dridex | 35de1c7ca742f0f5e25b9ffcf632bac7e50bd68d11b31cf1fcf66c6065265f71

Analysis

max time kernel
163s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35de1c7ca742f0f5e25b9ffcf632bac7e50bd68d11b31cf1fcf66c6065265f71.dll
Size

1000KB
MD5

a1802c11c7ddd2eada359d6de66a3f92
SHA1

232773f600292d53111d1bfb13117553da7c497e
SHA256

35de1c7ca742f0f5e25b9ffcf632bac7e50bd68d11b31cf1fcf66c6065265f71
SHA512

48b1a0176e19d4c281856605cdd446893bfc378d78152e92c69ab390e465485b65dda5d19ed7c5e284600854c6208f71f5dd42c10c8799048025164989db630d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3292-135-0x00000000015F0000-0x00000000015F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizardElev.exeraserver.exebdechangepin.exe

pid process

1160 BitLockerWizardElev.exe
4800 raserver.exe
1108 bdechangepin.exe
Loads dropped DLL 3 IoCs

Processes:

BitLockerWizardElev.exeraserver.exebdechangepin.exe

pid process

1160 BitLockerWizardElev.exe
4800 raserver.exe
1108 bdechangepin.exe

pid	process
1160	BitLockerWizardElev.exe
4800	raserver.exe
1108	bdechangepin.exe

pid	process
1160	BitLockerWizardElev.exe
4800	raserver.exe
1108	bdechangepin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\Oz1js6CaB\\raserver.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeBitLockerWizardElev.exeraserver.exebdechangepin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1084	rundll32.exe
1084	rundll32.exe
1084	rundll32.exe
1084	rundll32.exe
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3292

pid	process
3292

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3292 wrote to memory of 624	3292	BitLockerWizardElev.exe
PID 3292 wrote to memory of 624	3292	BitLockerWizardElev.exe
PID 3292 wrote to memory of 1160	3292	BitLockerWizardElev.exe
PID 3292 wrote to memory of 1160	3292	BitLockerWizardElev.exe
PID 3292 wrote to memory of 980	3292	raserver.exe
PID 3292 wrote to memory of 980	3292	raserver.exe
PID 3292 wrote to memory of 4800	3292	raserver.exe
PID 3292 wrote to memory of 4800	3292	raserver.exe
PID 3292 wrote to memory of 1128	3292	bdechangepin.exe
PID 3292 wrote to memory of 1128	3292	bdechangepin.exe
PID 3292 wrote to memory of 1108	3292	bdechangepin.exe
PID 3292 wrote to memory of 1108	3292	bdechangepin.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\35de1c7ca742f0f5e25b9ffcf632bac7e50bd68d11b31cf1fcf66c6065265f71.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1084

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:624

C:\Users\Admin\AppData\Local\bau6qreww\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\bau6qreww\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1160

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:980

C:\Users\Admin\AppData\Local\H3E08so\raserver.exe
C:\Users\Admin\AppData\Local\H3E08so\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4800

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:1128

C:\Users\Admin\AppData\Local\VbWl0E9\bdechangepin.exe
C:\Users\Admin\AppData\Local\VbWl0E9\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\H3E08so\WTSAPI32.dll
Filesize
1003KB

MD5
0a42215bb1efa11524b5e411532012f6

SHA1
cbc619e434f7accd668e67fd07b977600d86ef5b

SHA256
97957ecad72d1da5fea382133b1a9b315c74fd4c22a07e8e6b95da7e6bcc25ca

SHA512
aa79c047456fc7d7173b6cd8a2d6f27a5e6ee89286e9c7b3b845581c15d3468a55f6cd7f8b1d38f22dca536dc30d53fa0df87bdfc24c4ace3be0b459a85bb113

Download Submit
C:\Users\Admin\AppData\Local\H3E08so\WTSAPI32.dll
Filesize
1003KB

MD5
0a42215bb1efa11524b5e411532012f6

SHA1
cbc619e434f7accd668e67fd07b977600d86ef5b

SHA256
97957ecad72d1da5fea382133b1a9b315c74fd4c22a07e8e6b95da7e6bcc25ca

SHA512
aa79c047456fc7d7173b6cd8a2d6f27a5e6ee89286e9c7b3b845581c15d3468a55f6cd7f8b1d38f22dca536dc30d53fa0df87bdfc24c4ace3be0b459a85bb113

Download Submit
C:\Users\Admin\AppData\Local\H3E08so\raserver.exe
Filesize
132KB

MD5
d1841c6ee4ea45794ced131d4b68b60e

SHA1
4be6d2116060d7c723ac2d0b5504efe23198ea01

SHA256
38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

SHA512
d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

Download Submit
C:\Users\Admin\AppData\Local\VbWl0E9\DUI70.dll
Filesize
1.2MB

MD5
6407569e32f52b1b481d2471c866686a

SHA1
893ee9f314e6e2f2f536a05243641ee932f59339

SHA256
d42cd48ad91968bf8300bc01a911d6cb40ad8f0741eee86d882e0deea2477d52

SHA512
ab92e41e51c61d0139cd5409a916701debaed7230e45b50e155fa5b5d17b83b77d7bd412c8e6bbcb80d8f44392dc07ea11bb3828e3ba2e07f0224a4701a7b41b

Download Submit
C:\Users\Admin\AppData\Local\VbWl0E9\DUI70.dll
Filesize
1.2MB

MD5
6407569e32f52b1b481d2471c866686a

SHA1
893ee9f314e6e2f2f536a05243641ee932f59339

SHA256
d42cd48ad91968bf8300bc01a911d6cb40ad8f0741eee86d882e0deea2477d52

SHA512
ab92e41e51c61d0139cd5409a916701debaed7230e45b50e155fa5b5d17b83b77d7bd412c8e6bbcb80d8f44392dc07ea11bb3828e3ba2e07f0224a4701a7b41b

Download Submit
C:\Users\Admin\AppData\Local\VbWl0E9\bdechangepin.exe
Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Local\bau6qreww\BitLockerWizardElev.exe
Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\bau6qreww\FVEWIZ.dll
Filesize
1003KB

MD5
cb55f67bc817e332be9bca509bb70b6d

SHA1
7229ecab85ec3ebb1d34767f4b1b267f0d98a0aa

SHA256
de5aab2b6db8f2f7ef83c8696c78a66be7e56b48c6c42e3df537e82c1a42b970

SHA512
85d792437bbb8975d4586bae337c79f469193bc97cc0c626ad3c7d2975199db71d66e4eb6086e095ea676679bd999c54db9f869c1f42ca2074d9230fc910fe0f

Download Submit
C:\Users\Admin\AppData\Local\bau6qreww\FVEWIZ.dll
Filesize
1003KB

MD5
cb55f67bc817e332be9bca509bb70b6d

SHA1
7229ecab85ec3ebb1d34767f4b1b267f0d98a0aa

SHA256
de5aab2b6db8f2f7ef83c8696c78a66be7e56b48c6c42e3df537e82c1a42b970

SHA512
85d792437bbb8975d4586bae337c79f469193bc97cc0c626ad3c7d2975199db71d66e4eb6086e095ea676679bd999c54db9f869c1f42ca2074d9230fc910fe0f

Download Submit
memory/1084-134-0x000002B7695D0000-0x000002B7695D7000-memory.dmp

Filesize
28KB

Download
memory/1084-130-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1108-177-0x0000000000000000-mapping.dmp

Download
memory/1108-181-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1108-185-0x000001702BA30000-0x000001702BA37000-memory.dmp

Filesize
28KB

Download
memory/1160-159-0x0000000000000000-mapping.dmp

Download
memory/1160-167-0x00000226A3420000-0x00000226A3427000-memory.dmp

Filesize
28KB

Download
memory/1160-163-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3292-157-0x00000000013B0000-0x00000000013B7000-memory.dmp

Filesize
28KB

Download
memory/3292-142-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-155-0x00007FFDFAB3C000-0x00007FFDFAB3D000-memory.dmp

Filesize
4KB

Download
memory/3292-156-0x00007FFDFAB0C000-0x00007FFDFAB0D000-memory.dmp

Filesize
4KB

Download
memory/3292-146-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-145-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-144-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-135-0x00000000015F0000-0x00000000015F1000-memory.dmp

Filesize
4KB

Download
memory/3292-143-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-158-0x00007FFDFAA50000-0x00007FFDFAA60000-memory.dmp

Filesize
64KB

Download
memory/3292-141-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-136-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-140-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-139-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-138-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/3292-137-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/4800-176-0x000001C0B62F0000-0x000001C0B62F7000-memory.dmp

Filesize
28KB

Download
memory/4800-168-0x0000000000000000-mapping.dmp

Download