dridex | 55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087

Analysis

max time kernel
154s
max time network
126s
platform
windows10_x64
resource
win10-en-20211014
submitted
26-11-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087.dll
Size

1.2MB
MD5

41ed518bacab22ba8da8b7c5f15ba859
SHA1

1b2212ed3d9261d2517f1239bf1ef19c71e1430f
SHA256

55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087
SHA512

4e974ff9c55e91ed641b9c3b163469837dffa75ea1973ad7457114fb0c68cb0cfb1011b2975d38e67f1a064cd906af45ffc2ee773c7886a7d9601ffec0f8dc32

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3056-122-0x00000000005B0000-0x00000000005B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

PresentationSettings.exemfpmp.exemsra.exe

pid process

648 PresentationSettings.exe
1096 mfpmp.exe
2560 msra.exe
Loads dropped DLL 3 IoCs

Processes:

PresentationSettings.exemfpmp.exemsra.exe

pid process

648 PresentationSettings.exe
1096 mfpmp.exe
2560 msra.exe

pid	process
648	PresentationSettings.exe
1096	mfpmp.exe
2560	msra.exe

pid	process
648	PresentationSettings.exe
1096	mfpmp.exe
2560	msra.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\dQOr27\\mfpmp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msra.exerundll32.exePresentationSettings.exemfpmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exePresentationSettings.exe

pid	process
2616	rundll32.exe
2616	rundll32.exe
2616	rundll32.exe
2616	rundll32.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
648	PresentationSettings.exe
648	PresentationSettings.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056

pid	process
3056

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3056 wrote to memory of 640	3056	PresentationSettings.exe
PID 3056 wrote to memory of 640	3056	PresentationSettings.exe
PID 3056 wrote to memory of 648	3056	PresentationSettings.exe
PID 3056 wrote to memory of 648	3056	PresentationSettings.exe
PID 3056 wrote to memory of 1832	3056	mfpmp.exe
PID 3056 wrote to memory of 1832	3056	mfpmp.exe
PID 3056 wrote to memory of 1096	3056	mfpmp.exe
PID 3056 wrote to memory of 1096	3056	mfpmp.exe
PID 3056 wrote to memory of 1460	3056	msra.exe
PID 3056 wrote to memory of 1460	3056	msra.exe
PID 3056 wrote to memory of 2560	3056	msra.exe
PID 3056 wrote to memory of 2560	3056	msra.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\55eddcd9ad0a30bea19917fb692268f64d0368b82bdd21f978f1ce2232091087.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:640

C:\Users\Admin\AppData\Local\Gw6ev\PresentationSettings.exe
C:\Users\Admin\AppData\Local\Gw6ev\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:648

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1832

C:\Users\Admin\AppData\Local\VYfV4\mfpmp.exe
C:\Users\Admin\AppData\Local\VYfV4\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1096

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:1460

C:\Users\Admin\AppData\Local\ubxSC0aQ\msra.exe
C:\Users\Admin\AppData\Local\ubxSC0aQ\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Gw6ev\PresentationSettings.exe
MD5
bd73d1773092998a116df978b49860b7

SHA1
c69255098b8528b88e12a4051fd4e880e8ebe0e7

SHA256
cebf396bdf405225c55ce25b6cac39165fa9cb26ddd52e73392df6ea4ce178ec

SHA512
dc932ddc9e512776ec5e3a09aa136e2a7a9209ab6f5168c5bcf9756f33b4007a88a332d246a1cc96f0097c0c758e03997dad10907e4be1bf2183fa3e049b5611

Download Submit
C:\Users\Admin\AppData\Local\Gw6ev\WINMM.dll
MD5
c8db71883e5d4e38c6073540cc0d9946

SHA1
7524ee1af136893d73b32d9598ab59c674836fc5

SHA256
919bc42d19c3fccd2443a20befae7279530ee4785da9018494b009d6843cc77a

SHA512
fc438a70b41013d53e04aff82b816e4abefa2faf8f98f00ecb5956a36d1cf55bbedcdd6d38af69a23b7472c218a8b504d1c0f79338a8e840e06194a9ffb80e70

Download Submit
C:\Users\Admin\AppData\Local\VYfV4\MFPlat.DLL
MD5
39955cf4332e8ce5122f78a0894d1558

SHA1
68cdce8a0cd4ee55a085848ecc28a97aaaa15860

SHA256
ab8bef280fea720691655a3779df49aaeb832a76dcd131a8ba3af8c72074f2f4

SHA512
ee396ee5c59bb74fe15aa192d0f4f828f508dc1e43ac44818081e1d074e83f107a02358c54c337ebf473e6c621eb0639878876872fa458269de223d3b6f374d1

Download Submit
C:\Users\Admin\AppData\Local\VYfV4\mfpmp.exe
MD5
0a51780965f4a75557ac6b1a710a7c7b

SHA1
30e7be939ada607cbafd07261da463396878f4f5

SHA256
45b8b316c617f703af064aafab9a35c465d5f7835b758995e82ac0dedbaad037

SHA512
e62c2252b66809cca9e7f625392ef09891eba1eec3c210798684a9c71a9c5315598ca259c8ebd09af5d8aaf94261fca91f30bd0dd22a917d5287e9443ae18326

Download Submit
C:\Users\Admin\AppData\Local\ubxSC0aQ\NDFAPI.DLL
MD5
18e287bd92c015857042b73d08566ff2

SHA1
f7312150ca6be11146300b4419dc0c38ace5f339

SHA256
cb8a324bbcd64f18a0f07ea0d8ab7b88f0e6210a574bac559961b20a3c61b675

SHA512
1d099aa56816b6eab9810e82d8ef2d2d4ef36062cfe7e2e090685f733dd3558df5755e1682264bfaf52f5adc0825db6b90c4d67b877bb5d93ee597e8eadf8ef4

Download Submit
C:\Users\Admin\AppData\Local\ubxSC0aQ\msra.exe
MD5
b00eb640229462c7080dc17e5805dfc9

SHA1
28b438b47d145b17c94cbec39b204ced6eccb5f1

SHA256
529378155b8aa91ff47d1f015c96a373fdb12acef3811d2f8a7e3dff67fded3b

SHA512
e962f71be1f25787710b8cb92453bcc19ff38921d01b2c892a4c61bfa09959377a73a95a02c0a62b1c93aaef7d9b4a43c196ca76ac7c7327abe85340bf94b6d2

Download Submit
\Users\Admin\AppData\Local\Gw6ev\WINMM.dll
MD5
c8db71883e5d4e38c6073540cc0d9946

SHA1
7524ee1af136893d73b32d9598ab59c674836fc5

SHA256
919bc42d19c3fccd2443a20befae7279530ee4785da9018494b009d6843cc77a

SHA512
fc438a70b41013d53e04aff82b816e4abefa2faf8f98f00ecb5956a36d1cf55bbedcdd6d38af69a23b7472c218a8b504d1c0f79338a8e840e06194a9ffb80e70

Download Submit
\Users\Admin\AppData\Local\VYfV4\MFPlat.DLL
MD5
39955cf4332e8ce5122f78a0894d1558

SHA1
68cdce8a0cd4ee55a085848ecc28a97aaaa15860

SHA256
ab8bef280fea720691655a3779df49aaeb832a76dcd131a8ba3af8c72074f2f4

SHA512
ee396ee5c59bb74fe15aa192d0f4f828f508dc1e43ac44818081e1d074e83f107a02358c54c337ebf473e6c621eb0639878876872fa458269de223d3b6f374d1

Download Submit
\Users\Admin\AppData\Local\ubxSC0aQ\NDFAPI.DLL
MD5
18e287bd92c015857042b73d08566ff2

SHA1
f7312150ca6be11146300b4419dc0c38ace5f339

SHA256
cb8a324bbcd64f18a0f07ea0d8ab7b88f0e6210a574bac559961b20a3c61b675

SHA512
1d099aa56816b6eab9810e82d8ef2d2d4ef36062cfe7e2e090685f733dd3558df5755e1682264bfaf52f5adc0825db6b90c4d67b877bb5d93ee597e8eadf8ef4

Download Submit
memory/648-160-0x000001B3B6B10000-0x000001B3B6B12000-memory.dmp

Filesize
8KB

Download
memory/648-152-0x0000000000000000-mapping.dmp

Download
memory/648-162-0x000001B3B6B10000-0x000001B3B6B12000-memory.dmp

Filesize
8KB

Download
memory/648-161-0x000001B3B6B10000-0x000001B3B6B12000-memory.dmp

Filesize
8KB

Download
memory/648-156-0x00007FFF862E0000-0x00007FFF8640E000-memory.dmp

Filesize
1.2MB

Download
memory/1096-174-0x000001EF179F0000-0x000001EF179F2000-memory.dmp

Filesize
8KB

Download
memory/1096-173-0x000001EF179F0000-0x000001EF179F2000-memory.dmp

Filesize
8KB

Download
memory/1096-163-0x0000000000000000-mapping.dmp

Download
memory/1096-169-0x00007FFF92780000-0x00007FFF928AE000-memory.dmp

Filesize
1.2MB

Download
memory/1096-168-0x000001EF179F0000-0x000001EF179F2000-memory.dmp

Filesize
8KB

Download
memory/1096-167-0x000001EF179F0000-0x000001EF179F2000-memory.dmp

Filesize
8KB

Download
memory/2560-179-0x00007FFF92780000-0x00007FFF928AD000-memory.dmp

Filesize
1.2MB

Download
memory/2560-175-0x0000000000000000-mapping.dmp

Download
memory/2560-183-0x0000020C3EA60000-0x0000020C3EA62000-memory.dmp

Filesize
8KB

Download
memory/2560-184-0x0000020C3EA60000-0x0000020C3EA62000-memory.dmp

Filesize
8KB

Download
memory/2560-185-0x0000020C3EA60000-0x0000020C3EA62000-memory.dmp

Filesize
8KB

Download
memory/2616-115-0x00007FFF92780000-0x00007FFF928AC000-memory.dmp

Filesize
1.2MB

Download
memory/2616-121-0x00000130014E0000-0x00000130014E7000-memory.dmp

Filesize
28KB

Download
memory/2616-120-0x00000130014F0000-0x00000130014F2000-memory.dmp

Filesize
8KB

Download
memory/2616-119-0x00000130014F0000-0x00000130014F2000-memory.dmp

Filesize
8KB

Download
memory/3056-132-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-151-0x00007FFFA05D0000-0x00007FFFA05D2000-memory.dmp

Filesize
8KB

Download
memory/3056-150-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/3056-149-0x00007FFFA0495000-0x00007FFFA0496000-memory.dmp

Filesize
4KB

Download
memory/3056-148-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/3056-147-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/3056-142-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-141-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-140-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-139-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-138-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-137-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-135-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-136-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-134-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-133-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-131-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-130-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-129-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-128-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-123-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-125-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-127-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-126-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-124-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3056-122-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3056-186-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download