dridex | 5af146f34a016cb00d039b9c27f9377562b2114d1bd3bfb3bae84e37b621faeb

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
01-03-2022 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5af146f34a016cb00d039b9c27f9377562b2114d1bd3bfb3bae84e37b621faeb.dll
Size

1.4MB
MD5

bbd1c7e574466ed65425219a7aa7ff68
SHA1

e9778bcf32187c7b54d0879b4f57a9aa38e19fa6
SHA256

5af146f34a016cb00d039b9c27f9377562b2114d1bd3bfb3bae84e37b621faeb
SHA512

c57faf27f783786a284d65b7fb124d700d8c03c4a0447025976ea737555199bcb4b9a400c06c3d6829fee2658882fb8c5b1e538776ce34cabd2358f6d0f3f547

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2216-135-0x0000000000910000-0x0000000000911000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

msinfo32.exePresentationHost.exedwm.exeAtBroker.exe

pid process

3788 msinfo32.exe
4220 PresentationHost.exe
4180 dwm.exe
1520 AtBroker.exe
Loads dropped DLL 8 IoCs

Processes:

msinfo32.exePresentationHost.exedwm.exeAtBroker.exe

pid process

3788 msinfo32.exe
4220 PresentationHost.exe
4220 PresentationHost.exe
4180 dwm.exe
4180 dwm.exe
4180 dwm.exe
4180 dwm.exe
1520 AtBroker.exe

pid	process
3788	msinfo32.exe
4220	PresentationHost.exe
4180	dwm.exe
1520	AtBroker.exe

pid	process
3788	msinfo32.exe
4220	PresentationHost.exe
4220	PresentationHost.exe
4180	dwm.exe
4180	dwm.exe
4180	dwm.exe
4180	dwm.exe
1520	AtBroker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zrakajr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\sll\\dwm.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msinfo32.exedwm.exeAtBroker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2564	regsvr32.exe
2564	regsvr32.exe
2564	regsvr32.exe
2564	regsvr32.exe
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216
2216

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2216

pid	process
2216

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 2216 wrote to memory of 2068	2216	msinfo32.exe
PID 2216 wrote to memory of 2068	2216	msinfo32.exe
PID 2216 wrote to memory of 3788	2216	msinfo32.exe
PID 2216 wrote to memory of 3788	2216	msinfo32.exe
PID 2216 wrote to memory of 4232	2216	PresentationHost.exe
PID 2216 wrote to memory of 4232	2216	PresentationHost.exe
PID 2216 wrote to memory of 4220	2216	PresentationHost.exe
PID 2216 wrote to memory of 4220	2216	PresentationHost.exe
PID 2216 wrote to memory of 4192	2216	dwm.exe
PID 2216 wrote to memory of 4192	2216	dwm.exe
PID 2216 wrote to memory of 4180	2216	dwm.exe
PID 2216 wrote to memory of 4180	2216	dwm.exe
PID 2216 wrote to memory of 1492	2216	AtBroker.exe
PID 2216 wrote to memory of 1492	2216	AtBroker.exe
PID 2216 wrote to memory of 1520	2216	AtBroker.exe
PID 2216 wrote to memory of 1520	2216	AtBroker.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5af146f34a016cb00d039b9c27f9377562b2114d1bd3bfb3bae84e37b621faeb.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2068

C:\Users\Admin\AppData\Local\2YQ\msinfo32.exe
C:\Users\Admin\AppData\Local\2YQ\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3788

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:4232

C:\Users\Admin\AppData\Local\9LONb36\PresentationHost.exe
C:\Users\Admin\AppData\Local\9LONb36\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4220

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:4192

C:\Users\Admin\AppData\Local\oQA8tLdz\dwm.exe
C:\Users\Admin\AppData\Local\oQA8tLdz\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4180

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:1492

C:\Users\Admin\AppData\Local\I9i\AtBroker.exe
C:\Users\Admin\AppData\Local\I9i\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2YQ\MFC42u.dll
MD5
faeba26abe714f08302a5e10ac8d952f

SHA1
dd6b74a6ecebd5a37e887389f5b0c576af29d36c

SHA256
07139c525cd4280beca30808fc6578e8ef2b2e9464ad72a029d6852757172099

SHA512
86de14e72c7c2d475b80d1fc14aa654e2a46cece4ee25b56a8c85c275116ee346e04f1104f8ac2087da05be67dea43dbed89014f207c6a9185fcef5cc55bb81a

Download Submit
C:\Users\Admin\AppData\Local\2YQ\MFC42u.dll
MD5
faeba26abe714f08302a5e10ac8d952f

SHA1
dd6b74a6ecebd5a37e887389f5b0c576af29d36c

SHA256
07139c525cd4280beca30808fc6578e8ef2b2e9464ad72a029d6852757172099

SHA512
86de14e72c7c2d475b80d1fc14aa654e2a46cece4ee25b56a8c85c275116ee346e04f1104f8ac2087da05be67dea43dbed89014f207c6a9185fcef5cc55bb81a

Download Submit
C:\Users\Admin\AppData\Local\2YQ\msinfo32.exe
MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\9LONb36\PresentationHost.exe
MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\9LONb36\VERSION.dll
MD5
36ae9ce20b0706423faf4ac52e03d26a

SHA1
ebb872417b6919d94a915b4393c9216cd0b32b68

SHA256
caa44d7917d95e06edf4452f24349442b11515f881f65d96d32421efeb57a7ba

SHA512
4c88e05aae366529906b38071e88d049b599ee11b74470fab6ba4b9f00aca9deab4676e18cdec065f237b481a645b8efdc6889d931a5ed40ef819f6f8346a14e

Download Submit
C:\Users\Admin\AppData\Local\9LONb36\VERSION.dll
MD5
36ae9ce20b0706423faf4ac52e03d26a

SHA1
ebb872417b6919d94a915b4393c9216cd0b32b68

SHA256
caa44d7917d95e06edf4452f24349442b11515f881f65d96d32421efeb57a7ba

SHA512
4c88e05aae366529906b38071e88d049b599ee11b74470fab6ba4b9f00aca9deab4676e18cdec065f237b481a645b8efdc6889d931a5ed40ef819f6f8346a14e

Download Submit
C:\Users\Admin\AppData\Local\9LONb36\VERSION.dll
MD5
36ae9ce20b0706423faf4ac52e03d26a

SHA1
ebb872417b6919d94a915b4393c9216cd0b32b68

SHA256
caa44d7917d95e06edf4452f24349442b11515f881f65d96d32421efeb57a7ba

SHA512
4c88e05aae366529906b38071e88d049b599ee11b74470fab6ba4b9f00aca9deab4676e18cdec065f237b481a645b8efdc6889d931a5ed40ef819f6f8346a14e

Download Submit
C:\Users\Admin\AppData\Local\I9i\AtBroker.exe
MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\I9i\UxTheme.dll
MD5
b3c54ebea45d999861ad5912c1fd57e5

SHA1
c0d5dfc1c078c2e1cd3da58c3a76032e1741293e

SHA256
82ce9381d6d21b508fbf13978474e6f7cfeb0a422321ccabe33b0b647e958f3b

SHA512
6dc1234e9328163b987206226e1ad6919b7f8a3291a7e0425dfc449d3044e6f2e5ad9aed02ea25dbc638d1cc29f3000c2f4bf4591d40032e154dbd58b5631cec

Download Submit
C:\Users\Admin\AppData\Local\I9i\UxTheme.dll
MD5
b3c54ebea45d999861ad5912c1fd57e5

SHA1
c0d5dfc1c078c2e1cd3da58c3a76032e1741293e

SHA256
82ce9381d6d21b508fbf13978474e6f7cfeb0a422321ccabe33b0b647e958f3b

SHA512
6dc1234e9328163b987206226e1ad6919b7f8a3291a7e0425dfc449d3044e6f2e5ad9aed02ea25dbc638d1cc29f3000c2f4bf4591d40032e154dbd58b5631cec

Download Submit
C:\Users\Admin\AppData\Local\oQA8tLdz\dwm.exe
MD5
5c27608411832c5b39ba04e33d53536c

SHA1
f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

SHA256
0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

SHA512
1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

Download Submit
C:\Users\Admin\AppData\Local\oQA8tLdz\dwm.exe
MD5
5c27608411832c5b39ba04e33d53536c

SHA1
f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

SHA256
0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

SHA512
1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

Download Submit
C:\Users\Admin\AppData\Local\oQA8tLdz\dxgi.dll
MD5
5cc3ab654df9f6ec743355f4365fae73

SHA1
6f7f06793e35b23e56cde99bd888df3fa5d42d8a

SHA256
3ea5c7d3d3de1b244dd2ee04fa768b36def0d0588088b2e0698b8e0702d35455

SHA512
f144b7d3892f2859f19f78900672f16c8b2f9c4f319e4996a186472e410c5fc4267c524550a7dc52434091cb8e387162901daaa2b8fae3a581f5e1bce34b6840

Download Submit
C:\Users\Admin\AppData\Local\oQA8tLdz\dxgi.dll
MD5
5cc3ab654df9f6ec743355f4365fae73

SHA1
6f7f06793e35b23e56cde99bd888df3fa5d42d8a

SHA256
3ea5c7d3d3de1b244dd2ee04fa768b36def0d0588088b2e0698b8e0702d35455

SHA512
f144b7d3892f2859f19f78900672f16c8b2f9c4f319e4996a186472e410c5fc4267c524550a7dc52434091cb8e387162901daaa2b8fae3a581f5e1bce34b6840

Download Submit
C:\Users\Admin\AppData\Local\oQA8tLdz\dxgi.dll
MD5
5cc3ab654df9f6ec743355f4365fae73

SHA1
6f7f06793e35b23e56cde99bd888df3fa5d42d8a

SHA256
3ea5c7d3d3de1b244dd2ee04fa768b36def0d0588088b2e0698b8e0702d35455

SHA512
f144b7d3892f2859f19f78900672f16c8b2f9c4f319e4996a186472e410c5fc4267c524550a7dc52434091cb8e387162901daaa2b8fae3a581f5e1bce34b6840

Download Submit
C:\Users\Admin\AppData\Local\oQA8tLdz\dxgi.dll
MD5
5cc3ab654df9f6ec743355f4365fae73

SHA1
6f7f06793e35b23e56cde99bd888df3fa5d42d8a

SHA256
3ea5c7d3d3de1b244dd2ee04fa768b36def0d0588088b2e0698b8e0702d35455

SHA512
f144b7d3892f2859f19f78900672f16c8b2f9c4f319e4996a186472e410c5fc4267c524550a7dc52434091cb8e387162901daaa2b8fae3a581f5e1bce34b6840

Download Submit
C:\Users\Admin\AppData\Local\oQA8tLdz\dxgi.dll
MD5
5cc3ab654df9f6ec743355f4365fae73

SHA1
6f7f06793e35b23e56cde99bd888df3fa5d42d8a

SHA256
3ea5c7d3d3de1b244dd2ee04fa768b36def0d0588088b2e0698b8e0702d35455

SHA512
f144b7d3892f2859f19f78900672f16c8b2f9c4f319e4996a186472e410c5fc4267c524550a7dc52434091cb8e387162901daaa2b8fae3a581f5e1bce34b6840

Download Submit
memory/1520-187-0x00000209D8D20000-0x00000209D8D27000-memory.dmp

Filesize
28KB

Download
memory/2216-143-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-144-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-142-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-154-0x00007FFB36BAC000-0x00007FFB36BAD000-memory.dmp

Filesize
4KB

Download
memory/2216-141-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-140-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-139-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-138-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-136-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-135-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2216-153-0x00000000008C0000-0x00000000008C7000-memory.dmp

Filesize
28KB

Download
memory/2216-137-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2216-155-0x00007FFB36AF0000-0x00007FFB36B00000-memory.dmp

Filesize
64KB

Download
memory/2216-151-0x00007FFB354DA000-0x00007FFB354DB000-memory.dmp

Filesize
4KB

Download
memory/2216-152-0x00007FFB36BDC000-0x00007FFB36BDD000-memory.dmp

Filesize
4KB

Download
memory/2564-130-0x0000000140000000-0x0000000140178000-memory.dmp

Filesize
1.5MB

Download
memory/2564-134-0x0000000000D90000-0x0000000000D97000-memory.dmp

Filesize
28KB

Download
memory/3788-159-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/3788-163-0x000002D70DAE0000-0x000002D70DAE7000-memory.dmp

Filesize
28KB

Download
memory/4180-175-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4180-179-0x00000241FABD0000-0x00000241FABD7000-memory.dmp

Filesize
28KB

Download