dridex | d95eec365ca1737b4a967ec123f3d2fc0115c92672aa08a8f7b153dd05d6569b

Analysis

max time kernel
163s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d95eec365ca1737b4a967ec123f3d2fc0115c92672aa08a8f7b153dd05d6569b.dll
Size

689KB
MD5

b1cdb53b8ab59c27a81d06855ba5b6bd
SHA1

1725f3f1f6a59e2349846136291da89e568d0286
SHA256

d95eec365ca1737b4a967ec123f3d2fc0115c92672aa08a8f7b153dd05d6569b
SHA512

31b62bfac64df1f534e44466d896bd80c46fed15f4ea7c0db6d65a6727ffb21d9ab47ee573d8878cbb8c11fe173aefa12261b502bf6279dc653348b27f39be8a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 4 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3512-130-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/2796-159-0x0000000140000000-0x00000001400F7000-memory.dmp	dridex_payload
behavioral2/memory/4912-173-0x0000000140000000-0x00000001400B8000-memory.dmp	dridex_payload
behavioral2/memory/2372-181-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/680-134-0x0000000000A30000-0x0000000000A31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

dpapimig.exeie4uinit.exeeudcedit.exemstsc.exe

pid process

2796 dpapimig.exe
2176 ie4uinit.exe
4912 eudcedit.exe
2372 mstsc.exe
Loads dropped DLL 6 IoCs

Processes:

dpapimig.exeie4uinit.exeeudcedit.exemstsc.exe

pid process

2796 dpapimig.exe
2176 ie4uinit.exe
2176 ie4uinit.exe
2176 ie4uinit.exe
4912 eudcedit.exe
2372 mstsc.exe

pid	process
2796	dpapimig.exe
2176	ie4uinit.exe
4912	eudcedit.exe
2372	mstsc.exe

pid	process
2796	dpapimig.exe
2176	ie4uinit.exe
2176	ie4uinit.exe
2176	ie4uinit.exe
4912	eudcedit.exe
2372	mstsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\PtzopllixS\\eudcedit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dpapimig.exeeudcedit.exemstsc.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3512	rundll32.exe
3512	rundll32.exe
3512	rundll32.exe
3512	rundll32.exe
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680
680

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

680

pid	process
680

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

description	pid	target process
PID 680 wrote to memory of 3472	680	dpapimig.exe
PID 680 wrote to memory of 3472	680	dpapimig.exe
PID 680 wrote to memory of 2796	680	dpapimig.exe
PID 680 wrote to memory of 2796	680	dpapimig.exe
PID 680 wrote to memory of 2100	680	ie4uinit.exe
PID 680 wrote to memory of 2100	680	ie4uinit.exe
PID 680 wrote to memory of 2176	680	ie4uinit.exe
PID 680 wrote to memory of 2176	680	ie4uinit.exe
PID 680 wrote to memory of 3252	680	eudcedit.exe
PID 680 wrote to memory of 3252	680	eudcedit.exe
PID 680 wrote to memory of 4912	680	eudcedit.exe
PID 680 wrote to memory of 4912	680	eudcedit.exe
PID 680 wrote to memory of 2236	680	mstsc.exe
PID 680 wrote to memory of 2236	680	mstsc.exe
PID 680 wrote to memory of 2372	680	mstsc.exe
PID 680 wrote to memory of 2372	680	mstsc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d95eec365ca1737b4a967ec123f3d2fc0115c92672aa08a8f7b153dd05d6569b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3512

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:3472

C:\Users\Admin\AppData\Local\TAuysK\dpapimig.exe
C:\Users\Admin\AppData\Local\TAuysK\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2796

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:2100

C:\Users\Admin\AppData\Local\1RGA\ie4uinit.exe
C:\Users\Admin\AppData\Local\1RGA\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:3252

C:\Users\Admin\AppData\Local\M22\eudcedit.exe
C:\Users\Admin\AppData\Local\M22\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4912

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:2236

C:\Users\Admin\AppData\Local\eNnuk\mstsc.exe
C:\Users\Admin\AppData\Local\eNnuk\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1RGA\VERSION.dll
Filesize
690KB

MD5
889c57ef97e60179da4c94d3af7eb2cf

SHA1
8fa9e6ff8c46a93f379c569b349204c88bbe8eca

SHA256
84038a09475b3364750ec16ad22af92f26b70132257cae872df3f814d83e2760

SHA512
c2436ef5b99445d58ddd9fa4bdaf5f3b4be3bd0035a7f7cf0f371537b4d748da03b35f9864fb98d75158a0d24a74b3190c04769c856f50288cebc8dd146134e4

Download Submit
C:\Users\Admin\AppData\Local\1RGA\VERSION.dll
Filesize
690KB

MD5
889c57ef97e60179da4c94d3af7eb2cf

SHA1
8fa9e6ff8c46a93f379c569b349204c88bbe8eca

SHA256
84038a09475b3364750ec16ad22af92f26b70132257cae872df3f814d83e2760

SHA512
c2436ef5b99445d58ddd9fa4bdaf5f3b4be3bd0035a7f7cf0f371537b4d748da03b35f9864fb98d75158a0d24a74b3190c04769c856f50288cebc8dd146134e4

Download Submit
C:\Users\Admin\AppData\Local\1RGA\VERSION.dll
Filesize
690KB

MD5
889c57ef97e60179da4c94d3af7eb2cf

SHA1
8fa9e6ff8c46a93f379c569b349204c88bbe8eca

SHA256
84038a09475b3364750ec16ad22af92f26b70132257cae872df3f814d83e2760

SHA512
c2436ef5b99445d58ddd9fa4bdaf5f3b4be3bd0035a7f7cf0f371537b4d748da03b35f9864fb98d75158a0d24a74b3190c04769c856f50288cebc8dd146134e4

Download Submit
C:\Users\Admin\AppData\Local\1RGA\VERSION.dll
Filesize
690KB

MD5
889c57ef97e60179da4c94d3af7eb2cf

SHA1
8fa9e6ff8c46a93f379c569b349204c88bbe8eca

SHA256
84038a09475b3364750ec16ad22af92f26b70132257cae872df3f814d83e2760

SHA512
c2436ef5b99445d58ddd9fa4bdaf5f3b4be3bd0035a7f7cf0f371537b4d748da03b35f9864fb98d75158a0d24a74b3190c04769c856f50288cebc8dd146134e4

Download Submit
C:\Users\Admin\AppData\Local\1RGA\ie4uinit.exe
Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Local\M22\MFC42u.dll
Filesize
717KB

MD5
d15793f05b744fd7721da8240ee4ca99

SHA1
78dfb4e2d29d2ef3bb0e6df73b45b6f70aedb007

SHA256
69305cfbd06bf49c51584b9a38facc6c0f475eb43b6c39c8191614b68c0721f2

SHA512
0eecf5ac9fae389059bafcef6a417cd4610cbc8e11c2f478d3ec0c640f5874e46737ec8b54532b46543f63dad5e4fb4e4cf4d8572822dbf588fbd52bcdb9c440

Download Submit
C:\Users\Admin\AppData\Local\M22\MFC42u.dll
Filesize
717KB

MD5
d15793f05b744fd7721da8240ee4ca99

SHA1
78dfb4e2d29d2ef3bb0e6df73b45b6f70aedb007

SHA256
69305cfbd06bf49c51584b9a38facc6c0f475eb43b6c39c8191614b68c0721f2

SHA512
0eecf5ac9fae389059bafcef6a417cd4610cbc8e11c2f478d3ec0c640f5874e46737ec8b54532b46543f63dad5e4fb4e4cf4d8572822dbf588fbd52bcdb9c440

Download Submit
C:\Users\Admin\AppData\Local\M22\eudcedit.exe
Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Local\TAuysK\DUI70.dll
Filesize
966KB

MD5
1b7a052dd9426d3e0d3bd202c1805d12

SHA1
58aa3130fe951d4b33a97e833a454e4e0f5df6c3

SHA256
8cc332f98d219d55ae1ee33df6d277ea24c6a827c77b4c9a28cea79f46798954

SHA512
72fed6e0c72468248028aa09b19ce4eb5ff3474ebf19ad56ff2bd3dbc73ad95d2d7e79cb3b6ac1dd80cb90dd091b0ed8f5f51a929a1aa7025f89c9d0568b2b30

Download Submit
C:\Users\Admin\AppData\Local\TAuysK\DUI70.dll
Filesize
966KB

MD5
1b7a052dd9426d3e0d3bd202c1805d12

SHA1
58aa3130fe951d4b33a97e833a454e4e0f5df6c3

SHA256
8cc332f98d219d55ae1ee33df6d277ea24c6a827c77b4c9a28cea79f46798954

SHA512
72fed6e0c72468248028aa09b19ce4eb5ff3474ebf19ad56ff2bd3dbc73ad95d2d7e79cb3b6ac1dd80cb90dd091b0ed8f5f51a929a1aa7025f89c9d0568b2b30

Download Submit
C:\Users\Admin\AppData\Local\TAuysK\dpapimig.exe
Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\eNnuk\Secur32.dll
Filesize
693KB

MD5
9292c2aadc04e8f83aa9062bc8652e05

SHA1
9922f4c332bc3c25f6dd38385f6f7ac0909d9cb9

SHA256
be209e9d8ecbf64bb7fb731638efdd2ceb7b56b8186bea5b24e1793fae6bc38e

SHA512
0885a4e54b21787b87c3f522c43135ccc7aec9350d09bd47efb1ffbfe08425818dfd89e5c521b0448081ebafe10cd43abdd13941a9bc02cda693b09ac712a39d

Download Submit
C:\Users\Admin\AppData\Local\eNnuk\Secur32.dll
Filesize
693KB

MD5
9292c2aadc04e8f83aa9062bc8652e05

SHA1
9922f4c332bc3c25f6dd38385f6f7ac0909d9cb9

SHA256
be209e9d8ecbf64bb7fb731638efdd2ceb7b56b8186bea5b24e1793fae6bc38e

SHA512
0885a4e54b21787b87c3f522c43135ccc7aec9350d09bd47efb1ffbfe08425818dfd89e5c521b0448081ebafe10cd43abdd13941a9bc02cda693b09ac712a39d

Download Submit
C:\Users\Admin\AppData\Local\eNnuk\mstsc.exe
Filesize
1.5MB

MD5
3a26640414cee37ff5b36154b1a0b261

SHA1
e0c28b5fdf53a202a7543b67bbc97214bad490ed

SHA256
1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f

SHA512
76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

Download Submit
memory/680-140-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/680-135-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/680-154-0x00007FFC80BD0000-0x00007FFC80BE0000-memory.dmp

Filesize
64KB

Download
memory/680-153-0x0000000000A00000-0x0000000000A07000-memory.dmp

Filesize
28KB

Download
memory/680-152-0x00007FFC80C8C000-0x00007FFC80C8D000-memory.dmp

Filesize
4KB

Download
memory/680-134-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/680-136-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/680-137-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/680-151-0x00007FFC80CBC000-0x00007FFC80CBD000-memory.dmp

Filesize
4KB

Download
memory/680-142-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/680-138-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/680-141-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/680-139-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2176-163-0x0000000000000000-mapping.dmp

Download
memory/2372-177-0x0000000000000000-mapping.dmp

Download
memory/2372-181-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2372-184-0x0000019E0D520000-0x0000019E0D527000-memory.dmp

Filesize
28KB

Download
memory/2796-155-0x0000000000000000-mapping.dmp

Download
memory/2796-162-0x000001891CA50000-0x000001891CA57000-memory.dmp

Filesize
28KB

Download
memory/2796-159-0x0000000140000000-0x00000001400F7000-memory.dmp

Filesize
988KB

Download
memory/3512-130-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3512-133-0x00000154914A0000-0x00000154914A7000-memory.dmp

Filesize
28KB

Download
memory/4912-169-0x0000000000000000-mapping.dmp

Download
memory/4912-173-0x0000000140000000-0x00000001400B8000-memory.dmp

Filesize
736KB

Download
memory/4912-176-0x0000025BBAB30000-0x0000025BBAB37000-memory.dmp

Filesize
28KB

Download