dridex | ab8f6d64918bfde8d603af28047f91c3bdfd82df3d965391fc1b480542d64b89

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
23-03-2022 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab8f6d64918bfde8d603af28047f91c3bdfd82df3d965391fc1b480542d64b89.dll
Size

1.4MB
MD5

2a52d4cc48659ad06386e6f1ddb17613
SHA1

fb551a1f927e6b86fb2e8281d4f09a753e5a7f5b
SHA256

ab8f6d64918bfde8d603af28047f91c3bdfd82df3d965391fc1b480542d64b89
SHA512

c37af474e1defdc504f979dcdd11413ee2337baa6ebe49156e02999415cf8f3d5d69e6c3da8f8dd7ba58fec6e337ffdee4414c26e2ea79ad9ee1aa6d2381eec1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2712-135-0x0000000000CD0000-0x0000000000CD1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

CameraSettingsUIHost.exeWindowsActionDialog.exewextract.exe

pid process

1572 CameraSettingsUIHost.exe
5048 WindowsActionDialog.exe
4692 wextract.exe
Loads dropped DLL 3 IoCs

Processes:

CameraSettingsUIHost.exeWindowsActionDialog.exewextract.exe

pid process

1572 CameraSettingsUIHost.exe
5048 WindowsActionDialog.exe
4692 wextract.exe

pid	process
1572	CameraSettingsUIHost.exe
5048	WindowsActionDialog.exe
4692	wextract.exe

pid	process
1572	CameraSettingsUIHost.exe
5048	WindowsActionDialog.exe
4692	wextract.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zrakajr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\if8lK\\WindowsActionDialog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeCameraSettingsUIHost.exeWindowsActionDialog.exewextract.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsActionDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeCameraSettingsUIHost.exe

pid	process
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
1620	rundll32.exe
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
2712
1572	CameraSettingsUIHost.exe
1572	CameraSettingsUIHost.exe
2712
2712
2712
2712
2712
2712
2712

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2712

pid	process
2712

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2712 wrote to memory of 1412	2712	CameraSettingsUIHost.exe
PID 2712 wrote to memory of 1412	2712	CameraSettingsUIHost.exe
PID 2712 wrote to memory of 1572	2712	CameraSettingsUIHost.exe
PID 2712 wrote to memory of 1572	2712	CameraSettingsUIHost.exe
PID 2712 wrote to memory of 4268	2712	WindowsActionDialog.exe
PID 2712 wrote to memory of 4268	2712	WindowsActionDialog.exe
PID 2712 wrote to memory of 5048	2712	WindowsActionDialog.exe
PID 2712 wrote to memory of 5048	2712	WindowsActionDialog.exe
PID 2712 wrote to memory of 4720	2712	wextract.exe
PID 2712 wrote to memory of 4720	2712	wextract.exe
PID 2712 wrote to memory of 4692	2712	wextract.exe
PID 2712 wrote to memory of 4692	2712	wextract.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab8f6d64918bfde8d603af28047f91c3bdfd82df3d965391fc1b480542d64b89.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:1412

C:\Users\Admin\AppData\Local\TOJ\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\TOJ\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Windows\system32\WindowsActionDialog.exe
C:\Windows\system32\WindowsActionDialog.exe
1⤵
PID:4268

C:\Users\Admin\AppData\Local\hB2zwsE\WindowsActionDialog.exe
C:\Users\Admin\AppData\Local\hB2zwsE\WindowsActionDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5048

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:4720

C:\Users\Admin\AppData\Local\a6W\wextract.exe
C:\Users\Admin\AppData\Local\a6W\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TOJ\CameraSettingsUIHost.exe
MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\TOJ\DUI70.dll
MD5
dedaf85b1f06921c8345bdcf2d7734da

SHA1
758c4dbf694b66f438bea704d7d98a13c13edccf

SHA256
5abddf446dc9d678d526ec85201ed7d4f4b4b2f0fe15e5dfa8e363cdcdfbccd1

SHA512
e252620f7dbb9e010ce2e5c764ded7276f1e20535f9e5ee993fc2f20bc960b73b6eb018544122df203d0c984cb11acb96597de338b7af51ca0c43c0766617968

Download Submit
C:\Users\Admin\AppData\Local\TOJ\DUI70.dll
MD5
dedaf85b1f06921c8345bdcf2d7734da

SHA1
758c4dbf694b66f438bea704d7d98a13c13edccf

SHA256
5abddf446dc9d678d526ec85201ed7d4f4b4b2f0fe15e5dfa8e363cdcdfbccd1

SHA512
e252620f7dbb9e010ce2e5c764ded7276f1e20535f9e5ee993fc2f20bc960b73b6eb018544122df203d0c984cb11acb96597de338b7af51ca0c43c0766617968

Download Submit
C:\Users\Admin\AppData\Local\a6W\VERSION.dll
MD5
ffe08e63d22fffef880dee2d7a87c956

SHA1
49664dc183738db05a83a5cbf6ae3f747c8bde3e

SHA256
a6f5ec8077f6b3011e7f5d9740a044a86dcc867c88b34725300e2f96d8761f44

SHA512
e3f33e51bfcc64fd4f909260e1f8f55b8c1deae7cfdeb93972ab0eacf22f0aeed365cadd5c99885e60914f75a2f4a4a32c005a451ab860d48ea3ff1044ead35f

Download Submit
C:\Users\Admin\AppData\Local\a6W\VERSION.dll
MD5
ffe08e63d22fffef880dee2d7a87c956

SHA1
49664dc183738db05a83a5cbf6ae3f747c8bde3e

SHA256
a6f5ec8077f6b3011e7f5d9740a044a86dcc867c88b34725300e2f96d8761f44

SHA512
e3f33e51bfcc64fd4f909260e1f8f55b8c1deae7cfdeb93972ab0eacf22f0aeed365cadd5c99885e60914f75a2f4a4a32c005a451ab860d48ea3ff1044ead35f

Download Submit
C:\Users\Admin\AppData\Local\a6W\wextract.exe
MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Local\hB2zwsE\DUI70.dll
MD5
ac2e8fcf0f9a9d329ae24340a2c8819e

SHA1
29288313a42760fcab78fafd28e4c15289c16a2b

SHA256
1d4cf6d40e2cc557e82a0c8e8a2438420842d13de1edb7dee17e20d5e67e3b6f

SHA512
1836ba41dec4abfd4d3b0dab195ac8a4df1c62fbbba43421c6191d8095dde8806446c2700f2980b2b551ad0b317536b76983cee8dfe98623cbd43eeb98cdad60

Download Submit
C:\Users\Admin\AppData\Local\hB2zwsE\DUI70.dll
MD5
ac2e8fcf0f9a9d329ae24340a2c8819e

SHA1
29288313a42760fcab78fafd28e4c15289c16a2b

SHA256
1d4cf6d40e2cc557e82a0c8e8a2438420842d13de1edb7dee17e20d5e67e3b6f

SHA512
1836ba41dec4abfd4d3b0dab195ac8a4df1c62fbbba43421c6191d8095dde8806446c2700f2980b2b551ad0b317536b76983cee8dfe98623cbd43eeb98cdad60

Download Submit
C:\Users\Admin\AppData\Local\hB2zwsE\WindowsActionDialog.exe
MD5
73c523b6556f2dc7eefc662338d66f8d

SHA1
1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5

SHA256
0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31

SHA512
69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

Download Submit
memory/1572-214-0x0000000000000000-mapping.dmp

Download
memory/1572-222-0x0000022CD36F0000-0x0000022CD36F7000-memory.dmp

Filesize
28KB

Download
memory/1620-134-0x0000019D060F0000-0x0000019D060F7000-memory.dmp

Filesize
28KB

Download
memory/1620-130-0x00007FFF7BDE0000-0x00007FFF7BF3A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-166-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-174-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-143-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-144-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-145-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-146-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-147-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-149-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-150-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-148-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-152-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-151-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-153-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-154-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-155-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-156-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-157-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-159-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-160-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-158-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-161-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-162-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-163-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-164-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-165-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-141-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-167-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-168-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-169-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-170-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-171-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-172-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-173-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-142-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-175-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-177-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-176-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-178-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-179-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-180-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-181-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-182-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-184-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-183-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-185-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-186-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-187-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-188-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-189-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-190-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-191-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-192-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-193-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-194-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-208-0x0000000000CA0000-0x0000000000CA7000-memory.dmp

Filesize
28KB

Download
memory/2712-213-0x00007FFF99840000-0x00007FFF99850000-memory.dmp

Filesize
64KB

Download
memory/2712-135-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/2712-140-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-139-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-136-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-137-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2712-138-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4692-232-0x0000000000000000-mapping.dmp

Download
memory/4692-240-0x0000028839610000-0x0000028839617000-memory.dmp

Filesize
28KB

Download
memory/5048-231-0x00000260A74D0000-0x00000260A74D7000-memory.dmp

Filesize
28KB

Download
memory/5048-223-0x0000000000000000-mapping.dmp

Download