dridex | 9dbfefd3aa7cbd264a254148e585440e404efe13db1bbc21cb462e17e85ce4b9

Analysis

max time kernel
150s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dbfefd3aa7cbd264a254148e585440e404efe13db1bbc21cb462e17e85ce4b9.dll
Size

1.1MB
MD5

6bd4364803953637e50005a3b7ffef39
SHA1

612d94d8505a4df8c1daf0b2577d63902fc48bc4
SHA256

9dbfefd3aa7cbd264a254148e585440e404efe13db1bbc21cb462e17e85ce4b9
SHA512

cc4965aa058138d81d0a034fa3b802ff830eff8475addb788116f792e1597a40fd1580a217384e1afec865f19ce1de669c5f175cd49c1a2cd095a94874334649

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3076-130-0x0000000000590000-0x0000000000591000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemSettingsRemoveDevice.exeSystemPropertiesDataExecutionPrevention.exesessionmsg.exe

pid process

2148 SystemSettingsRemoveDevice.exe
3476 SystemPropertiesDataExecutionPrevention.exe
3584 sessionmsg.exe
Loads dropped DLL 3 IoCs

Processes:

SystemSettingsRemoveDevice.exeSystemPropertiesDataExecutionPrevention.exesessionmsg.exe

pid process

2148 SystemSettingsRemoveDevice.exe
3476 SystemPropertiesDataExecutionPrevention.exe
3584 sessionmsg.exe

pid	process
2148	SystemSettingsRemoveDevice.exe
3476	SystemPropertiesDataExecutionPrevention.exe
3584	sessionmsg.exe

pid	process
2148	SystemSettingsRemoveDevice.exe
3476	SystemPropertiesDataExecutionPrevention.exe
3584	sessionmsg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\UTaHBTjx\\SystemPropertiesDataExecutionPrevention.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemSettingsRemoveDevice.exeSystemPropertiesDataExecutionPrevention.exesessionmsg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1104	rundll32.exe
1104	rundll32.exe
1104	rundll32.exe
1104	rundll32.exe
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076
3076

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3076

pid	process
3076

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3076 wrote to memory of 1888	3076	SystemSettingsRemoveDevice.exe
PID 3076 wrote to memory of 1888	3076	SystemSettingsRemoveDevice.exe
PID 3076 wrote to memory of 2148	3076	SystemSettingsRemoveDevice.exe
PID 3076 wrote to memory of 2148	3076	SystemSettingsRemoveDevice.exe
PID 3076 wrote to memory of 2660	3076	SystemPropertiesDataExecutionPrevention.exe
PID 3076 wrote to memory of 2660	3076	SystemPropertiesDataExecutionPrevention.exe
PID 3076 wrote to memory of 3476	3076	SystemPropertiesDataExecutionPrevention.exe
PID 3076 wrote to memory of 3476	3076	SystemPropertiesDataExecutionPrevention.exe
PID 3076 wrote to memory of 5044	3076	sessionmsg.exe
PID 3076 wrote to memory of 5044	3076	sessionmsg.exe
PID 3076 wrote to memory of 3584	3076	sessionmsg.exe
PID 3076 wrote to memory of 3584	3076	sessionmsg.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dbfefd3aa7cbd264a254148e585440e404efe13db1bbc21cb462e17e85ce4b9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:1888

C:\Users\Admin\AppData\Local\QqJdmdOZ\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\QqJdmdOZ\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2148

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2660

C:\Users\Admin\AppData\Local\S4HXm\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\S4HXm\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3476

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:5044

C:\Users\Admin\AppData\Local\JI41Pz\sessionmsg.exe
C:\Users\Admin\AppData\Local\JI41Pz\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JI41Pz\DUI70.dll
Filesize
1.4MB

MD5
dc1b9d87ce7e40c938872315eddb08f7

SHA1
a1bafb13d59f8157977fded7b5ea73196f49f04c

SHA256
a1b556f2e44248acb46236888d5c07bdf52d329eea3b783cb23fda269b85c91b

SHA512
7b26767384501ad9372d10f44b12b9b63fea8f7464e2d2d8708b42242cf9b0e0b4cd2c210630a167589a410cc6b17a13fc5210dfa9d07fd3845055f4d052e906

Download Submit
C:\Users\Admin\AppData\Local\JI41Pz\DUI70.dll
Filesize
1.4MB

MD5
dc1b9d87ce7e40c938872315eddb08f7

SHA1
a1bafb13d59f8157977fded7b5ea73196f49f04c

SHA256
a1b556f2e44248acb46236888d5c07bdf52d329eea3b783cb23fda269b85c91b

SHA512
7b26767384501ad9372d10f44b12b9b63fea8f7464e2d2d8708b42242cf9b0e0b4cd2c210630a167589a410cc6b17a13fc5210dfa9d07fd3845055f4d052e906

Download Submit
C:\Users\Admin\AppData\Local\JI41Pz\sessionmsg.exe
Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Local\QqJdmdOZ\DUI70.dll
Filesize
1.4MB

MD5
9fc3049a5f227d2b2c818148826b208f

SHA1
bb94f721f1c62a6760e54b1651adfbfd441d06ae

SHA256
560c757c54fb16a7238b3d11fb1adb8371509dabc6119fe6e7954fe7df53d00a

SHA512
a9bd6ee7b081496ee9ee3af6f0168fbf2acbfb1b0689b580b3dd888821934dfe217dc935c01664b804f1503cdcd54e9f5739396a195589271a4366b9ae4856e1

Download Submit
C:\Users\Admin\AppData\Local\QqJdmdOZ\DUI70.dll
Filesize
1.4MB

MD5
9fc3049a5f227d2b2c818148826b208f

SHA1
bb94f721f1c62a6760e54b1651adfbfd441d06ae

SHA256
560c757c54fb16a7238b3d11fb1adb8371509dabc6119fe6e7954fe7df53d00a

SHA512
a9bd6ee7b081496ee9ee3af6f0168fbf2acbfb1b0689b580b3dd888821934dfe217dc935c01664b804f1503cdcd54e9f5739396a195589271a4366b9ae4856e1

Download Submit
C:\Users\Admin\AppData\Local\QqJdmdOZ\SystemSettingsRemoveDevice.exe
Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\S4HXm\SYSDM.CPL
Filesize
1.1MB

MD5
fa2dfeb001737e4bfa258cbb9af2282c

SHA1
6fccbb016e3bf24169940447ba6610f72ed8bdfb

SHA256
5c22736b59ebc1f80edd8480161947b7f0e564eb66b9083c7c886a31a56803da

SHA512
216061ccdc715a00cfb9a8debba7d3bc56d3249b1cd0004f0383d64646b0d29b56a61d53d298af028c5ae1f3ae2862c65c748c885c9d94e111503aba3606bec8

Download Submit
C:\Users\Admin\AppData\Local\S4HXm\SYSDM.CPL
Filesize
1.1MB

MD5
fa2dfeb001737e4bfa258cbb9af2282c

SHA1
6fccbb016e3bf24169940447ba6610f72ed8bdfb

SHA256
5c22736b59ebc1f80edd8480161947b7f0e564eb66b9083c7c886a31a56803da

SHA512
216061ccdc715a00cfb9a8debba7d3bc56d3249b1cd0004f0383d64646b0d29b56a61d53d298af028c5ae1f3ae2862c65c748c885c9d94e111503aba3606bec8

Download Submit
C:\Users\Admin\AppData\Local\S4HXm\SystemPropertiesDataExecutionPrevention.exe
Filesize
82KB

MD5
de58532954c2704f2b2309ffc320651d

SHA1
0a9fc98f4d47dccb0b231edf9a63309314f68e3b

SHA256
1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

SHA512
d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

Download Submit
memory/2148-146-0x0000000000000000-mapping.dmp

Download
memory/3076-138-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-130-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3076-131-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-143-0x00007FFBAF5BC000-0x00007FFBAF5BD000-memory.dmp

Filesize
4KB

Download
memory/3076-144-0x00007FFBAF58C000-0x00007FFBAF58D000-memory.dmp

Filesize
4KB

Download
memory/3076-145-0x00007FFBAF4D0000-0x00007FFBAF4E0000-memory.dmp

Filesize
64KB

Download
memory/3076-141-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-140-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-139-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-142-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-132-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-137-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-136-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-135-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-133-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3076-134-0x0000000140000000-0x0000000140126000-memory.dmp

Filesize
1.1MB

Download
memory/3476-150-0x0000000000000000-mapping.dmp

Download
memory/3584-154-0x0000000000000000-mapping.dmp

Download