dridex | 985a0bde29b03b987245abf186f4840538585fb6f0204e737ebc56e79d1484ea

Analysis

max time kernel
170s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

985a0bde29b03b987245abf186f4840538585fb6f0204e737ebc56e79d1484ea.dll
Size

1.2MB
MD5

dc0390d145ecd8967fa2ac796ceb7086
SHA1

6824dcf9398dc587524c61cf9b5eba8fc022da27
SHA256

985a0bde29b03b987245abf186f4840538585fb6f0204e737ebc56e79d1484ea
SHA512

80571cccc3c2dae5678547331a9ba3de522d4d48014d0e9359cdbaa9aeef260823875e374e945059919b885d1f307bbbd3f3ebf324e1eba1a6d2a7308c4eb2b4

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1268-59-0x00000000029D0000-0x00000000029D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sigverif.exeosk.exewscript.exe

pid process

1160 sigverif.exe
1060 osk.exe
268 wscript.exe
Loads dropped DLL 8 IoCs

Processes:

sigverif.exeosk.exewscript.exe

pid process

1268
1160 sigverif.exe
1268
1060 osk.exe
1268
1268
268 wscript.exe
1268

pid	process
1160	sigverif.exe
1060	osk.exe
268	wscript.exe

pid	process
1268
1160	sigverif.exe
1268
1060	osk.exe
1268
1268
268	wscript.exe
1268

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\0xAEM\\osk.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesigverif.exeosk.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesigverif.exe

pid	process
760	rundll32.exe
760	rundll32.exe
760	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1160	sigverif.exe
1160	sigverif.exe
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 520	1268	sigverif.exe
PID 1268 wrote to memory of 520	1268	sigverif.exe
PID 1268 wrote to memory of 520	1268	sigverif.exe
PID 1268 wrote to memory of 1160	1268	sigverif.exe
PID 1268 wrote to memory of 1160	1268	sigverif.exe
PID 1268 wrote to memory of 1160	1268	sigverif.exe
PID 1268 wrote to memory of 1808	1268	osk.exe
PID 1268 wrote to memory of 1808	1268	osk.exe
PID 1268 wrote to memory of 1808	1268	osk.exe
PID 1268 wrote to memory of 1060	1268	osk.exe
PID 1268 wrote to memory of 1060	1268	osk.exe
PID 1268 wrote to memory of 1060	1268	osk.exe
PID 1268 wrote to memory of 972	1268	wscript.exe
PID 1268 wrote to memory of 972	1268	wscript.exe
PID 1268 wrote to memory of 972	1268	wscript.exe
PID 1268 wrote to memory of 268	1268	wscript.exe
PID 1268 wrote to memory of 268	1268	wscript.exe
PID 1268 wrote to memory of 268	1268	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\985a0bde29b03b987245abf186f4840538585fb6f0204e737ebc56e79d1484ea.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:520

C:\Users\Admin\AppData\Local\esjsE\sigverif.exe
C:\Users\Admin\AppData\Local\esjsE\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:1808

C:\Users\Admin\AppData\Local\71lSmZ\osk.exe
C:\Users\Admin\AppData\Local\71lSmZ\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1060

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:972

C:\Users\Admin\AppData\Local\mmnd\wscript.exe
C:\Users\Admin\AppData\Local\mmnd\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\71lSmZ\UxTheme.dll
Filesize
1.3MB

MD5
a291b75e393339e05fef626a5c65972b

SHA1
17b1738d792a90f0c72b11616ae40c2d2bea6458

SHA256
002796f0d35bfdfc549437de74c63c11a69eaabd2f4eec1f30893904db1f3b90

SHA512
623c715a474dd9a0264d1133f6cf85e04016fb48d1b7fdc8b5048c33e72851dfd02b6ebe5a8787b25b41bdbb1790ff51bd785612045f4d9a12c23ea9e4abe697

Download Submit
C:\Users\Admin\AppData\Local\71lSmZ\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
C:\Users\Admin\AppData\Local\esjsE\VERSION.dll
Filesize
1.2MB

MD5
36046e2b4d39eb38410cd8ca4f77ed83

SHA1
c3f1efc40a2b8485a3b49d4df25f06008043b601

SHA256
a0eed8de50d675c7d8c61ca3aafd5c23f8f069643eed389f3ac25f6e462dd485

SHA512
de263292b042798e9a4bc02ba90b99a1fe4a42ecac1375cd079d024db38417c5129baa8649c20cf3f4e1abc3dba9934705269bb004a7aef6902b3aad853d16b4

Download Submit
C:\Users\Admin\AppData\Local\esjsE\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
C:\Users\Admin\AppData\Local\mmnd\VERSION.dll
Filesize
1.2MB

MD5
de5de37c0c572345ed6c6473d5d8bccb

SHA1
12b9aefe27692f1436e450335626b749bd5f91d6

SHA256
82b06440d0d7829cb2c702a89e46e5a2ad4efeed1554ad4dc8db68d854abe539

SHA512
0af51a99c5b55c48df23d30e65167990356989b7ae053135b388014e10bbdc5089d91b9ebd61e591e0e077ab28fc1aae1bef9bb748f5d3f80318bdeff584a967

Download Submit
C:\Users\Admin\AppData\Local\mmnd\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\71lSmZ\UxTheme.dll
Filesize
1.3MB

MD5
a291b75e393339e05fef626a5c65972b

SHA1
17b1738d792a90f0c72b11616ae40c2d2bea6458

SHA256
002796f0d35bfdfc549437de74c63c11a69eaabd2f4eec1f30893904db1f3b90

SHA512
623c715a474dd9a0264d1133f6cf85e04016fb48d1b7fdc8b5048c33e72851dfd02b6ebe5a8787b25b41bdbb1790ff51bd785612045f4d9a12c23ea9e4abe697

Download Submit
\Users\Admin\AppData\Local\71lSmZ\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\esjsE\VERSION.dll
Filesize
1.2MB

MD5
36046e2b4d39eb38410cd8ca4f77ed83

SHA1
c3f1efc40a2b8485a3b49d4df25f06008043b601

SHA256
a0eed8de50d675c7d8c61ca3aafd5c23f8f069643eed389f3ac25f6e462dd485

SHA512
de263292b042798e9a4bc02ba90b99a1fe4a42ecac1375cd079d024db38417c5129baa8649c20cf3f4e1abc3dba9934705269bb004a7aef6902b3aad853d16b4

Download Submit
\Users\Admin\AppData\Local\esjsE\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\mmnd\VERSION.dll
Filesize
1.2MB

MD5
de5de37c0c572345ed6c6473d5d8bccb

SHA1
12b9aefe27692f1436e450335626b749bd5f91d6

SHA256
82b06440d0d7829cb2c702a89e46e5a2ad4efeed1554ad4dc8db68d854abe539

SHA512
0af51a99c5b55c48df23d30e65167990356989b7ae053135b388014e10bbdc5089d91b9ebd61e591e0e077ab28fc1aae1bef9bb748f5d3f80318bdeff584a967

Download Submit
\Users\Admin\AppData\Local\mmnd\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\mmnd\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\wNZpZ9e94ll\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
memory/268-110-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/268-106-0x0000000000000000-mapping.dmp

Download
memory/760-58-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/760-54-0x000007FEF6FB0000-0x000007FEF70F7000-memory.dmp

Filesize
1.3MB

Download
memory/1060-99-0x000007FEF6FB0000-0x000007FEF70F8000-memory.dmp

Filesize
1.3MB

Download
memory/1060-103-0x00000000001C0000-0x00000000001C7000-memory.dmp

Filesize
28KB

Download
memory/1060-94-0x0000000000000000-mapping.dmp

Download
memory/1160-92-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1160-85-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

Filesize
8KB

Download
memory/1160-83-0x0000000000000000-mapping.dmp

Download
memory/1160-88-0x000007FEF7290000-0x000007FEF73D8000-memory.dmp

Filesize
1.3MB

Download
memory/1268-60-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-63-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-62-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-80-0x00000000029B0000-0x00000000029B7000-memory.dmp

Filesize
28KB

Download
memory/1268-61-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-72-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-64-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-81-0x0000000077E30000-0x0000000077E32000-memory.dmp

Filesize
8KB

Download
memory/1268-71-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-66-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-67-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-59-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1268-68-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-69-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-70-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1268-65-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads