dridex | 7589df6fc73705e680ebb569b62e9ac1517ed7f50ce4131e7fde26cdbacc9db2

Analysis

max time kernel
152s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7589df6fc73705e680ebb569b62e9ac1517ed7f50ce4131e7fde26cdbacc9db2.dll
Size

693KB
MD5

08a19101e1128428702d7dd9f509bebd
SHA1

0d69fcb18412ad3216ce0ba4d8a3fdf36510d5c7
SHA256

7589df6fc73705e680ebb569b62e9ac1517ed7f50ce4131e7fde26cdbacc9db2
SHA512

12a9fe8a62323b65a9c0a85f29fb05eaba22c557b5e7bbc246c3092ea17f5bd4be7a61596d3b597c447ac33d3dd6b649c40b462571c2e825d990ffdbd0d8cb28

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4964-130-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload
behavioral2/memory/4968-156-0x0000000140000000-0x00000001400F8000-memory.dmp	dridex_payload
behavioral2/memory/2320-164-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

dpapimig.exeSystemPropertiesProtection.exeCustomShellHost.exe

pid process

4968 dpapimig.exe
2320 SystemPropertiesProtection.exe
1564 CustomShellHost.exe
Loads dropped DLL 3 IoCs

Processes:

dpapimig.exeSystemPropertiesProtection.exeCustomShellHost.exe

pid process

4968 dpapimig.exe
2320 SystemPropertiesProtection.exe
1564 CustomShellHost.exe

pid	process
4968	dpapimig.exe
2320	SystemPropertiesProtection.exe
1564	CustomShellHost.exe

pid	process
4968	dpapimig.exe
2320	SystemPropertiesProtection.exe
1564	CustomShellHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Erihzxqqayujs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\ECyBSHM\\SystemPropertiesProtection.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedpapimig.exeSystemPropertiesProtection.exeCustomShellHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
4964	rundll32.exe
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084
2084

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2084

pid	process
2084

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2084 wrote to memory of 1904	2084	dpapimig.exe
PID 2084 wrote to memory of 1904	2084	dpapimig.exe
PID 2084 wrote to memory of 4968	2084	dpapimig.exe
PID 2084 wrote to memory of 4968	2084	dpapimig.exe
PID 2084 wrote to memory of 5112	2084	SystemPropertiesProtection.exe
PID 2084 wrote to memory of 5112	2084	SystemPropertiesProtection.exe
PID 2084 wrote to memory of 2320	2084	SystemPropertiesProtection.exe
PID 2084 wrote to memory of 2320	2084	SystemPropertiesProtection.exe
PID 2084 wrote to memory of 1636	2084	CustomShellHost.exe
PID 2084 wrote to memory of 1636	2084	CustomShellHost.exe
PID 2084 wrote to memory of 1564	2084	CustomShellHost.exe
PID 2084 wrote to memory of 1564	2084	CustomShellHost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7589df6fc73705e680ebb569b62e9ac1517ed7f50ce4131e7fde26cdbacc9db2.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4964

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1904

C:\Users\Admin\AppData\Local\cXz5a0QTo\dpapimig.exe
C:\Users\Admin\AppData\Local\cXz5a0QTo\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4968

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:5112

C:\Users\Admin\AppData\Local\laSEY\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\laSEY\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2320

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:1636

C:\Users\Admin\AppData\Local\Icb\CustomShellHost.exe
C:\Users\Admin\AppData\Local\Icb\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Icb\CustomShellHost.exe
Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\Icb\WTSAPI32.dll
Filesize
696KB

MD5
89865e3ef73bef7782564b7c8ec93ec7

SHA1
bed5019fac15d3b137676d619c6261eacf22bb5e

SHA256
d5bbeece79238b1e6399338db9fbd3556f9ccd0076ad6d6f4aeb922b83f6e5af

SHA512
ea85183196dfb8307f3636027940c825b2ca682f62826bddf546b7445758f10a09336ef0520fded957e6eb88bcc018efd83a1c8fea5381555e9858bb59d05b50

Download Submit
C:\Users\Admin\AppData\Local\Icb\WTSAPI32.dll
Filesize
696KB

MD5
89865e3ef73bef7782564b7c8ec93ec7

SHA1
bed5019fac15d3b137676d619c6261eacf22bb5e

SHA256
d5bbeece79238b1e6399338db9fbd3556f9ccd0076ad6d6f4aeb922b83f6e5af

SHA512
ea85183196dfb8307f3636027940c825b2ca682f62826bddf546b7445758f10a09336ef0520fded957e6eb88bcc018efd83a1c8fea5381555e9858bb59d05b50

Download Submit
C:\Users\Admin\AppData\Local\cXz5a0QTo\DUI70.dll
Filesize
970KB

MD5
1d055d0b5ded379e9a85e8c6e834eb3e

SHA1
ec1cf5d9765701d263a7d7360d8c99ae6851c9e9

SHA256
2e9c41cc953c7a5b4b9dc1a9a957089b5ed365b1dc1121ad4c49ca48efa5ce29

SHA512
9bf57249fe2a4b8c7c6516a6c763f1592ef66348ea88339ca6a4807124121d0acda8e80088449592031ddc2478b3784c3bde3e3de52dd110f5e91a0ae5f9d2ba

Download Submit
C:\Users\Admin\AppData\Local\cXz5a0QTo\DUI70.dll
Filesize
970KB

MD5
1d055d0b5ded379e9a85e8c6e834eb3e

SHA1
ec1cf5d9765701d263a7d7360d8c99ae6851c9e9

SHA256
2e9c41cc953c7a5b4b9dc1a9a957089b5ed365b1dc1121ad4c49ca48efa5ce29

SHA512
9bf57249fe2a4b8c7c6516a6c763f1592ef66348ea88339ca6a4807124121d0acda8e80088449592031ddc2478b3784c3bde3e3de52dd110f5e91a0ae5f9d2ba

Download Submit
C:\Users\Admin\AppData\Local\cXz5a0QTo\dpapimig.exe
Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\laSEY\SYSDM.CPL
Filesize
694KB

MD5
c81529057238b704712f0eec79bf4476

SHA1
92c17517b7838fa0773d186d90827b0243d431c0

SHA256
18a50aba0057acd6c4be3b93667604e07879de37477f70fa54a5c554ae9e395f

SHA512
58964f9aec9d7ec5545ad73f60d6d260aceb1b904c956cd6e750512ddeee5d672574c432a4e910c9b440430d171923d7ad32821077044fa02dd67cceaec6611f

Download Submit
C:\Users\Admin\AppData\Local\laSEY\SYSDM.CPL
Filesize
694KB

MD5
c81529057238b704712f0eec79bf4476

SHA1
92c17517b7838fa0773d186d90827b0243d431c0

SHA256
18a50aba0057acd6c4be3b93667604e07879de37477f70fa54a5c554ae9e395f

SHA512
58964f9aec9d7ec5545ad73f60d6d260aceb1b904c956cd6e750512ddeee5d672574c432a4e910c9b440430d171923d7ad32821077044fa02dd67cceaec6611f

Download Submit
C:\Users\Admin\AppData\Local\laSEY\SystemPropertiesProtection.exe
Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
memory/1564-175-0x0000021C848A0000-0x0000021C848A7000-memory.dmp

Filesize
28KB

Download
memory/1564-168-0x0000000000000000-mapping.dmp

Download
memory/2084-137-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-151-0x00007FF883B30000-0x00007FF883B40000-memory.dmp

Filesize
64KB

Download
memory/2084-139-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-150-0x0000000000E50000-0x0000000000E57000-memory.dmp

Filesize
28KB

Download
memory/2084-138-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-135-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-134-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-140-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-141-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2084-136-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2320-160-0x0000000000000000-mapping.dmp

Download
memory/2320-164-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/2320-167-0x000001E52F750000-0x000001E52F757000-memory.dmp

Filesize
28KB

Download
memory/4964-130-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/4964-133-0x00000138756F0000-0x00000138756F7000-memory.dmp

Filesize
28KB

Download
memory/4968-159-0x000002518AB10000-0x000002518AB17000-memory.dmp

Filesize
28KB

Download
memory/4968-156-0x0000000140000000-0x00000001400F8000-memory.dmp

Filesize
992KB

Download
memory/4968-152-0x0000000000000000-mapping.dmp

Download