dridex | edcea095b435ff1197fd722520e26b402b4e0e170cc9560994b0c59816a1ebc6

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edcea095b435ff1197fd722520e26b402b4e0e170cc9560994b0c59816a1ebc6.dll
Size

1.2MB
MD5

b87e7b934cf7027bc3725dcc7b19a6ef
SHA1

08c3b9cfd005eafe1b9c149ba1ef39d9c6e18b7f
SHA256

edcea095b435ff1197fd722520e26b402b4e0e170cc9560994b0c59816a1ebc6
SHA512

d879ef05c96ea20f26a40a28f457b57e58f51d4a7a9138d95cd32dcd4c3038e5b8fc1742a887732ea33767a48ff9532bf3d20179d9afbdfed481c9605a281d24

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3292-135-0x0000000001600000-0x0000000001601000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

eudcedit.exeMoUsoCoreWorker.exerdpinit.exe

pid process

4924 eudcedit.exe
2880 MoUsoCoreWorker.exe
3204 rdpinit.exe
Loads dropped DLL 3 IoCs

Processes:

eudcedit.exeMoUsoCoreWorker.exerdpinit.exe

pid process

4924 eudcedit.exe
2880 MoUsoCoreWorker.exe
3204 rdpinit.exe

pid	process
4924	eudcedit.exe
2880	MoUsoCoreWorker.exe
3204	rdpinit.exe

pid	process
4924	eudcedit.exe
2880	MoUsoCoreWorker.exe
3204	rdpinit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\xH0s\\MoUsoCoreWorker.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeeudcedit.exeMoUsoCoreWorker.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MoUsoCoreWorker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1244	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292
3292

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3292

pid	process
3292

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3292 wrote to memory of 4412	3292	eudcedit.exe
PID 3292 wrote to memory of 4412	3292	eudcedit.exe
PID 3292 wrote to memory of 4924	3292	eudcedit.exe
PID 3292 wrote to memory of 4924	3292	eudcedit.exe
PID 3292 wrote to memory of 2072	3292	MoUsoCoreWorker.exe
PID 3292 wrote to memory of 2072	3292	MoUsoCoreWorker.exe
PID 3292 wrote to memory of 2880	3292	MoUsoCoreWorker.exe
PID 3292 wrote to memory of 2880	3292	MoUsoCoreWorker.exe
PID 3292 wrote to memory of 4668	3292	rdpinit.exe
PID 3292 wrote to memory of 4668	3292	rdpinit.exe
PID 3292 wrote to memory of 3204	3292	rdpinit.exe
PID 3292 wrote to memory of 3204	3292	rdpinit.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\edcea095b435ff1197fd722520e26b402b4e0e170cc9560994b0c59816a1ebc6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:4412

C:\Users\Admin\AppData\Local\9dH3GbXv\eudcedit.exe
C:\Users\Admin\AppData\Local\9dH3GbXv\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4924

C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
1⤵
PID:2072

C:\Users\Admin\AppData\Local\nYrjZagb\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\nYrjZagb\MoUsoCoreWorker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2880

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Tf3JUu\rdpinit.exe
C:\Users\Admin\AppData\Local\Tf3JUu\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9dH3GbXv\MFC42u.dll
Filesize
1.2MB

MD5
4e5edeb4a5424d2c451b68368103b468

SHA1
250d78a5ccb68688555e07520fe2e40307da8323

SHA256
f55bae722fb18f8d9ecf7cd6d751e5ec3e9ec49e3a4a38b814f3afb196058af9

SHA512
805c8ae2c7e2742c86e8bf87b7ce4ccf065168d6238cc64001f15cb79cdf2cd4dfd224f45d477a684012860144eebb0efc272315b01b76956b3639f154637394

Download Submit
C:\Users\Admin\AppData\Local\9dH3GbXv\MFC42u.dll
Filesize
1.2MB

MD5
4e5edeb4a5424d2c451b68368103b468

SHA1
250d78a5ccb68688555e07520fe2e40307da8323

SHA256
f55bae722fb18f8d9ecf7cd6d751e5ec3e9ec49e3a4a38b814f3afb196058af9

SHA512
805c8ae2c7e2742c86e8bf87b7ce4ccf065168d6238cc64001f15cb79cdf2cd4dfd224f45d477a684012860144eebb0efc272315b01b76956b3639f154637394

Download Submit
C:\Users\Admin\AppData\Local\9dH3GbXv\eudcedit.exe
Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Local\Tf3JUu\WTSAPI32.dll
Filesize
1.2MB

MD5
42ad9d8a71f05581bd1b41120912426f

SHA1
4414136eecf9f00b4d5cb5016984356263df8568

SHA256
1ba840e30325d852f2b4cacdbee3af75cb38007984f2e97214ba2edc797995b2

SHA512
2df1232a26a2ac9e2e5499b6b3c5fdb66520c3602d10d853fc49c7eac8289b7f5cf051206a73350891ee68c6058e7cb25a7f2911f409715fd4578360bb19e6f3

Download Submit
C:\Users\Admin\AppData\Local\Tf3JUu\WTSAPI32.dll
Filesize
1.2MB

MD5
42ad9d8a71f05581bd1b41120912426f

SHA1
4414136eecf9f00b4d5cb5016984356263df8568

SHA256
1ba840e30325d852f2b4cacdbee3af75cb38007984f2e97214ba2edc797995b2

SHA512
2df1232a26a2ac9e2e5499b6b3c5fdb66520c3602d10d853fc49c7eac8289b7f5cf051206a73350891ee68c6058e7cb25a7f2911f409715fd4578360bb19e6f3

Download Submit
C:\Users\Admin\AppData\Local\Tf3JUu\rdpinit.exe
Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\nYrjZagb\MoUsoCoreWorker.exe
Filesize
1.6MB

MD5
47c6b45ff22b73caf40bb29392386ce3

SHA1
7e29a8d98fbb9b02d3d22e3576f4fd61ab50ffe9

SHA256
cbccb642725edb42e749e26ded68a16b3aa20e291a1a7793a2d4efebb75f99c0

SHA512
c919ab84a497616e7969d58c251f4e6efc337b41ef6956864b86d66ae1437294c124232fec54433eab3a6518ed529f8445dd0b23706b2f42f3fa42e69711f331

Download Submit
C:\Users\Admin\AppData\Local\nYrjZagb\XmlLite.dll
Filesize
1.2MB

MD5
a2f26922d13d16e9b5d2fd0561a9a180

SHA1
e19901e2b52bc4bc1d953786cb74504e5ceb9256

SHA256
67714e5a93f5c68ed67f2dff30f554130c84a9873543d08f6daf714c5d6fddc2

SHA512
3f5df0d56881a66bf4b64b23c0df7212f4818700f8e4e54f7b9b63015330d036bfede6e28f9b0a76834bbde77183fd210f84ecbb33d53771c9684243f16e4faf

Download Submit
C:\Users\Admin\AppData\Local\nYrjZagb\XmlLite.dll
Filesize
1.2MB

MD5
a2f26922d13d16e9b5d2fd0561a9a180

SHA1
e19901e2b52bc4bc1d953786cb74504e5ceb9256

SHA256
67714e5a93f5c68ed67f2dff30f554130c84a9873543d08f6daf714c5d6fddc2

SHA512
3f5df0d56881a66bf4b64b23c0df7212f4818700f8e4e54f7b9b63015330d036bfede6e28f9b0a76834bbde77183fd210f84ecbb33d53771c9684243f16e4faf

Download Submit
memory/1244-130-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1244-134-0x0000023065DE0000-0x0000023065DE7000-memory.dmp

Filesize
28KB

Download
memory/2880-176-0x0000022E20B40000-0x0000022E20B47000-memory.dmp

Filesize
28KB

Download
memory/2880-172-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/2880-168-0x0000000000000000-mapping.dmp

Download
memory/3204-177-0x0000000000000000-mapping.dmp

Download
memory/3204-185-0x000002EA0BEE0000-0x000002EA0BEE7000-memory.dmp

Filesize
28KB

Download
memory/3292-141-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-145-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-135-0x0000000001600000-0x0000000001601000-memory.dmp

Filesize
4KB

Download
memory/3292-156-0x00007FFDFAB3C000-0x00007FFDFAB3D000-memory.dmp

Filesize
4KB

Download
memory/3292-157-0x00007FFDFAB0C000-0x00007FFDFAB0D000-memory.dmp

Filesize
4KB

Download
memory/3292-150-0x00000000013B0000-0x00000000013B7000-memory.dmp

Filesize
28KB

Download
memory/3292-136-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-137-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-146-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-158-0x00007FFDFAA50000-0x00007FFDFAA60000-memory.dmp

Filesize
64KB

Download
memory/3292-144-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-143-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-142-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-139-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-140-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/3292-138-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/4924-167-0x000001F7CAF10000-0x000001F7CAF17000-memory.dmp

Filesize
28KB

Download
memory/4924-163-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4924-159-0x0000000000000000-mapping.dmp

Download