dridex | 754bbc764d9795ce569b43da13cff7ac3a2989e00d40b6bfa28d26b744181a63

Analysis

max time kernel
184s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

754bbc764d9795ce569b43da13cff7ac3a2989e00d40b6bfa28d26b744181a63.dll
Size

695KB
MD5

2152a92c873be5b4f0e9eeb39994bf73
SHA1

f4f2ce11b51a4612bbb815ada9caff2707ab3efa
SHA256

754bbc764d9795ce569b43da13cff7ac3a2989e00d40b6bfa28d26b744181a63
SHA512

93ca66ed5b29c38050c2ea957fa1767618181f4759b8ec97023579f7be6eed4dc7d09c02c49bf75888a242ba5d74f1e1da0248d8a512973ab076eb76383d19a6

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1420-54-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload
behavioral1/memory/1316-82-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload
behavioral1/memory/1320-101-0x0000000140000000-0x00000001400B4000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1232-58-0x0000000002A80000-0x0000000002A81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

vmicsvc.exenotepad.exemfpmp.exe

pid process

1316 vmicsvc.exe
1508 notepad.exe
1320 mfpmp.exe
Loads dropped DLL 7 IoCs

Processes:

vmicsvc.exenotepad.exemfpmp.exe

pid process

1232
1316 vmicsvc.exe
1232
1508 notepad.exe
1232
1320 mfpmp.exe
1232

pid	process
1316	vmicsvc.exe
1508	notepad.exe
1320	mfpmp.exe

pid	process
1232
1316	vmicsvc.exe
1232
1508	notepad.exe
1232
1320	mfpmp.exe
1232

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\MA2Q8U~1\\notepad.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exevmicsvc.exenotepad.exemfpmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exevmicsvc.exenotepad.exemfpmp.exe

pid	process
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1316	vmicsvc.exe
1316	vmicsvc.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1508	notepad.exe
1508	notepad.exe
1232
1232
1232
1232
1320	mfpmp.exe
1320	mfpmp.exe
1232
1232
1232
1232
1232
1232
1232
1232

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1232

description	pid	process
Token: SeShutdownPrivilege	1232

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1232 wrote to memory of 592	1232	vmicsvc.exe
PID 1232 wrote to memory of 592	1232	vmicsvc.exe
PID 1232 wrote to memory of 592	1232	vmicsvc.exe
PID 1232 wrote to memory of 1316	1232	vmicsvc.exe
PID 1232 wrote to memory of 1316	1232	vmicsvc.exe
PID 1232 wrote to memory of 1316	1232	vmicsvc.exe
PID 1232 wrote to memory of 1440	1232	notepad.exe
PID 1232 wrote to memory of 1440	1232	notepad.exe
PID 1232 wrote to memory of 1440	1232	notepad.exe
PID 1232 wrote to memory of 1508	1232	notepad.exe
PID 1232 wrote to memory of 1508	1232	notepad.exe
PID 1232 wrote to memory of 1508	1232	notepad.exe
PID 1232 wrote to memory of 1308	1232	mfpmp.exe
PID 1232 wrote to memory of 1308	1232	mfpmp.exe
PID 1232 wrote to memory of 1308	1232	mfpmp.exe
PID 1232 wrote to memory of 1320	1232	mfpmp.exe
PID 1232 wrote to memory of 1320	1232	mfpmp.exe
PID 1232 wrote to memory of 1320	1232	mfpmp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\754bbc764d9795ce569b43da13cff7ac3a2989e00d40b6bfa28d26b744181a63.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:592

C:\Users\Admin\AppData\Local\tEzObdCm\vmicsvc.exe
C:\Users\Admin\AppData\Local\tEzObdCm\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:1440

C:\Users\Admin\AppData\Local\HvouO4\notepad.exe
C:\Users\Admin\AppData\Local\HvouO4\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1308

C:\Users\Admin\AppData\Local\o24LWu\mfpmp.exe
C:\Users\Admin\AppData\Local\o24LWu\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1320

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HvouO4\VERSION.dll
Filesize
696KB

MD5
387230b5a0fed986b91426c58b4ea9f1

SHA1
e192ac75df1699ce556e83bd105aba18ecf373d7

SHA256
026a1f133e340ab8c503c9cfa57fd62019b3dd745941067173a3c5c6cc918747

SHA512
bcaec635ff9108ab173901f8585b3b2c4d96359fe52f6e884e4c08ecc28b15448e886e875f1afc960d655503331e6696f2a8c1cbe04fbcccf902925aded9f05f

Download Submit
C:\Users\Admin\AppData\Local\HvouO4\notepad.exe
Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
C:\Users\Admin\AppData\Local\o24LWu\MFPlat.DLL
Filesize
701KB

MD5
5003acca5a579bf26f95f35c678c930c

SHA1
0488ddf3f74a5151496355faa35373ef20a95455

SHA256
ac735c83b881d69264793aec96442e21281740332be645c13c2c46e8fae3e883

SHA512
957242b368968518b6c96713e27c117978f1950befdf1c146e7b9a00f4df5fa5d59af0603b6c9cf3a84c69faf5c8c5e179b4052bf4c0679d2d4b89a55433c85f

Download Submit
C:\Users\Admin\AppData\Local\o24LWu\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
C:\Users\Admin\AppData\Local\tEzObdCm\ACTIVEDS.dll
Filesize
696KB

MD5
245fb834070611cd2f8c34b7d22e4635

SHA1
ee6e5fad6de1c14858e64eeab3191357665781b3

SHA256
e5ba67b756162b6516bc4d8b451af92067007f326d475b6d2190e9fd11574016

SHA512
fde39aaa5dafd358ef5b8aa6767897b3807c98719528b561ab7a7aa75c17336e8cfa3afec0e5c13821c244307f45eb0290c603e3c0ae6383f507b665158fb34a

Download Submit
C:\Users\Admin\AppData\Local\tEzObdCm\vmicsvc.exe
Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Local\HvouO4\VERSION.dll
Filesize
696KB

MD5
387230b5a0fed986b91426c58b4ea9f1

SHA1
e192ac75df1699ce556e83bd105aba18ecf373d7

SHA256
026a1f133e340ab8c503c9cfa57fd62019b3dd745941067173a3c5c6cc918747

SHA512
bcaec635ff9108ab173901f8585b3b2c4d96359fe52f6e884e4c08ecc28b15448e886e875f1afc960d655503331e6696f2a8c1cbe04fbcccf902925aded9f05f

Download Submit
\Users\Admin\AppData\Local\HvouO4\notepad.exe
Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\o24LWu\MFPlat.DLL
Filesize
701KB

MD5
5003acca5a579bf26f95f35c678c930c

SHA1
0488ddf3f74a5151496355faa35373ef20a95455

SHA256
ac735c83b881d69264793aec96442e21281740332be645c13c2c46e8fae3e883

SHA512
957242b368968518b6c96713e27c117978f1950befdf1c146e7b9a00f4df5fa5d59af0603b6c9cf3a84c69faf5c8c5e179b4052bf4c0679d2d4b89a55433c85f

Download Submit
\Users\Admin\AppData\Local\o24LWu\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\tEzObdCm\ACTIVEDS.dll
Filesize
696KB

MD5
245fb834070611cd2f8c34b7d22e4635

SHA1
ee6e5fad6de1c14858e64eeab3191357665781b3

SHA256
e5ba67b756162b6516bc4d8b451af92067007f326d475b6d2190e9fd11574016

SHA512
fde39aaa5dafd358ef5b8aa6767897b3807c98719528b561ab7a7aa75c17336e8cfa3afec0e5c13821c244307f45eb0290c603e3c0ae6383f507b665158fb34a

Download Submit
\Users\Admin\AppData\Local\tEzObdCm\vmicsvc.exe
Filesize
238KB

MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\M3jYhTG5I\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
memory/1232-76-0x00000000779A0000-0x00000000779A2000-memory.dmp

Filesize
8KB

Download
memory/1232-59-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1232-75-0x0000000001DD0000-0x0000000001DD7000-memory.dmp

Filesize
28KB

Download
memory/1232-66-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1232-64-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1232-58-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1232-61-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1232-65-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1232-63-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1232-60-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1232-62-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1316-85-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1316-82-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/1316-78-0x0000000000000000-mapping.dmp

Download
memory/1320-97-0x0000000000000000-mapping.dmp

Download
memory/1320-101-0x0000000140000000-0x00000001400B4000-memory.dmp

Filesize
720KB

Download
memory/1320-104-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/1420-57-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download
memory/1420-54-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1508-89-0x000007FEFC041000-0x000007FEFC043000-memory.dmp

Filesize
8KB

Download
memory/1508-95-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1508-87-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads