dridex | 3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180

Analysis

max time kernel
152s
max time network
122s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180.dll
Size

1.2MB
MD5

93c7117d555fe4e4790b02958ddcee41
SHA1

d7eaacfdc572f9bcdb295eae11881fffe72b0a43
SHA256

3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180
SHA512

9cd85e1eebbed1adfd5f56a9b72dd719f506b7dfbba798581776b1a310d8bd140441c345006d4792467616cb7b4c94ada7689bf3e10de72dac9a1bac1047226c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1252-61-0x0000000002AF0000-0x0000000002AF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

isoburn.exeshrpubw.exeWFS.exe

pid process

1848 isoburn.exe
1272 shrpubw.exe
1724 WFS.exe
Loads dropped DLL 7 IoCs

Processes:

isoburn.exeshrpubw.exeWFS.exe

pid process

1252
1848 isoburn.exe
1252
1272 shrpubw.exe
1252
1724 WFS.exe
1252

pid	process
1848	isoburn.exe
1272	shrpubw.exe
1724	WFS.exe

pid	process
1252
1848	isoburn.exe
1252
1272	shrpubw.exe
1252
1724	WFS.exe
1252

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\5p\\shrpubw.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

isoburn.exeshrpubw.exeWFS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeisoburn.exeshrpubw.exe

pid	process
1600	regsvr32.exe
1600	regsvr32.exe
1600	regsvr32.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1848	isoburn.exe
1848	isoburn.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1272	shrpubw.exe
1272	shrpubw.exe
1252
1252

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1252

pid	process
1252

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1252 wrote to memory of 1560	1252	isoburn.exe
PID 1252 wrote to memory of 1560	1252	isoburn.exe
PID 1252 wrote to memory of 1560	1252	isoburn.exe
PID 1252 wrote to memory of 1848	1252	isoburn.exe
PID 1252 wrote to memory of 1848	1252	isoburn.exe
PID 1252 wrote to memory of 1848	1252	isoburn.exe
PID 1252 wrote to memory of 1556	1252	shrpubw.exe
PID 1252 wrote to memory of 1556	1252	shrpubw.exe
PID 1252 wrote to memory of 1556	1252	shrpubw.exe
PID 1252 wrote to memory of 1272	1252	shrpubw.exe
PID 1252 wrote to memory of 1272	1252	shrpubw.exe
PID 1252 wrote to memory of 1272	1252	shrpubw.exe
PID 1252 wrote to memory of 1760	1252	WFS.exe
PID 1252 wrote to memory of 1760	1252	WFS.exe
PID 1252 wrote to memory of 1760	1252	WFS.exe
PID 1252 wrote to memory of 1724	1252	WFS.exe
PID 1252 wrote to memory of 1724	1252	WFS.exe
PID 1252 wrote to memory of 1724	1252	WFS.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3e01cc84e691f32494b07ecb3468cbb5d9c085488fe0a5b8110f80071fcaf180.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:1560

C:\Users\Admin\AppData\Local\pOC9gct\isoburn.exe
C:\Users\Admin\AppData\Local\pOC9gct\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1556

C:\Users\Admin\AppData\Local\SwAo3yt\shrpubw.exe
C:\Users\Admin\AppData\Local\SwAo3yt\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:1760

C:\Users\Admin\AppData\Local\FfeCAhzX\WFS.exe
C:\Users\Admin\AppData\Local\FfeCAhzX\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\FfeCAhzX\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\FfeCAhzX\WINMM.dll
MD5
a40f2383dca25f8e90a1423c1c6e82e0

SHA1
6b64b72c2802a8f30c7d5ee4a8b748ed7c9da749

SHA256
0572c88854b1cb2b1c5f14b5b5bd5919c8e844c1086f45422e83a8eee38e53d4

SHA512
1c6dacbf5f12e3cede98707a1b6c0986e0f9586e33fd7943b52e39875846008c89c20e1d5747516e87893ebc28f154306c238a4842016678a3a82627edd54089

Download Submit
C:\Users\Admin\AppData\Local\SwAo3yt\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\SwAo3yt\srvcli.dll
MD5
5ce644347e63bd87a176795fdd5495f9

SHA1
63ea5f26daadd06e45a52334f5918485b2cb1c71

SHA256
80d1e0005ecab7e2c2625bcd2610919b264a66896bfe26098cec5616228bdf4a

SHA512
361118909aa3deac559d682ec0804fe3788917e4ca4e743a015d7e6d4cfb29224c9e5c80b48c5d6ecededecfb771cbdec39fbddd0fc844c1ae5c8247ec873215

Download Submit
C:\Users\Admin\AppData\Local\pOC9gct\UxTheme.dll
MD5
0ec18e427875bb9955b59798cf13299a

SHA1
7cffdf970a55001e5c26c947f0dfcddb1eaa886d

SHA256
506629c8ec76b5b50c36a5d0b42e468c5417881e3658f49691661075c7e4036c

SHA512
1c4f3a9dded53533a20042668d4b6c074b8425e032faddf739231b6ccab832b1b8d76b1e0ed8e30a15d0b198b939883bd5e447e7aad8543c41f98e18bb3845c7

Download Submit
C:\Users\Admin\AppData\Local\pOC9gct\isoburn.exe
MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\Users\Admin\AppData\Local\FfeCAhzX\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
\Users\Admin\AppData\Local\FfeCAhzX\WINMM.dll
MD5
a40f2383dca25f8e90a1423c1c6e82e0

SHA1
6b64b72c2802a8f30c7d5ee4a8b748ed7c9da749

SHA256
0572c88854b1cb2b1c5f14b5b5bd5919c8e844c1086f45422e83a8eee38e53d4

SHA512
1c6dacbf5f12e3cede98707a1b6c0986e0f9586e33fd7943b52e39875846008c89c20e1d5747516e87893ebc28f154306c238a4842016678a3a82627edd54089

Download Submit
\Users\Admin\AppData\Local\SwAo3yt\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\SwAo3yt\srvcli.dll
MD5
5ce644347e63bd87a176795fdd5495f9

SHA1
63ea5f26daadd06e45a52334f5918485b2cb1c71

SHA256
80d1e0005ecab7e2c2625bcd2610919b264a66896bfe26098cec5616228bdf4a

SHA512
361118909aa3deac559d682ec0804fe3788917e4ca4e743a015d7e6d4cfb29224c9e5c80b48c5d6ecededecfb771cbdec39fbddd0fc844c1ae5c8247ec873215

Download Submit
\Users\Admin\AppData\Local\pOC9gct\UxTheme.dll
MD5
0ec18e427875bb9955b59798cf13299a

SHA1
7cffdf970a55001e5c26c947f0dfcddb1eaa886d

SHA256
506629c8ec76b5b50c36a5d0b42e468c5417881e3658f49691661075c7e4036c

SHA512
1c4f3a9dded53533a20042668d4b6c074b8425e032faddf739231b6ccab832b1b8d76b1e0ed8e30a15d0b198b939883bd5e447e7aad8543c41f98e18bb3845c7

Download Submit
\Users\Admin\AppData\Local\pOC9gct\isoburn.exe
MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\VMaNBRBBlwu\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
memory/1252-70-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-65-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-73-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-75-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-74-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-77-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-76-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-78-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-79-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-80-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-81-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-82-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-83-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-85-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-84-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-90-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/1252-71-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-61-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1252-62-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-69-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-68-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-63-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-67-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-66-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-64-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1252-72-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/1272-102-0x0000000000000000-mapping.dmp

Download
memory/1272-107-0x000007FEF6580000-0x000007FEF66AB000-memory.dmp

Filesize
1.2MB

Download
memory/1600-55-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download
memory/1600-60-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1600-56-0x000007FEFADD0000-0x000007FEFAEFA000-memory.dmp

Filesize
1.2MB

Download
memory/1724-112-0x0000000000000000-mapping.dmp

Download
memory/1724-117-0x000000013F831000-0x000000013F833000-memory.dmp

Filesize
8KB

Download
memory/1724-118-0x000007FEF64F0000-0x000007FEF661C000-memory.dmp

Filesize
1.2MB

Download
memory/1848-97-0x000007FEFAE30000-0x000007FEFAF5B000-memory.dmp

Filesize
1.2MB

Download
memory/1848-92-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads