dridex | 7f99fa6b320c69b5a80cd50b772da933825a0bef75bf56ba2939f87bee136a95

Analysis

max time kernel
60s
max time network
21s
platform
windows10_x64
resource
win10-en-20211014
submitted
06-12-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f99fa6b320c69b5a80cd50b772da933825a0bef75bf56ba2939f87bee136a95.dll
Size

772KB
MD5

f11a250479b111aebbf272a7b6315728
SHA1

27e219c25e4d31e97d157d5004f118179f66d0bd
SHA256

7f99fa6b320c69b5a80cd50b772da933825a0bef75bf56ba2939f87bee136a95
SHA512

074a893bcc9ffe302cc2d27de9eda3ea67f9f3b1df592bb907cba8aa2f4895311329fc0d11bb7f5e2f638c9501c40f26522620a9e954c4f1b9800948af1712e5

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 5 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2668-116-0x00007FFDC4170000-0x00007FFDC423B000-memory.dmp	dridex_payload
behavioral2/memory/3020-127-0x0000000140000000-0x00000001400CB000-memory.dmp	dridex_payload
behavioral2/memory/3904-141-0x00007FFDC4170000-0x00007FFDC423C000-memory.dmp	dridex_payload
behavioral2/memory/2840-151-0x00007FFDB8720000-0x00007FFDB87EC000-memory.dmp	dridex_payload
behavioral2/memory/1268-163-0x00007FFDC4170000-0x00007FFDC423D000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3020-122-0x00000000005E0000-0x00000000005E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

rdpshell.exemsconfig.execonsent.exexpsrchvw.exe

pid process

3904 rdpshell.exe
2840 msconfig.exe
2376 consent.exe
1268 xpsrchvw.exe
Loads dropped DLL 3 IoCs

Processes:

rdpshell.exemsconfig.exexpsrchvw.exe

pid process

3904 rdpshell.exe
2840 msconfig.exe
1268 xpsrchvw.exe

pid	process
3904	rdpshell.exe
2840	msconfig.exe
2376	consent.exe
1268	xpsrchvw.exe

pid	process
3904	rdpshell.exe
2840	msconfig.exe
1268	xpsrchvw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slqggwbvaxk = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\dFS58\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpshell.exemsconfig.exexpsrchvw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 3020 wrote to memory of 3376	3020	rdpshell.exe
PID 3020 wrote to memory of 3376	3020	rdpshell.exe
PID 3020 wrote to memory of 3904	3020	rdpshell.exe
PID 3020 wrote to memory of 3904	3020	rdpshell.exe
PID 3020 wrote to memory of 2832	3020	msconfig.exe
PID 3020 wrote to memory of 2832	3020	msconfig.exe
PID 3020 wrote to memory of 2840	3020	msconfig.exe
PID 3020 wrote to memory of 2840	3020	msconfig.exe
PID 3020 wrote to memory of 576	3020	consent.exe
PID 3020 wrote to memory of 576	3020	consent.exe
PID 3020 wrote to memory of 2376	3020	consent.exe
PID 3020 wrote to memory of 2376	3020	consent.exe
PID 3020 wrote to memory of 372	3020	xpsrchvw.exe
PID 3020 wrote to memory of 372	3020	xpsrchvw.exe
PID 3020 wrote to memory of 1268	3020	xpsrchvw.exe
PID 3020 wrote to memory of 1268	3020	xpsrchvw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f99fa6b320c69b5a80cd50b772da933825a0bef75bf56ba2939f87bee136a95.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:3376

C:\Users\Admin\AppData\Local\iSPp\rdpshell.exe
C:\Users\Admin\AppData\Local\iSPp\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3904

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:2832

C:\Users\Admin\AppData\Local\OvzFZFm\msconfig.exe
C:\Users\Admin\AppData\Local\OvzFZFm\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2840

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:576

C:\Users\Admin\AppData\Local\iAPD\consent.exe
C:\Users\Admin\AppData\Local\iAPD\consent.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:372

C:\Users\Admin\AppData\Local\enUkuQxPO\xpsrchvw.exe
C:\Users\Admin\AppData\Local\enUkuQxPO\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OvzFZFm\VERSION.dll
MD5
7028584e8a129d55883b70d7b0ab9171

SHA1
2cad91a87752f6fe7ede4a10fd9e4be42e8ab242

SHA256
8c0887f737916bf6b78aaaecf0c1a84e88f71dbe74bd0b9593ba5322a25461a2

SHA512
e421c66bb183cc12f0b8c38fc594495dc0200d41d64f977621dad7d8c77792165ced2b2def80e1f3e0ef39e61e68a405902c549345bf42a3b3f55cb031d2900d

Download Submit
C:\Users\Admin\AppData\Local\OvzFZFm\msconfig.exe
MD5
b869aef04af69e345561d01905942fef

SHA1
e61b5522c3b8b5ada95846cc6306c9c2f29265d4

SHA256
9cf1d82402469616b2b0a663e22f965395181abc91140139df226ab882a619cc

SHA512
52ad0b6b5cc6053de42d06248c312180091c06ade8a54da32a946add93854e6dd0b1af2bf02957ddb77207fd3c53ef4def6dcda0591e28b457c0e361776498f2

Download Submit
C:\Users\Admin\AppData\Local\enUkuQxPO\WINMM.dll
MD5
6b2cb2a74a44c86dd0b7ca1650196fa0

SHA1
2d10e9d7aa9c6d4d5618be9aabfe86a39336d57d

SHA256
273c4e2ac322b2eda8a2a44291630c9a3420c86a05ba7a5479ffeb3dd2171e9d

SHA512
63a6190eaa959808a626ca2c9bb58e4a99f29928db5a1efe07c363e62f1c97293579c2c7d371395f32f3b7649f321dfbd2d3a2a103d663e9ad047c58667e4671

Download Submit
C:\Users\Admin\AppData\Local\enUkuQxPO\xpsrchvw.exe
MD5
ca268b5a709c8fd984c1130919fcae5d

SHA1
9a7f22ce3341737257086a04f23c893830df2a93

SHA256
ded8b0ca8d89dda1ab809dc60a83abbbdb9cf0d9b477d98816525b4828cb4b44

SHA512
355104444345d09c3012524eaf1b56f1de6da34284e8b0ae8d3e1df0465df8d181f100bdac00d728fd57d6e6a67b6bca1257591007c7931f0ba9c433cc3ae0bc

Download Submit
C:\Users\Admin\AppData\Local\iAPD\consent.exe
MD5
6d7e9c7bad50da67b1f23c6b4a9e1f7f

SHA1
b02648a975909e63d93e3531c1250f89ba676f9f

SHA256
b9711ed459bdbf39679f731ab67221068e0b6b8d8be88f22f4e89467ebac223b

SHA512
3e1aeb0ed4bc63319d7720356d8d7f01a9f5a28906f818941d41e434ca7a2ede0b26f63ea8275c2bc244621e88c017050f6c6118140108c35fe7b6e2371e7d12

Download Submit
C:\Users\Admin\AppData\Local\iSPp\WTSAPI32.dll
MD5
700c5d47823cd1d867ff7d1d785a58bc

SHA1
3af3085508878f122f22d596330d5f72cf291b8f

SHA256
a151ff7f446271bb18fcda174234fc09a425aae88b144899f68b672baacebd69

SHA512
1f0b3085fbf81c10dce9c666d594c91e7f7e265640946570c4fc12a15f820a4533f5f3b6e6593bb835295a95bba591e1214ae0e92d0581d551af049046e15c04

Download Submit
C:\Users\Admin\AppData\Local\iSPp\rdpshell.exe
MD5
7389a53d3f7c89ff63616568aa2665e8

SHA1
444d3797eef1459a89156e35da5ed382bd3880bf

SHA256
92dd2b669e97c994846ae312f81cb66a37e2826f61db5de1052b10c2c96be09a

SHA512
92c15268c2f440ca6948efaddcbc14659ac364000160c3373c2a014714403b67c3754fb12c328a9179268e5d0f6d4420a40e42467279d7cba8a45c3b9f1159bc

Download Submit
\Users\Admin\AppData\Local\OvzFZFm\VERSION.dll
MD5
7028584e8a129d55883b70d7b0ab9171

SHA1
2cad91a87752f6fe7ede4a10fd9e4be42e8ab242

SHA256
8c0887f737916bf6b78aaaecf0c1a84e88f71dbe74bd0b9593ba5322a25461a2

SHA512
e421c66bb183cc12f0b8c38fc594495dc0200d41d64f977621dad7d8c77792165ced2b2def80e1f3e0ef39e61e68a405902c549345bf42a3b3f55cb031d2900d

Download Submit
\Users\Admin\AppData\Local\enUkuQxPO\WINMM.dll
MD5
6b2cb2a74a44c86dd0b7ca1650196fa0

SHA1
2d10e9d7aa9c6d4d5618be9aabfe86a39336d57d

SHA256
273c4e2ac322b2eda8a2a44291630c9a3420c86a05ba7a5479ffeb3dd2171e9d

SHA512
63a6190eaa959808a626ca2c9bb58e4a99f29928db5a1efe07c363e62f1c97293579c2c7d371395f32f3b7649f321dfbd2d3a2a103d663e9ad047c58667e4671

Download Submit
\Users\Admin\AppData\Local\iSPp\WTSAPI32.dll
MD5
700c5d47823cd1d867ff7d1d785a58bc

SHA1
3af3085508878f122f22d596330d5f72cf291b8f

SHA256
a151ff7f446271bb18fcda174234fc09a425aae88b144899f68b672baacebd69

SHA512
1f0b3085fbf81c10dce9c666d594c91e7f7e265640946570c4fc12a15f820a4533f5f3b6e6593bb835295a95bba591e1214ae0e92d0581d551af049046e15c04

Download Submit
memory/1268-168-0x000001E2CA970000-0x000001E2CA972000-memory.dmp

Filesize
8KB

Download
memory/1268-163-0x00007FFDC4170000-0x00007FFDC423D000-memory.dmp

Filesize
820KB

Download
memory/1268-159-0x0000000000000000-mapping.dmp

Download
memory/1268-166-0x000001E2CA970000-0x000001E2CA972000-memory.dmp

Filesize
8KB

Download
memory/1268-167-0x000001E2CA970000-0x000001E2CA972000-memory.dmp

Filesize
8KB

Download
memory/2376-157-0x0000000000000000-mapping.dmp

Download
memory/2668-116-0x00007FFDC4170000-0x00007FFDC423B000-memory.dmp

Filesize
812KB

Download
memory/2668-121-0x0000024A12510000-0x0000024A12512000-memory.dmp

Filesize
8KB

Download
memory/2668-120-0x0000024A12510000-0x0000024A12512000-memory.dmp

Filesize
8KB

Download
memory/2668-119-0x0000024A12510000-0x0000024A12512000-memory.dmp

Filesize
8KB

Download
memory/2668-115-0x0000024A12500000-0x0000024A12507000-memory.dmp

Filesize
28KB

Download
memory/2840-155-0x000002639A000000-0x000002639A002000-memory.dmp

Filesize
8KB

Download
memory/2840-151-0x00007FFDB8720000-0x00007FFDB87EC000-memory.dmp

Filesize
816KB

Download
memory/2840-156-0x000002639A000000-0x000002639A002000-memory.dmp

Filesize
8KB

Download
memory/2840-147-0x0000000000000000-mapping.dmp

Download
memory/2840-154-0x000002639A000000-0x000002639A002000-memory.dmp

Filesize
8KB

Download
memory/3020-126-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3020-124-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3020-169-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/3020-122-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/3020-136-0x00007FFDD22F5000-0x00007FFDD22F6000-memory.dmp

Filesize
4KB

Download
memory/3020-123-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3020-135-0x00007FFDD2325000-0x00007FFDD2326000-memory.dmp

Filesize
4KB

Download
memory/3020-134-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/3020-132-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/3020-133-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/3020-127-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3020-125-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/3904-145-0x0000020752950000-0x0000020752952000-memory.dmp

Filesize
8KB

Download
memory/3904-137-0x0000000000000000-mapping.dmp

Download
memory/3904-146-0x0000020752950000-0x0000020752952000-memory.dmp

Filesize
8KB

Download
memory/3904-144-0x0000020752950000-0x0000020752952000-memory.dmp

Filesize
8KB

Download
memory/3904-141-0x00007FFDC4170000-0x00007FFDC423C000-memory.dmp

Filesize
816KB

Download