dridex | 7430782577e2742413e2626cbbcf65c1e5c3ef365a8c6572e89c92763ed2a2a5

Analysis

max time kernel
152s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7430782577e2742413e2626cbbcf65c1e5c3ef365a8c6572e89c92763ed2a2a5.dll
Size

880KB
MD5

07f98fb6236121f89df1416e4370b71d
SHA1

72ab25f7dd2e975d052b64e4878a08d567d96dd7
SHA256

7430782577e2742413e2626cbbcf65c1e5c3ef365a8c6572e89c92763ed2a2a5
SHA512

219a4e92ac76abf7e756ef20a71338207fbe5b4a623671489b0144317861f6e74fe9b1b9fdf32c7755c170479099c9442db74863e514a751a7295b028a215e85

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1060-130-0x0000000000840000-0x0000000000841000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

AtBroker.exeSystemPropertiesComputerName.exeRecoveryDrive.exe

pid process

4452 AtBroker.exe
4236 SystemPropertiesComputerName.exe
2880 RecoveryDrive.exe
Loads dropped DLL 3 IoCs

Processes:

AtBroker.exeSystemPropertiesComputerName.exeRecoveryDrive.exe

pid process

4452 AtBroker.exe
4236 SystemPropertiesComputerName.exe
2880 RecoveryDrive.exe

pid	process
4452	AtBroker.exe
4236	SystemPropertiesComputerName.exe
2880	RecoveryDrive.exe

pid	process
4452	AtBroker.exe
4236	SystemPropertiesComputerName.exe
2880	RecoveryDrive.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Security\\aJN6uT3\\SystemPropertiesComputerName.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

AtBroker.exeSystemPropertiesComputerName.exeRecoveryDrive.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RecoveryDrive.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
4644	rundll32.exe
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060
1060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1060

pid	process
1060

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 1060 wrote to memory of 4812	1060	AtBroker.exe
PID 1060 wrote to memory of 4812	1060	AtBroker.exe
PID 1060 wrote to memory of 4452	1060	AtBroker.exe
PID 1060 wrote to memory of 4452	1060	AtBroker.exe
PID 1060 wrote to memory of 3308	1060	SystemPropertiesComputerName.exe
PID 1060 wrote to memory of 3308	1060	SystemPropertiesComputerName.exe
PID 1060 wrote to memory of 4236	1060	SystemPropertiesComputerName.exe
PID 1060 wrote to memory of 4236	1060	SystemPropertiesComputerName.exe
PID 1060 wrote to memory of 2284	1060	RecoveryDrive.exe
PID 1060 wrote to memory of 2284	1060	RecoveryDrive.exe
PID 1060 wrote to memory of 2880	1060	RecoveryDrive.exe
PID 1060 wrote to memory of 2880	1060	RecoveryDrive.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7430782577e2742413e2626cbbcf65c1e5c3ef365a8c6572e89c92763ed2a2a5.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:4812

C:\Users\Admin\AppData\Local\aWmhba\AtBroker.exe
C:\Users\Admin\AppData\Local\aWmhba\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4452

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:3308

C:\Users\Admin\AppData\Local\P4Imoa\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\P4Imoa\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4236

C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
1⤵
PID:2284

C:\Users\Admin\AppData\Local\dv0Sz\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\dv0Sz\RecoveryDrive.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\P4Imoa\SYSDM.CPL
Filesize
880KB

MD5
b6804d7e2c054a2c761869480b807549

SHA1
1b3b0a6eba9b97871a18734829bc89e97828ebf6

SHA256
7e014b6c09eadbec21387030b4bfd52ebf2ffe3c85b9016e8781e4da5b106cf3

SHA512
427c006ea43db42de3ec72e524bb09ae066f646eb863a47a71fe9b57fa6a0a7082fa301b7459e32f97740e3ca864bdeec9cdf795273360c1d0f1c41fd0d945ff

Download Submit
C:\Users\Admin\AppData\Local\P4Imoa\SYSDM.CPL
Filesize
880KB

MD5
b6804d7e2c054a2c761869480b807549

SHA1
1b3b0a6eba9b97871a18734829bc89e97828ebf6

SHA256
7e014b6c09eadbec21387030b4bfd52ebf2ffe3c85b9016e8781e4da5b106cf3

SHA512
427c006ea43db42de3ec72e524bb09ae066f646eb863a47a71fe9b57fa6a0a7082fa301b7459e32f97740e3ca864bdeec9cdf795273360c1d0f1c41fd0d945ff

Download Submit
C:\Users\Admin\AppData\Local\P4Imoa\SystemPropertiesComputerName.exe
Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Local\aWmhba\AtBroker.exe
Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\aWmhba\UxTheme.dll
Filesize
883KB

MD5
33688662d2d092880295a7653bf68756

SHA1
445cab03b758cec72df2526ca2a94d9ddcea84f4

SHA256
1f6b382478ab11c1cd460f392f420d5499989650f3633fa87d2e82bbb45aa027

SHA512
1a3cba3cdff3609f345b6b741f809e7e951ef7fbfc18c4c23a32827674e2dce21003bce6febcefe33dab973877a18c517c76ea47a18eb318818ad84e57149739

Download Submit
C:\Users\Admin\AppData\Local\aWmhba\UxTheme.dll
Filesize
883KB

MD5
33688662d2d092880295a7653bf68756

SHA1
445cab03b758cec72df2526ca2a94d9ddcea84f4

SHA256
1f6b382478ab11c1cd460f392f420d5499989650f3633fa87d2e82bbb45aa027

SHA512
1a3cba3cdff3609f345b6b741f809e7e951ef7fbfc18c4c23a32827674e2dce21003bce6febcefe33dab973877a18c517c76ea47a18eb318818ad84e57149739

Download Submit
C:\Users\Admin\AppData\Local\dv0Sz\RecoveryDrive.exe
Filesize
911KB

MD5
b9b3dc6f2eb89e41ff27400952602c74

SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b

SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Download Submit
C:\Users\Admin\AppData\Local\dv0Sz\UxTheme.dll
Filesize
883KB

MD5
d2cc0d998faa62334be5615ef26216c3

SHA1
4d0f6c7c9c3bca8587b8fa0ced6aaaf36c64a8e7

SHA256
b402b299a892c2f3c475b7fabadb3431fcb17a694f2765b8052b6175dbf9b49a

SHA512
2e7f7e8c0ccb6ecaa2e5ca4ccfc11e9f01501e69cae8c33a426716d11c4d0cae3597b4b82568cfe6001233baf8aa452b6e1622a1bd60a04871d398a11a9d7f55

Download Submit
C:\Users\Admin\AppData\Local\dv0Sz\UxTheme.dll
Filesize
883KB

MD5
d2cc0d998faa62334be5615ef26216c3

SHA1
4d0f6c7c9c3bca8587b8fa0ced6aaaf36c64a8e7

SHA256
b402b299a892c2f3c475b7fabadb3431fcb17a694f2765b8052b6175dbf9b49a

SHA512
2e7f7e8c0ccb6ecaa2e5ca4ccfc11e9f01501e69cae8c33a426716d11c4d0cae3597b4b82568cfe6001233baf8aa452b6e1622a1bd60a04871d398a11a9d7f55

Download Submit
memory/1060-141-0x00007FFAFF15C000-0x00007FFAFF15D000-memory.dmp

Filesize
4KB

Download
memory/1060-138-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-142-0x00007FFAFF12C000-0x00007FFAFF12D000-memory.dmp

Filesize
4KB

Download
memory/1060-130-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1060-143-0x00007FFAFF070000-0x00007FFAFF080000-memory.dmp

Filesize
64KB

Download
memory/1060-132-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-137-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-131-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-140-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-136-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-139-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-135-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-134-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1060-133-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/2880-152-0x0000000000000000-mapping.dmp

Download
memory/4236-148-0x0000000000000000-mapping.dmp

Download
memory/4452-144-0x0000000000000000-mapping.dmp

Download