dridex | 3e8094c9c90760a0cfde4ee4f6009a00559e6fc776b255c58f589c3d31c4dde2

Analysis

max time kernel
151s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8094c9c90760a0cfde4ee4f6009a00559e6fc776b255c58f589c3d31c4dde2.dll
Size

687KB
MD5

2e72504c85d431114f47490953c13451
SHA1

b3d121ae4b85ea4a23d10f743bac6828f74c5b12
SHA256

3e8094c9c90760a0cfde4ee4f6009a00559e6fc776b255c58f589c3d31c4dde2
SHA512

b8d489ffcedca0f9776de3ab631ec6f9e4aa8ce3f3a554d7e53bafa85723ea1176ae6015180ff200f37dd5fef689582103e7cb5ea2f58abbc908cb5312af7b7e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2084-131-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/372-171-0x0000000140000000-0x00000001400B8000-memory.dmp	dridex_payload
behavioral2/memory/996-179-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/384-134-0x0000000000780000-0x0000000000781000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 5 IoCs

Processes:

ie4uinit.exePresentationHost.exemspaint.exeDeviceEnroller.exerdpinit.exe

pid process

2236 ie4uinit.exe
4908 PresentationHost.exe
372 mspaint.exe
996 DeviceEnroller.exe
1432 rdpinit.exe

Loads dropped DLL 8 IoCs

Processes:

ie4uinit.exePresentationHost.exemspaint.exeDeviceEnroller.exerdpinit.exe

pid	process
2236	ie4uinit.exe
2236	ie4uinit.exe
2236	ie4uinit.exe
4908	PresentationHost.exe
4908	PresentationHost.exe
372	mspaint.exe
996	DeviceEnroller.exe
1432	rdpinit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\MVZIJT~1\\DEVICE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mspaint.exeDeviceEnroller.exerdpinit.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384
384

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

384

pid	process
384

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

description	pid	target process
PID 384 wrote to memory of 5068	384	ie4uinit.exe
PID 384 wrote to memory of 5068	384	ie4uinit.exe
PID 384 wrote to memory of 2236	384	ie4uinit.exe
PID 384 wrote to memory of 2236	384	ie4uinit.exe
PID 384 wrote to memory of 4836	384	PresentationHost.exe
PID 384 wrote to memory of 4836	384	PresentationHost.exe
PID 384 wrote to memory of 4908	384	PresentationHost.exe
PID 384 wrote to memory of 4908	384	PresentationHost.exe
PID 384 wrote to memory of 4820	384	mspaint.exe
PID 384 wrote to memory of 4820	384	mspaint.exe
PID 384 wrote to memory of 372	384	mspaint.exe
PID 384 wrote to memory of 372	384	mspaint.exe
PID 384 wrote to memory of 3872	384	DeviceEnroller.exe
PID 384 wrote to memory of 3872	384	DeviceEnroller.exe
PID 384 wrote to memory of 996	384	DeviceEnroller.exe
PID 384 wrote to memory of 996	384	DeviceEnroller.exe
PID 384 wrote to memory of 4464	384	rdpinit.exe
PID 384 wrote to memory of 4464	384	rdpinit.exe
PID 384 wrote to memory of 1432	384	rdpinit.exe
PID 384 wrote to memory of 1432	384	rdpinit.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e8094c9c90760a0cfde4ee4f6009a00559e6fc776b255c58f589c3d31c4dde2.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2084

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:5068

C:\Users\Admin\AppData\Local\O7zStkjXr\ie4uinit.exe
C:\Users\Admin\AppData\Local\O7zStkjXr\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2236

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:4836

C:\Users\Admin\AppData\Local\rm47Z\PresentationHost.exe
C:\Users\Admin\AppData\Local\rm47Z\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4908

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:4820

C:\Users\Admin\AppData\Local\1K5YyPWYB\mspaint.exe
C:\Users\Admin\AppData\Local\1K5YyPWYB\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:372

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:3872

C:\Users\Admin\AppData\Local\fppUJyQy\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\fppUJyQy\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:996

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:4464

C:\Users\Admin\AppData\Local\pMR\rdpinit.exe
C:\Users\Admin\AppData\Local\pMR\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1K5YyPWYB\MFC42u.dll
Filesize
715KB

MD5
58f786027c676a81073edb080d077704

SHA1
055bd2064d078cd88d2aafe09c7ad67091d2cdc0

SHA256
18b0545fa0a28964cf4e1fa5f5eb3c60937ad763c4dac908e132a8dcd42273d0

SHA512
7c7f4a23e348d241456cf92de6e8dfef2891dc2b4a312a75e5990a5bcbbce1190fbf17bcc730620c306c91c0067f32e49b0df853c2ae15907b22635f11967397

Download Submit
C:\Users\Admin\AppData\Local\1K5YyPWYB\MFC42u.dll
Filesize
715KB

MD5
58f786027c676a81073edb080d077704

SHA1
055bd2064d078cd88d2aafe09c7ad67091d2cdc0

SHA256
18b0545fa0a28964cf4e1fa5f5eb3c60937ad763c4dac908e132a8dcd42273d0

SHA512
7c7f4a23e348d241456cf92de6e8dfef2891dc2b4a312a75e5990a5bcbbce1190fbf17bcc730620c306c91c0067f32e49b0df853c2ae15907b22635f11967397

Download Submit
C:\Users\Admin\AppData\Local\1K5YyPWYB\mspaint.exe
Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\1K5YyPWYB\mspaint.exe
Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\O7zStkjXr\VERSION.dll
Filesize
689KB

MD5
40f0187587d6481c88745b30899db840

SHA1
5c1508e48b0e1790c361a95e2879571d56f422ea

SHA256
0d4bbcf7d374821569af551ae351dad56c1eefd7be0f3a146e20dce800099744

SHA512
788c13023d19ddd9f351a6180334665dc8959ea78637a35083abc645de02528db1fb4603da106b2154a38585c3595c9d35985cd3f90ba828915002fa74c8f376

Download Submit
C:\Users\Admin\AppData\Local\O7zStkjXr\VERSION.dll
Filesize
689KB

MD5
40f0187587d6481c88745b30899db840

SHA1
5c1508e48b0e1790c361a95e2879571d56f422ea

SHA256
0d4bbcf7d374821569af551ae351dad56c1eefd7be0f3a146e20dce800099744

SHA512
788c13023d19ddd9f351a6180334665dc8959ea78637a35083abc645de02528db1fb4603da106b2154a38585c3595c9d35985cd3f90ba828915002fa74c8f376

Download Submit
C:\Users\Admin\AppData\Local\O7zStkjXr\VERSION.dll
Filesize
689KB

MD5
40f0187587d6481c88745b30899db840

SHA1
5c1508e48b0e1790c361a95e2879571d56f422ea

SHA256
0d4bbcf7d374821569af551ae351dad56c1eefd7be0f3a146e20dce800099744

SHA512
788c13023d19ddd9f351a6180334665dc8959ea78637a35083abc645de02528db1fb4603da106b2154a38585c3595c9d35985cd3f90ba828915002fa74c8f376

Download Submit
C:\Users\Admin\AppData\Local\O7zStkjXr\VERSION.dll
Filesize
689KB

MD5
40f0187587d6481c88745b30899db840

SHA1
5c1508e48b0e1790c361a95e2879571d56f422ea

SHA256
0d4bbcf7d374821569af551ae351dad56c1eefd7be0f3a146e20dce800099744

SHA512
788c13023d19ddd9f351a6180334665dc8959ea78637a35083abc645de02528db1fb4603da106b2154a38585c3595c9d35985cd3f90ba828915002fa74c8f376

Download Submit
C:\Users\Admin\AppData\Local\O7zStkjXr\ie4uinit.exe
Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Local\fppUJyQy\DeviceEnroller.exe
Filesize
448KB

MD5
946d9474533f58d2613078fd14ca7473

SHA1
c2620ac9522fa3702a6a03299b930d6044aa5e49

SHA256
cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

SHA512
3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

Download Submit
C:\Users\Admin\AppData\Local\fppUJyQy\XmlLite.dll
Filesize
688KB

MD5
0a2608b58d0cfe241d708d41eb0cb19b

SHA1
5121a4b841f55a388b24c9dfb7f5d9f5412f38d7

SHA256
b8281484a5e2f4d869a04bcc7047585822270b118fea82d711280a78ffd02044

SHA512
1e8ac05e0cad7bf0b9b5816b493ba13286fee9e94cb6107922e29a74253c0f70acdd25b37780bafab1c8af1e234a44a9241c07cf60dd573e6360014369eff4c2

Download Submit
C:\Users\Admin\AppData\Local\fppUJyQy\XmlLite.dll
Filesize
688KB

MD5
0a2608b58d0cfe241d708d41eb0cb19b

SHA1
5121a4b841f55a388b24c9dfb7f5d9f5412f38d7

SHA256
b8281484a5e2f4d869a04bcc7047585822270b118fea82d711280a78ffd02044

SHA512
1e8ac05e0cad7bf0b9b5816b493ba13286fee9e94cb6107922e29a74253c0f70acdd25b37780bafab1c8af1e234a44a9241c07cf60dd573e6360014369eff4c2

Download Submit
C:\Users\Admin\AppData\Local\pMR\WTSAPI32.dll
Filesize
690KB

MD5
211e7254da765d4b8bc11a12994411dd

SHA1
a1537d8e10c26a0e18724e808c1300210adfd387

SHA256
5a28d7a163fb6cb1e1a29518f1dec0f6a4f00d0a8bd7b6a812f7665545567772

SHA512
c41b84ff3c52e0fa619e41f6b61febf59ef6567d2dbc1c457ea680358e6b481f6c301f6dfb12cc8fec64bc6d284fa52cf0f33ba1778d56a5c687a28c2fc1d70e

Download Submit
C:\Users\Admin\AppData\Local\pMR\WTSAPI32.dll
Filesize
690KB

MD5
211e7254da765d4b8bc11a12994411dd

SHA1
a1537d8e10c26a0e18724e808c1300210adfd387

SHA256
5a28d7a163fb6cb1e1a29518f1dec0f6a4f00d0a8bd7b6a812f7665545567772

SHA512
c41b84ff3c52e0fa619e41f6b61febf59ef6567d2dbc1c457ea680358e6b481f6c301f6dfb12cc8fec64bc6d284fa52cf0f33ba1778d56a5c687a28c2fc1d70e

Download Submit
C:\Users\Admin\AppData\Local\pMR\rdpinit.exe
Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\rm47Z\PresentationHost.exe
Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\rm47Z\VERSION.dll
Filesize
689KB

MD5
3103413952061bae63adf634ee4b3665

SHA1
88649dc2986d34b6c62ce41bc43723e1bf4e3725

SHA256
691220cdea4d81e1b1a47720f40554d4c060ef94a56a25ee9d89ce28ef18a4fe

SHA512
c4e114c4bfb605032e3f923c57958b021aa8ad638de32a2061ee5b4c21ce5fea7ca28a5229f27f95e248497bce444f12aaff4badccc2431eb7fd3a149979c43c

Download Submit
C:\Users\Admin\AppData\Local\rm47Z\VERSION.dll
Filesize
689KB

MD5
3103413952061bae63adf634ee4b3665

SHA1
88649dc2986d34b6c62ce41bc43723e1bf4e3725

SHA256
691220cdea4d81e1b1a47720f40554d4c060ef94a56a25ee9d89ce28ef18a4fe

SHA512
c4e114c4bfb605032e3f923c57958b021aa8ad638de32a2061ee5b4c21ce5fea7ca28a5229f27f95e248497bce444f12aaff4badccc2431eb7fd3a149979c43c

Download Submit
C:\Users\Admin\AppData\Local\rm47Z\VERSION.dll
Filesize
689KB

MD5
3103413952061bae63adf634ee4b3665

SHA1
88649dc2986d34b6c62ce41bc43723e1bf4e3725

SHA256
691220cdea4d81e1b1a47720f40554d4c060ef94a56a25ee9d89ce28ef18a4fe

SHA512
c4e114c4bfb605032e3f923c57958b021aa8ad638de32a2061ee5b4c21ce5fea7ca28a5229f27f95e248497bce444f12aaff4badccc2431eb7fd3a149979c43c

Download Submit
memory/372-171-0x0000000140000000-0x00000001400B8000-memory.dmp

Filesize
736KB

Download
memory/372-166-0x0000000000000000-mapping.dmp

Download
memory/372-174-0x000001F87A340000-0x000001F87A347000-memory.dmp

Filesize
28KB

Download
memory/384-152-0x00007FFDC938C000-0x00007FFDC938D000-memory.dmp

Filesize
4KB

Download
memory/384-137-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/384-134-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/384-154-0x00007FFDC92D0000-0x00007FFDC92E0000-memory.dmp

Filesize
64KB

Download
memory/384-153-0x0000000000740000-0x0000000000747000-memory.dmp

Filesize
28KB

Download
memory/384-151-0x00007FFDC93BC000-0x00007FFDC93BD000-memory.dmp

Filesize
4KB

Download
memory/384-136-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/384-142-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/384-141-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/384-140-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/384-139-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/384-135-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/384-138-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/996-182-0x000001EC7F430000-0x000001EC7F437000-memory.dmp

Filesize
28KB

Download
memory/996-175-0x0000000000000000-mapping.dmp

Download
memory/996-179-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1432-183-0x0000000000000000-mapping.dmp

Download
memory/1432-190-0x00000296DE0F0000-0x00000296DE0F7000-memory.dmp

Filesize
28KB

Download
memory/2084-130-0x00000270E1100000-0x00000270E1107000-memory.dmp

Filesize
28KB

Download
memory/2084-131-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/2236-155-0x0000000000000000-mapping.dmp

Download
memory/4908-161-0x0000000000000000-mapping.dmp

Download