dridex | b8eeb8c59a0b5352f8c313e727fddb899875960df029eaca7e868610702cfaf0

Analysis

max time kernel
185s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8eeb8c59a0b5352f8c313e727fddb899875960df029eaca7e868610702cfaf0.dll
Size

1.2MB
MD5

754bb938d40d9602980e2e9ec5a4e927
SHA1

45b9def51ab5c99967127db3ed203ebeced50cc3
SHA256

b8eeb8c59a0b5352f8c313e727fddb899875960df029eaca7e868610702cfaf0
SHA512

87cd8995040a8f487f7ae45d4d0f31b658504c6060acd7c3948c8bd1c27ceb67045882bf73dd541ab05421089a7addff0b0318fd85f78c117a6acdc2a86264c2

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-59-0x0000000001C90000-0x0000000001C91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

fveprompt.execonsent.exeSndVol.exe

pid process

268 fveprompt.exe
1556 consent.exe
1728 SndVol.exe
Loads dropped DLL 7 IoCs

Processes:

fveprompt.execonsent.exeSndVol.exe

pid process

1256
268 fveprompt.exe
1256
1556 consent.exe
1256
1728 SndVol.exe
1256

pid	process
268	fveprompt.exe
1556	consent.exe
1728	SndVol.exe

pid	process
1256
268	fveprompt.exe
1256
1556	consent.exe
1256
1728	SndVol.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\FjCFO6Y\\consent.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exefveprompt.execonsent.exeSndVol.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	consent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1256

description	pid	process
Token: SeShutdownPrivilege	1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 2020	1256	fveprompt.exe
PID 1256 wrote to memory of 2020	1256	fveprompt.exe
PID 1256 wrote to memory of 2020	1256	fveprompt.exe
PID 1256 wrote to memory of 268	1256	fveprompt.exe
PID 1256 wrote to memory of 268	1256	fveprompt.exe
PID 1256 wrote to memory of 268	1256	fveprompt.exe
PID 1256 wrote to memory of 1552	1256	consent.exe
PID 1256 wrote to memory of 1552	1256	consent.exe
PID 1256 wrote to memory of 1552	1256	consent.exe
PID 1256 wrote to memory of 1556	1256	consent.exe
PID 1256 wrote to memory of 1556	1256	consent.exe
PID 1256 wrote to memory of 1556	1256	consent.exe
PID 1256 wrote to memory of 588	1256	SndVol.exe
PID 1256 wrote to memory of 588	1256	SndVol.exe
PID 1256 wrote to memory of 588	1256	SndVol.exe
PID 1256 wrote to memory of 1728	1256	SndVol.exe
PID 1256 wrote to memory of 1728	1256	SndVol.exe
PID 1256 wrote to memory of 1728	1256	SndVol.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8eeb8c59a0b5352f8c313e727fddb899875960df029eaca7e868610702cfaf0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:2020

C:\Users\Admin\AppData\Local\V5AM\fveprompt.exe
C:\Users\Admin\AppData\Local\V5AM\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:268

C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
1⤵
PID:1552

C:\Users\Admin\AppData\Local\Qmv\consent.exe
C:\Users\Admin\AppData\Local\Qmv\consent.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1556

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:588

C:\Users\Admin\AppData\Local\WjNt\SndVol.exe
C:\Users\Admin\AppData\Local\WjNt\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1728

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Qmv\WINSTA.dll
Filesize
1.2MB

MD5
06caa3755d88a61d0891a93982d407ce

SHA1
5b33127daf60b777a6f7f551cb803a8f4357537f

SHA256
bd22e63051564c25596bd38f36aae328addc47c528b07358c7368edd072ed516

SHA512
d4e2bf7b26be8cb22b13c7950cc982ad4243da3ccf43c03c6f34c70b52e618cec6c47dd73262314e632d1b0f67180c6f391d9712ac20a694dda1145992f7619d

Download Submit
C:\Users\Admin\AppData\Local\Qmv\consent.exe
Filesize
109KB

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
C:\Users\Admin\AppData\Local\V5AM\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
C:\Users\Admin\AppData\Local\V5AM\slc.dll
Filesize
1.2MB

MD5
faa36019e84a8ed41354f302b9da78b9

SHA1
2e18403516aa65fd0eab470cbd001e2799c7d598

SHA256
c352e88939d16084f91c691c19b151bdd1563bbe38e13fe78d10e0f4d9075a15

SHA512
d0d4c1efd3248d9303596f02b11ae1dac164dda08990cc632f1ba77d6185da1605e9807a6ec9d04658cf4d981677553fe7e55516f55ec96914158a41c00719c1

Download Submit
C:\Users\Admin\AppData\Local\WjNt\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
C:\Users\Admin\AppData\Local\WjNt\UxTheme.dll
Filesize
1.2MB

MD5
820a81a50b4ae96fda6a2de6f6c2b830

SHA1
c1b7e370f1c5bdb0a155971bacb10d94f75db59e

SHA256
76ad33d7afbf938be4ff2cebfde928eb770ec649ecd6da8e244eef800e47d49c

SHA512
2db737b68e0d800ddfce88cee083628e03e50c93d787a10c95d5fe7d927253f652651ecfeb37db2694c65ec47a554125294278f18c0ae25332f344abd43558bd

Download Submit
\Users\Admin\AppData\Local\Qmv\WINSTA.dll
Filesize
1.2MB

MD5
06caa3755d88a61d0891a93982d407ce

SHA1
5b33127daf60b777a6f7f551cb803a8f4357537f

SHA256
bd22e63051564c25596bd38f36aae328addc47c528b07358c7368edd072ed516

SHA512
d4e2bf7b26be8cb22b13c7950cc982ad4243da3ccf43c03c6f34c70b52e618cec6c47dd73262314e632d1b0f67180c6f391d9712ac20a694dda1145992f7619d

Download Submit
\Users\Admin\AppData\Local\Qmv\consent.exe
Filesize
109KB

MD5
0b5511674394666e9d221f8681b2c2e6

SHA1
6e4e720dfc424a12383f0b8194e4477e3bc346dc

SHA256
ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b

SHA512
00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

Download Submit
\Users\Admin\AppData\Local\V5AM\fveprompt.exe
Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\V5AM\slc.dll
Filesize
1.2MB

MD5
faa36019e84a8ed41354f302b9da78b9

SHA1
2e18403516aa65fd0eab470cbd001e2799c7d598

SHA256
c352e88939d16084f91c691c19b151bdd1563bbe38e13fe78d10e0f4d9075a15

SHA512
d0d4c1efd3248d9303596f02b11ae1dac164dda08990cc632f1ba77d6185da1605e9807a6ec9d04658cf4d981677553fe7e55516f55ec96914158a41c00719c1

Download Submit
\Users\Admin\AppData\Local\WjNt\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
\Users\Admin\AppData\Local\WjNt\UxTheme.dll
Filesize
1.2MB

MD5
820a81a50b4ae96fda6a2de6f6c2b830

SHA1
c1b7e370f1c5bdb0a155971bacb10d94f75db59e

SHA256
76ad33d7afbf938be4ff2cebfde928eb770ec649ecd6da8e244eef800e47d49c

SHA512
2db737b68e0d800ddfce88cee083628e03e50c93d787a10c95d5fe7d927253f652651ecfeb37db2694c65ec47a554125294278f18c0ae25332f344abd43558bd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\WIzlc7tiH28\SndVol.exe
Filesize
267KB

MD5
c3489639ec8e181044f6c6bfd3d01ac9

SHA1
e057c90b675a6da19596b0ac458c25d7440b7869

SHA256
a632ef1a1490d31d76f13997ee56f4f75796bf9e366c76446857e9ae855f4103

SHA512
63b96c8afb8c3f5f969459531d3a543f6e8714d5ca1664c6bbb01edd9f5e850856931d7923f363c9dc7d8843deeaad69722d15993641d04e786e02184446c0c9

Download Submit
memory/268-91-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/268-87-0x000007FEF6BE0000-0x000007FEF6D13000-memory.dmp

Filesize
1.2MB

Download
memory/268-84-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

Filesize
8KB

Download
memory/268-82-0x0000000000000000-mapping.dmp

Download
memory/972-58-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/972-54-0x000007FEF6920000-0x000007FEF6A52000-memory.dmp

Filesize
1.2MB

Download
memory/1256-70-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-71-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-61-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-60-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-74-0x0000000001C70000-0x0000000001C77000-memory.dmp

Filesize
28KB

Download
memory/1256-63-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-80-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/1256-69-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-64-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-65-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-66-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-59-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/1256-62-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-68-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1256-67-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/1556-93-0x0000000000000000-mapping.dmp

Download
memory/1556-102-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1556-98-0x000007FEF6920000-0x000007FEF6A54000-memory.dmp

Filesize
1.2MB

Download
memory/1728-104-0x0000000000000000-mapping.dmp

Download
memory/1728-109-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1728-110-0x000007FEF6920000-0x000007FEF6A53000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads