dridex | f6c643e1e29177914ad70b4c2b40d28d9d05b0518bfb358888bab8f68736f118

Analysis

max time kernel
158s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c643e1e29177914ad70b4c2b40d28d9d05b0518bfb358888bab8f68736f118.dll
Size

886KB
MD5

471a11a667025ad95b5c6ee9690d7036
SHA1

27e65af61719544741b1efb7065e8172534f1acd
SHA256

f6c643e1e29177914ad70b4c2b40d28d9d05b0518bfb358888bab8f68736f118
SHA512

e1b7d25e163dd1264e456bcb6b494a43a1392ee5766f05e57dea9e4ec9fde6056177ca5f52d323837fc8f21c93ce2beaf836fc533c123952ec65b3d0832ae327

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2640-130-0x00000000012D0000-0x00000000012D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msdt.execmstp.exePresentationSettings.exe

pid process

1912 msdt.exe
1496 cmstp.exe
456 PresentationSettings.exe
Loads dropped DLL 4 IoCs

Processes:

msdt.execmstp.exePresentationSettings.exe

pid process

1912 msdt.exe
1496 cmstp.exe
1496 cmstp.exe
456 PresentationSettings.exe

pid	process
1912	msdt.exe
1496	cmstp.exe
456	PresentationSettings.exe

pid	process
1912	msdt.exe
1496	cmstp.exe
1496	cmstp.exe
456	PresentationSettings.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\Ec9OEKYF\\cmstp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsdt.execmstp.exePresentationSettings.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1352	rundll32.exe
1352	rundll32.exe
1352	rundll32.exe
1352	rundll32.exe
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640
2640

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2640

pid	process
2640

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2640 wrote to memory of 3824	2640	msdt.exe
PID 2640 wrote to memory of 3824	2640	msdt.exe
PID 2640 wrote to memory of 1912	2640	msdt.exe
PID 2640 wrote to memory of 1912	2640	msdt.exe
PID 2640 wrote to memory of 3516	2640	cmstp.exe
PID 2640 wrote to memory of 3516	2640	cmstp.exe
PID 2640 wrote to memory of 1496	2640	cmstp.exe
PID 2640 wrote to memory of 1496	2640	cmstp.exe
PID 2640 wrote to memory of 3520	2640	PresentationSettings.exe
PID 2640 wrote to memory of 3520	2640	PresentationSettings.exe
PID 2640 wrote to memory of 456	2640	PresentationSettings.exe
PID 2640 wrote to memory of 456	2640	PresentationSettings.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f6c643e1e29177914ad70b4c2b40d28d9d05b0518bfb358888bab8f68736f118.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:3824

C:\Users\Admin\AppData\Local\vO8eE\msdt.exe
C:\Users\Admin\AppData\Local\vO8eE\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1912

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:3516

C:\Users\Admin\AppData\Local\rN0QPzrN9\cmstp.exe
C:\Users\Admin\AppData\Local\rN0QPzrN9\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1496

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:3520

C:\Users\Admin\AppData\Local\kEp\PresentationSettings.exe
C:\Users\Admin\AppData\Local\kEp\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\kEp\PresentationSettings.exe
Filesize
219KB

MD5
790799a168c41689849310f6c15f98fa

SHA1
a5d213fc1c71a56de9441b2e35411d83770c01ec

SHA256
6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8

SHA512
8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

Download Submit
C:\Users\Admin\AppData\Local\kEp\WINMM.dll
Filesize
892KB

MD5
25a9ea582246f2ffc4292d1bfbe95894

SHA1
82b8660c832dc37742e5e30a792e6af260b1bc77

SHA256
f54a0e6d555c571493d2b62cf6585438fe7b0db805b17facd3f0a3cd19109777

SHA512
040be5e1d59db4bfcf992ea68e1529d2e3b12a16981608ae179410d6abbcd4ba57a89bbf9d3c4769f503cea891d5e5c11c798300d8eca28d2d85e8069f575d24

Download Submit
C:\Users\Admin\AppData\Local\kEp\WINMM.dll
Filesize
892KB

MD5
25a9ea582246f2ffc4292d1bfbe95894

SHA1
82b8660c832dc37742e5e30a792e6af260b1bc77

SHA256
f54a0e6d555c571493d2b62cf6585438fe7b0db805b17facd3f0a3cd19109777

SHA512
040be5e1d59db4bfcf992ea68e1529d2e3b12a16981608ae179410d6abbcd4ba57a89bbf9d3c4769f503cea891d5e5c11c798300d8eca28d2d85e8069f575d24

Download Submit
C:\Users\Admin\AppData\Local\rN0QPzrN9\VERSION.dll
Filesize
888KB

MD5
795522d721e78e38b65a2a7e4a5bdb9b

SHA1
8bc66a6cdd7baaad09311ce037dd5aba77e5a321

SHA256
ab78273e70b173b8f9c5dce9fa25de313b515c8cf6d5e884ebd44ad8f2a4b481

SHA512
fb2edbdb48c7035c9cf5a2ced51edb269596328c883b785400b6475cff7140e5c680421ad6016c05bfe0b17236c77ec440f2b311e0d89c164fb841d23d2276fb

Download Submit
C:\Users\Admin\AppData\Local\rN0QPzrN9\VERSION.dll
Filesize
888KB

MD5
795522d721e78e38b65a2a7e4a5bdb9b

SHA1
8bc66a6cdd7baaad09311ce037dd5aba77e5a321

SHA256
ab78273e70b173b8f9c5dce9fa25de313b515c8cf6d5e884ebd44ad8f2a4b481

SHA512
fb2edbdb48c7035c9cf5a2ced51edb269596328c883b785400b6475cff7140e5c680421ad6016c05bfe0b17236c77ec440f2b311e0d89c164fb841d23d2276fb

Download Submit
C:\Users\Admin\AppData\Local\rN0QPzrN9\VERSION.dll
Filesize
888KB

MD5
795522d721e78e38b65a2a7e4a5bdb9b

SHA1
8bc66a6cdd7baaad09311ce037dd5aba77e5a321

SHA256
ab78273e70b173b8f9c5dce9fa25de313b515c8cf6d5e884ebd44ad8f2a4b481

SHA512
fb2edbdb48c7035c9cf5a2ced51edb269596328c883b785400b6475cff7140e5c680421ad6016c05bfe0b17236c77ec440f2b311e0d89c164fb841d23d2276fb

Download Submit
C:\Users\Admin\AppData\Local\rN0QPzrN9\cmstp.exe
Filesize
96KB

MD5
4cc43fe4d397ff79fa69f397e016df52

SHA1
8fd6cf81ad40c9b123cd75611860a8b95c72869c

SHA256
f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

SHA512
851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Download Submit
C:\Users\Admin\AppData\Local\vO8eE\UxTheme.dll
Filesize
890KB

MD5
1925a0adfed24218406a3e79d2f9ccb0

SHA1
9838283c376f6050c8a2c4a74a416c7e7d579c8b

SHA256
dc43f98af0f435da5bfb48416d704a517f035cf6ac4c69c02410a545544a8959

SHA512
b7278c7ee624552d3405574e94ca886708b248f7c6dc88596e1a190d73f233592ad9325947cadac08879462c3fba64ffdbff2aa33fb26532aaaf10799ae3add8

Download Submit
C:\Users\Admin\AppData\Local\vO8eE\UxTheme.dll
Filesize
890KB

MD5
1925a0adfed24218406a3e79d2f9ccb0

SHA1
9838283c376f6050c8a2c4a74a416c7e7d579c8b

SHA256
dc43f98af0f435da5bfb48416d704a517f035cf6ac4c69c02410a545544a8959

SHA512
b7278c7ee624552d3405574e94ca886708b248f7c6dc88596e1a190d73f233592ad9325947cadac08879462c3fba64ffdbff2aa33fb26532aaaf10799ae3add8

Download Submit
C:\Users\Admin\AppData\Local\vO8eE\msdt.exe
Filesize
421KB

MD5
992c3f0cc8180f2f51156671e027ae75

SHA1
942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

SHA256
6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

SHA512
1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

Download Submit
memory/456-155-0x0000000000000000-mapping.dmp

Download
memory/1496-150-0x0000000000000000-mapping.dmp

Download
memory/1912-146-0x0000000000000000-mapping.dmp

Download
memory/2640-135-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-139-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-145-0x00007FFA16AB0000-0x00007FFA16AC0000-memory.dmp

Filesize
64KB

Download
memory/2640-143-0x00007FFA16B9C000-0x00007FFA16B9D000-memory.dmp

Filesize
4KB

Download
memory/2640-144-0x00007FFA16B6C000-0x00007FFA16B6D000-memory.dmp

Filesize
4KB

Download
memory/2640-141-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-140-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-142-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-133-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-130-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/2640-138-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-137-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-136-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-134-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-131-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/2640-132-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download