dridex | f8e491e0b4830499f16eaa2dc20b483a1b07cd0a0129f8bfdb27329da1fe9d25

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8e491e0b4830499f16eaa2dc20b483a1b07cd0a0129f8bfdb27329da1fe9d25.dll
Size

1.0MB
MD5

13af4c70983e18808bfcf66c108d268f
SHA1

144ef35edd26bdf5aba2ebcf8c4dfaf9dd7ef070
SHA256

f8e491e0b4830499f16eaa2dc20b483a1b07cd0a0129f8bfdb27329da1fe9d25
SHA512

25e725ce5c9cda3f6104bf7fa1779af3a40d5635e8ffbc413aa32ab9f0edd0760eb147f40891eb0e82cf1edeb4fe3a29636114ed1c5defbe44c5cc64e904fda2

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1280-60-0x0000000002930000-0x0000000002931000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msinfo32.exemsconfig.exeNetplwiz.exe

pid process

1204 msinfo32.exe
1076 msconfig.exe
544 Netplwiz.exe
Loads dropped DLL 7 IoCs

Processes:

msinfo32.exemsconfig.exeNetplwiz.exe

pid process

1280
1204 msinfo32.exe
1280
1076 msconfig.exe
1280
544 Netplwiz.exe
1280

pid	process
1204	msinfo32.exe
1076	msconfig.exe
544	Netplwiz.exe

pid	process
1280
1204	msinfo32.exe
1280
1076	msconfig.exe
1280
544	Netplwiz.exe
1280

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\r8Jhd2\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Netplwiz.exemsinfo32.exemsconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
480	regsvr32.exe
480	regsvr32.exe
480	regsvr32.exe
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1280 wrote to memory of 1424	1280	msinfo32.exe
PID 1280 wrote to memory of 1424	1280	msinfo32.exe
PID 1280 wrote to memory of 1424	1280	msinfo32.exe
PID 1280 wrote to memory of 1204	1280	msinfo32.exe
PID 1280 wrote to memory of 1204	1280	msinfo32.exe
PID 1280 wrote to memory of 1204	1280	msinfo32.exe
PID 1280 wrote to memory of 392	1280	msconfig.exe
PID 1280 wrote to memory of 392	1280	msconfig.exe
PID 1280 wrote to memory of 392	1280	msconfig.exe
PID 1280 wrote to memory of 1076	1280	msconfig.exe
PID 1280 wrote to memory of 1076	1280	msconfig.exe
PID 1280 wrote to memory of 1076	1280	msconfig.exe
PID 1280 wrote to memory of 1992	1280	Netplwiz.exe
PID 1280 wrote to memory of 1992	1280	Netplwiz.exe
PID 1280 wrote to memory of 1992	1280	Netplwiz.exe
PID 1280 wrote to memory of 544	1280	Netplwiz.exe
PID 1280 wrote to memory of 544	1280	Netplwiz.exe
PID 1280 wrote to memory of 544	1280	Netplwiz.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\f8e491e0b4830499f16eaa2dc20b483a1b07cd0a0129f8bfdb27329da1fe9d25.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:480

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:1424

C:\Users\Admin\AppData\Local\YY5g\msinfo32.exe
C:\Users\Admin\AppData\Local\YY5g\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1204

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:392

C:\Users\Admin\AppData\Local\GUoPqlcea\msconfig.exe
C:\Users\Admin\AppData\Local\GUoPqlcea\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1076

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:1992

C:\Users\Admin\AppData\Local\yUz3\Netplwiz.exe
C:\Users\Admin\AppData\Local\yUz3\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:544

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GUoPqlcea\MFC42u.dll
Filesize
1.0MB

MD5
d93b6b3ff20a7c71c44a5d8fb4930cef

SHA1
7a486aa76206149b0e5ea96c7b07693c4c3d2dfc

SHA256
15e619bb432ca129dee214cdee9a6fb504d24ea1cab849fd000d974b97493d67

SHA512
df7997a9e228a1d8a829b30067603fb36de5c5662baf3c28d4645810bc4990023e8d85cb319803083dc3efec5a1a213b4dabc90d7b59bfdc045726ee80ca6388

Download Submit
C:\Users\Admin\AppData\Local\GUoPqlcea\msconfig.exe
Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
C:\Users\Admin\AppData\Local\YY5g\MFC42u.dll
Filesize
1.0MB

MD5
26124fe10142f11656c1b4f91c97c0ab

SHA1
d73e56ddccbaf40cb69afc1b925011cbd5caa336

SHA256
b3c7381b24cec1ab0b2a90c8457a116cc8ffc480d169574c75d22d60bb3377dc

SHA512
6e81018e36ed0ff84f0cd5ed1b72b334bbd40a4f69d0c6ce07ddc12d8d1840d5e0652722f785b53e1702a1bb299868492e2516680220f9296e9ec7da1341f802

Download Submit
C:\Users\Admin\AppData\Local\YY5g\msinfo32.exe
Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
C:\Users\Admin\AppData\Local\yUz3\NETPLWIZ.dll
Filesize
1.0MB

MD5
e5601a592489e5c94d8e8d6e08c041c1

SHA1
f78289d1acb80810528be2171c3003f6b3c70c99

SHA256
69dfa7f760c6d1b7469d8b9d1a3fc752cd09eac145c879d4bfa93126090a6eae

SHA512
57215d4f40eb618adeea0b06955e636539a668e64b2da4d129a3f4e64709588407ae24303619bea1b278bc02a2ef0bd86a2805451a505fb5ae46d74f7bef3189

Download Submit
C:\Users\Admin\AppData\Local\yUz3\Netplwiz.exe
Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\GUoPqlcea\MFC42u.dll
Filesize
1.0MB

MD5
d93b6b3ff20a7c71c44a5d8fb4930cef

SHA1
7a486aa76206149b0e5ea96c7b07693c4c3d2dfc

SHA256
15e619bb432ca129dee214cdee9a6fb504d24ea1cab849fd000d974b97493d67

SHA512
df7997a9e228a1d8a829b30067603fb36de5c5662baf3c28d4645810bc4990023e8d85cb319803083dc3efec5a1a213b4dabc90d7b59bfdc045726ee80ca6388

Download Submit
\Users\Admin\AppData\Local\GUoPqlcea\msconfig.exe
Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\YY5g\MFC42u.dll
Filesize
1.0MB

MD5
26124fe10142f11656c1b4f91c97c0ab

SHA1
d73e56ddccbaf40cb69afc1b925011cbd5caa336

SHA256
b3c7381b24cec1ab0b2a90c8457a116cc8ffc480d169574c75d22d60bb3377dc

SHA512
6e81018e36ed0ff84f0cd5ed1b72b334bbd40a4f69d0c6ce07ddc12d8d1840d5e0652722f785b53e1702a1bb299868492e2516680220f9296e9ec7da1341f802

Download Submit
\Users\Admin\AppData\Local\YY5g\msinfo32.exe
Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
\Users\Admin\AppData\Local\yUz3\NETPLWIZ.dll
Filesize
1.0MB

MD5
e5601a592489e5c94d8e8d6e08c041c1

SHA1
f78289d1acb80810528be2171c3003f6b3c70c99

SHA256
69dfa7f760c6d1b7469d8b9d1a3fc752cd09eac145c879d4bfa93126090a6eae

SHA512
57215d4f40eb618adeea0b06955e636539a668e64b2da4d129a3f4e64709588407ae24303619bea1b278bc02a2ef0bd86a2805451a505fb5ae46d74f7bef3189

Download Submit
\Users\Admin\AppData\Local\yUz3\Netplwiz.exe
Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\g6Pga47fG\Netplwiz.exe
Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
memory/480-54-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/480-59-0x00000000000B0000-0x00000000000B7000-memory.dmp

Filesize
28KB

Download
memory/480-55-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/544-110-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/544-105-0x0000000000000000-mapping.dmp

Download
memory/544-114-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1076-94-0x0000000000000000-mapping.dmp

Download
memory/1076-103-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download
memory/1204-83-0x0000000000000000-mapping.dmp

Download
memory/1204-88-0x0000000140000000-0x000000014010E000-memory.dmp

Filesize
1.1MB

Download
memory/1204-92-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1280-81-0x0000000077240000-0x0000000077242000-memory.dmp

Filesize
8KB

Download
memory/1280-80-0x0000000002210000-0x0000000002217000-memory.dmp

Filesize
28KB

Download
memory/1280-71-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-65-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-66-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-67-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-70-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-69-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-68-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-64-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-63-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-62-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-61-0x0000000140000000-0x0000000140107000-memory.dmp

Filesize
1.0MB

Download
memory/1280-60-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads