dridex | c1b3d542437bf99e35a80e4e3c76f96bbd606ff4ad3d776dac0b669349a21f46

Analysis

max time kernel
171s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1b3d542437bf99e35a80e4e3c76f96bbd606ff4ad3d776dac0b669349a21f46.dll
Size

879KB
MD5

345fe9bed1a1c1abe86be54d6e986731
SHA1

c45e7d3942fbd00268937c9d638c580565a1a2ec
SHA256

c1b3d542437bf99e35a80e4e3c76f96bbd606ff4ad3d776dac0b669349a21f46
SHA512

3c130b65cbeebc6dc9e724df377a75d3a0780cce19d32f085b6b8b4aac01d881f63bb5cdc2b696943bc7f18b6802289ee4fd12203126f732b15dfb260aca55e7

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1308-54-0x0000000002200000-0x0000000002201000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Netplwiz.exeshrpubw.exemfpmp.exe

pid process

332 Netplwiz.exe
1224 shrpubw.exe
1548 mfpmp.exe
Loads dropped DLL 7 IoCs

Processes:

Netplwiz.exeshrpubw.exemfpmp.exe

pid process

1308
332 Netplwiz.exe
1308
1224 shrpubw.exe
1308
1548 mfpmp.exe
1308

pid	process
332	Netplwiz.exe
1224	shrpubw.exe
1548	mfpmp.exe

pid	process
1308
332	Netplwiz.exe
1308
1224	shrpubw.exe
1308
1548	mfpmp.exe
1308

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\EqLyzJCZCL\\shrpubw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeNetplwiz.exeshrpubw.exemfpmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeNetplwiz.exe

pid	process
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
1308
332	Netplwiz.exe
332	Netplwiz.exe
1308
1308
1308
1308

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1308 wrote to memory of 1796	1308	Netplwiz.exe
PID 1308 wrote to memory of 1796	1308	Netplwiz.exe
PID 1308 wrote to memory of 1796	1308	Netplwiz.exe
PID 1308 wrote to memory of 332	1308	Netplwiz.exe
PID 1308 wrote to memory of 332	1308	Netplwiz.exe
PID 1308 wrote to memory of 332	1308	Netplwiz.exe
PID 1308 wrote to memory of 544	1308	shrpubw.exe
PID 1308 wrote to memory of 544	1308	shrpubw.exe
PID 1308 wrote to memory of 544	1308	shrpubw.exe
PID 1308 wrote to memory of 1224	1308	shrpubw.exe
PID 1308 wrote to memory of 1224	1308	shrpubw.exe
PID 1308 wrote to memory of 1224	1308	shrpubw.exe
PID 1308 wrote to memory of 1572	1308	mfpmp.exe
PID 1308 wrote to memory of 1572	1308	mfpmp.exe
PID 1308 wrote to memory of 1572	1308	mfpmp.exe
PID 1308 wrote to memory of 1548	1308	mfpmp.exe
PID 1308 wrote to memory of 1548	1308	mfpmp.exe
PID 1308 wrote to memory of 1548	1308	mfpmp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c1b3d542437bf99e35a80e4e3c76f96bbd606ff4ad3d776dac0b669349a21f46.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:1796

C:\Users\Admin\AppData\Local\V95Sm\Netplwiz.exe
C:\Users\Admin\AppData\Local\V95Sm\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:544

C:\Users\Admin\AppData\Local\kzZ\shrpubw.exe
C:\Users\Admin\AppData\Local\kzZ\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1224

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1572

C:\Users\Admin\AppData\Local\O8Kmhnni\mfpmp.exe
C:\Users\Admin\AppData\Local\O8Kmhnni\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\O8Kmhnni\MFPlat.DLL
Filesize
884KB

MD5
fdd17e7eed4d1dea92c45d4236e2f87f

SHA1
4317b99ca117abf0a8c8fb7ff84a120d29166b32

SHA256
fa3e1ce987f4a2b5fc19eab1a1c95ea5e9a58e39103b9ef34a72bf6a48a6849f

SHA512
a2f07beb8c2793f3fb9f41b761c6e8b3460d1c2c079ac5e55fafd2d992c37a57730f3f4e587960dc4b64215cc2e470ef16889f5083bd2a48b71a5864cf04114c

Download Submit
C:\Users\Admin\AppData\Local\O8Kmhnni\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
C:\Users\Admin\AppData\Local\V95Sm\NETPLWIZ.dll
Filesize
879KB

MD5
026c693dd740dc06b16774a34cd12311

SHA1
d00c04cc3a5b8a3fec20bed7a1c47dc28e26a45a

SHA256
88fa678bd3c7b77240807fa29f33a630912733161b2271fcad66862071f4f448

SHA512
a39232373a8e974a08afe76a98c6dda6200db5828b4ee9364d96bea1d2805c6bb6754e6428528a23fe0e3b54b8e3770ace07e16c7bbf9f2423dfe04c1577afa0

Download Submit
C:\Users\Admin\AppData\Local\V95Sm\Netplwiz.exe
Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\kzZ\ACLUI.dll
Filesize
879KB

MD5
720214b40e5f9b3f02ff9dab23b591ad

SHA1
d54c03e59ed410076e8790033e5787fe734072e6

SHA256
8cce79726e71084d9a6572130dda144d7d27c88c24855eb679800652b38740aa

SHA512
edc4b1d5e53479660a180e78dc7532910efe7e2639422ee4f4e833d0dea9dd07eb57b9b310f14dadc0dd49688c136b755f5484ff35eee9556d53ad9e90d129bc

Download Submit
C:\Users\Admin\AppData\Local\kzZ\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\O8Kmhnni\MFPlat.DLL
Filesize
884KB

MD5
fdd17e7eed4d1dea92c45d4236e2f87f

SHA1
4317b99ca117abf0a8c8fb7ff84a120d29166b32

SHA256
fa3e1ce987f4a2b5fc19eab1a1c95ea5e9a58e39103b9ef34a72bf6a48a6849f

SHA512
a2f07beb8c2793f3fb9f41b761c6e8b3460d1c2c079ac5e55fafd2d992c37a57730f3f4e587960dc4b64215cc2e470ef16889f5083bd2a48b71a5864cf04114c

Download Submit
\Users\Admin\AppData\Local\O8Kmhnni\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\V95Sm\NETPLWIZ.dll
Filesize
879KB

MD5
026c693dd740dc06b16774a34cd12311

SHA1
d00c04cc3a5b8a3fec20bed7a1c47dc28e26a45a

SHA256
88fa678bd3c7b77240807fa29f33a630912733161b2271fcad66862071f4f448

SHA512
a39232373a8e974a08afe76a98c6dda6200db5828b4ee9364d96bea1d2805c6bb6754e6428528a23fe0e3b54b8e3770ace07e16c7bbf9f2423dfe04c1577afa0

Download Submit
\Users\Admin\AppData\Local\V95Sm\Netplwiz.exe
Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\kzZ\ACLUI.dll
Filesize
879KB

MD5
720214b40e5f9b3f02ff9dab23b591ad

SHA1
d54c03e59ed410076e8790033e5787fe734072e6

SHA256
8cce79726e71084d9a6572130dda144d7d27c88c24855eb679800652b38740aa

SHA512
edc4b1d5e53479660a180e78dc7532910efe7e2639422ee4f4e833d0dea9dd07eb57b9b310f14dadc0dd49688c136b755f5484ff35eee9556d53ad9e90d129bc

Download Submit
\Users\Admin\AppData\Local\kzZ\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\8W\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
memory/332-67-0x0000000000000000-mapping.dmp

Download
memory/1224-74-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1224-72-0x0000000000000000-mapping.dmp

Download
memory/1308-65-0x00000000776A0000-0x00000000776A2000-memory.dmp

Filesize
8KB

Download
memory/1308-63-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-64-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-61-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-55-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-54-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1308-57-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-58-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-62-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-56-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-59-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1308-60-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1548-78-0x0000000000000000-mapping.dmp

Download