dridex | 310fd238e3d99b5a9baf0c0be09026caa8c720076c2af2438ac534146506d7d3

Analysis

max time kernel
150s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310fd238e3d99b5a9baf0c0be09026caa8c720076c2af2438ac534146506d7d3.dll
Size

689KB
MD5

dd97fd4acc0e239912f4bc617c5ed95e
SHA1

daf31e92ca109a223f1e73377cd9e5cc65e8a6bf
SHA256

310fd238e3d99b5a9baf0c0be09026caa8c720076c2af2438ac534146506d7d3
SHA512

69c8f2f00800b59125496a5801450405d54d932d9094bb05fdc22d2f3e03af2efbfc1e630eb4b2d6e309cb9efac0e33bacfcb6f1ddba289f2da28c9ff98217dc

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 4 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3984-130-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/4632-156-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload
behavioral2/memory/3096-164-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload
behavioral2/memory/4404-172-0x0000000140000000-0x00000001400F7000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

ie4ushowIE.exesessionmsg.exeCameraSettingsUIHost.exe

pid process

4632 ie4ushowIE.exe
3096 sessionmsg.exe
4404 CameraSettingsUIHost.exe
Loads dropped DLL 3 IoCs

Processes:

ie4ushowIE.exesessionmsg.exeCameraSettingsUIHost.exe

pid process

4632 ie4ushowIE.exe
3096 sessionmsg.exe
4404 CameraSettingsUIHost.exe

pid	process
4632	ie4ushowIE.exe
3096	sessionmsg.exe
4404	CameraSettingsUIHost.exe

pid	process
4632	ie4ushowIE.exe
3096	sessionmsg.exe
4404	CameraSettingsUIHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Erihzxqqayujs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\dDOhya\\SESSIO~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sessionmsg.exeCameraSettingsUIHost.exerundll32.exeie4ushowIE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3984	rundll32.exe
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032
3032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3032

pid	process
3032

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3032 wrote to memory of 4072	3032	ie4ushowIE.exe
PID 3032 wrote to memory of 4072	3032	ie4ushowIE.exe
PID 3032 wrote to memory of 4632	3032	ie4ushowIE.exe
PID 3032 wrote to memory of 4632	3032	ie4ushowIE.exe
PID 3032 wrote to memory of 4504	3032	sessionmsg.exe
PID 3032 wrote to memory of 4504	3032	sessionmsg.exe
PID 3032 wrote to memory of 3096	3032	sessionmsg.exe
PID 3032 wrote to memory of 3096	3032	sessionmsg.exe
PID 3032 wrote to memory of 2596	3032	CameraSettingsUIHost.exe
PID 3032 wrote to memory of 2596	3032	CameraSettingsUIHost.exe
PID 3032 wrote to memory of 4404	3032	CameraSettingsUIHost.exe
PID 3032 wrote to memory of 4404	3032	CameraSettingsUIHost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\310fd238e3d99b5a9baf0c0be09026caa8c720076c2af2438ac534146506d7d3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:4072

C:\Users\Admin\AppData\Local\DwXo\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\DwXo\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4632

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:4504

C:\Users\Admin\AppData\Local\BgQ\sessionmsg.exe
C:\Users\Admin\AppData\Local\BgQ\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3096

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:2596

C:\Users\Admin\AppData\Local\ROULx\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\ROULx\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BgQ\DUser.dll
Filesize
694KB

MD5
13dcb3414c24323c5d5b83341958338b

SHA1
ddf1be865d5666523584302e8d378fbd3e55bb76

SHA256
1474eb1ce054494e1ea6a3b42e09c1f0cccf56634340f720a4b372477898d321

SHA512
0d6ca7d4d92bcb8c3b0288680ece8fc9ce4a33c9516a1a61bd993f7f4d460be2687096e281ef177d1562d9a3ef9c7fdd142a841323649a3b4d6d402048e3b7bd

Download Submit
C:\Users\Admin\AppData\Local\BgQ\DUser.dll
Filesize
694KB

MD5
13dcb3414c24323c5d5b83341958338b

SHA1
ddf1be865d5666523584302e8d378fbd3e55bb76

SHA256
1474eb1ce054494e1ea6a3b42e09c1f0cccf56634340f720a4b372477898d321

SHA512
0d6ca7d4d92bcb8c3b0288680ece8fc9ce4a33c9516a1a61bd993f7f4d460be2687096e281ef177d1562d9a3ef9c7fdd142a841323649a3b4d6d402048e3b7bd

Download Submit
C:\Users\Admin\AppData\Local\BgQ\sessionmsg.exe
Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Local\DwXo\VERSION.dll
Filesize
690KB

MD5
7d9763e3b898fccc5c82cc9f10c68d29

SHA1
19df0242f313368582bc5665820d15339adb701a

SHA256
a4f3e5b5a257fa4a30ab988b0cdae996067a9d65b26c852f2fe1399e753b23bb

SHA512
e2615bf3fe21e14b687fb094bd3a50991be45b5166d11525ef2a2f82e3e75caf5320c0a68143e0b2b19d66a7037c7ef59db9e235db49bafd874f6e7e862204dc

Download Submit
C:\Users\Admin\AppData\Local\DwXo\VERSION.dll
Filesize
690KB

MD5
7d9763e3b898fccc5c82cc9f10c68d29

SHA1
19df0242f313368582bc5665820d15339adb701a

SHA256
a4f3e5b5a257fa4a30ab988b0cdae996067a9d65b26c852f2fe1399e753b23bb

SHA512
e2615bf3fe21e14b687fb094bd3a50991be45b5166d11525ef2a2f82e3e75caf5320c0a68143e0b2b19d66a7037c7ef59db9e235db49bafd874f6e7e862204dc

Download Submit
C:\Users\Admin\AppData\Local\DwXo\ie4ushowIE.exe
Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\ROULx\CameraSettingsUIHost.exe
Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\ROULx\DUI70.dll
Filesize
966KB

MD5
62d1fc83c9e5a54536af5380936aa90b

SHA1
88c80b4d2ea19e3221a30a21cc8aec3d16a53a9d

SHA256
7031fd6625cc8314f40b7b2cc3e2676fda1c02ff5b635d0e730ff199960be4f1

SHA512
dd4bde34bbad1dac2e6e2e3437813254024d9457a2c5c5a09e7bbc800df9f7d8b43679a70b3a89b382234da0019fdb6d827fc5669f3367e6fba528db42b9af9f

Download Submit
C:\Users\Admin\AppData\Local\ROULx\DUI70.dll
Filesize
966KB

MD5
62d1fc83c9e5a54536af5380936aa90b

SHA1
88c80b4d2ea19e3221a30a21cc8aec3d16a53a9d

SHA256
7031fd6625cc8314f40b7b2cc3e2676fda1c02ff5b635d0e730ff199960be4f1

SHA512
dd4bde34bbad1dac2e6e2e3437813254024d9457a2c5c5a09e7bbc800df9f7d8b43679a70b3a89b382234da0019fdb6d827fc5669f3367e6fba528db42b9af9f

Download Submit
memory/3032-139-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3032-150-0x0000000000F80000-0x0000000000F87000-memory.dmp

Filesize
28KB

Download
memory/3032-151-0x00007FFDA7D10000-0x00007FFDA7D20000-memory.dmp

Filesize
64KB

Download
memory/3032-137-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3032-141-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3032-134-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3032-140-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3032-138-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3032-136-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3032-135-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3096-164-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/3096-160-0x0000000000000000-mapping.dmp

Download
memory/3096-167-0x000002B252C30000-0x000002B252C37000-memory.dmp

Filesize
28KB

Download
memory/3984-133-0x000001DFA0200000-0x000001DFA0207000-memory.dmp

Filesize
28KB

Download
memory/3984-130-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/4404-168-0x0000000000000000-mapping.dmp

Download
memory/4404-172-0x0000000140000000-0x00000001400F7000-memory.dmp

Filesize
988KB

Download
memory/4404-175-0x00000205E9290000-0x00000205E9297000-memory.dmp

Filesize
28KB

Download
memory/4632-159-0x00000259127F0000-0x00000259127F7000-memory.dmp

Filesize
28KB

Download
memory/4632-156-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/4632-152-0x0000000000000000-mapping.dmp

Download