dridex | a8faa4ec743ad43c615766b2eade75d45186f3657f72555dd2b097b0abe2e3b5

Analysis

max time kernel
176s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8faa4ec743ad43c615766b2eade75d45186f3657f72555dd2b097b0abe2e3b5.dll
Size

999KB
MD5

ac5bf7efa1660de78283ac86e057bb7c
SHA1

4a5d68d13ad08445ec490efb7c960e2b5f78062e
SHA256

a8faa4ec743ad43c615766b2eade75d45186f3657f72555dd2b097b0abe2e3b5
SHA512

f9a3bdaac6ab9f6a20a9b0de8244c42c7287a86c18a3d03a45c3a6036322668d78752ef3d09169cfb951b6c83a11731afd74c9158b097df780491c3d13a2e45d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3172-135-0x0000000001360000-0x0000000001361000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ie4ushowIE.exeSysResetErr.exeDevicePairingWizard.exe

pid process

3160 ie4ushowIE.exe
2944 SysResetErr.exe
1192 DevicePairingWizard.exe
Loads dropped DLL 3 IoCs

Processes:

ie4ushowIE.exeSysResetErr.exeDevicePairingWizard.exe

pid process

3160 ie4ushowIE.exe
2944 SysResetErr.exe
1192 DevicePairingWizard.exe

pid	process
3160	ie4ushowIE.exe
2944	SysResetErr.exe
1192	DevicePairingWizard.exe

pid	process
3160	ie4ushowIE.exe
2944	SysResetErr.exe
1192	DevicePairingWizard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\9sGvDX4ByX\\SysResetErr.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ie4ushowIE.exeSysResetErr.exeDevicePairingWizard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
2200	regsvr32.exe
2200	regsvr32.exe
2200	regsvr32.exe
2200	regsvr32.exe
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3172

pid	process
3172

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3172 wrote to memory of 2600	3172	ie4ushowIE.exe
PID 3172 wrote to memory of 2600	3172	ie4ushowIE.exe
PID 3172 wrote to memory of 3160	3172	ie4ushowIE.exe
PID 3172 wrote to memory of 3160	3172	ie4ushowIE.exe
PID 3172 wrote to memory of 1480	3172	SysResetErr.exe
PID 3172 wrote to memory of 1480	3172	SysResetErr.exe
PID 3172 wrote to memory of 2944	3172	SysResetErr.exe
PID 3172 wrote to memory of 2944	3172	SysResetErr.exe
PID 3172 wrote to memory of 4812	3172	DevicePairingWizard.exe
PID 3172 wrote to memory of 4812	3172	DevicePairingWizard.exe
PID 3172 wrote to memory of 1192	3172	DevicePairingWizard.exe
PID 3172 wrote to memory of 1192	3172	DevicePairingWizard.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a8faa4ec743ad43c615766b2eade75d45186f3657f72555dd2b097b0abe2e3b5.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:2600

C:\Users\Admin\AppData\Local\O0PVOl\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\O0PVOl\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3160

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:1480

C:\Users\Admin\AppData\Local\ILU5SDJZ\SysResetErr.exe
C:\Users\Admin\AppData\Local\ILU5SDJZ\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2944

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:4812

C:\Users\Admin\AppData\Local\QHw\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\QHw\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ILU5SDJZ\DUI70.dll
Filesize
1.2MB

MD5
840c398d540b7169e09ba086267cfb98

SHA1
984f1d5ef8e004a7f515b2f6555cb9608d02fbbd

SHA256
ed24b8be3ca8c087da5411a63feee4869290f0c01b73f6484288364b37b99c02

SHA512
da321ad69fa5fd9e097f9fcbe805fae1a549a5a8bc2e14e77e4352506c2dad168e60317bdf5fe361f70e8b6388ee7c8d97d166beb137fa156c8b80bd6eaa1312

Download Submit
C:\Users\Admin\AppData\Local\ILU5SDJZ\DUI70.dll
Filesize
1.2MB

MD5
840c398d540b7169e09ba086267cfb98

SHA1
984f1d5ef8e004a7f515b2f6555cb9608d02fbbd

SHA256
ed24b8be3ca8c087da5411a63feee4869290f0c01b73f6484288364b37b99c02

SHA512
da321ad69fa5fd9e097f9fcbe805fae1a549a5a8bc2e14e77e4352506c2dad168e60317bdf5fe361f70e8b6388ee7c8d97d166beb137fa156c8b80bd6eaa1312

Download Submit
C:\Users\Admin\AppData\Local\ILU5SDJZ\SysResetErr.exe
Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\O0PVOl\VERSION.dll
Filesize
1001KB

MD5
eb5fe0a13cf010c2dc9681c2acc5bc79

SHA1
1b8219eea7a5cdba34618ed60a673869a70fd576

SHA256
a191b9aeeae65cad351852895eec43acbe268e4d34173014281f840ecdfdf6a1

SHA512
888a0a29d57dccb9425655c2d56d46da0fb90a1caccf7571a501a85e5b8026ec9bf072019455975ccde5ff6a3b12b891cb0b7b1ffc3356de1959eb435302d112

Download Submit
C:\Users\Admin\AppData\Local\O0PVOl\VERSION.dll
Filesize
1001KB

MD5
eb5fe0a13cf010c2dc9681c2acc5bc79

SHA1
1b8219eea7a5cdba34618ed60a673869a70fd576

SHA256
a191b9aeeae65cad351852895eec43acbe268e4d34173014281f840ecdfdf6a1

SHA512
888a0a29d57dccb9425655c2d56d46da0fb90a1caccf7571a501a85e5b8026ec9bf072019455975ccde5ff6a3b12b891cb0b7b1ffc3356de1959eb435302d112

Download Submit
C:\Users\Admin\AppData\Local\O0PVOl\ie4ushowIE.exe
Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\QHw\DevicePairingWizard.exe
Filesize
93KB

MD5
d0e40a5a0c7dad2d6e5040d7fbc37533

SHA1
b0eabbd37a97a1abcd90bd56394f5c45585699eb

SHA256
2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

SHA512
1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

Download Submit
C:\Users\Admin\AppData\Local\QHw\MFC42u.dll
Filesize
1.0MB

MD5
ef4c07acaad2e89509a68b0ef6924687

SHA1
f861dad7253c5a0c459e462f7c52f37175312a99

SHA256
c7f669d52edb72ff2471d8fdf7cad93154afb01390b59efa95034f1f75b63506

SHA512
17e917f7d50686425fb93d1db3db790351d0466f1d4acf8b602c50077a6b8885955c947381c9d522a9c2cf5cf8485b028ca9547d17eaae4d8ed22aebf4916990

Download Submit
C:\Users\Admin\AppData\Local\QHw\MFC42u.dll
Filesize
1.0MB

MD5
ef4c07acaad2e89509a68b0ef6924687

SHA1
f861dad7253c5a0c459e462f7c52f37175312a99

SHA256
c7f669d52edb72ff2471d8fdf7cad93154afb01390b59efa95034f1f75b63506

SHA512
17e917f7d50686425fb93d1db3db790351d0466f1d4acf8b602c50077a6b8885955c947381c9d522a9c2cf5cf8485b028ca9547d17eaae4d8ed22aebf4916990

Download Submit
memory/1192-177-0x0000000000000000-mapping.dmp

Download
memory/1192-182-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/1192-181-0x0000014F3F310000-0x0000014F3F317000-memory.dmp

Filesize
28KB

Download
memory/2200-130-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/2200-134-0x0000000000AB0000-0x0000000000AB7000-memory.dmp

Filesize
28KB

Download
memory/2944-176-0x000001DB36C50000-0x000001DB36C57000-memory.dmp

Filesize
28KB

Download
memory/2944-168-0x0000000000000000-mapping.dmp

Download
memory/2944-172-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3160-159-0x0000000000000000-mapping.dmp

Download
memory/3160-163-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3160-167-0x00000183AE920000-0x00000183AE927000-memory.dmp

Filesize
28KB

Download
memory/3172-144-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-143-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-157-0x00007FFC3B5AC000-0x00007FFC3B5AD000-memory.dmp

Filesize
4KB

Download
memory/3172-156-0x00007FFC3B5DC000-0x00007FFC3B5DD000-memory.dmp

Filesize
4KB

Download
memory/3172-146-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-145-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-158-0x00007FFC3B4F0000-0x00007FFC3B500000-memory.dmp

Filesize
64KB

Download
memory/3172-149-0x00000000012B0000-0x00000000012B7000-memory.dmp

Filesize
28KB

Download
memory/3172-142-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-141-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-140-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-139-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-138-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-136-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-137-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3172-135-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download