dridex | 49fdafcb6cd2de9ad2f9fe206849dca0f0a0ec5d789f5d233592c2d0ac9ac196

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49fdafcb6cd2de9ad2f9fe206849dca0f0a0ec5d789f5d233592c2d0ac9ac196.dll
Size

882KB
MD5

26bcda26b072631f82eeaf26e9f1e2f3
SHA1

406dfdea2817a9b2575f36faa6903a66dce8d6db
SHA256

49fdafcb6cd2de9ad2f9fe206849dca0f0a0ec5d789f5d233592c2d0ac9ac196
SHA512

389dac3dbab8255dab1d5e86dfc14477f92dead694c129bcb0d47c1bcacc0a7f40b2a347b90692854d53ecb71091d6166f84e7e45d72a9b5139f8eb7b6bcc8a7

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1264-54-0x0000000002A40000-0x0000000002A41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.execalc.exemsdtc.exe

pid process

1104 SystemPropertiesRemote.exe
524 calc.exe
1560 msdtc.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesRemote.execalc.exemsdtc.exe

pid process

1264
1104 SystemPropertiesRemote.exe
1264
524 calc.exe
1264
1560 msdtc.exe
1264

pid	process
1104	SystemPropertiesRemote.exe
524	calc.exe
1560	msdtc.exe

pid	process
1264
1104	SystemPropertiesRemote.exe
1264
524	calc.exe
1264
1560	msdtc.exe
1264

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\ciLTL393\\calc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdtc.exerundll32.exeSystemPropertiesRemote.execalc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1676	rundll32.exe
1676	rundll32.exe
1676	rundll32.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1264 wrote to memory of 1344	1264	SystemPropertiesRemote.exe
PID 1264 wrote to memory of 1344	1264	SystemPropertiesRemote.exe
PID 1264 wrote to memory of 1344	1264	SystemPropertiesRemote.exe
PID 1264 wrote to memory of 1104	1264	SystemPropertiesRemote.exe
PID 1264 wrote to memory of 1104	1264	SystemPropertiesRemote.exe
PID 1264 wrote to memory of 1104	1264	SystemPropertiesRemote.exe
PID 1264 wrote to memory of 1120	1264	calc.exe
PID 1264 wrote to memory of 1120	1264	calc.exe
PID 1264 wrote to memory of 1120	1264	calc.exe
PID 1264 wrote to memory of 524	1264	calc.exe
PID 1264 wrote to memory of 524	1264	calc.exe
PID 1264 wrote to memory of 524	1264	calc.exe
PID 1264 wrote to memory of 1516	1264	msdtc.exe
PID 1264 wrote to memory of 1516	1264	msdtc.exe
PID 1264 wrote to memory of 1516	1264	msdtc.exe
PID 1264 wrote to memory of 1560	1264	msdtc.exe
PID 1264 wrote to memory of 1560	1264	msdtc.exe
PID 1264 wrote to memory of 1560	1264	msdtc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49fdafcb6cd2de9ad2f9fe206849dca0f0a0ec5d789f5d233592c2d0ac9ac196.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:1344

C:\Users\Admin\AppData\Local\bvEHasm\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\bvEHasm\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1104

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:1120

C:\Users\Admin\AppData\Local\bQc\calc.exe
C:\Users\Admin\AppData\Local\bQc\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:524

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:1516

C:\Users\Admin\AppData\Local\VAW\msdtc.exe
C:\Users\Admin\AppData\Local\VAW\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\VAW\VERSION.dll
Filesize
883KB

MD5
a6b0f03c7df6206e7eb8c7ea40755e71

SHA1
8575674896e7d42dda5463cd95ad50d61eec5678

SHA256
7208f90ccae9f3090f19b19c39a1195f665c0dc84c548b9212b76e0b9f645c59

SHA512
9e5e7261709e2557d5edd7427bf5978641380a64a964c9017d4b9896685ad4cf961b0630346a0b4e65d1c240cfc09d778e47a13a31c099093e1adcfae51f837c

Download Submit
C:\Users\Admin\AppData\Local\VAW\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
C:\Users\Admin\AppData\Local\bQc\VERSION.dll
Filesize
883KB

MD5
959860950d074dedce852a078c415074

SHA1
cee7ae9548bc07c4e2863faabf5bf63e6c0ec447

SHA256
a546fb5fe8757f3c2d2c03777dfef22ae7a43d776754ab228a9fb14e8591c0d9

SHA512
2b6286ed1e5b06b9fdb852f75401a0cb2e8294d420bc97a9df6d54c9e38a27319eb422d9cdcdb628a36b35e083671a09a3de959d6a44123c08c1ff162a4155ef

Download Submit
C:\Users\Admin\AppData\Local\bQc\calc.exe
Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
C:\Users\Admin\AppData\Local\bvEHasm\SYSDM.CPL
Filesize
883KB

MD5
e31bad558c72f2338b631e6d99b26274

SHA1
52f9efcf5b6433928467fa8cd5d65a003d452540

SHA256
ebdef4d5bab162fb8c1d8da7f0ca0ef06064a7300c9db6fa9685aa65e0587de8

SHA512
c94bbf9460da8eb2fc62ed11e8f0286ea21a5ddbcada08f636eb8a7113c26414a71b14990b48b9952bf0079f22d6a7229eed2695d9f337580c09406e24846052

Download Submit
C:\Users\Admin\AppData\Local\bvEHasm\SystemPropertiesRemote.exe
Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\VAW\VERSION.dll
Filesize
883KB

MD5
a6b0f03c7df6206e7eb8c7ea40755e71

SHA1
8575674896e7d42dda5463cd95ad50d61eec5678

SHA256
7208f90ccae9f3090f19b19c39a1195f665c0dc84c548b9212b76e0b9f645c59

SHA512
9e5e7261709e2557d5edd7427bf5978641380a64a964c9017d4b9896685ad4cf961b0630346a0b4e65d1c240cfc09d778e47a13a31c099093e1adcfae51f837c

Download Submit
\Users\Admin\AppData\Local\VAW\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
\Users\Admin\AppData\Local\bQc\VERSION.dll
Filesize
883KB

MD5
959860950d074dedce852a078c415074

SHA1
cee7ae9548bc07c4e2863faabf5bf63e6c0ec447

SHA256
a546fb5fe8757f3c2d2c03777dfef22ae7a43d776754ab228a9fb14e8591c0d9

SHA512
2b6286ed1e5b06b9fdb852f75401a0cb2e8294d420bc97a9df6d54c9e38a27319eb422d9cdcdb628a36b35e083671a09a3de959d6a44123c08c1ff162a4155ef

Download Submit
\Users\Admin\AppData\Local\bQc\calc.exe
Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Local\bvEHasm\SYSDM.CPL
Filesize
883KB

MD5
e31bad558c72f2338b631e6d99b26274

SHA1
52f9efcf5b6433928467fa8cd5d65a003d452540

SHA256
ebdef4d5bab162fb8c1d8da7f0ca0ef06064a7300c9db6fa9685aa65e0587de8

SHA512
c94bbf9460da8eb2fc62ed11e8f0286ea21a5ddbcada08f636eb8a7113c26414a71b14990b48b9952bf0079f22d6a7229eed2695d9f337580c09406e24846052

Download Submit
\Users\Admin\AppData\Local\bvEHasm\SystemPropertiesRemote.exe
Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\IbPc9faV4U\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
memory/524-74-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

Filesize
8KB

Download
memory/524-72-0x0000000000000000-mapping.dmp

Download
memory/1104-67-0x0000000000000000-mapping.dmp

Download
memory/1264-65-0x0000000077980000-0x0000000077982000-memory.dmp

Filesize
8KB

Download
memory/1264-59-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-54-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1264-60-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-58-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-57-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-64-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-56-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-63-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-55-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-62-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1264-61-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1560-78-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads