dridex | 6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f

Analysis

max time kernel
152s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll
Size

1.0MB
MD5

369638ac700f3c41ebaba447d4048ff8
SHA1

6c50a1abf9dc992e74a73279d40fb1a09368cdfe
SHA256

6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f
SHA512

5f7a1913e83cd443a3339af0a52c04a4de17c67be480646d9bb02c984196a0a1ec3d7419ee88ca12d219af927aad1859c47372e08ba6a7a35ad956d5dc4ce7f5

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-59-0x0000000002AA0000-0x0000000002AA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sethc.exesethc.exeSystemPropertiesAdvanced.exe

pid process

1868 sethc.exe
872 sethc.exe
1788 SystemPropertiesAdvanced.exe
Loads dropped DLL 7 IoCs

Processes:

sethc.exesethc.exeSystemPropertiesAdvanced.exe

pid process

1208
1868 sethc.exe
1208
872 sethc.exe
1208
1788 SystemPropertiesAdvanced.exe
1208

pid	process
1868	sethc.exe
872	sethc.exe
1788	SystemPropertiesAdvanced.exe

pid	process
1208
1868	sethc.exe
1208
872	sethc.exe
1208
1788	SystemPropertiesAdvanced.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fjgidavujrva = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\fKbd72k\\sethc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sethc.exesethc.exeSystemPropertiesAdvanced.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesethc.exe

pid	process
1468	rundll32.exe
1468	rundll32.exe
1468	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1868	sethc.exe
1868	sethc.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1208

pid	process
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 888	1208	sethc.exe
PID 1208 wrote to memory of 888	1208	sethc.exe
PID 1208 wrote to memory of 888	1208	sethc.exe
PID 1208 wrote to memory of 1868	1208	sethc.exe
PID 1208 wrote to memory of 1868	1208	sethc.exe
PID 1208 wrote to memory of 1868	1208	sethc.exe
PID 1208 wrote to memory of 1284	1208	sethc.exe
PID 1208 wrote to memory of 1284	1208	sethc.exe
PID 1208 wrote to memory of 1284	1208	sethc.exe
PID 1208 wrote to memory of 872	1208	sethc.exe
PID 1208 wrote to memory of 872	1208	sethc.exe
PID 1208 wrote to memory of 872	1208	sethc.exe
PID 1208 wrote to memory of 1372	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 1372	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 1372	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 1788	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 1788	1208	SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 1788	1208	SystemPropertiesAdvanced.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6712500bb0de148a99ec940160d3d61850e2ce3803adca8f39e9fa8621b8ea6f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:888

C:\Users\Admin\AppData\Local\rddeZv\sethc.exe
C:\Users\Admin\AppData\Local\rddeZv\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1284

C:\Users\Admin\AppData\Local\JZcmyO\sethc.exe
C:\Users\Admin\AppData\Local\JZcmyO\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:872

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:1372

C:\Users\Admin\AppData\Local\mvTdI\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\mvTdI\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1788

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JZcmyO\UxTheme.dll
MD5
3e0ddb2a9058d0dc028afb22e6b45ee2

SHA1
1fc24dec516cb3c91bb88c7b2ac14186f18e68bd

SHA256
c312aef933637729cba5b4399a0162202d224e4441739b24c51eb25ae5ad6c91

SHA512
a05e65251de8b6a82999740452d43dded5b9a24cb70f0b3d8ac39c62d5eac5ffc3e3eb40dda64b81f52d5c1eba49c35338d2ab6ef177d61a3e42a5fbeee81e61

Download Submit
C:\Users\Admin\AppData\Local\JZcmyO\sethc.exe
MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
C:\Users\Admin\AppData\Local\mvTdI\SYSDM.CPL
MD5
cb76df0ce41a639cc76749957db7ec9f

SHA1
dc1a0fcb4acd45e7dcd4a37eef71d3052cd8a8d7

SHA256
5859cf9ce7cbd47fbac9460ff9e45d64797a0674ac7c7755c22e23ca205e8b3e

SHA512
48685e8a9e0bb0b78cd4073bae13abea690b58646abf66601de6f323ad0cc5770e794bb195b5c6796b70349ac7b13f8c3e383ea706a1ae8d6ba7af6b898136b9

Download Submit
C:\Users\Admin\AppData\Local\mvTdI\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
C:\Users\Admin\AppData\Local\rddeZv\OLEACC.dll
MD5
d0801b124c0547833080fb4d2056e7ff

SHA1
4cc3fac887a72cf5c5c0162505ae200876ad9bee

SHA256
278267d0cab76c38aa2f3a70ceb2514bf422ff2a1da5cd8dee97b10a7e9d33c6

SHA512
629deead4fbecc8645cb90ddf252b6a14eccdd7a1813387ab85d6a8739e5e1669c4c5307d7ae64fa134e2aafe943d45259be91070cf20133d7239a0e30aa215c

Download Submit
C:\Users\Admin\AppData\Local\rddeZv\sethc.exe
MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Local\JZcmyO\UxTheme.dll
MD5
3e0ddb2a9058d0dc028afb22e6b45ee2

SHA1
1fc24dec516cb3c91bb88c7b2ac14186f18e68bd

SHA256
c312aef933637729cba5b4399a0162202d224e4441739b24c51eb25ae5ad6c91

SHA512
a05e65251de8b6a82999740452d43dded5b9a24cb70f0b3d8ac39c62d5eac5ffc3e3eb40dda64b81f52d5c1eba49c35338d2ab6ef177d61a3e42a5fbeee81e61

Download Submit
\Users\Admin\AppData\Local\JZcmyO\sethc.exe
MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Local\mvTdI\SYSDM.CPL
MD5
cb76df0ce41a639cc76749957db7ec9f

SHA1
dc1a0fcb4acd45e7dcd4a37eef71d3052cd8a8d7

SHA256
5859cf9ce7cbd47fbac9460ff9e45d64797a0674ac7c7755c22e23ca205e8b3e

SHA512
48685e8a9e0bb0b78cd4073bae13abea690b58646abf66601de6f323ad0cc5770e794bb195b5c6796b70349ac7b13f8c3e383ea706a1ae8d6ba7af6b898136b9

Download Submit
\Users\Admin\AppData\Local\mvTdI\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\rddeZv\OLEACC.dll
MD5
d0801b124c0547833080fb4d2056e7ff

SHA1
4cc3fac887a72cf5c5c0162505ae200876ad9bee

SHA256
278267d0cab76c38aa2f3a70ceb2514bf422ff2a1da5cd8dee97b10a7e9d33c6

SHA512
629deead4fbecc8645cb90ddf252b6a14eccdd7a1813387ab85d6a8739e5e1669c4c5307d7ae64fa134e2aafe943d45259be91070cf20133d7239a0e30aa215c

Download Submit
\Users\Admin\AppData\Local\rddeZv\sethc.exe
MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\IyJnnIo\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
memory/872-83-0x000007FEF68A0000-0x000007FEF69A6000-memory.dmp

Filesize
1.0MB

Download
memory/1208-65-0x0000000140000000-0x0000000140105000-memory.dmp

Filesize
1.0MB

Download
memory/1208-63-0x0000000140000000-0x0000000140105000-memory.dmp

Filesize
1.0MB

Download
memory/1208-62-0x0000000140000000-0x0000000140105000-memory.dmp

Filesize
1.0MB

Download
memory/1208-61-0x0000000140000000-0x0000000140105000-memory.dmp

Filesize
1.0MB

Download
memory/1208-64-0x0000000140000000-0x0000000140105000-memory.dmp

Filesize
1.0MB

Download
memory/1208-59-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1208-70-0x0000000077B90000-0x0000000077B92000-memory.dmp

Filesize
8KB

Download
memory/1208-60-0x0000000140000000-0x0000000140105000-memory.dmp

Filesize
1.0MB

Download
memory/1468-54-0x000007FEF68A0000-0x000007FEF69A5000-memory.dmp

Filesize
1.0MB

Download
memory/1468-58-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1868-75-0x000007FEF7060000-0x000007FEF7165000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads