dridex | 55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087

Analysis

max time kernel
154s
max time network
122s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087.dll
Size

1.2MB
MD5

41ed518bacab22ba8da8b7c5f15ba859
SHA1

1b2212ed3d9261d2517f1239bf1ef19c71e1430f
SHA256

55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087
SHA512

4e974ff9c55e91ed641b9c3b163469837dffa75ea1973ad7457114fb0c68cb0cfb1011b2975d38e67f1a064cd906af45ffc2ee773c7886a7d9601ffec0f8dc32

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1260-60-0x0000000002BA0000-0x0000000002BA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cttune.exeNetplwiz.exeperfmon.exe

pid process

1384 cttune.exe
1780 Netplwiz.exe
1736 perfmon.exe
Loads dropped DLL 7 IoCs

Processes:

cttune.exeNetplwiz.exeperfmon.exe

pid process

1260
1384 cttune.exe
1260
1780 Netplwiz.exe
1260
1736 perfmon.exe
1260

pid	process
1384	cttune.exe
1780	Netplwiz.exe
1736	perfmon.exe

pid	process
1260
1384	cttune.exe
1260
1780	Netplwiz.exe
1260
1736	perfmon.exe
1260

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\wrGT\\Netplwiz.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execttune.exeNetplwiz.exeperfmon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.execttune.exeNetplwiz.exe

pid	process
1084	rundll32.exe
1084	rundll32.exe
1084	rundll32.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1384	cttune.exe
1384	cttune.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1780	Netplwiz.exe
1780	Netplwiz.exe
1260
1260
1260
1260

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1260

pid	process
1260

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1260 wrote to memory of 1140	1260	cttune.exe
PID 1260 wrote to memory of 1140	1260	cttune.exe
PID 1260 wrote to memory of 1140	1260	cttune.exe
PID 1260 wrote to memory of 1384	1260	cttune.exe
PID 1260 wrote to memory of 1384	1260	cttune.exe
PID 1260 wrote to memory of 1384	1260	cttune.exe
PID 1260 wrote to memory of 1784	1260	Netplwiz.exe
PID 1260 wrote to memory of 1784	1260	Netplwiz.exe
PID 1260 wrote to memory of 1784	1260	Netplwiz.exe
PID 1260 wrote to memory of 1780	1260	Netplwiz.exe
PID 1260 wrote to memory of 1780	1260	Netplwiz.exe
PID 1260 wrote to memory of 1780	1260	Netplwiz.exe
PID 1260 wrote to memory of 1712	1260	perfmon.exe
PID 1260 wrote to memory of 1712	1260	perfmon.exe
PID 1260 wrote to memory of 1712	1260	perfmon.exe
PID 1260 wrote to memory of 1736	1260	perfmon.exe
PID 1260 wrote to memory of 1736	1260	perfmon.exe
PID 1260 wrote to memory of 1736	1260	perfmon.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:1140

C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:1784

C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:1712

C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1736

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\46Qn\NETPLWIZ.dll
MD5
c51d08517ac8192e22b805f4829c3e39

SHA1
22615b0d278457543b54f098ea58f288dd396053

SHA256
1799e90234911d1daf1ee5a598e4b9ac9a65899eb9632be7a36b8e550f8c8bf6

SHA512
59bdeefb2e954a0c5763da4488b4cc7d7a6df25c34886af980098ddf64834b3cd69872c35b10b0e2c4bfb8147310e3cfed7b20226558c9fcafa471a46f06f11f

Download Submit
C:\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\OoGw8S\credui.dll
MD5
8486d4d3a5767cfd47281a0ad0805bbd

SHA1
936a368b8f091056a60c2101a1a433d99b87845e

SHA256
3c4c23fadc0a9ddedc4daf1e0e0983f84b3415a701ce21abc3ad1b523a102606

SHA512
b249435c1bef91d8fcddea06ab3e81d7b35b8ada2e858b1ee7fc1677d2230641777c614f5085f393a8bc32edec11aae57353b361d1fb1d8a6e73ce8928abdff2

Download Submit
C:\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
C:\Users\Admin\AppData\Local\kTze3UMA\UxTheme.dll
MD5
73a742b384fb960f9a04e3ca514fe51e

SHA1
68446941eea75e9c75dd1cae88e98b3a571e2d47

SHA256
3f7745f2b3e7d93d6d5538f5906bdbe3236e01627c8b52b884177685855cbb07

SHA512
b6bc4e18f891492a303cb23fd14f347d0b348ba927433590d25d9cc7ded436869edaf7674295ef0ebf1876e49c48970fe1ccf79ea2eacec7fdc9649fdc3897ad

Download Submit
C:\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Local\46Qn\NETPLWIZ.dll
MD5
c51d08517ac8192e22b805f4829c3e39

SHA1
22615b0d278457543b54f098ea58f288dd396053

SHA256
1799e90234911d1daf1ee5a598e4b9ac9a65899eb9632be7a36b8e550f8c8bf6

SHA512
59bdeefb2e954a0c5763da4488b4cc7d7a6df25c34886af980098ddf64834b3cd69872c35b10b0e2c4bfb8147310e3cfed7b20226558c9fcafa471a46f06f11f

Download Submit
\Users\Admin\AppData\Local\46Qn\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\OoGw8S\credui.dll
MD5
8486d4d3a5767cfd47281a0ad0805bbd

SHA1
936a368b8f091056a60c2101a1a433d99b87845e

SHA256
3c4c23fadc0a9ddedc4daf1e0e0983f84b3415a701ce21abc3ad1b523a102606

SHA512
b249435c1bef91d8fcddea06ab3e81d7b35b8ada2e858b1ee7fc1677d2230641777c614f5085f393a8bc32edec11aae57353b361d1fb1d8a6e73ce8928abdff2

Download Submit
\Users\Admin\AppData\Local\OoGw8S\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\kTze3UMA\UxTheme.dll
MD5
73a742b384fb960f9a04e3ca514fe51e

SHA1
68446941eea75e9c75dd1cae88e98b3a571e2d47

SHA256
3f7745f2b3e7d93d6d5538f5906bdbe3236e01627c8b52b884177685855cbb07

SHA512
b6bc4e18f891492a303cb23fd14f347d0b348ba927433590d25d9cc7ded436869edaf7674295ef0ebf1876e49c48970fe1ccf79ea2eacec7fdc9649fdc3897ad

Download Submit
\Users\Admin\AppData\Local\kTze3UMA\cttune.exe
MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\zpsecRb\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
memory/1084-55-0x000007FEF6B30000-0x000007FEF6C5C000-memory.dmp

Filesize
1.2MB

Download
memory/1084-59-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1260-78-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-66-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-75-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-76-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-77-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-73-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-79-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-80-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-85-0x0000000077990000-0x0000000077992000-memory.dmp

Filesize
8KB

Download
memory/1260-72-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-60-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/1260-71-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-70-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-61-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-68-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-62-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-69-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-63-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-67-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-74-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-65-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1260-64-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1384-92-0x000007FEF6D80000-0x000007FEF6EAD000-memory.dmp

Filesize
1.2MB

Download
memory/1384-91-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/1384-87-0x0000000000000000-mapping.dmp

Download
memory/1736-106-0x0000000000000000-mapping.dmp

Download
memory/1780-101-0x000007FEF6B30000-0x000007FEF6C5D000-memory.dmp

Filesize
1.2MB

Download
memory/1780-97-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads