dridex | b8eeb8c59a0b5352f8c313e727fddb899875960df029eaca7e868610702cfaf0

Analysis

max time kernel
152s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8eeb8c59a0b5352f8c313e727fddb899875960df029eaca7e868610702cfaf0.dll
Size

1.2MB
MD5

754bb938d40d9602980e2e9ec5a4e927
SHA1

45b9def51ab5c99967127db3ed203ebeced50cc3
SHA256

b8eeb8c59a0b5352f8c313e727fddb899875960df029eaca7e868610702cfaf0
SHA512

87cd8995040a8f487f7ae45d4d0f31b658504c6060acd7c3948c8bd1c27ceb67045882bf73dd541ab05421089a7addff0b0318fd85f78c117a6acdc2a86264c2

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3132-135-0x0000000000C50000-0x0000000000C51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exeBitLockerWizardElev.exewbengine.exe

pid process

404 ApplySettingsTemplateCatalog.exe
2936 BitLockerWizardElev.exe
4592 wbengine.exe
Loads dropped DLL 3 IoCs

Processes:

ApplySettingsTemplateCatalog.exeBitLockerWizardElev.exewbengine.exe

pid process

404 ApplySettingsTemplateCatalog.exe
2936 BitLockerWizardElev.exe
4592 wbengine.exe

pid	process
404	ApplySettingsTemplateCatalog.exe
2936	BitLockerWizardElev.exe
4592	wbengine.exe

pid	process
404	ApplySettingsTemplateCatalog.exe
2936	BitLockerWizardElev.exe
4592	wbengine.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\ZD\\BitLockerWizardElev.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BitLockerWizardElev.exewbengine.exerundll32.exeApplySettingsTemplateCatalog.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
828	rundll32.exe
828	rundll32.exe
828	rundll32.exe
828	rundll32.exe
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3132

pid	process
3132

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3132 wrote to memory of 1948	3132	ApplySettingsTemplateCatalog.exe
PID 3132 wrote to memory of 1948	3132	ApplySettingsTemplateCatalog.exe
PID 3132 wrote to memory of 404	3132	ApplySettingsTemplateCatalog.exe
PID 3132 wrote to memory of 404	3132	ApplySettingsTemplateCatalog.exe
PID 3132 wrote to memory of 2808	3132	BitLockerWizardElev.exe
PID 3132 wrote to memory of 2808	3132	BitLockerWizardElev.exe
PID 3132 wrote to memory of 2936	3132	BitLockerWizardElev.exe
PID 3132 wrote to memory of 2936	3132	BitLockerWizardElev.exe
PID 3132 wrote to memory of 4596	3132	wbengine.exe
PID 3132 wrote to memory of 4596	3132	wbengine.exe
PID 3132 wrote to memory of 4592	3132	wbengine.exe
PID 3132 wrote to memory of 4592	3132	wbengine.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b8eeb8c59a0b5352f8c313e727fddb899875960df029eaca7e868610702cfaf0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:1948

C:\Users\Admin\AppData\Local\RRIDpImY\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\RRIDpImY\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:404

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2808

C:\Users\Admin\AppData\Local\DEYXDEKAu\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\DEYXDEKAu\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2936

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:4596

C:\Users\Admin\AppData\Local\l1d\wbengine.exe
C:\Users\Admin\AppData\Local\l1d\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DEYXDEKAu\BitLockerWizardElev.exe
Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\DEYXDEKAu\FVEWIZ.dll
Filesize
1.2MB

MD5
312b023bf137b1f077aee8201b8717df

SHA1
3af0ed63f624a8c874480bf57430a60cb8d733e4

SHA256
2619ce6a390b2f2adcf9960fbeb16572ecea75be428484214ad90e396cbc3174

SHA512
ffbdb87750185ada2ae8e0254571006627c95b2b731216103a24719551f517b43c468e09565fa6bfaadefb8a6624eda0b62c45797729802db254d11762be7289

Download Submit
C:\Users\Admin\AppData\Local\DEYXDEKAu\FVEWIZ.dll
Filesize
1.2MB

MD5
312b023bf137b1f077aee8201b8717df

SHA1
3af0ed63f624a8c874480bf57430a60cb8d733e4

SHA256
2619ce6a390b2f2adcf9960fbeb16572ecea75be428484214ad90e396cbc3174

SHA512
ffbdb87750185ada2ae8e0254571006627c95b2b731216103a24719551f517b43c468e09565fa6bfaadefb8a6624eda0b62c45797729802db254d11762be7289

Download Submit
C:\Users\Admin\AppData\Local\RRIDpImY\ACTIVEDS.dll
Filesize
1.2MB

MD5
1129953a9aff5a33d92d6bcb34a16f01

SHA1
46cd8f75d87727004a867ea2a61632deaa603605

SHA256
1940160293db718779a5e19195a60ce32e3c5ec78abf6c2fbfa558243e5cb8ca

SHA512
c4e2d004da6f243fa55c4dfa296d5b2a26ee64ac7796190c6fb3173a43aa1fa0ea50767c4db0755d9790ec39c8d590c651d501f6f4ee2e2ccdf6ae7e06370528

Download Submit
C:\Users\Admin\AppData\Local\RRIDpImY\ACTIVEDS.dll
Filesize
1.2MB

MD5
1129953a9aff5a33d92d6bcb34a16f01

SHA1
46cd8f75d87727004a867ea2a61632deaa603605

SHA256
1940160293db718779a5e19195a60ce32e3c5ec78abf6c2fbfa558243e5cb8ca

SHA512
c4e2d004da6f243fa55c4dfa296d5b2a26ee64ac7796190c6fb3173a43aa1fa0ea50767c4db0755d9790ec39c8d590c651d501f6f4ee2e2ccdf6ae7e06370528

Download Submit
C:\Users\Admin\AppData\Local\RRIDpImY\ApplySettingsTemplateCatalog.exe
Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
C:\Users\Admin\AppData\Local\l1d\XmlLite.dll
Filesize
1.2MB

MD5
1197b9ad6e6403a98ac2f4960e097b90

SHA1
b558652b9e7aa7b796b0f5acfa8d64c7d5910659

SHA256
ba598bc6618312de318e1185f6ebbf4e816ae05850664fab4604370b171b39a3

SHA512
4674d675d5d50d9897c2b75cb36569a0c1268bb1aa7f419234f4329e9e64f6ce71dddf6c13a69c99b2a5ac8a21fded57079fd1b9d223226a8b8ad59ecb8ec230

Download Submit
C:\Users\Admin\AppData\Local\l1d\XmlLite.dll
Filesize
1.2MB

MD5
1197b9ad6e6403a98ac2f4960e097b90

SHA1
b558652b9e7aa7b796b0f5acfa8d64c7d5910659

SHA256
ba598bc6618312de318e1185f6ebbf4e816ae05850664fab4604370b171b39a3

SHA512
4674d675d5d50d9897c2b75cb36569a0c1268bb1aa7f419234f4329e9e64f6ce71dddf6c13a69c99b2a5ac8a21fded57079fd1b9d223226a8b8ad59ecb8ec230

Download Submit
C:\Users\Admin\AppData\Local\l1d\wbengine.exe
Filesize
1.5MB

MD5
17270a354a66590953c4aac1cf54e507

SHA1
715babcc8e46b02ac498f4f06df7937904d9798d

SHA256
9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

SHA512
6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

Download Submit
memory/404-167-0x000001A3D8C50000-0x000001A3D8C57000-memory.dmp

Filesize
28KB

Download
memory/404-163-0x00007FFEDBE60000-0x00007FFEDBF93000-memory.dmp

Filesize
1.2MB

Download
memory/404-159-0x0000000000000000-mapping.dmp

Download
memory/828-130-0x00007FFECD740000-0x00007FFECD872000-memory.dmp

Filesize
1.2MB

Download
memory/828-134-0x000001DC96010000-0x000001DC96017000-memory.dmp

Filesize
28KB

Download
memory/2936-172-0x00007FFECD740000-0x00007FFECD873000-memory.dmp

Filesize
1.2MB

Download
memory/2936-168-0x0000000000000000-mapping.dmp

Download
memory/2936-176-0x00000211F5460000-0x00000211F5467000-memory.dmp

Filesize
28KB

Download
memory/3132-141-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-143-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-157-0x0000000000C40000-0x0000000000C47000-memory.dmp

Filesize
28KB

Download
memory/3132-155-0x00007FFEEB01C000-0x00007FFEEB01D000-memory.dmp

Filesize
4KB

Download
memory/3132-156-0x00007FFEEAFEC000-0x00007FFEEAFED000-memory.dmp

Filesize
4KB

Download
memory/3132-147-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-146-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-145-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-144-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-158-0x00007FFEEAF30000-0x00007FFEEAF40000-memory.dmp

Filesize
64KB

Download
memory/3132-142-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-139-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-140-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-138-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-135-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/3132-137-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/3132-136-0x0000000140000000-0x0000000140132000-memory.dmp

Filesize
1.2MB

Download
memory/4592-177-0x0000000000000000-mapping.dmp

Download
memory/4592-185-0x0000025F31200000-0x0000025F31207000-memory.dmp

Filesize
28KB

Download