dridex | 71294290d7f4be76b77229c3e0cc626186843b3600634463711a04b7b69a4cd1

Analysis

max time kernel
151s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71294290d7f4be76b77229c3e0cc626186843b3600634463711a04b7b69a4cd1.dll
Size

693KB
MD5

7c62918ed4a99483c0766db2fdafe75c
SHA1

2bee00c0b9ee71667da7a7ec57aac1d0cca147d0
SHA256

71294290d7f4be76b77229c3e0cc626186843b3600634463711a04b7b69a4cd1
SHA512

b76cd8d4b5a27cc6ad17ff1a17c80f2f5bc182f6594a214df7eee4ceec339ad78014fdf6afddf1f4e6be3bc78248c02344f27b0c96d86d49d86b4cd191af5cc4

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 4 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2908-130-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload
behavioral2/memory/4224-159-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload
behavioral2/memory/4588-168-0x0000000140000000-0x00000001400B4000-memory.dmp	dridex_payload
behavioral2/memory/3848-176-0x0000000140000000-0x00000001400B9000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/796-134-0x0000000000D00000-0x0000000000D01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

psr.exemspaint.exeshrpubw.exe

pid process

4224 psr.exe
4588 mspaint.exe
3848 shrpubw.exe
Loads dropped DLL 3 IoCs

Processes:

psr.exemspaint.exeshrpubw.exe

pid process

4224 psr.exe
4588 mspaint.exe
3848 shrpubw.exe

pid	process
4224	psr.exe
4588	mspaint.exe
3848	shrpubw.exe

pid	process
4224	psr.exe
4588	mspaint.exe
3848	shrpubw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\HtjA0\\mspaint.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exepsr.exemspaint.exeshrpubw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
2908	rundll32.exe
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796
796

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

796

pid	process
796

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 796 wrote to memory of 4208	796	psr.exe
PID 796 wrote to memory of 4208	796	psr.exe
PID 796 wrote to memory of 4224	796	psr.exe
PID 796 wrote to memory of 4224	796	psr.exe
PID 796 wrote to memory of 4624	796	mspaint.exe
PID 796 wrote to memory of 4624	796	mspaint.exe
PID 796 wrote to memory of 4588	796	mspaint.exe
PID 796 wrote to memory of 4588	796	mspaint.exe
PID 796 wrote to memory of 3192	796	shrpubw.exe
PID 796 wrote to memory of 3192	796	shrpubw.exe
PID 796 wrote to memory of 3848	796	shrpubw.exe
PID 796 wrote to memory of 3848	796	shrpubw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71294290d7f4be76b77229c3e0cc626186843b3600634463711a04b7b69a4cd1.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:4208

C:\Users\Admin\AppData\Local\k2uMHW\psr.exe
C:\Users\Admin\AppData\Local\k2uMHW\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4224

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:4624

C:\Users\Admin\AppData\Local\GkPwS\mspaint.exe
C:\Users\Admin\AppData\Local\GkPwS\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4588

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:3192

C:\Users\Admin\AppData\Local\y7NrNBKl\shrpubw.exe
C:\Users\Admin\AppData\Local\y7NrNBKl\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GkPwS\WINMM.dll
Filesize
698KB

MD5
4c82fc2dec71bff2211056c1d11d5140

SHA1
cb92d60a943bfc372b4ab17a43f563184e7e4839

SHA256
3846955389682be2e669c2e7a1924d17622ee6573e3d7faacc534913fb7b111f

SHA512
1c8ad1556c987090edad4a1c228921627e68e254fcb7f1885d267c7d3e9c1e45e401d35ef0875c6ee2eaf219849b93e775b77fa69b58b0282206cc14b9dbe824

Download Submit
C:\Users\Admin\AppData\Local\GkPwS\WINMM.dll
Filesize
698KB

MD5
4c82fc2dec71bff2211056c1d11d5140

SHA1
cb92d60a943bfc372b4ab17a43f563184e7e4839

SHA256
3846955389682be2e669c2e7a1924d17622ee6573e3d7faacc534913fb7b111f

SHA512
1c8ad1556c987090edad4a1c228921627e68e254fcb7f1885d267c7d3e9c1e45e401d35ef0875c6ee2eaf219849b93e775b77fa69b58b0282206cc14b9dbe824

Download Submit
C:\Users\Admin\AppData\Local\GkPwS\mspaint.exe
Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\GkPwS\mspaint.exe
Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\k2uMHW\XmlLite.dll
Filesize
694KB

MD5
951d8d0281e6f189a0912af417b645a2

SHA1
de7df8b052890b42d2d91490ddaea2d241a3845c

SHA256
4c82236167c0d1191900cbd214b6003d491ee8ccb7c3f0ebcb7afc40dc0f4463

SHA512
7df8995c1eebae5883eabb7332d518cf7532405e70e8c7201d9708f49e44782516601e2df9357ecb6a00f7a110ccb5814906b6308056d24f7c9fcaa7de06d281

Download Submit
C:\Users\Admin\AppData\Local\k2uMHW\XmlLite.dll
Filesize
694KB

MD5
951d8d0281e6f189a0912af417b645a2

SHA1
de7df8b052890b42d2d91490ddaea2d241a3845c

SHA256
4c82236167c0d1191900cbd214b6003d491ee8ccb7c3f0ebcb7afc40dc0f4463

SHA512
7df8995c1eebae5883eabb7332d518cf7532405e70e8c7201d9708f49e44782516601e2df9357ecb6a00f7a110ccb5814906b6308056d24f7c9fcaa7de06d281

Download Submit
C:\Users\Admin\AppData\Local\k2uMHW\psr.exe
Filesize
232KB

MD5
ad53ead5379985081b7c3f1f357e545a

SHA1
6f5aa32c1d15fbf073558fadafd046d97b60184e

SHA256
4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

SHA512
433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Download Submit
C:\Users\Admin\AppData\Local\y7NrNBKl\MFC42u.dll
Filesize
721KB

MD5
02775478e9eb0d2483939ba961607260

SHA1
a15816935c6f62c188f783871a122f44a06dc48e

SHA256
4fc1890290df54d5e963d560ea28e05792be30a6e658f00142318bb6df81c7ff

SHA512
c9fb2def7246127d6b60014903e761c2f701f764ebb96991f2ebd02903ed7cbb2f5c487e972c55557aceaed81583c636ab65b47f38cca87117b9d9f0685006ed

Download Submit
C:\Users\Admin\AppData\Local\y7NrNBKl\MFC42u.dll
Filesize
721KB

MD5
02775478e9eb0d2483939ba961607260

SHA1
a15816935c6f62c188f783871a122f44a06dc48e

SHA256
4fc1890290df54d5e963d560ea28e05792be30a6e658f00142318bb6df81c7ff

SHA512
c9fb2def7246127d6b60014903e761c2f701f764ebb96991f2ebd02903ed7cbb2f5c487e972c55557aceaed81583c636ab65b47f38cca87117b9d9f0685006ed

Download Submit
C:\Users\Admin\AppData\Local\y7NrNBKl\shrpubw.exe
Filesize
59KB

MD5
9910d5c62428ec5f92b04abf9428eec9

SHA1
05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

SHA256
6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

SHA512
01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

Download Submit
memory/796-140-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/796-151-0x00007FFBC2E9C000-0x00007FFBC2E9D000-memory.dmp

Filesize
4KB

Download
memory/796-152-0x00007FFBC2E6C000-0x00007FFBC2E6D000-memory.dmp

Filesize
4KB

Download
memory/796-153-0x0000000000B00000-0x0000000000B07000-memory.dmp

Filesize
28KB

Download
memory/796-154-0x00007FFBC2DB0000-0x00007FFBC2DC0000-memory.dmp

Filesize
64KB

Download
memory/796-141-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/796-142-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/796-138-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/796-137-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/796-134-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/796-139-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/796-135-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/796-136-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/2908-133-0x00000188DCAF0000-0x00000188DCAF7000-memory.dmp

Filesize
28KB

Download
memory/2908-130-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3848-172-0x0000000000000000-mapping.dmp

Download
memory/3848-176-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3848-179-0x0000024324160000-0x0000024324167000-memory.dmp

Filesize
28KB

Download
memory/4224-162-0x0000022A06390000-0x0000022A06397000-memory.dmp

Filesize
28KB

Download
memory/4224-159-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/4224-155-0x0000000000000000-mapping.dmp

Download
memory/4588-163-0x0000000000000000-mapping.dmp

Download
memory/4588-168-0x0000000140000000-0x00000001400B4000-memory.dmp

Filesize
720KB

Download
memory/4588-171-0x00000166F9340000-0x00000166F9347000-memory.dmp

Filesize
28KB

Download