad6e4a928c7b35f8

Download Submit
\Users\Admin\AppData\Local\fzu\DUI70.dll
MD5
17e63f7ab78ec9f029eedfc16f7f555e

SHA1
2c6a2925df3a1366b770f6999ca888ac1804c076

SHA256
aafb5e7ed178e4c3577839b414cccb47e74115c04b5c10bb1f4448520334fc10

SHA512
83bf01ca681963b84cb4b366ce4fde91695930a6484708d49eef220d019f87c2139cc7d3a8b4f2cacdeaf851c16a0055a83da8383773f0cfbb5b5fa5ef4e0578

Download Submit
memory/576-176-0x0000028B401F0000-0x0000028B401F2000-memory.dmp

Filesize
8KB

Download
memory/576-175-0x0000028B401F0000-0x0000028B401F2000-memory.dmp

Filesize
8KB

Download
memory/576-166-0x0000000000000000-mapping.dmp

Download
memory/576-174-0x0000028B401F0000-0x0000028B401F2000-memory.dmp

Filesize
8KB

Download
memory/1092-187-0x0000020D0ABC0000-0x0000020D0ABC2000-memory.dmp

Filesize
8KB

Download
memory/1092-177-0x0000000000000000-mapping.dmp

Download
memory/1092-181-0x00007FFC81C10000-0x00007FFC81D82000-memory.dmp

Filesize
1.4MB

Download
memory/1092-185-0x0000020D0ABC0000-0x0000020D0ABC2000-memory.dmp

Filesize
8KB

Download
memory/1092-186-0x0000020D0ABC0000-0x0000020D0ABC2000-memory.dmp

Filesize
8KB

Download
memory/1224-165-0x0000021F984E0000-0x0000021F984E2000-memory.dmp

Filesize
8KB

Download
memory/1224-155-0x0000000000000000-mapping.dmp

Download
memory/1224-164-0x0000021F984E0000-0x0000021F984E2000-memory.dmp

Filesize
8KB

Download
memory/1224-163-0x0000021F984E0000-0x0000021F984E2000-memory.dmp

Filesize
8KB

Download
memory/1224-159-0x00007FFC81C60000-0x00007FFC81D8D000-memory.dmp

Filesize
1.2MB

Download
memory/2104-118-0x00007FFC81C60000-0x00007FFC81D8C000-memory.dmp

Filesize
1.2MB

Download
memory/2104-124-0x000001B5A8AC0000-0x000001B5A8AC7000-memory.dmp

Filesize
28KB

Download
memory/2104-123-0x000001B5A8AD0000-0x000001B5A8AD2000-memory.dmp

Filesize
8KB

Download
memory/2104-122-0x000001B5A8AD0000-0x000001B5A8AD2000-memory.dmp

Filesize
8KB

Download
memory/3060-134-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-153-0x00000000012F0000-0x00000000012F2000-memory.dmp

Filesize
8KB

Download
memory/3060-154-0x00007FFC8E060000-0x00007FFC8E062000-memory.dmp

Filesize
8KB

Download
memory/3060-152-0x00007FFC8DF25000-0x00007FFC8DF26000-memory.dmp

Filesize
4KB

Download
memory/3060-151-0x00000000012F0000-0x00000000012F2000-memory.dmp

Filesize
8KB

Download
memory/3060-150-0x00000000012F0000-0x00000000012F2000-memory.dmp

Filesize
8KB

Download
memory/3060-145-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-144-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-143-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-142-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-141-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-140-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-139-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-138-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-137-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-136-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-135-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-133-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-132-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-131-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-130-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-129-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-128-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-126-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-127-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3060-125-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download