dridex | 49fdafcb6cd2de9ad2f9fe206849dca0f0a0ec5d789f5d233592c2d0ac9ac196

Analysis

max time kernel
186s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49fdafcb6cd2de9ad2f9fe206849dca0f0a0ec5d789f5d233592c2d0ac9ac196.dll
Size

882KB
MD5

26bcda26b072631f82eeaf26e9f1e2f3
SHA1

406dfdea2817a9b2575f36faa6903a66dce8d6db
SHA256

49fdafcb6cd2de9ad2f9fe206849dca0f0a0ec5d789f5d233592c2d0ac9ac196
SHA512

389dac3dbab8255dab1d5e86dfc14477f92dead694c129bcb0d47c1bcacc0a7f40b2a347b90692854d53ecb71091d6166f84e7e45d72a9b5139f8eb7b6bcc8a7

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3164-130-0x0000000000F00000-0x0000000000F01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

bdechangepin.exeie4uinit.exerstrui.exe

pid process

724 bdechangepin.exe
4788 ie4uinit.exe
4252 rstrui.exe
Loads dropped DLL 4 IoCs

Processes:

bdechangepin.exeie4uinit.exerstrui.exe

pid process

724 bdechangepin.exe
4788 ie4uinit.exe
4788 ie4uinit.exe
4252 rstrui.exe

pid	process
724	bdechangepin.exe
4788	ie4uinit.exe
4252	rstrui.exe

pid	process
724	bdechangepin.exe
4788	ie4uinit.exe
4788	ie4uinit.exe
4252	rstrui.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\J5Xj42IUIo\\ie4uinit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exebdechangepin.exeie4uinit.exerstrui.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
2372	rundll32.exe
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164
3164

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3164

pid	process
3164

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3164 wrote to memory of 5040	3164	bdechangepin.exe
PID 3164 wrote to memory of 5040	3164	bdechangepin.exe
PID 3164 wrote to memory of 724	3164	bdechangepin.exe
PID 3164 wrote to memory of 724	3164	bdechangepin.exe
PID 3164 wrote to memory of 832	3164	ie4uinit.exe
PID 3164 wrote to memory of 832	3164	ie4uinit.exe
PID 3164 wrote to memory of 4788	3164	ie4uinit.exe
PID 3164 wrote to memory of 4788	3164	ie4uinit.exe
PID 3164 wrote to memory of 2428	3164	rstrui.exe
PID 3164 wrote to memory of 2428	3164	rstrui.exe
PID 3164 wrote to memory of 4252	3164	rstrui.exe
PID 3164 wrote to memory of 4252	3164	rstrui.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\49fdafcb6cd2de9ad2f9fe206849dca0f0a0ec5d789f5d233592c2d0ac9ac196.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2372

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:5040

C:\Users\Admin\AppData\Local\agCNLk7\bdechangepin.exe
C:\Users\Admin\AppData\Local\agCNLk7\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:724

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:832

C:\Users\Admin\AppData\Local\zj9inn\ie4uinit.exe
C:\Users\Admin\AppData\Local\zj9inn\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4788

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:2428

C:\Users\Admin\AppData\Local\au9HU\rstrui.exe
C:\Users\Admin\AppData\Local\au9HU\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\agCNLk7\DUI70.dll
Filesize
1.1MB

MD5
f7fb8ea15c0fd21840e7efd7e5b518cc

SHA1
7d3a797f5f35a7e2181835d76dbd76df4df92552

SHA256
bbace7bc7970d2dea6a15c1e17fce81a8cc9d6a91fe497b1685c38bfa60b3eba

SHA512
bff836da5729cd4d6990a305b0229d0c8354139e4cf29444396e477434f60d105878e4cea1adf4a41e12006b391ff5a470cec03cbdc77199912f29173a508755

Download Submit
C:\Users\Admin\AppData\Local\agCNLk7\DUI70.dll
Filesize
1.1MB

MD5
f7fb8ea15c0fd21840e7efd7e5b518cc

SHA1
7d3a797f5f35a7e2181835d76dbd76df4df92552

SHA256
bbace7bc7970d2dea6a15c1e17fce81a8cc9d6a91fe497b1685c38bfa60b3eba

SHA512
bff836da5729cd4d6990a305b0229d0c8354139e4cf29444396e477434f60d105878e4cea1adf4a41e12006b391ff5a470cec03cbdc77199912f29173a508755

Download Submit
C:\Users\Admin\AppData\Local\agCNLk7\bdechangepin.exe
Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Local\au9HU\SRCORE.dll
Filesize
883KB

MD5
ce7162569da39b68f7e03e44f084f43c

SHA1
e85d370bfac7154bea2373ef105c9824bce0baf0

SHA256
9a0c83d5b8b89c92d4b0bf4fecf76373b7cbced6ee1b004646bee948ca23b2b4

SHA512
8da2e51efba3421f221b9522a07c9875e8e3805a431e8baccfe7b501eca5676f504dde1c1b58a25cb5c8e196f5e6b931553f320909b92162dbdd10444d53d762

Download Submit
C:\Users\Admin\AppData\Local\au9HU\SRCORE.dll
Filesize
883KB

MD5
ce7162569da39b68f7e03e44f084f43c

SHA1
e85d370bfac7154bea2373ef105c9824bce0baf0

SHA256
9a0c83d5b8b89c92d4b0bf4fecf76373b7cbced6ee1b004646bee948ca23b2b4

SHA512
8da2e51efba3421f221b9522a07c9875e8e3805a431e8baccfe7b501eca5676f504dde1c1b58a25cb5c8e196f5e6b931553f320909b92162dbdd10444d53d762

Download Submit
C:\Users\Admin\AppData\Local\au9HU\rstrui.exe
Filesize
268KB

MD5
4cad10846e93e85790865d5c0ab6ffd9

SHA1
8a223f4bab28afa4c7ed630f29325563c5dcda1a

SHA256
9ddcfcaf2ebc810cc2e593446681bc4ccbad39756b1712cf045db8dee6310b4b

SHA512
c0db44de0d35a70277f8621a318c5099378da675376e47545cfbfa7412e70a870fd05c92e0d6523ea2e0139d54d9eeaed14973762341fa3154406ae36f4ce7c6

Download Submit
C:\Users\Admin\AppData\Local\zj9inn\VERSION.dll
Filesize
883KB

MD5
ffd28e39f501cc8732a37fae2381c13b

SHA1
f9d86a135470ca147ecb1ada03e9fcd1752ab0b3

SHA256
2ad6bfd595c19236e5bd1f957ab8fdbe20a1dadd919fee26ac547572ee746b4a

SHA512
3dca0d7eb9ea1205fe8b4bed45c2afa15ce48f8bd75ea1544a80fb33e2a90bbcb41d4913bd33e5191e3c7ead66c33bab47caa0225ec6fceffc418ec9491c9eec

Download Submit
C:\Users\Admin\AppData\Local\zj9inn\VERSION.dll
Filesize
883KB

MD5
ffd28e39f501cc8732a37fae2381c13b

SHA1
f9d86a135470ca147ecb1ada03e9fcd1752ab0b3

SHA256
2ad6bfd595c19236e5bd1f957ab8fdbe20a1dadd919fee26ac547572ee746b4a

SHA512
3dca0d7eb9ea1205fe8b4bed45c2afa15ce48f8bd75ea1544a80fb33e2a90bbcb41d4913bd33e5191e3c7ead66c33bab47caa0225ec6fceffc418ec9491c9eec

Download Submit
C:\Users\Admin\AppData\Local\zj9inn\VERSION.dll
Filesize
883KB

MD5
ffd28e39f501cc8732a37fae2381c13b

SHA1
f9d86a135470ca147ecb1ada03e9fcd1752ab0b3

SHA256
2ad6bfd595c19236e5bd1f957ab8fdbe20a1dadd919fee26ac547572ee746b4a

SHA512
3dca0d7eb9ea1205fe8b4bed45c2afa15ce48f8bd75ea1544a80fb33e2a90bbcb41d4913bd33e5191e3c7ead66c33bab47caa0225ec6fceffc418ec9491c9eec

Download Submit
C:\Users\Admin\AppData\Local\zj9inn\ie4uinit.exe
Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
memory/724-144-0x0000000000000000-mapping.dmp

Download
memory/3164-135-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-138-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-143-0x00007FFE71FB0000-0x00007FFE71FC0000-memory.dmp

Filesize
64KB

Download
memory/3164-136-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-141-0x00007FFE7209C000-0x00007FFE7209D000-memory.dmp

Filesize
4KB

Download
memory/3164-142-0x00007FFE7206C000-0x00007FFE7206D000-memory.dmp

Filesize
4KB

Download
memory/3164-139-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-132-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-140-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-137-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-130-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3164-134-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-131-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3164-133-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/4252-153-0x0000000000000000-mapping.dmp

Download
memory/4788-148-0x0000000000000000-mapping.dmp

Download