dridex | 1f10d52854a4e7eb1eb2045e481d7c4a4fa84c9f3bf698de800f055f7bfd04a9

Analysis

max time kernel
186s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f10d52854a4e7eb1eb2045e481d7c4a4fa84c9f3bf698de800f055f7bfd04a9.dll
Size

687KB
MD5

2dec966f89ae3919024a4515677f9ebc
SHA1

a0b4f328df803150f21a74e513020f2134f81a9e
SHA256

1f10d52854a4e7eb1eb2045e481d7c4a4fa84c9f3bf698de800f055f7bfd04a9
SHA512

a74825d7baadb04927367be6f2ad3bd4efb60b791ccb8eea5447dc665f1c93565b1d01d6de552a977ce8e0e5482d16801b4f6a4bfc76661c28f318982d9adae1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/976-130-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral2/memory/3600-159-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3172-134-0x0000000000620000-0x0000000000621000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

usocoreworker.exeApplySettingsTemplateCatalog.exeMoUsoCoreWorker.exe

pid process

3600 usocoreworker.exe
4704 ApplySettingsTemplateCatalog.exe
4488 MoUsoCoreWorker.exe
Loads dropped DLL 3 IoCs

Processes:

usocoreworker.exeApplySettingsTemplateCatalog.exeMoUsoCoreWorker.exe

pid process

3600 usocoreworker.exe
4704 ApplySettingsTemplateCatalog.exe
4488 MoUsoCoreWorker.exe

pid	process
3600	usocoreworker.exe
4704	ApplySettingsTemplateCatalog.exe
4488	MoUsoCoreWorker.exe

pid	process
3600	usocoreworker.exe
4704	ApplySettingsTemplateCatalog.exe
4488	MoUsoCoreWorker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\nxOtbZMhgED\\ApplySettingsTemplateCatalog.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeusocoreworker.exeApplySettingsTemplateCatalog.exeMoUsoCoreWorker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplySettingsTemplateCatalog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MoUsoCoreWorker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
976	rundll32.exe
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172
3172

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3172

pid	process
3172

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3172 wrote to memory of 3300	3172	usocoreworker.exe
PID 3172 wrote to memory of 3300	3172	usocoreworker.exe
PID 3172 wrote to memory of 3600	3172	usocoreworker.exe
PID 3172 wrote to memory of 3600	3172	usocoreworker.exe
PID 3172 wrote to memory of 4688	3172	ApplySettingsTemplateCatalog.exe
PID 3172 wrote to memory of 4688	3172	ApplySettingsTemplateCatalog.exe
PID 3172 wrote to memory of 4704	3172	ApplySettingsTemplateCatalog.exe
PID 3172 wrote to memory of 4704	3172	ApplySettingsTemplateCatalog.exe
PID 3172 wrote to memory of 5032	3172	MoUsoCoreWorker.exe
PID 3172 wrote to memory of 5032	3172	MoUsoCoreWorker.exe
PID 3172 wrote to memory of 4488	3172	MoUsoCoreWorker.exe
PID 3172 wrote to memory of 4488	3172	MoUsoCoreWorker.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f10d52854a4e7eb1eb2045e481d7c4a4fa84c9f3bf698de800f055f7bfd04a9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:3300

C:\Users\Admin\AppData\Local\gP4Fo7H\usocoreworker.exe
C:\Users\Admin\AppData\Local\gP4Fo7H\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3600

C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
1⤵
PID:4688

C:\Users\Admin\AppData\Local\whHPYUp\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\whHPYUp\ApplySettingsTemplateCatalog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4704

C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
1⤵
PID:5032

C:\Users\Admin\AppData\Local\NhHDlov6\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\NhHDlov6\MoUsoCoreWorker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NhHDlov6\MoUsoCoreWorker.exe
Filesize
1.6MB

MD5
47c6b45ff22b73caf40bb29392386ce3

SHA1
7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

SHA256
cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

SHA512
c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

Download Submit
C:\Users\Admin\AppData\Local\NhHDlov6\XmlLite.dll
Filesize
688KB

MD5
3201bd1bd548a25fe830e6afd7a53524

SHA1
6e286255da111cfd6930b21b149e5926d2ec9971

SHA256
63183383fd1a05ad8b703e766be759bea9d8e2468a0b4bfa926609b1cb7ecb28

SHA512
0c30057c3d14700c9607974082587cd78634239d6951a5bc87e1c0e39dfe00b5b5608b871b370ec4ade86267f972e775a8527393d878f3a50591bcff0d80a4cd

Download Submit
C:\Users\Admin\AppData\Local\NhHDlov6\XmlLite.dll
Filesize
688KB

MD5
3201bd1bd548a25fe830e6afd7a53524

SHA1
6e286255da111cfd6930b21b149e5926d2ec9971

SHA256
63183383fd1a05ad8b703e766be759bea9d8e2468a0b4bfa926609b1cb7ecb28

SHA512
0c30057c3d14700c9607974082587cd78634239d6951a5bc87e1c0e39dfe00b5b5608b871b370ec4ade86267f972e775a8527393d878f3a50591bcff0d80a4cd

Download Submit
C:\Users\Admin\AppData\Local\gP4Fo7H\XmlLite.dll
Filesize
688KB

MD5
27913c539db3e83b56eb7feaa263dbfa

SHA1
5953e1d459f52ab3cc22ad0ee08270b9d538af79

SHA256
fbadb21ccb6f917752ec2d1fa35ba903b02c440e36aae097b3910b3d3efe01cf

SHA512
41107163c9155587df8c29ba3ce5366847184f097d0aead6fca5ff5a6f0f0e3f945f67d290a53133091eb8abe6b3330ae225565036de8f96577bf829cf9ef6cd

Download Submit
C:\Users\Admin\AppData\Local\gP4Fo7H\XmlLite.dll
Filesize
688KB

MD5
27913c539db3e83b56eb7feaa263dbfa

SHA1
5953e1d459f52ab3cc22ad0ee08270b9d538af79

SHA256
fbadb21ccb6f917752ec2d1fa35ba903b02c440e36aae097b3910b3d3efe01cf

SHA512
41107163c9155587df8c29ba3ce5366847184f097d0aead6fca5ff5a6f0f0e3f945f67d290a53133091eb8abe6b3330ae225565036de8f96577bf829cf9ef6cd

Download Submit
C:\Users\Admin\AppData\Local\gP4Fo7H\usocoreworker.exe
Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\whHPYUp\ACTIVEDS.dll
Filesize
689KB

MD5
2f8f1a9be651c507dbd0d2ed5612f5c7

SHA1
79cc0c0782d1c4716406e2596e5486359257c716

SHA256
3e2a1894bdba4f15c2e207610be6ec726b20f129847cee56f87fd07d643ce81b

SHA512
944cb63bb882621d3a74a368248ad7136edf34479d46d82abae6a550ad606afbc19a7995cfe4695c354ec0bfffc6113f094340841f5bc7c9f6f1d1b1c76ce3cc

Download Submit
C:\Users\Admin\AppData\Local\whHPYUp\ACTIVEDS.dll
Filesize
689KB

MD5
2f8f1a9be651c507dbd0d2ed5612f5c7

SHA1
79cc0c0782d1c4716406e2596e5486359257c716

SHA256
3e2a1894bdba4f15c2e207610be6ec726b20f129847cee56f87fd07d643ce81b

SHA512
944cb63bb882621d3a74a368248ad7136edf34479d46d82abae6a550ad606afbc19a7995cfe4695c354ec0bfffc6113f094340841f5bc7c9f6f1d1b1c76ce3cc

Download Submit
C:\Users\Admin\AppData\Local\whHPYUp\ApplySettingsTemplateCatalog.exe
Filesize
1.1MB

MD5
13af41b1c1c53c7360cd582a82ec2093

SHA1
7425f893d1245e351483ab4a20a5f59d114df4e1

SHA256
a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

SHA512
c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

Download Submit
memory/976-130-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/976-133-0x000001E5E04B0000-0x000001E5E04B7000-memory.dmp

Filesize
28KB

Download
memory/3172-151-0x00007FFAD2C5C000-0x00007FFAD2C5D000-memory.dmp

Filesize
4KB

Download
memory/3172-140-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3172-154-0x00007FFAD2B70000-0x00007FFAD2B80000-memory.dmp

Filesize
64KB

Download
memory/3172-152-0x00007FFAD2C2C000-0x00007FFAD2C2D000-memory.dmp

Filesize
4KB

Download
memory/3172-134-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/3172-142-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3172-135-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3172-136-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3172-138-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3172-139-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3172-153-0x00000000005F0000-0x00000000005F7000-memory.dmp

Filesize
28KB

Download
memory/3172-137-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3172-141-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/3600-162-0x0000019E4C6A0000-0x0000019E4C6A7000-memory.dmp

Filesize
28KB

Download
memory/3600-159-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3600-155-0x0000000000000000-mapping.dmp

Download
memory/4488-171-0x0000000000000000-mapping.dmp

Download
memory/4488-178-0x0000020424880000-0x0000020424887000-memory.dmp

Filesize
28KB

Download
memory/4704-163-0x0000000000000000-mapping.dmp

Download
memory/4704-170-0x0000020044E30000-0x0000020044E37000-memory.dmp

Filesize
28KB

Download