dridex | ab34dad9a255538b46b5c06a9d99d3324a6f204b3f09ff376378580f45f63adb

Analysis

max time kernel
161s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
02-03-2022 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab34dad9a255538b46b5c06a9d99d3324a6f204b3f09ff376378580f45f63adb.dll
Size

1.2MB
MD5

a121d39d7907071cb07215d25364b798
SHA1

f189ab1ab8a4083c5e37b7a06f33e271dd9c4a59
SHA256

ab34dad9a255538b46b5c06a9d99d3324a6f204b3f09ff376378580f45f63adb
SHA512

e4db45f6baa1ac14b85bc8879373f4bdbc966184ea3b5f6e457cc26781d0e1230d83727d4046750817e86853a779961cccedb2cb9a6f67ebfe374804237fbdcb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2460-138-0x0000000000C50000-0x0000000000C51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

iexpress.exesystemreset.exeBdeUISrv.exe

pid process

2964 iexpress.exe
3768 systemreset.exe
2776 BdeUISrv.exe
Loads dropped DLL 3 IoCs

Processes:

iexpress.exesystemreset.exeBdeUISrv.exe

pid process

2964 iexpress.exe
3768 systemreset.exe
2776 BdeUISrv.exe

pid	process
2964	iexpress.exe
3768	systemreset.exe
2776	BdeUISrv.exe

pid	process
2964	iexpress.exe
3768	systemreset.exe
2776	BdeUISrv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flqldkhbz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\I1hh\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeiexpress.exesystemreset.exeBdeUISrv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
3996	rundll32.exe
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460
2460

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2460

pid	process
2460

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460
Token: SeShutdownPrivilege	2460
Token: SeCreatePagefilePrivilege	2460

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2460 wrote to memory of 3004	2460	iexpress.exe
PID 2460 wrote to memory of 3004	2460	iexpress.exe
PID 2460 wrote to memory of 2964	2460	iexpress.exe
PID 2460 wrote to memory of 2964	2460	iexpress.exe
PID 2460 wrote to memory of 208	2460	systemreset.exe
PID 2460 wrote to memory of 208	2460	systemreset.exe
PID 2460 wrote to memory of 3768	2460	systemreset.exe
PID 2460 wrote to memory of 3768	2460	systemreset.exe
PID 2460 wrote to memory of 3228	2460	BdeUISrv.exe
PID 2460 wrote to memory of 3228	2460	BdeUISrv.exe
PID 2460 wrote to memory of 2776	2460	BdeUISrv.exe
PID 2460 wrote to memory of 2776	2460	BdeUISrv.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab34dad9a255538b46b5c06a9d99d3324a6f204b3f09ff376378580f45f63adb.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3996

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:3004

C:\Users\Admin\AppData\Local\5gox\iexpress.exe
C:\Users\Admin\AppData\Local\5gox\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2964

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:208

C:\Users\Admin\AppData\Local\bhhT\systemreset.exe
C:\Users\Admin\AppData\Local\bhhT\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3768

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:3228

C:\Users\Admin\AppData\Local\J9IG\BdeUISrv.exe
C:\Users\Admin\AppData\Local\J9IG\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5gox\VERSION.dll
MD5
85637d3a83b13ed03cb90b94c014b7fd

SHA1
c1325de4265a880b9cc9205681985b53a4c14263

SHA256
ce5699a4bfd6bbdbaeca4b8c84a0732e1083ea7ab256cb9c36a92568e992762b

SHA512
2a4db1790f30ef46612692ebcccbb2627f5e51eb0af1a3a0fa543784e7b50f497fec6cae5033f84212f45cbda0c2b255ca5ef0e60d7e8db18fde29cd316e97c8

Download Submit
C:\Users\Admin\AppData\Local\5gox\VERSION.dll
MD5
85637d3a83b13ed03cb90b94c014b7fd

SHA1
c1325de4265a880b9cc9205681985b53a4c14263

SHA256
ce5699a4bfd6bbdbaeca4b8c84a0732e1083ea7ab256cb9c36a92568e992762b

SHA512
2a4db1790f30ef46612692ebcccbb2627f5e51eb0af1a3a0fa543784e7b50f497fec6cae5033f84212f45cbda0c2b255ca5ef0e60d7e8db18fde29cd316e97c8

Download Submit
C:\Users\Admin\AppData\Local\5gox\iexpress.exe
MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Local\J9IG\BdeUISrv.exe
MD5
8595075667ff2c9a9f9e2eebc62d8f53

SHA1
c48b54e571f05d4e21d015bb3926c2129f19191a

SHA256
20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db

SHA512
080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

Download Submit
C:\Users\Admin\AppData\Local\J9IG\WTSAPI32.dll
MD5
cb76771734fd5949b2cf1d4ce495ed1c

SHA1
c7152ac44c24011a06c964288cc6ab27ed3d140e

SHA256
96963b3e748684dc1ad061ebb4f50c1a26e73bda23c58ff81db9487409769cbe

SHA512
46322eb27d07ceb32fe8eb9a7064cce78f19fe1943de77a7efc3f384acbed4c223d3cf3a59f9d32772e8f0efa3e8597fd1adc3d923c973cf9085727a40d50791

Download Submit
C:\Users\Admin\AppData\Local\J9IG\WTSAPI32.dll
MD5
cb76771734fd5949b2cf1d4ce495ed1c

SHA1
c7152ac44c24011a06c964288cc6ab27ed3d140e

SHA256
96963b3e748684dc1ad061ebb4f50c1a26e73bda23c58ff81db9487409769cbe

SHA512
46322eb27d07ceb32fe8eb9a7064cce78f19fe1943de77a7efc3f384acbed4c223d3cf3a59f9d32772e8f0efa3e8597fd1adc3d923c973cf9085727a40d50791

Download Submit
C:\Users\Admin\AppData\Local\bhhT\ReAgent.dll
MD5
0de4a02d0e7175ddd158e7fd8e40d818

SHA1
fd339ee87441d851308eb64a6f027787230bd5ee

SHA256
501f3f8ee370f351dc5cc3f65a913dcda5238c064115f2e08c9fa49987c741d8

SHA512
301a1fa702dcdc0a615edc066465942e54be53a632ba49a347a1c850082b56ad58f85d0c4a38bc91a8d938f420ab440471e601fc92745046b719fdcf947e7d30

Download Submit
C:\Users\Admin\AppData\Local\bhhT\ReAgent.dll
MD5
0de4a02d0e7175ddd158e7fd8e40d818

SHA1
fd339ee87441d851308eb64a6f027787230bd5ee

SHA256
501f3f8ee370f351dc5cc3f65a913dcda5238c064115f2e08c9fa49987c741d8

SHA512
301a1fa702dcdc0a615edc066465942e54be53a632ba49a347a1c850082b56ad58f85d0c4a38bc91a8d938f420ab440471e601fc92745046b719fdcf947e7d30

Download Submit
C:\Users\Admin\AppData\Local\bhhT\systemreset.exe
MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
memory/2460-144-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2460-142-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2460-154-0x00007FFA4DA5C000-0x00007FFA4DA5D000-memory.dmp

Filesize
4KB

Download
memory/2460-156-0x00007FFA4DA2C000-0x00007FFA4DA2D000-memory.dmp

Filesize
4KB

Download
memory/2460-155-0x0000000000C30000-0x0000000000C37000-memory.dmp

Filesize
28KB

Download
memory/2460-153-0x00007FFA4BA3A000-0x00007FFA4BA3B000-memory.dmp

Filesize
4KB

Download
memory/2460-157-0x00007FFA4D970000-0x00007FFA4D980000-memory.dmp

Filesize
64KB

Download
memory/2460-146-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2460-145-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2460-138-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2460-140-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2460-141-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2460-143-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2460-139-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2776-190-0x000002031A8D0000-0x000002031A8D7000-memory.dmp

Filesize
28KB

Download
memory/2964-168-0x000002D9CA420000-0x000002D9CA427000-memory.dmp

Filesize
28KB

Download
memory/2964-161-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3768-179-0x000002B20CF00000-0x000002B20CF07000-memory.dmp

Filesize
28KB

Download
memory/3996-130-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3996-137-0x0000024657650000-0x0000024657657000-memory.dmp

Filesize
28KB

Download