dridex | e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-en-20211104
submitted
03-12-2021 10:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll
Size

1.2MB
MD5

ea1bfbc91324c0cbb97f17775e653dab
SHA1

61c6d875774c9cd59ae56e351a291c2cf9e79284
SHA256

e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a
SHA512

903a180a93cc7ecd2b6e0fd76fc597456bbd1986d28f63993fc00b57dc47afad779fd05ce734f4070d3b16af08aec5e5da1086aefcf85929ba87c7cd1e27dc75

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1220-59-0x0000000002130000-0x0000000002131000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msra.exespreview.exeWFS.exe

pid process

1288 msra.exe
1956 spreview.exe
1888 WFS.exe

pid	process
1288	msra.exe
1956	spreview.exe
1888	WFS.exe

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkFTV3lLxeo
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkFTV3lLxeo\credui.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkFTV3lLxeo\WFS.exe

Loads dropped DLL 7 IoCs

Processes:

msra.exespreview.exeWFS.exe

pid process

1220
1288 msra.exe
1220
1956 spreview.exe
1220
1888 WFS.exe
1220

pid	process
1220
1288	msra.exe
1220
1956	spreview.exe
1220
1888	WFS.exe
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\2PtOQ\\spreview.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsra.exespreview.exeWFS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1472	rundll32.exe
1472	rundll32.exe
1472	rundll32.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exemsra.exespreview.exeWFS.exe

pid process

1472 rundll32.exe
1220
1288 msra.exe
1956 spreview.exe
1888 WFS.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1220 wrote to memory of 1192	1220	msra.exe
PID 1220 wrote to memory of 1192	1220	msra.exe
PID 1220 wrote to memory of 1192	1220	msra.exe
PID 1220 wrote to memory of 1288	1220	msra.exe
PID 1220 wrote to memory of 1288	1220	msra.exe
PID 1220 wrote to memory of 1288	1220	msra.exe
PID 1220 wrote to memory of 1568	1220	spreview.exe
PID 1220 wrote to memory of 1568	1220	spreview.exe
PID 1220 wrote to memory of 1568	1220	spreview.exe
PID 1220 wrote to memory of 1956	1220	spreview.exe
PID 1220 wrote to memory of 1956	1220	spreview.exe
PID 1220 wrote to memory of 1956	1220	spreview.exe
PID 1220 wrote to memory of 980	1220	WFS.exe
PID 1220 wrote to memory of 980	1220	WFS.exe
PID 1220 wrote to memory of 980	1220	WFS.exe
PID 1220 wrote to memory of 1888	1220	WFS.exe
PID 1220 wrote to memory of 1888	1220	WFS.exe
PID 1220 wrote to memory of 1888	1220	WFS.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3a97ee2fa0ea4dc05340e0778674a93e8c95944c519df7ee5f486c08b1df15a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1472

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:1192

C:\Users\Admin\AppData\Local\b2Wmo4k\msra.exe
C:\Users\Admin\AppData\Local\b2Wmo4k\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1288

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\xN5N\spreview.exe
C:\Users\Admin\AppData\Local\xN5N\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1956

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:980

C:\Users\Admin\AppData\Local\h41oRkVwt\WFS.exe
C:\Users\Admin\AppData\Local\h41oRkVwt\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\b2Wmo4k\UxTheme.dll
MD5
14f165dd7a277950316ecac0f180e3c3

SHA1
f2d46e6564bdfc886c87e9db9fd9ae215298e38c

SHA256
4a2b427b69b536f97f16a79763aca6a71b06d10b29ff70505dd9435d03d6840d

SHA512
365472ae9afc06dd3aeceac506b3783445945ac3426f517ccd5311e22a033aa64d6c22f07f6660b6da46f5f18c212c6f017cb6ebf4acc9ac0cf09ce264127b9a

Download Submit
C:\Users\Admin\AppData\Local\b2Wmo4k\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
C:\Users\Admin\AppData\Local\h41oRkVwt\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\h41oRkVwt\credui.dll
MD5
067b56f6ebc64d1a21865b18b87a45e5

SHA1
f2dd5934449ea7c0e0c4fbd0a4e6a882cab6b0c5

SHA256
187c8519edd126671b6c7bef7275e8c4b3ab3a126510aed5b07b5614cfdae415

SHA512
e1ddd286e75dc93a2cd76cf70de2a1f44ac6f8a98f00e3cd438a5af064f430c452658a22eeb96f886ffe4cb54fa5ab6249c6f207b1c892921ec229570ea2f334

Download Submit
C:\Users\Admin\AppData\Local\xN5N\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
C:\Users\Admin\AppData\Local\xN5N\sqmapi.dll
MD5
4684f30be3b4d829b519aa13caefad43

SHA1
06210f421008b58494ca355fa7765a668a1beda7

SHA256
a53665163b03af1da62e7164b3d099177a2e4f27a31c3331d58119350b2d21c0

SHA512
8a8478d0d766ec69b6c65bfb04d57b8e83c0206eca0297bfde48f9d5435f56b290491ebb64a6757b8a1c0a3032b08f3cdae3d98bf566f52889f1a442f2100b92

Download Submit
\Users\Admin\AppData\Local\b2Wmo4k\UxTheme.dll
MD5
14f165dd7a277950316ecac0f180e3c3

SHA1
f2d46e6564bdfc886c87e9db9fd9ae215298e38c

SHA256
4a2b427b69b536f97f16a79763aca6a71b06d10b29ff70505dd9435d03d6840d

SHA512
365472ae9afc06dd3aeceac506b3783445945ac3426f517ccd5311e22a033aa64d6c22f07f6660b6da46f5f18c212c6f017cb6ebf4acc9ac0cf09ce264127b9a

Download Submit
\Users\Admin\AppData\Local\b2Wmo4k\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Local\h41oRkVwt\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
\Users\Admin\AppData\Local\h41oRkVwt\credui.dll
MD5
067b56f6ebc64d1a21865b18b87a45e5

SHA1
f2dd5934449ea7c0e0c4fbd0a4e6a882cab6b0c5

SHA256
187c8519edd126671b6c7bef7275e8c4b3ab3a126510aed5b07b5614cfdae415

SHA512
e1ddd286e75dc93a2cd76cf70de2a1f44ac6f8a98f00e3cd438a5af064f430c452658a22eeb96f886ffe4cb54fa5ab6249c6f207b1c892921ec229570ea2f334

Download Submit
\Users\Admin\AppData\Local\xN5N\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\xN5N\sqmapi.dll
MD5
4684f30be3b4d829b519aa13caefad43

SHA1
06210f421008b58494ca355fa7765a668a1beda7

SHA256
a53665163b03af1da62e7164b3d099177a2e4f27a31c3331d58119350b2d21c0

SHA512
8a8478d0d766ec69b6c65bfb04d57b8e83c0206eca0297bfde48f9d5435f56b290491ebb64a6757b8a1c0a3032b08f3cdae3d98bf566f52889f1a442f2100b92

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EkFTV3lLxeo\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
memory/1220-77-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-68-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-71-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-73-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-74-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-75-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-76-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-59-0x0000000002130000-0x0000000002131000-memory.dmp

Filesize
4KB

Download
memory/1220-78-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-79-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-85-0x0000000077260000-0x0000000077262000-memory.dmp

Filesize
8KB

Download
memory/1220-70-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-60-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-69-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-62-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-72-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-67-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-61-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-63-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-66-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-65-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1220-64-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1288-92-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/1288-89-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1288-87-0x0000000000000000-mapping.dmp

Download
memory/1472-55-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1472-58-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/1888-105-0x0000000000000000-mapping.dmp

Download
memory/1888-110-0x000000013F661000-0x000000013F663000-memory.dmp

Filesize
8KB

Download
memory/1956-96-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads