dridex | c76536d2ace8f628cd93c78ba8e4825f94ca5a4694a290dd0fb95cae08e77be4

Analysis

max time kernel
159s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-04-2022 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c76536d2ace8f628cd93c78ba8e4825f94ca5a4694a290dd0fb95cae08e77be4.dll
Size

886KB
MD5

1e813a7ad4be6645921f8b0516b8b00c
SHA1

02da546df7f9a3507497a1443a0c46cb1fbd0c15
SHA256

c76536d2ace8f628cd93c78ba8e4825f94ca5a4694a290dd0fb95cae08e77be4
SHA512

a54ed387d7511ae83c8d7adacad93ae0acd0364c09ad6e931f36443aa62dbb496e7dc3afae71e1b42ea9ce62354770d4f72a52b5d8a6dfd86b796299902d86ad

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/892-130-0x00000000001A0000-0x00000000001A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

MusNotifyIcon.exerecdisc.exerdpshell.exe

pid process

4260 MusNotifyIcon.exe
4352 recdisc.exe
1732 rdpshell.exe
Loads dropped DLL 3 IoCs

Processes:

MusNotifyIcon.exerecdisc.exerdpshell.exe

pid process

4260 MusNotifyIcon.exe
4352 recdisc.exe
1732 rdpshell.exe

pid	process
4260	MusNotifyIcon.exe
4352	recdisc.exe
1732	rdpshell.exe

pid	process
4260	MusNotifyIcon.exe
4352	recdisc.exe
1732	rdpshell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\ecfTWNy\\recdisc.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MusNotifyIcon.exerecdisc.exerdpshell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
4056	regsvr32.exe
4056	regsvr32.exe
4056	regsvr32.exe
4056	regsvr32.exe
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892
892

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

892

pid	process
892

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 892 wrote to memory of 4264	892	MusNotifyIcon.exe
PID 892 wrote to memory of 4264	892	MusNotifyIcon.exe
PID 892 wrote to memory of 4260	892	MusNotifyIcon.exe
PID 892 wrote to memory of 4260	892	MusNotifyIcon.exe
PID 892 wrote to memory of 3832	892	recdisc.exe
PID 892 wrote to memory of 3832	892	recdisc.exe
PID 892 wrote to memory of 4352	892	recdisc.exe
PID 892 wrote to memory of 4352	892	recdisc.exe
PID 892 wrote to memory of 2076	892	rdpshell.exe
PID 892 wrote to memory of 2076	892	rdpshell.exe
PID 892 wrote to memory of 1732	892	rdpshell.exe
PID 892 wrote to memory of 1732	892	rdpshell.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\c76536d2ace8f628cd93c78ba8e4825f94ca5a4694a290dd0fb95cae08e77be4.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Windows\system32\MusNotifyIcon.exe
C:\Windows\system32\MusNotifyIcon.exe
1⤵
PID:4264

C:\Users\Admin\AppData\Local\QB1lBPIp9\MusNotifyIcon.exe
C:\Users\Admin\AppData\Local\QB1lBPIp9\MusNotifyIcon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4260

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:3832

C:\Users\Admin\AppData\Local\73XntlDd\recdisc.exe
C:\Users\Admin\AppData\Local\73XntlDd\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4352

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2076

C:\Users\Admin\AppData\Local\7nhGsL\rdpshell.exe
C:\Users\Admin\AppData\Local\7nhGsL\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\73XntlDd\ReAgent.dll
Filesize
889KB

MD5
4072918ce551e0ff2d25a17f82a79eac

SHA1
63d17be4b38015d5ed3d3fbe24b94c1c29915961

SHA256
930e0c4f4b5af37378733e8d47c417bf4d8d33e11481a8df7ac75e2ea4aafb8e

SHA512
6ab6959eab01f86aa07640597e93d4f829f107fb09f8e8fa360c7fa679122db41bd09e8fff0f1a5f784291494965b5594d1872c05405754da37e376a41bb8313

Download Submit
C:\Users\Admin\AppData\Local\73XntlDd\ReAgent.dll
Filesize
889KB

MD5
4072918ce551e0ff2d25a17f82a79eac

SHA1
63d17be4b38015d5ed3d3fbe24b94c1c29915961

SHA256
930e0c4f4b5af37378733e8d47c417bf4d8d33e11481a8df7ac75e2ea4aafb8e

SHA512
6ab6959eab01f86aa07640597e93d4f829f107fb09f8e8fa360c7fa679122db41bd09e8fff0f1a5f784291494965b5594d1872c05405754da37e376a41bb8313

Download Submit
C:\Users\Admin\AppData\Local\73XntlDd\recdisc.exe
Filesize
193KB

MD5
18afee6824c84bf5115bada75ff0a3e7

SHA1
d10f287a7176f57b3b2b315a5310d25b449795aa

SHA256
0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

SHA512
517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

Download Submit
C:\Users\Admin\AppData\Local\7nhGsL\WTSAPI32.dll
Filesize
889KB

MD5
11061d9c818c761056efe249eb74aceb

SHA1
f5fa675115af3d4a104342168b8df40c5f27b69c

SHA256
f99fb908ccabfa1df602ced677ff8b26e4caf352c9aed50ed6f8d4f8b7e824d5

SHA512
89dd06eee45fb55560c94f25650746cb94c4dcf3a230683acea6238146b660474f37aab14865513282e1efef4a15f3f8dc839d43917ac598b88aab971793bd2e

Download Submit
C:\Users\Admin\AppData\Local\7nhGsL\WTSAPI32.dll
Filesize
889KB

MD5
11061d9c818c761056efe249eb74aceb

SHA1
f5fa675115af3d4a104342168b8df40c5f27b69c

SHA256
f99fb908ccabfa1df602ced677ff8b26e4caf352c9aed50ed6f8d4f8b7e824d5

SHA512
89dd06eee45fb55560c94f25650746cb94c4dcf3a230683acea6238146b660474f37aab14865513282e1efef4a15f3f8dc839d43917ac598b88aab971793bd2e

Download Submit
C:\Users\Admin\AppData\Local\7nhGsL\rdpshell.exe
Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Users\Admin\AppData\Local\QB1lBPIp9\MusNotifyIcon.exe
Filesize
629KB

MD5
c54b1a69a21e03b83ebb0aeb3758b6f7

SHA1
b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c

SHA256
ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf

SHA512
2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

Download Submit
C:\Users\Admin\AppData\Local\QB1lBPIp9\XmlLite.dll
Filesize
887KB

MD5
af8547eedba8136a0b933f04971dc5ac

SHA1
464974679087119f1b3b7b21082da8deb166c15e

SHA256
c9d545aae0672a0a008a6a5ca1adf80695cb26c8184340e316cb79d03d8c1a67

SHA512
ff27c6a0f29c97944217f7f0088ebd6ab86037520184d1664d3af146c8f0a449eabfe5417ac29c0379346d22327b5df4f97e4b8f4860948489aed17f308ecd2f

Download Submit
C:\Users\Admin\AppData\Local\QB1lBPIp9\XmlLite.dll
Filesize
887KB

MD5
af8547eedba8136a0b933f04971dc5ac

SHA1
464974679087119f1b3b7b21082da8deb166c15e

SHA256
c9d545aae0672a0a008a6a5ca1adf80695cb26c8184340e316cb79d03d8c1a67

SHA512
ff27c6a0f29c97944217f7f0088ebd6ab86037520184d1664d3af146c8f0a449eabfe5417ac29c0379346d22327b5df4f97e4b8f4860948489aed17f308ecd2f

Download Submit
memory/892-137-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-138-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-141-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-142-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-143-0x00007FFDEE43C000-0x00007FFDEE43D000-memory.dmp

Filesize
4KB

Download
memory/892-144-0x00007FFDEE40C000-0x00007FFDEE40D000-memory.dmp

Filesize
4KB

Download
memory/892-145-0x00007FFDEE350000-0x00007FFDEE360000-memory.dmp

Filesize
64KB

Download
memory/892-139-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-132-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-140-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-130-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/892-131-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-135-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-136-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-134-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/892-133-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1732-154-0x0000000000000000-mapping.dmp

Download
memory/4260-146-0x0000000000000000-mapping.dmp

Download
memory/4352-150-0x0000000000000000-mapping.dmp

Download