dridex | cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6

Analysis

max time kernel
152s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
23-03-2022 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6.dll
Size

1.3MB
MD5

288c35481252c1212cbb764c490c2ad8
SHA1

9c48ba2239b5ae5675d0eb6b92cf0a37884403fd
SHA256

cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6
SHA512

8a3b343ad8819f09f94868b19ab6f94a6fdf852f3c5183a371cd323a57af0b7fb9d5249516044e8f59721e6220ecd43338b6990c56cb0006840842cb923be112

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2688-135-0x0000000001300000-0x0000000001301000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sigverif.exeLockScreenContentServer.exeMusNotifyIcon.exe

pid process

1672 sigverif.exe
1104 LockScreenContentServer.exe
1004 MusNotifyIcon.exe
Loads dropped DLL 3 IoCs

Processes:

sigverif.exeLockScreenContentServer.exeMusNotifyIcon.exe

pid process

1672 sigverif.exe
1104 LockScreenContentServer.exe
1004 MusNotifyIcon.exe

pid	process
1672	sigverif.exe
1104	LockScreenContentServer.exe
1004	MusNotifyIcon.exe

pid	process
1672	sigverif.exe
1104	LockScreenContentServer.exe
1004	MusNotifyIcon.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zrakajr = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\SystemExtensionsDev\\OETpU0KmuIf\\LockScreenContentServer.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesigverif.exeLockScreenContentServer.exeMusNotifyIcon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LockScreenContentServer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesigverif.exe

pid	process
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe
1516	rundll32.exe
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
1672	sigverif.exe
1672	sigverif.exe
2688
2688
2688
2688
2688
2688
2688
2688

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2688
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 2688
Token: SeCreatePagefilePrivilege 2688

pid	process
2688

description	pid	process
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2688 wrote to memory of 552	2688	sigverif.exe
PID 2688 wrote to memory of 552	2688	sigverif.exe
PID 2688 wrote to memory of 1672	2688	sigverif.exe
PID 2688 wrote to memory of 1672	2688	sigverif.exe
PID 2688 wrote to memory of 1528	2688	LockScreenContentServer.exe
PID 2688 wrote to memory of 1528	2688	LockScreenContentServer.exe
PID 2688 wrote to memory of 1104	2688	LockScreenContentServer.exe
PID 2688 wrote to memory of 1104	2688	LockScreenContentServer.exe
PID 2688 wrote to memory of 1008	2688	MusNotifyIcon.exe
PID 2688 wrote to memory of 1008	2688	MusNotifyIcon.exe
PID 2688 wrote to memory of 1004	2688	MusNotifyIcon.exe
PID 2688 wrote to memory of 1004	2688	MusNotifyIcon.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:552

C:\Users\Admin\AppData\Local\HZy5ZBdkc\sigverif.exe
C:\Users\Admin\AppData\Local\HZy5ZBdkc\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Windows\system32\LockScreenContentServer.exe
C:\Windows\system32\LockScreenContentServer.exe
1⤵
PID:1528

C:\Users\Admin\AppData\Local\1pim6v\LockScreenContentServer.exe
C:\Users\Admin\AppData\Local\1pim6v\LockScreenContentServer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1104

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:1008

C:\Users\Admin\AppData\Local\PU4Pi1KP\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\PU4Pi1KP\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1pim6v\DUI70.dll
MD5
6909ae8302a7c85f15c0efe9f8ff11c1

SHA1
f1b5f4bf5e071a97811c70818490ad7a3462e961

SHA256
363d2089f6dcf844ae94298cde7ade56fc4393b942ccf7e3b19e853e8db3c222

SHA512
e621b69d6b70c812b0b42aa9521537a4ff0583e1afd526077b372c1f5aedcfaa2c6ede1e868b333c8b531d7d26a182ff60a0209f29faf8416157852329d95304

Download Submit
C:\Users\Admin\AppData\Local\1pim6v\DUI70.dll
MD5
6909ae8302a7c85f15c0efe9f8ff11c1

SHA1
f1b5f4bf5e071a97811c70818490ad7a3462e961

SHA256
363d2089f6dcf844ae94298cde7ade56fc4393b942ccf7e3b19e853e8db3c222

SHA512
e621b69d6b70c812b0b42aa9521537a4ff0583e1afd526077b372c1f5aedcfaa2c6ede1e868b333c8b531d7d26a182ff60a0209f29faf8416157852329d95304

Download Submit
C:\Users\Admin\AppData\Local\1pim6v\LockScreenContentServer.exe
MD5
a0b7513c98cf46ca2cea3a567fec137c

SHA1
2307fc8e3fc620ea3c2fdc6248ad4658479ba995

SHA256
cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6

SHA512
3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

Download Submit
C:\Users\Admin\AppData\Local\HZy5ZBdkc\VERSION.dll
MD5
f52589ae4771047fd34afbd0b6769cfa

SHA1
2d0c1510453ce56f174fbeb9ca0de7f31baa1a36

SHA256
edfcca71463c6f37a63cf7bfc3c11323c6fadaf9be60b6f9df370f08bda3e30e

SHA512
30be0dcc87dc4772dc5148fc85a1d6c2c42a901b7c6989a215b585a6220c1d869da6cac032a140da810d9a17736cb04bb35be8311ab9b9fee586f50d6658c9a3

Download Submit
C:\Users\Admin\AppData\Local\HZy5ZBdkc\VERSION.dll
MD5
f52589ae4771047fd34afbd0b6769cfa

SHA1
2d0c1510453ce56f174fbeb9ca0de7f31baa1a36

SHA256
edfcca71463c6f37a63cf7bfc3c11323c6fadaf9be60b6f9df370f08bda3e30e

SHA512
30be0dcc87dc4772dc5148fc85a1d6c2c42a901b7c6989a215b585a6220c1d869da6cac032a140da810d9a17736cb04bb35be8311ab9b9fee586f50d6658c9a3

Download Submit
C:\Users\Admin\AppData\Local\HZy5ZBdkc\sigverif.exe
MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\PU4Pi1KP\MusNotifyIcon.exe
MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\PU4Pi1KP\XmlLite.dll
MD5
73de1885ed935b3879058c690d91520a

SHA1
be3a676addb130a6ad5dfe428c394ee5fbefaad9

SHA256
1e9a65f464f9c0163f30bfc91f7ff1f25cfbf1e93ea271378a2e596c858f30dc

SHA512
aa57d4a6fb87fd9311d24385799e24c52ee85823de87bd1749dfd50b6152ad04e09bbc951ab1307ad1117e8e480d412533da44c7e650b815435fa1febd0e2a91

Download Submit
C:\Users\Admin\AppData\Local\PU4Pi1KP\XmlLite.dll
MD5
73de1885ed935b3879058c690d91520a

SHA1
be3a676addb130a6ad5dfe428c394ee5fbefaad9

SHA256
1e9a65f464f9c0163f30bfc91f7ff1f25cfbf1e93ea271378a2e596c858f30dc

SHA512
aa57d4a6fb87fd9311d24385799e24c52ee85823de87bd1749dfd50b6152ad04e09bbc951ab1307ad1117e8e480d412533da44c7e650b815435fa1febd0e2a91

Download Submit
memory/1004-223-0x0000000000000000-mapping.dmp

Download
memory/1004-231-0x000001DEF5EC0000-0x000001DEF5EC7000-memory.dmp

Filesize
28KB

Download
memory/1104-222-0x000002B2922D0000-0x000002B2922D7000-memory.dmp

Filesize
28KB

Download
memory/1104-214-0x0000000000000000-mapping.dmp

Download
memory/1516-134-0x000002CEB4F40000-0x000002CEB4F47000-memory.dmp

Filesize
28KB

Download
memory/1516-130-0x00007FFC2E2D0000-0x00007FFC2E41E000-memory.dmp

Filesize
1.3MB

Download
memory/1672-213-0x000001CFD5AB0000-0x000001CFD5AB7000-memory.dmp

Filesize
28KB

Download
memory/1672-205-0x0000000000000000-mapping.dmp

Download
memory/2688-167-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-176-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-148-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-149-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-150-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-151-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-152-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-153-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-154-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-155-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-156-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-157-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-158-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-159-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-160-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-161-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-162-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-147-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-163-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-164-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-165-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-145-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-166-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-168-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-169-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-171-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-170-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-172-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-173-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-174-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-175-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-146-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-177-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-178-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-179-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-180-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-181-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-182-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-183-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-184-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-185-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-186-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-187-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-188-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-190-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-191-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-192-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-144-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-136-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-143-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-142-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-141-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-140-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-139-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-138-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-137-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-135-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/2688-193-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-194-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-189-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-203-0x0000000001310000-0x0000000001317000-memory.dmp

Filesize
28KB

Download
memory/2688-204-0x00007FFC4C780000-0x00007FFC4C790000-memory.dmp

Filesize
64KB

Download