dridex | ac789285c91a1777f5c5cfb1e0c6d93f1a06856849ef005f471cb6641b05a8ee

Analysis

max time kernel
168s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac789285c91a1777f5c5cfb1e0c6d93f1a06856849ef005f471cb6641b05a8ee.dll
Size

1.2MB
MD5

bd42ea33dfc75bbbc8e5b537fc14ac6d
SHA1

bf81af779374bfd5bc6caf97524e549541025a56
SHA256

ac789285c91a1777f5c5cfb1e0c6d93f1a06856849ef005f471cb6641b05a8ee
SHA512

78f92d35c6d8f1a7c79293d52d4f6ba13d2ad8d4cc018ede2e4d4c78392b94e384c86b6626c062bcf1a2f44f95eb28d60342565ed497a5166ef43a181dc41b43

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3104-135-0x00000000007A0000-0x00000000007A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 5 IoCs

Processes:

mspaint.exeNarrator.exePresentationHost.exeEhStorAuthn.exeAtBroker.exe

pid process

3052 mspaint.exe
2600 Narrator.exe
4736 PresentationHost.exe
2688 EhStorAuthn.exe
4812 AtBroker.exe
Loads dropped DLL 5 IoCs

Processes:

mspaint.exePresentationHost.exeEhStorAuthn.exeAtBroker.exe

pid process

3052 mspaint.exe
4736 PresentationHost.exe
4736 PresentationHost.exe
2688 EhStorAuthn.exe
4812 AtBroker.exe

pid	process
3052	mspaint.exe
2600	Narrator.exe
4736	PresentationHost.exe
2688	EhStorAuthn.exe
4812	AtBroker.exe

pid	process
3052	mspaint.exe
4736	PresentationHost.exe
4736	PresentationHost.exe
2688	EhStorAuthn.exe
4812	AtBroker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Ib2gVT9j7ne\\EhStorAuthn.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

AtBroker.exerundll32.exemspaint.exeEhStorAuthn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AtBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104
3104

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3104

pid	process
3104

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 3104 wrote to memory of 460	3104	mspaint.exe
PID 3104 wrote to memory of 460	3104	mspaint.exe
PID 3104 wrote to memory of 3052	3104	mspaint.exe
PID 3104 wrote to memory of 3052	3104	mspaint.exe
PID 3104 wrote to memory of 2588	3104	Narrator.exe
PID 3104 wrote to memory of 2588	3104	Narrator.exe
PID 3104 wrote to memory of 4768	3104	PresentationHost.exe
PID 3104 wrote to memory of 4768	3104	PresentationHost.exe
PID 3104 wrote to memory of 4736	3104	PresentationHost.exe
PID 3104 wrote to memory of 4736	3104	PresentationHost.exe
PID 3104 wrote to memory of 4928	3104	EhStorAuthn.exe
PID 3104 wrote to memory of 4928	3104	EhStorAuthn.exe
PID 3104 wrote to memory of 2688	3104	EhStorAuthn.exe
PID 3104 wrote to memory of 2688	3104	EhStorAuthn.exe
PID 3104 wrote to memory of 2752	3104	AtBroker.exe
PID 3104 wrote to memory of 2752	3104	AtBroker.exe
PID 3104 wrote to memory of 4812	3104	AtBroker.exe
PID 3104 wrote to memory of 4812	3104	AtBroker.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ac789285c91a1777f5c5cfb1e0c6d93f1a06856849ef005f471cb6641b05a8ee.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:460

C:\Users\Admin\AppData\Local\AzmjDnJ\mspaint.exe
C:\Users\Admin\AppData\Local\AzmjDnJ\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3052

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:2588

C:\Users\Admin\AppData\Local\FO2Kr9o19\Narrator.exe
C:\Users\Admin\AppData\Local\FO2Kr9o19\Narrator.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:4768

C:\Users\Admin\AppData\Local\mfSFZ7R\PresentationHost.exe
C:\Users\Admin\AppData\Local\mfSFZ7R\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4736

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:4928

C:\Users\Admin\AppData\Local\oOB2gOcSR\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\oOB2gOcSR\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2688

C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
1⤵
PID:2752

C:\Users\Admin\AppData\Local\A4B0TILNP\AtBroker.exe
C:\Users\Admin\AppData\Local\A4B0TILNP\AtBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\A4B0TILNP\AtBroker.exe
Filesize
90KB

MD5
30076e434a015bdf4c136e09351882cc

SHA1
584c958a35e23083a0861421357405afd26d9a0c

SHA256
ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd

SHA512
675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

Download Submit
C:\Users\Admin\AppData\Local\A4B0TILNP\UxTheme.dll
Filesize
1.2MB

MD5
bc2607e96d5d304a34817811c37ee2a6

SHA1
43d3091a7fe9c3625a8f1b8e6a6c134128552d4e

SHA256
f1c56bde9e840fb5caa1cd32aa1bfcb32036f90e8e9cfa10a154c34fb1d3ce7d

SHA512
211e0eac228069e2fecf134bd4bb2c8cb851019a2f02b5671221822bd84c131a2e86dd7191ca783d16211737e7e650f46fe702b6aed00517bb3cab6c5a936c4e

Download Submit
C:\Users\Admin\AppData\Local\A4B0TILNP\UxTheme.dll
Filesize
1.2MB

MD5
bc2607e96d5d304a34817811c37ee2a6

SHA1
43d3091a7fe9c3625a8f1b8e6a6c134128552d4e

SHA256
f1c56bde9e840fb5caa1cd32aa1bfcb32036f90e8e9cfa10a154c34fb1d3ce7d

SHA512
211e0eac228069e2fecf134bd4bb2c8cb851019a2f02b5671221822bd84c131a2e86dd7191ca783d16211737e7e650f46fe702b6aed00517bb3cab6c5a936c4e

Download Submit
C:\Users\Admin\AppData\Local\AzmjDnJ\WINMM.dll
Filesize
1.2MB

MD5
ea41693084fb5c04ee51981b32bfd9cc

SHA1
2e39070412025e7b1c3b21c1c26f805af57609fc

SHA256
f5af942686cf0272bae2318c770d550adb99c40a096142c9bfb0b078df8e7b4b

SHA512
89b2b06f4dca1fe03c7be5587463676b08ed46c3ae78ba95629e32748ee8532e30c7bb9a50a42a50f45a8789127d00b825b5a4533291e89ed64cd4c373644948

Download Submit
C:\Users\Admin\AppData\Local\AzmjDnJ\WINMM.dll
Filesize
1.2MB

MD5
ea41693084fb5c04ee51981b32bfd9cc

SHA1
2e39070412025e7b1c3b21c1c26f805af57609fc

SHA256
f5af942686cf0272bae2318c770d550adb99c40a096142c9bfb0b078df8e7b4b

SHA512
89b2b06f4dca1fe03c7be5587463676b08ed46c3ae78ba95629e32748ee8532e30c7bb9a50a42a50f45a8789127d00b825b5a4533291e89ed64cd4c373644948

Download Submit
C:\Users\Admin\AppData\Local\AzmjDnJ\mspaint.exe
Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\AzmjDnJ\mspaint.exe
Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\FO2Kr9o19\Narrator.exe
Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\mfSFZ7R\PresentationHost.exe
Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\mfSFZ7R\VERSION.dll
Filesize
1.2MB

MD5
481ee38f68dc3dfb53a61d66d9a6f575

SHA1
60a4d8d3db42c36cae420510b9c26ce46a75bc9f

SHA256
42f8fd9c88b045bddd8f9994abfe15d3802e40f4e7dcf7e3ae0f48659582001d

SHA512
7036703dbbebae362e751ba7b33dce218824847301f6a712e217c8482bb6315c9d0ae1ac302dd0d5d6a89ccbfcf792fffd745511b5370c544067ab254eefb50d

Download Submit
C:\Users\Admin\AppData\Local\mfSFZ7R\VERSION.dll
Filesize
1.2MB

MD5
481ee38f68dc3dfb53a61d66d9a6f575

SHA1
60a4d8d3db42c36cae420510b9c26ce46a75bc9f

SHA256
42f8fd9c88b045bddd8f9994abfe15d3802e40f4e7dcf7e3ae0f48659582001d

SHA512
7036703dbbebae362e751ba7b33dce218824847301f6a712e217c8482bb6315c9d0ae1ac302dd0d5d6a89ccbfcf792fffd745511b5370c544067ab254eefb50d

Download Submit
C:\Users\Admin\AppData\Local\mfSFZ7R\VERSION.dll
Filesize
1.2MB

MD5
481ee38f68dc3dfb53a61d66d9a6f575

SHA1
60a4d8d3db42c36cae420510b9c26ce46a75bc9f

SHA256
42f8fd9c88b045bddd8f9994abfe15d3802e40f4e7dcf7e3ae0f48659582001d

SHA512
7036703dbbebae362e751ba7b33dce218824847301f6a712e217c8482bb6315c9d0ae1ac302dd0d5d6a89ccbfcf792fffd745511b5370c544067ab254eefb50d

Download Submit
C:\Users\Admin\AppData\Local\oOB2gOcSR\EhStorAuthn.exe
Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\oOB2gOcSR\UxTheme.dll
Filesize
1.2MB

MD5
7fa2396f2bd4de01a7d68580d98952fc

SHA1
4ff7c875e82cf82cfed85a8318e59a8172f37f51

SHA256
817447291138ce366fa96489ac398ac829b80bffe241a152f3ef0240ce280865

SHA512
22304ab9d50ba7ecc9d49a8b643de1265d63a98e4eaf3fafd88de80543b2c085d994f48738c05278fae2d8d5febd14c8eaf6dd1eba515f3a47661eed0e67d0c4

Download Submit
C:\Users\Admin\AppData\Local\oOB2gOcSR\UxTheme.dll
Filesize
1.2MB

MD5
7fa2396f2bd4de01a7d68580d98952fc

SHA1
4ff7c875e82cf82cfed85a8318e59a8172f37f51

SHA256
817447291138ce366fa96489ac398ac829b80bffe241a152f3ef0240ce280865

SHA512
22304ab9d50ba7ecc9d49a8b643de1265d63a98e4eaf3fafd88de80543b2c085d994f48738c05278fae2d8d5febd14c8eaf6dd1eba515f3a47661eed0e67d0c4

Download Submit
memory/1560-134-0x0000024295C00000-0x0000024295C07000-memory.dmp

Filesize
28KB

Download
memory/1560-130-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2688-183-0x0000025BE4860000-0x0000025BE4867000-memory.dmp

Filesize
28KB

Download
memory/2688-179-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2688-175-0x0000000000000000-mapping.dmp

Download
memory/3052-159-0x0000000000000000-mapping.dmp

Download
memory/3052-164-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3052-168-0x00000209E5850000-0x00000209E5857000-memory.dmp

Filesize
28KB

Download
memory/3104-146-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-157-0x0000000000570000-0x0000000000577000-memory.dmp

Filesize
28KB

Download
memory/3104-139-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-145-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-138-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-136-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-142-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-143-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-144-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-140-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-158-0x00007FFE9EB10000-0x00007FFE9EB20000-memory.dmp

Filesize
64KB

Download
memory/3104-155-0x00007FFE9EBFC000-0x00007FFE9EBFD000-memory.dmp

Filesize
4KB

Download
memory/3104-156-0x00007FFE9EBCC000-0x00007FFE9EBCD000-memory.dmp

Filesize
4KB

Download
memory/3104-141-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3104-135-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/3104-137-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4736-170-0x0000000000000000-mapping.dmp

Download
memory/4812-184-0x0000000000000000-mapping.dmp

Download
memory/4812-192-0x0000019EA5780000-0x0000019EA5787000-memory.dmp

Filesize
28KB

Download