dridex | c76536d2ace8f628cd93c78ba8e4825f94ca5a4694a290dd0fb95cae08e77be4

Analysis

max time kernel
150s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-04-2022 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c76536d2ace8f628cd93c78ba8e4825f94ca5a4694a290dd0fb95cae08e77be4.dll
Size

886KB
MD5

1e813a7ad4be6645921f8b0516b8b00c
SHA1

02da546df7f9a3507497a1443a0c46cb1fbd0c15
SHA256

c76536d2ace8f628cd93c78ba8e4825f94ca5a4694a290dd0fb95cae08e77be4
SHA512

a54ed387d7511ae83c8d7adacad93ae0acd0364c09ad6e931f36443aa62dbb496e7dc3afae71e1b42ea9ce62354770d4f72a52b5d8a6dfd86b796299902d86ad

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-55-0x00000000029D0000-0x00000000029D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WindowsAnytimeUpgradeResults.exeWFS.exetaskmgr.exe

pid process

908 WindowsAnytimeUpgradeResults.exe
288 WFS.exe
1152 taskmgr.exe
Loads dropped DLL 7 IoCs

Processes:

WindowsAnytimeUpgradeResults.exeWFS.exetaskmgr.exe

pid process

1256
908 WindowsAnytimeUpgradeResults.exe
1256
288 WFS.exe
1256
1152 taskmgr.exe
1256

pid	process
908	WindowsAnytimeUpgradeResults.exe
288	WFS.exe
1152	taskmgr.exe

pid	process
1256
908	WindowsAnytimeUpgradeResults.exe
1256
288	WFS.exe
1256
1152	taskmgr.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\090iR\\WFS.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WindowsAnytimeUpgradeResults.exeWFS.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1376	regsvr32.exe
1376	regsvr32.exe
1376	regsvr32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 1672	1256	WindowsAnytimeUpgradeResults.exe
PID 1256 wrote to memory of 1672	1256	WindowsAnytimeUpgradeResults.exe
PID 1256 wrote to memory of 1672	1256	WindowsAnytimeUpgradeResults.exe
PID 1256 wrote to memory of 908	1256	WindowsAnytimeUpgradeResults.exe
PID 1256 wrote to memory of 908	1256	WindowsAnytimeUpgradeResults.exe
PID 1256 wrote to memory of 908	1256	WindowsAnytimeUpgradeResults.exe
PID 1256 wrote to memory of 548	1256	WFS.exe
PID 1256 wrote to memory of 548	1256	WFS.exe
PID 1256 wrote to memory of 548	1256	WFS.exe
PID 1256 wrote to memory of 288	1256	WFS.exe
PID 1256 wrote to memory of 288	1256	WFS.exe
PID 1256 wrote to memory of 288	1256	WFS.exe
PID 1256 wrote to memory of 1108	1256	taskmgr.exe
PID 1256 wrote to memory of 1108	1256	taskmgr.exe
PID 1256 wrote to memory of 1108	1256	taskmgr.exe
PID 1256 wrote to memory of 1152	1256	taskmgr.exe
PID 1256 wrote to memory of 1152	1256	taskmgr.exe
PID 1256 wrote to memory of 1152	1256	taskmgr.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c76536d2ace8f628cd93c78ba8e4825f94ca5a4694a290dd0fb95cae08e77be4.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:1672

C:\Users\Admin\AppData\Local\6lZ\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\6lZ\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:908

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:548

C:\Users\Admin\AppData\Local\W8gw7zE\WFS.exe
C:\Users\Admin\AppData\Local\W8gw7zE\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:288

C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
1⤵
PID:1108

C:\Users\Admin\AppData\Local\gZfJws6ss\taskmgr.exe
C:\Users\Admin\AppData\Local\gZfJws6ss\taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1152

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6lZ\WINBRAND.dll
Filesize
887KB

MD5
81d7cc9262d8cb92657b7092c31519be

SHA1
8863b463b13796bbe60bffd5ff5f338d350eb012

SHA256
3fa02cbfb28f89cd86c00f0f6475439d4cb93d09a716244813d5dbba0c13281a

SHA512
1ee9286f91c78c1fe7db6461c751e7ec3bcd45106e1a5e8577332704d8e6482c404b5e304fad2f49b7e616ce88a60970b58a3209cb7142e3397f940710f338d2

Download Submit
C:\Users\Admin\AppData\Local\6lZ\WindowsAnytimeUpgradeResults.exe
Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
C:\Users\Admin\AppData\Local\W8gw7zE\WFS.exe
Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\W8gw7zE\WINMM.dll
Filesize
892KB

MD5
1e817c840cf0ba36568156c53af7df5b

SHA1
a98a3869da7b5f74f3afe4361e503c78f3d12ff2

SHA256
859c540696bb5fae9083f14171d7aedcd7047330c2961349d8b187c2aecd3515

SHA512
d4e4bedefdf1e986788bdfe8e76efc6f05d5b053d58aa6ed14729abcf16675b2918566739c581f67755a471cd1e09c78bbc635e15a62d22d8ced7d4e2d175691

Download Submit
C:\Users\Admin\AppData\Local\gZfJws6ss\UxTheme.dll
Filesize
889KB

MD5
0ffa5f4832d02cbb4fbde0367d9adc5c

SHA1
7e053a95ea2a0b1e73479b86797defea746f4d66

SHA256
58e8beec9f81fd4394a33fa6d4cfd3289271788eaed55284954c7aff20346433

SHA512
71fc54966d6060bbcb982da3091e68203bae99aac5a239bf3d9609058395cbe23258249fbe0351c6fae1e2f47e8f86f937b27cf2a386eebf5a98db3f9dbcee63

Download Submit
C:\Users\Admin\AppData\Local\gZfJws6ss\taskmgr.exe
Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
\Users\Admin\AppData\Local\6lZ\WINBRAND.dll
Filesize
887KB

MD5
81d7cc9262d8cb92657b7092c31519be

SHA1
8863b463b13796bbe60bffd5ff5f338d350eb012

SHA256
3fa02cbfb28f89cd86c00f0f6475439d4cb93d09a716244813d5dbba0c13281a

SHA512
1ee9286f91c78c1fe7db6461c751e7ec3bcd45106e1a5e8577332704d8e6482c404b5e304fad2f49b7e616ce88a60970b58a3209cb7142e3397f940710f338d2

Download Submit
\Users\Admin\AppData\Local\6lZ\WindowsAnytimeUpgradeResults.exe
Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
\Users\Admin\AppData\Local\W8gw7zE\WFS.exe
Filesize
951KB

MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
\Users\Admin\AppData\Local\W8gw7zE\WINMM.dll
Filesize
892KB

MD5
1e817c840cf0ba36568156c53af7df5b

SHA1
a98a3869da7b5f74f3afe4361e503c78f3d12ff2

SHA256
859c540696bb5fae9083f14171d7aedcd7047330c2961349d8b187c2aecd3515

SHA512
d4e4bedefdf1e986788bdfe8e76efc6f05d5b053d58aa6ed14729abcf16675b2918566739c581f67755a471cd1e09c78bbc635e15a62d22d8ced7d4e2d175691

Download Submit
\Users\Admin\AppData\Local\gZfJws6ss\UxTheme.dll
Filesize
889KB

MD5
0ffa5f4832d02cbb4fbde0367d9adc5c

SHA1
7e053a95ea2a0b1e73479b86797defea746f4d66

SHA256
58e8beec9f81fd4394a33fa6d4cfd3289271788eaed55284954c7aff20346433

SHA512
71fc54966d6060bbcb982da3091e68203bae99aac5a239bf3d9609058395cbe23258249fbe0351c6fae1e2f47e8f86f937b27cf2a386eebf5a98db3f9dbcee63

Download Submit
\Users\Admin\AppData\Local\gZfJws6ss\taskmgr.exe
Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Credentials\Rj76Kj7nVuG\taskmgr.exe
Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
memory/288-80-0x000000013FF91000-0x000000013FF93000-memory.dmp

Filesize
8KB

Download
memory/288-75-0x0000000000000000-mapping.dmp

Download
memory/908-70-0x0000000000000000-mapping.dmp

Download
memory/1152-82-0x0000000000000000-mapping.dmp

Download
memory/1256-61-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-60-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-67-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-65-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-63-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-64-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-66-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-55-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1256-62-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-59-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-68-0x00000000778F0000-0x00000000778F2000-memory.dmp

Filesize
8KB

Download
memory/1256-58-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-57-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1256-56-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1376-54-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads