dridex | 86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100

Analysis

max time kernel
151s
max time network
117s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll
Size

768KB
MD5

bd5cfa593ed87901f8184eaa44c0a8b8
SHA1

963a57fb83ca6361624fb057058ea4fb538015dc
SHA256

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100
SHA512

f6235abb0503db5a7cc7a0f6d2a4682db1491127a4f5700d3f68e15535b838651e1df8a8292643e46febb678e16abe9f36f6990db57db3f58c60ceae186ae489

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1404-60-0x0000000002640000-0x0000000002641000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.exeicardagt.exemsra.exe

pid process

1168 SystemPropertiesRemote.exe
904 icardagt.exe
1052 msra.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesRemote.exeicardagt.exemsra.exe

pid process

1404
1168 SystemPropertiesRemote.exe
1404
904 icardagt.exe
1404
1052 msra.exe
1404

pid	process
1168	SystemPropertiesRemote.exe
904	icardagt.exe
1052	msra.exe

pid	process
1404
1168	SystemPropertiesRemote.exe
1404
904	icardagt.exe
1404
1052	msra.exe
1404

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wcnzbxxys = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\kqgT\\icardagt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesRemote.exeicardagt.exemsra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSystemPropertiesRemote.exeicardagt.exe

pid	process
1624	rundll32.exe
1624	rundll32.exe
1624	rundll32.exe
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1168	SystemPropertiesRemote.exe
1168	SystemPropertiesRemote.exe
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
904	icardagt.exe
904	icardagt.exe
1404
1404
1404
1404

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1404

pid	process
1404

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1404 wrote to memory of 1460	1404	SystemPropertiesRemote.exe
PID 1404 wrote to memory of 1460	1404	SystemPropertiesRemote.exe
PID 1404 wrote to memory of 1460	1404	SystemPropertiesRemote.exe
PID 1404 wrote to memory of 1168	1404	SystemPropertiesRemote.exe
PID 1404 wrote to memory of 1168	1404	SystemPropertiesRemote.exe
PID 1404 wrote to memory of 1168	1404	SystemPropertiesRemote.exe
PID 1404 wrote to memory of 820	1404	icardagt.exe
PID 1404 wrote to memory of 820	1404	icardagt.exe
PID 1404 wrote to memory of 820	1404	icardagt.exe
PID 1404 wrote to memory of 904	1404	icardagt.exe
PID 1404 wrote to memory of 904	1404	icardagt.exe
PID 1404 wrote to memory of 904	1404	icardagt.exe
PID 1404 wrote to memory of 1824	1404	msra.exe
PID 1404 wrote to memory of 1824	1404	msra.exe
PID 1404 wrote to memory of 1824	1404	msra.exe
PID 1404 wrote to memory of 1052	1404	msra.exe
PID 1404 wrote to memory of 1052	1404	msra.exe
PID 1404 wrote to memory of 1052	1404	msra.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:1460

C:\Users\Admin\AppData\Local\dsdld\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\dsdld\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:820

C:\Users\Admin\AppData\Local\bVwgXp\icardagt.exe
C:\Users\Admin\AppData\Local\bVwgXp\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:1824

C:\Users\Admin\AppData\Local\aHWQ\msra.exe
C:\Users\Admin\AppData\Local\aHWQ\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1052

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\aHWQ\Secur32.dll
MD5
f374127c36c0607c61a316f7778fcad4

SHA1
609c078e1d2d122541b84ed814e029454e2f4cdf

SHA256
38be48b8bb47448c2b3faa572aa0e1c2a7a9fd02ae96f1bf4334bba776c76ecb

SHA512
570e631100fa23656da843340946d6c3c57cefbc3202ba36272458906192cd655e3622b2c60fda2d393a72611a281eed80369f335d39343112a3f2d229e15ace

Download Submit
C:\Users\Admin\AppData\Local\aHWQ\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
C:\Users\Admin\AppData\Local\bVwgXp\VERSION.dll
MD5
7bc0059a3350c7637b0bbf28bdcdae40

SHA1
5bb3e7f557e5392301ca51eedf9f357539e1c681

SHA256
c62af27b379ec1f50c3882378a3851fa6f050177f9afb66a82443770fa350c3c

SHA512
838170ad53243b6f89eac76380d0004ce66f00714fb843530ce332d1b5652f14826e15010f8cb785f616bfa3d221901e58d8d7743f4617d8cb47052fa9133c1a

Download Submit
C:\Users\Admin\AppData\Local\bVwgXp\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
C:\Users\Admin\AppData\Local\dsdld\SYSDM.CPL
MD5
afeb46c014b503c90dfb15c4cc929a95

SHA1
1e656fbd9736cc881ec706d1b3646f4cb159c4c1

SHA256
c568a0b122230c2492a96b73bc392aaf8466e84225bbea7ed1ffbdb957762fcf

SHA512
3ed7e6caaf412a04b7a952fafb4bdd1b0ca4bb4e690e78cb22e1a414726d7fcfdcb4b89a55ef3eb20e055077ed8fbe45c38051d560d5a3f27212adf9f1108b16

Download Submit
C:\Users\Admin\AppData\Local\dsdld\SystemPropertiesRemote.exe
MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\aHWQ\Secur32.dll
MD5
f374127c36c0607c61a316f7778fcad4

SHA1
609c078e1d2d122541b84ed814e029454e2f4cdf

SHA256
38be48b8bb47448c2b3faa572aa0e1c2a7a9fd02ae96f1bf4334bba776c76ecb

SHA512
570e631100fa23656da843340946d6c3c57cefbc3202ba36272458906192cd655e3622b2c60fda2d393a72611a281eed80369f335d39343112a3f2d229e15ace

Download Submit
\Users\Admin\AppData\Local\aHWQ\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Local\bVwgXp\VERSION.dll
MD5
7bc0059a3350c7637b0bbf28bdcdae40

SHA1
5bb3e7f557e5392301ca51eedf9f357539e1c681

SHA256
c62af27b379ec1f50c3882378a3851fa6f050177f9afb66a82443770fa350c3c

SHA512
838170ad53243b6f89eac76380d0004ce66f00714fb843530ce332d1b5652f14826e15010f8cb785f616bfa3d221901e58d8d7743f4617d8cb47052fa9133c1a

Download Submit
\Users\Admin\AppData\Local\bVwgXp\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\dsdld\SYSDM.CPL
MD5
afeb46c014b503c90dfb15c4cc929a95

SHA1
1e656fbd9736cc881ec706d1b3646f4cb159c4c1

SHA256
c568a0b122230c2492a96b73bc392aaf8466e84225bbea7ed1ffbdb957762fcf

SHA512
3ed7e6caaf412a04b7a952fafb4bdd1b0ca4bb4e690e78cb22e1a414726d7fcfdcb4b89a55ef3eb20e055077ed8fbe45c38051d560d5a3f27212adf9f1108b16

Download Submit
\Users\Admin\AppData\Local\dsdld\SystemPropertiesRemote.exe
MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Flash Player\YdzM1Jr\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
memory/904-82-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/904-85-0x000007FEF5C00000-0x000007FEF5CC0000-memory.dmp

Filesize
768KB

Download
memory/1052-94-0x000007FEF5BF0000-0x000007FEF5CB1000-memory.dmp

Filesize
772KB

Download
memory/1168-76-0x000007FEF6350000-0x000007FEF6410000-memory.dmp

Filesize
768KB

Download
memory/1404-63-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1404-62-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1404-61-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1404-66-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1404-64-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1404-65-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1404-60-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1404-71-0x0000000076EE0000-0x0000000076EE2000-memory.dmp

Filesize
8KB

Download
memory/1624-59-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1624-55-0x000007FEF6290000-0x000007FEF6350000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads