dridex | 71ad14dfe6f748dcf5b72c9b6ce19ea03d33e5cd2a0cb649020b3e187d568eec

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71ad14dfe6f748dcf5b72c9b6ce19ea03d33e5cd2a0cb649020b3e187d568eec.dll
Size

881KB
MD5

46fe98c098555a5781788c232d294163
SHA1

f6c334c3afadb2110e4520b840fc799faa0f21f8
SHA256

71ad14dfe6f748dcf5b72c9b6ce19ea03d33e5cd2a0cb649020b3e187d568eec
SHA512

4e3e24275361bf43dd79ddc1a92170d0357f10f6d448cf8f76054fddbe9eb20fa289eb2b39c092af8fc94759fed757863723be0cb3cc12cec3e00424db315a99

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3172-130-0x0000000001360000-0x0000000001361000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msconfig.exewscript.exemsdt.exe

pid process

1168 msconfig.exe
2744 wscript.exe
3332 msdt.exe
Loads dropped DLL 3 IoCs

Processes:

msconfig.exewscript.exemsdt.exe

pid process

1168 msconfig.exe
2744 wscript.exe
3332 msdt.exe

pid	process
1168	msconfig.exe
2744	wscript.exe
3332	msdt.exe

pid	process
1168	msconfig.exe
2744	wscript.exe
3332	msdt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\JMsv\\wscript.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdt.exerundll32.exemsconfig.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3172

pid	process
3172

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3172 wrote to memory of 400	3172	msconfig.exe
PID 3172 wrote to memory of 400	3172	msconfig.exe
PID 3172 wrote to memory of 1168	3172	msconfig.exe
PID 3172 wrote to memory of 1168	3172	msconfig.exe
PID 3172 wrote to memory of 1996	3172	wscript.exe
PID 3172 wrote to memory of 1996	3172	wscript.exe
PID 3172 wrote to memory of 2744	3172	wscript.exe
PID 3172 wrote to memory of 2744	3172	wscript.exe
PID 3172 wrote to memory of 3464	3172	msdt.exe
PID 3172 wrote to memory of 3464	3172	msdt.exe
PID 3172 wrote to memory of 3332	3172	msdt.exe
PID 3172 wrote to memory of 3332	3172	msdt.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71ad14dfe6f748dcf5b72c9b6ce19ea03d33e5cd2a0cb649020b3e187d568eec.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:400

C:\Users\Admin\AppData\Local\Ucb1\msconfig.exe
C:\Users\Admin\AppData\Local\Ucb1\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1168

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1996

C:\Users\Admin\AppData\Local\HMTJ6Pq\wscript.exe
C:\Users\Admin\AppData\Local\HMTJ6Pq\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2744

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:3464

C:\Users\Admin\AppData\Local\aXc\msdt.exe
C:\Users\Admin\AppData\Local\aXc\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HMTJ6Pq\VERSION.dll
Filesize
882KB

MD5
66cc3c6297b61791b0d4be566ace3830

SHA1
7acd9d657ec003d4cecb61628b630275acdd7996

SHA256
967c0067dca764ee896a8c7858759161b595d3314bd2fc8090cdb1f07091e4d4

SHA512
1e048ef90e730ce457a6e673c888046fc7847625baab06dca32fc9c9d7d2df23135bc68e3264d7b47111b05af356f7707222a73a4dba96472072b08f4dc96856

Download Submit
C:\Users\Admin\AppData\Local\HMTJ6Pq\VERSION.dll
Filesize
882KB

MD5
66cc3c6297b61791b0d4be566ace3830

SHA1
7acd9d657ec003d4cecb61628b630275acdd7996

SHA256
967c0067dca764ee896a8c7858759161b595d3314bd2fc8090cdb1f07091e4d4

SHA512
1e048ef90e730ce457a6e673c888046fc7847625baab06dca32fc9c9d7d2df23135bc68e3264d7b47111b05af356f7707222a73a4dba96472072b08f4dc96856

Download Submit
C:\Users\Admin\AppData\Local\HMTJ6Pq\wscript.exe
Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
C:\Users\Admin\AppData\Local\Ucb1\VERSION.dll
Filesize
882KB

MD5
12e6ea9e35e8a893e71150e7accfc89a

SHA1
3814475c9b910a549597b6c5616a9ce95c4dbb51

SHA256
c11be90e23f036579ff74a2283749f111d439d5423c37b76f7f90104633e326e

SHA512
f09806d4b3021f7556b75e3bca3a9df8a4b07d74417fb2d11184f341a5e3f9906bd6ecb39b5603e034ccf8fbd69c50c27ebf39bacc4d570403a9c7df66429ffb

Download Submit
C:\Users\Admin\AppData\Local\Ucb1\VERSION.dll
Filesize
882KB

MD5
12e6ea9e35e8a893e71150e7accfc89a

SHA1
3814475c9b910a549597b6c5616a9ce95c4dbb51

SHA256
c11be90e23f036579ff74a2283749f111d439d5423c37b76f7f90104633e326e

SHA512
f09806d4b3021f7556b75e3bca3a9df8a4b07d74417fb2d11184f341a5e3f9906bd6ecb39b5603e034ccf8fbd69c50c27ebf39bacc4d570403a9c7df66429ffb

Download Submit
C:\Users\Admin\AppData\Local\Ucb1\msconfig.exe
Filesize
193KB

MD5
39009536cafe30c6ef2501fe46c9df5e

SHA1
6ff7b4d30f31186de899665c704a105227704b72

SHA256
93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04

SHA512
95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

Download Submit
C:\Users\Admin\AppData\Local\aXc\DUI70.dll
Filesize
1.1MB

MD5
779296fdbb2e1b0c3badac2e5f3a0342

SHA1
6589d90d519fe426175be4b501015e6ceefb877b

SHA256
aceca50b46beb18f391847043749962784b021f16d015fb902bae99edc4f8ba4

SHA512
7c1838afe81f4c82a72df20a1d6d160ec4ab75f83965322d9b4b5ab2964a17f54739a2a483f4b2896712623df863676a98a84cbef256fcb0a2eb165f34e52006

Download Submit
C:\Users\Admin\AppData\Local\aXc\DUI70.dll
Filesize
1.1MB

MD5
779296fdbb2e1b0c3badac2e5f3a0342

SHA1
6589d90d519fe426175be4b501015e6ceefb877b

SHA256
aceca50b46beb18f391847043749962784b021f16d015fb902bae99edc4f8ba4

SHA512
7c1838afe81f4c82a72df20a1d6d160ec4ab75f83965322d9b4b5ab2964a17f54739a2a483f4b2896712623df863676a98a84cbef256fcb0a2eb165f34e52006

Download Submit
C:\Users\Admin\AppData\Local\aXc\msdt.exe
Filesize
421KB

MD5
992c3f0cc8180f2f51156671e027ae75

SHA1
942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

SHA256
6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

SHA512
1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

Download Submit
memory/1168-144-0x0000000000000000-mapping.dmp

Download
memory/2744-148-0x0000000000000000-mapping.dmp

Download
memory/3172-138-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-137-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-143-0x00007FFC3B4F0000-0x00007FFC3B500000-memory.dmp

Filesize
64KB

Download
memory/3172-134-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-135-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-136-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-142-0x00007FFC3B5AC000-0x00007FFC3B5AD000-memory.dmp

Filesize
4KB

Download
memory/3172-133-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-130-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/3172-141-0x00007FFC3B5DC000-0x00007FFC3B5DD000-memory.dmp

Filesize
4KB

Download
memory/3172-139-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-132-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-140-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3172-131-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/3332-152-0x0000000000000000-mapping.dmp

Download