dridex | 0731ec1f9527f2a2c35d1aaee97f959cb02e795821987aaff927d97daa42478d

Analysis

max time kernel
154s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0731ec1f9527f2a2c35d1aaee97f959cb02e795821987aaff927d97daa42478d.dll
Size

883KB
MD5

ff389f0230936c0facf48d900e622849
SHA1

2cfcb3253c72dbe733bf9a6831f857c18e6dc7f8
SHA256

0731ec1f9527f2a2c35d1aaee97f959cb02e795821987aaff927d97daa42478d
SHA512

890b8918dc5c33ebc988bc9c6e1b850e1ef80afcbc03df47a0158b1cf072ebc09d0ee06626bd9f2ef287b17217e370150cb3e4ffc9c6b85613508d16ab5628af

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3140-130-0x0000000000C40000-0x0000000000C41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

Narrator.exeUtilman.exebdeunlock.exeSppExtComObj.Exe

pid process

3108 Narrator.exe
3200 Utilman.exe
4064 bdeunlock.exe
2280 SppExtComObj.Exe
Loads dropped DLL 3 IoCs

Processes:

Utilman.exebdeunlock.exeSppExtComObj.Exe

pid process

3200 Utilman.exe
4064 bdeunlock.exe
2280 SppExtComObj.Exe

pid	process
3108	Narrator.exe
3200	Utilman.exe
4064	bdeunlock.exe
2280	SppExtComObj.Exe

pid	process
3200	Utilman.exe
4064	bdeunlock.exe
2280	SppExtComObj.Exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\wBa15JH\\bdeunlock.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SppExtComObj.Exerundll32.exeUtilman.exebdeunlock.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
2304	rundll32.exe
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3140

pid	process
3140

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

description	pid	target process
PID 3140 wrote to memory of 3476	3140	Narrator.exe
PID 3140 wrote to memory of 3476	3140	Narrator.exe
PID 3140 wrote to memory of 2856	3140	Utilman.exe
PID 3140 wrote to memory of 2856	3140	Utilman.exe
PID 3140 wrote to memory of 3200	3140	Utilman.exe
PID 3140 wrote to memory of 3200	3140	Utilman.exe
PID 3140 wrote to memory of 3616	3140	bdeunlock.exe
PID 3140 wrote to memory of 3616	3140	bdeunlock.exe
PID 3140 wrote to memory of 4064	3140	bdeunlock.exe
PID 3140 wrote to memory of 4064	3140	bdeunlock.exe
PID 3140 wrote to memory of 4540	3140	SppExtComObj.Exe
PID 3140 wrote to memory of 4540	3140	SppExtComObj.Exe
PID 3140 wrote to memory of 2280	3140	SppExtComObj.Exe
PID 3140 wrote to memory of 2280	3140	SppExtComObj.Exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0731ec1f9527f2a2c35d1aaee97f959cb02e795821987aaff927d97daa42478d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2304

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:3476

C:\Users\Admin\AppData\Local\vreT1e\Narrator.exe
C:\Users\Admin\AppData\Local\vreT1e\Narrator.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:2856

C:\Users\Admin\AppData\Local\bbXmNfE\Utilman.exe
C:\Users\Admin\AppData\Local\bbXmNfE\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3200

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:3616

C:\Users\Admin\AppData\Local\tANNQ5j\bdeunlock.exe
C:\Users\Admin\AppData\Local\tANNQ5j\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4064

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:4540

C:\Users\Admin\AppData\Local\H2wKMrF7\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\H2wKMrF7\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\H2wKMrF7\ACTIVEDS.dll
Filesize
885KB

MD5
151c54ca2169846b39eb8d5eba0c2682

SHA1
41a20db7c4eb79f9cce0bd2f67a2171fb9ea29f4

SHA256
8d7c47bcef24f0defe318b427eeb19def20c3b260600d2503932c61fe961d12f

SHA512
8e715fb5fec0bad5c4dd92f1890e3bd328b27b491bac88193207c152683609ba318c4e438fa99dfadacc97381027825438455c10c571aa075b65d85b37297b0c

Download Submit
C:\Users\Admin\AppData\Local\H2wKMrF7\ACTIVEDS.dll
Filesize
885KB

MD5
151c54ca2169846b39eb8d5eba0c2682

SHA1
41a20db7c4eb79f9cce0bd2f67a2171fb9ea29f4

SHA256
8d7c47bcef24f0defe318b427eeb19def20c3b260600d2503932c61fe961d12f

SHA512
8e715fb5fec0bad5c4dd92f1890e3bd328b27b491bac88193207c152683609ba318c4e438fa99dfadacc97381027825438455c10c571aa075b65d85b37297b0c

Download Submit
C:\Users\Admin\AppData\Local\H2wKMrF7\SppExtComObj.Exe
Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Local\bbXmNfE\DUser.dll
Filesize
888KB

MD5
8d3699647984a58c6f7fc7644f758ad8

SHA1
b45d6e2acd1a0155615289a2c46bb63be40ccbb2

SHA256
75ea9e89aeb5b413537a550716070d7c152a6d7ba16967f05d3c6f5aad54b369

SHA512
626a0cbe37ac627cadd641cb27852d486bf2e7ee1894ec3367af127e511e7e9c29f98ca21329f951690744e3224e1933b962b2e2fb396f18e55cf22840678510

Download Submit
C:\Users\Admin\AppData\Local\bbXmNfE\DUser.dll
Filesize
888KB

MD5
8d3699647984a58c6f7fc7644f758ad8

SHA1
b45d6e2acd1a0155615289a2c46bb63be40ccbb2

SHA256
75ea9e89aeb5b413537a550716070d7c152a6d7ba16967f05d3c6f5aad54b369

SHA512
626a0cbe37ac627cadd641cb27852d486bf2e7ee1894ec3367af127e511e7e9c29f98ca21329f951690744e3224e1933b962b2e2fb396f18e55cf22840678510

Download Submit
C:\Users\Admin\AppData\Local\bbXmNfE\Utilman.exe
Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Local\tANNQ5j\DUser.dll
Filesize
888KB

MD5
f1869fd83a0c9ce74865644d0912d731

SHA1
c19175bf2a6badb990cab68944662106e9cc1510

SHA256
7e76efe0036d5c2dbac906abd68c3d2044edc612aea32aa36ce406b5afebb8d0

SHA512
4b84d2e3b90b2c3ca46c90bf79727d2bd82691be20a839ba6dd7e784d520487053eeeb9debfcefcda70f0b8618529e3cc4389e88e9955abfa4063e92dcce14fa

Download Submit
C:\Users\Admin\AppData\Local\tANNQ5j\DUser.dll
Filesize
888KB

MD5
f1869fd83a0c9ce74865644d0912d731

SHA1
c19175bf2a6badb990cab68944662106e9cc1510

SHA256
7e76efe0036d5c2dbac906abd68c3d2044edc612aea32aa36ce406b5afebb8d0

SHA512
4b84d2e3b90b2c3ca46c90bf79727d2bd82691be20a839ba6dd7e784d520487053eeeb9debfcefcda70f0b8618529e3cc4389e88e9955abfa4063e92dcce14fa

Download Submit
C:\Users\Admin\AppData\Local\tANNQ5j\bdeunlock.exe
Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\vreT1e\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
memory/2280-155-0x0000000000000000-mapping.dmp

Download
memory/3140-144-0x00007FFDEBDCC000-0x00007FFDEBDCD000-memory.dmp

Filesize
4KB

Download
memory/3140-138-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-143-0x00007FFDEBDFC000-0x00007FFDEBDFD000-memory.dmp

Filesize
4KB

Download
memory/3140-130-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3140-145-0x00007FFDEBD10000-0x00007FFDEBD20000-memory.dmp

Filesize
64KB

Download
memory/3140-141-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-132-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-140-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-139-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-142-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-131-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-137-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-136-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-133-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-135-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3140-134-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3200-147-0x0000000000000000-mapping.dmp

Download
memory/4064-151-0x0000000000000000-mapping.dmp

Download