dridex | 8cf6c8d142639514e363103f0e9768f4847b0068c2eae252c45c782c5773ab60

Analysis

max time kernel
170s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cf6c8d142639514e363103f0e9768f4847b0068c2eae252c45c782c5773ab60.dll
Size

970KB
MD5

c57bd52b697bb4e7d84966e7e1060dcf
SHA1

bcae0790539d3753a5ddf7707a12068c3733a3b2
SHA256

8cf6c8d142639514e363103f0e9768f4847b0068c2eae252c45c782c5773ab60
SHA512

61d3830fe1d54f80ef1a5cb03f272f9148f897ceb132537c66117a287770fe48dc74a1a3e291c011c18c467ebeaf73b3b9f79802760bc6d8504b0ccd02cd3f0a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1268-59-0x00000000029F0000-0x00000000029F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mblctr.exerdpclip.exeiexpress.exe

pid process

1168 mblctr.exe
1408 rdpclip.exe
752 iexpress.exe
Loads dropped DLL 7 IoCs

Processes:

mblctr.exerdpclip.exeiexpress.exe

pid process

1268
1168 mblctr.exe
1268
1408 rdpclip.exe
1268
752 iexpress.exe
1268

pid	process
1168	mblctr.exe
1408	rdpclip.exe
752	iexpress.exe

pid	process
1268
1168	mblctr.exe
1268
1408	rdpclip.exe
1268
752	iexpress.exe
1268

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\z6\\rdpclip.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mblctr.exerdpclip.exeiexpress.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exemblctr.exe

pid	process
892	rundll32.exe
892	rundll32.exe
892	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1168	mblctr.exe
1168	mblctr.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 664	1268	mblctr.exe
PID 1268 wrote to memory of 664	1268	mblctr.exe
PID 1268 wrote to memory of 664	1268	mblctr.exe
PID 1268 wrote to memory of 1168	1268	mblctr.exe
PID 1268 wrote to memory of 1168	1268	mblctr.exe
PID 1268 wrote to memory of 1168	1268	mblctr.exe
PID 1268 wrote to memory of 1564	1268	rdpclip.exe
PID 1268 wrote to memory of 1564	1268	rdpclip.exe
PID 1268 wrote to memory of 1564	1268	rdpclip.exe
PID 1268 wrote to memory of 1408	1268	rdpclip.exe
PID 1268 wrote to memory of 1408	1268	rdpclip.exe
PID 1268 wrote to memory of 1408	1268	rdpclip.exe
PID 1268 wrote to memory of 300	1268	iexpress.exe
PID 1268 wrote to memory of 300	1268	iexpress.exe
PID 1268 wrote to memory of 300	1268	iexpress.exe
PID 1268 wrote to memory of 752	1268	iexpress.exe
PID 1268 wrote to memory of 752	1268	iexpress.exe
PID 1268 wrote to memory of 752	1268	iexpress.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8cf6c8d142639514e363103f0e9768f4847b0068c2eae252c45c782c5773ab60.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:892

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:664

C:\Users\Admin\AppData\Local\1Bk5s\mblctr.exe
C:\Users\Admin\AppData\Local\1Bk5s\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:1564

C:\Users\Admin\AppData\Local\v3UEgU\rdpclip.exe
C:\Users\Admin\AppData\Local\v3UEgU\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1408

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:300

C:\Users\Admin\AppData\Local\dBC3\iexpress.exe
C:\Users\Admin\AppData\Local\dBC3\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:752

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1Bk5s\WINMM.dll
Filesize
975KB

MD5
6f8813d73a068d9db424ba34ea901a74

SHA1
5a00ac9f441a4fa8fa431afcd21fb99915e9c3ed

SHA256
7d03d5315535c764e9dafc5fed8316c9edbfeddc91b258856118896198b2db09

SHA512
2d43c5be909ad9175a8aa250b6fd158bb88f5331808d6727b55113b34a5f48984abc197cb0fa7dac0d5b114b888be9d312f7f785f95fb1bae59396c8db723892

Download Submit
C:\Users\Admin\AppData\Local\1Bk5s\mblctr.exe
Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
C:\Users\Admin\AppData\Local\dBC3\VERSION.dll
Filesize
971KB

MD5
f05c2c2378cd9a820c1e49f3f110e00a

SHA1
a2364e6ba63ca3410a6adc580042aa5d50b4482b

SHA256
76abf7207668551d3cceedccfbedf9f964d7b20a9513bfb3db676b7a24ee4ded

SHA512
4d30428fa0b769bca852a13fc0c45e4aad6d294f25238b22390c9d78eb61faab42ad5e9b3d6effb7524b241dd872b78346b22d04c97c305e6b408e5ebdd6b623

Download Submit
C:\Users\Admin\AppData\Local\dBC3\iexpress.exe
Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
C:\Users\Admin\AppData\Local\v3UEgU\WINSTA.dll
Filesize
976KB

MD5
8ea3ae2ef10f6f0c37e52e92a12a9a49

SHA1
96a9e20e44729738121ab61ef61250da30763ded

SHA256
898d514f93dd85a5b35f2617130c7aaed054b30070c360f92f21a93a39145448

SHA512
a9b6ee8cfa103fb89b3fd86fd082dc814a2a8a020dfd29d68326fb1152a5ee72089c39b7f7c953d3020ae637ff1e0664ca83992e32b3702f25f67bef2f16d42b

Download Submit
C:\Users\Admin\AppData\Local\v3UEgU\rdpclip.exe
Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Local\1Bk5s\WINMM.dll
Filesize
975KB

MD5
6f8813d73a068d9db424ba34ea901a74

SHA1
5a00ac9f441a4fa8fa431afcd21fb99915e9c3ed

SHA256
7d03d5315535c764e9dafc5fed8316c9edbfeddc91b258856118896198b2db09

SHA512
2d43c5be909ad9175a8aa250b6fd158bb88f5331808d6727b55113b34a5f48984abc197cb0fa7dac0d5b114b888be9d312f7f785f95fb1bae59396c8db723892

Download Submit
\Users\Admin\AppData\Local\1Bk5s\mblctr.exe
Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
\Users\Admin\AppData\Local\dBC3\VERSION.dll
Filesize
971KB

MD5
f05c2c2378cd9a820c1e49f3f110e00a

SHA1
a2364e6ba63ca3410a6adc580042aa5d50b4482b

SHA256
76abf7207668551d3cceedccfbedf9f964d7b20a9513bfb3db676b7a24ee4ded

SHA512
4d30428fa0b769bca852a13fc0c45e4aad6d294f25238b22390c9d78eb61faab42ad5e9b3d6effb7524b241dd872b78346b22d04c97c305e6b408e5ebdd6b623

Download Submit
\Users\Admin\AppData\Local\dBC3\iexpress.exe
Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\v3UEgU\WINSTA.dll
Filesize
976KB

MD5
8ea3ae2ef10f6f0c37e52e92a12a9a49

SHA1
96a9e20e44729738121ab61ef61250da30763ded

SHA256
898d514f93dd85a5b35f2617130c7aaed054b30070c360f92f21a93a39145448

SHA512
a9b6ee8cfa103fb89b3fd86fd082dc814a2a8a020dfd29d68326fb1152a5ee72089c39b7f7c953d3020ae637ff1e0664ca83992e32b3702f25f67bef2f16d42b

Download Submit
\Users\Admin\AppData\Local\v3UEgU\rdpclip.exe
Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\ij\iexpress.exe
Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
memory/752-111-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/752-107-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/752-103-0x0000000000000000-mapping.dmp

Download
memory/892-54-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/892-58-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1168-86-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

Filesize
8KB

Download
memory/1168-87-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/1168-82-0x0000000000000000-mapping.dmp

Download
memory/1168-91-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1268-60-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-70-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-67-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-64-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-61-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-66-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-79-0x00000000029D0000-0x00000000029D7000-memory.dmp

Filesize
28KB

Download
memory/1268-63-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-80-0x0000000077480000-0x0000000077482000-memory.dmp

Filesize
8KB

Download
memory/1268-59-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1268-65-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-68-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-69-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1268-62-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1408-101-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1408-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads