dridex | 6f22b406ce7ba1aae300c8e36d4b83e6906792dccfcf943a9f47204624186399

Analysis

max time kernel
4294215s
max time network
123s
platform
windows7_x64
resource
win7-20220310-en
submitted
26-03-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f22b406ce7ba1aae300c8e36d4b83e6906792dccfcf943a9f47204624186399.dll
Size

1.2MB
MD5

d17d0d38b37ae7db80db3c395776973f
SHA1

da12df02ea9f306bf7416d91c81f736d82ea7ca2
SHA256

6f22b406ce7ba1aae300c8e36d4b83e6906792dccfcf943a9f47204624186399
SHA512

a5aebe082e97b01eb525113d93cd60c485e93aea3aafae3fcac3850cc5f60bd709a06ca92ad318985e1f7203af0e080edb4e97a7433b87f076c61ab0b3a82ec9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1824-54-0x0000000140000000-0x0000000140133000-memory.dmp	dridex_payload
behavioral1/memory/1456-84-0x0000000140000000-0x0000000140135000-memory.dmp	dridex_payload
behavioral1/memory/1120-94-0x0000000140000000-0x0000000140134000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-58-0x0000000002660000-0x0000000002661000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mfpmp.exeicardagt.exerrinstaller.exe

pid process

1456 mfpmp.exe
1120 icardagt.exe
1964 rrinstaller.exe
Loads dropped DLL 7 IoCs

Processes:

mfpmp.exeicardagt.exerrinstaller.exe

pid process

1212
1456 mfpmp.exe
1212
1120 icardagt.exe
1212
1964 rrinstaller.exe
1212

pid	process
1456	mfpmp.exe
1120	icardagt.exe
1964	rrinstaller.exe

pid	process
1212
1456	mfpmp.exe
1212
1120	icardagt.exe
1212
1964	rrinstaller.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eaylklfntbynuq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\PNAKWW~1\\icardagt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemfpmp.exeicardagt.exerrinstaller.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1824	rundll32.exe
1824	rundll32.exe
1824	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1212

pid	process
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 1544	1212	mfpmp.exe
PID 1212 wrote to memory of 1544	1212	mfpmp.exe
PID 1212 wrote to memory of 1544	1212	mfpmp.exe
PID 1212 wrote to memory of 1456	1212	mfpmp.exe
PID 1212 wrote to memory of 1456	1212	mfpmp.exe
PID 1212 wrote to memory of 1456	1212	mfpmp.exe
PID 1212 wrote to memory of 400	1212	icardagt.exe
PID 1212 wrote to memory of 400	1212	icardagt.exe
PID 1212 wrote to memory of 400	1212	icardagt.exe
PID 1212 wrote to memory of 1120	1212	icardagt.exe
PID 1212 wrote to memory of 1120	1212	icardagt.exe
PID 1212 wrote to memory of 1120	1212	icardagt.exe
PID 1212 wrote to memory of 556	1212	rrinstaller.exe
PID 1212 wrote to memory of 556	1212	rrinstaller.exe
PID 1212 wrote to memory of 556	1212	rrinstaller.exe
PID 1212 wrote to memory of 1964	1212	rrinstaller.exe
PID 1212 wrote to memory of 1964	1212	rrinstaller.exe
PID 1212 wrote to memory of 1964	1212	rrinstaller.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f22b406ce7ba1aae300c8e36d4b83e6906792dccfcf943a9f47204624186399.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1544

C:\Users\Admin\AppData\Local\AKsm\mfpmp.exe
C:\Users\Admin\AppData\Local\AKsm\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1456

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:400

C:\Users\Admin\AppData\Local\LRfwY\icardagt.exe
C:\Users\Admin\AppData\Local\LRfwY\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1120

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:556

C:\Users\Admin\AppData\Local\pxt\rrinstaller.exe
C:\Users\Admin\AppData\Local\pxt\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1964

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AKsm\MFPlat.DLL
Filesize
1.2MB

MD5
035681fd82d738005cc41b3f83c7d004

SHA1
71f60ce74dcead9c87e6cb6ff59a770b4e47cfc4

SHA256
4e90b9ad5b92ad4fbd261481a8964ea36ba67fc8377c420cce6df61b2f647672

SHA512
cc54b8fcd9f2c2fb0738039599ab51771f7c9f079cd70b02535c1ce6d5be35cdf6d089a178c5538f9993eeecb8879b125f8e24960982688dd457ece3715b470d

Download Submit
C:\Users\Admin\AppData\Local\AKsm\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
C:\Users\Admin\AppData\Local\LRfwY\VERSION.dll
Filesize
1.2MB

MD5
ae704eda181ebb6ec4e623048bbe838c

SHA1
1ad1f91f6f67cb55ddaace8cb0628170068ffd8e

SHA256
a15981dfe52fda8378cc45dafe7866845d329647d5c8fcb133aef620f7065b80

SHA512
046a7cdaf724ab4d79ff3bc2a9ef5c3fb70662ea0705a2081fc49f87f682b04dec09bd4c9e06ab40253c7af6f8c3b76bfba971800b3877a7e3f40ed02b62ca8a

Download Submit
C:\Users\Admin\AppData\Local\LRfwY\icardagt.exe
Filesize
1.3MB

MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
C:\Users\Admin\AppData\Local\pxt\MFPlat.DLL
Filesize
1.2MB

MD5
47c2b1dd6204c477ed0f956279c586f1

SHA1
ccb402af45bd06cea294305f2f346604a57245eb

SHA256
af85de8f63caf8e838c5c02952c2938db8a8f83d12514cd372dfb69c67c49890

SHA512
c8ef51e618621e66378b692ef9ccd0c15739e5a784ca8697985b23f4cfa6dba50b524f4992f08e22f4d35d3916edf4fee23d655c86b9a40919cb8b8519b85407

Download Submit
C:\Users\Admin\AppData\Local\pxt\rrinstaller.exe
Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\AKsm\MFPlat.DLL
Filesize
1.2MB

MD5
035681fd82d738005cc41b3f83c7d004

SHA1
71f60ce74dcead9c87e6cb6ff59a770b4e47cfc4

SHA256
4e90b9ad5b92ad4fbd261481a8964ea36ba67fc8377c420cce6df61b2f647672

SHA512
cc54b8fcd9f2c2fb0738039599ab51771f7c9f079cd70b02535c1ce6d5be35cdf6d089a178c5538f9993eeecb8879b125f8e24960982688dd457ece3715b470d

Download Submit
\Users\Admin\AppData\Local\AKsm\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\LRfwY\VERSION.dll
Filesize
1.2MB

MD5
ae704eda181ebb6ec4e623048bbe838c

SHA1
1ad1f91f6f67cb55ddaace8cb0628170068ffd8e

SHA256
a15981dfe52fda8378cc45dafe7866845d329647d5c8fcb133aef620f7065b80

SHA512
046a7cdaf724ab4d79ff3bc2a9ef5c3fb70662ea0705a2081fc49f87f682b04dec09bd4c9e06ab40253c7af6f8c3b76bfba971800b3877a7e3f40ed02b62ca8a

Download Submit
\Users\Admin\AppData\Local\LRfwY\icardagt.exe
Filesize
1.3MB

MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\pxt\MFPlat.DLL
Filesize
1.2MB

MD5
47c2b1dd6204c477ed0f956279c586f1

SHA1
ccb402af45bd06cea294305f2f346604a57245eb

SHA256
af85de8f63caf8e838c5c02952c2938db8a8f83d12514cd372dfb69c67c49890

SHA512
c8ef51e618621e66378b692ef9ccd0c15739e5a784ca8697985b23f4cfa6dba50b524f4992f08e22f4d35d3916edf4fee23d655c86b9a40919cb8b8519b85407

Download Submit
\Users\Admin\AppData\Local\pxt\rrinstaller.exe
Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\UntbPl\rrinstaller.exe
Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
memory/1120-89-0x0000000000000000-mapping.dmp

Download
memory/1120-91-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download
memory/1120-97-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1120-94-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1212-67-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-59-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-78-0x0000000001D40000-0x0000000001D47000-memory.dmp

Filesize
28KB

Download
memory/1212-62-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-61-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-69-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-63-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-68-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-65-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-66-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-58-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1212-60-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1212-64-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1456-80-0x0000000000000000-mapping.dmp

Download
memory/1456-87-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1456-84-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1824-54-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1824-57-0x00000000002B0000-0x00000000002B7000-memory.dmp

Filesize
28KB

Download
memory/1964-99-0x0000000000000000-mapping.dmp

Download
memory/1964-106-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads