dridex | 1db516ec44d7e582128b742a21ad262b118ede5823969eae29b8d0c6eace59f5

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db516ec44d7e582128b742a21ad262b118ede5823969eae29b8d0c6eace59f5.dll
Size

1000KB
MD5

3558b7179725f016656dd90085f93678
SHA1

6f86ad7ebacc70ba7c1a032fe9964d4fec4c71cf
SHA256

1db516ec44d7e582128b742a21ad262b118ede5823969eae29b8d0c6eace59f5
SHA512

84845486787de8e7bd64a9df0a50720c68619fbb383d078013470ce6d935d86b843768f6d1253979e91c9da01adf82db04691a0fbf0002b4a4cf45f59e8f708f

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1232-59-0x0000000002140000-0x0000000002141000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ComputerDefaults.exenotepad.exeeudcedit.exe

pid process

1464 ComputerDefaults.exe
1832 notepad.exe
672 eudcedit.exe
Loads dropped DLL 7 IoCs

Processes:

ComputerDefaults.exenotepad.exeeudcedit.exe

pid process

1232
1464 ComputerDefaults.exe
1232
1832 notepad.exe
1232
672 eudcedit.exe
1232

pid	process
1464	ComputerDefaults.exe
1832	notepad.exe
672	eudcedit.exe

pid	process
1232
1464	ComputerDefaults.exe
1232
1832	notepad.exe
1232
672	eudcedit.exe
1232

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\PL6E\\notepad.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

notepad.exeeudcedit.exerundll32.exeComputerDefaults.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ComputerDefaults.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1080	rundll32.exe
1080	rundll32.exe
1080	rundll32.exe
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232
1232

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1232 wrote to memory of 320	1232	ComputerDefaults.exe
PID 1232 wrote to memory of 320	1232	ComputerDefaults.exe
PID 1232 wrote to memory of 320	1232	ComputerDefaults.exe
PID 1232 wrote to memory of 1464	1232	ComputerDefaults.exe
PID 1232 wrote to memory of 1464	1232	ComputerDefaults.exe
PID 1232 wrote to memory of 1464	1232	ComputerDefaults.exe
PID 1232 wrote to memory of 824	1232	notepad.exe
PID 1232 wrote to memory of 824	1232	notepad.exe
PID 1232 wrote to memory of 824	1232	notepad.exe
PID 1232 wrote to memory of 1832	1232	notepad.exe
PID 1232 wrote to memory of 1832	1232	notepad.exe
PID 1232 wrote to memory of 1832	1232	notepad.exe
PID 1232 wrote to memory of 1088	1232	eudcedit.exe
PID 1232 wrote to memory of 1088	1232	eudcedit.exe
PID 1232 wrote to memory of 1088	1232	eudcedit.exe
PID 1232 wrote to memory of 672	1232	eudcedit.exe
PID 1232 wrote to memory of 672	1232	eudcedit.exe
PID 1232 wrote to memory of 672	1232	eudcedit.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db516ec44d7e582128b742a21ad262b118ede5823969eae29b8d0c6eace59f5.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:320

C:\Users\Admin\AppData\Local\733\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\733\ComputerDefaults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1464

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:824

C:\Users\Admin\AppData\Local\Enm\notepad.exe
C:\Users\Admin\AppData\Local\Enm\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1832

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:1088

C:\Users\Admin\AppData\Local\VK52JDL3\eudcedit.exe
C:\Users\Admin\AppData\Local\VK52JDL3\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\733\ComputerDefaults.exe
Filesize
36KB

MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
C:\Users\Admin\AppData\Local\733\appwiz.cpl
Filesize
1001KB

MD5
983b8e01149483b018b0060a426e35d3

SHA1
1009f6e60c3dffce51819cd1292b460f34efdc4a

SHA256
80808ed46ea306e7a2360576bd88cac1c73d44ffdf7b71580913a169086099f1

SHA512
9aa25cdeba49a1cd16b23740adc97debd0129713606c328d91b39c53e8c29c2ac708d810d51d7190e535631acc815f9b6122f87ddfd43b7bb6bc1dbca68150cf

Download Submit
C:\Users\Admin\AppData\Local\Enm\VERSION.dll
Filesize
1001KB

MD5
223ba5df91236beca01b516a62439093

SHA1
88cdf4e6bf8e1d82661c1304605f734a85b14806

SHA256
b3345c942ddcf4c3b3add9088ee46bd7e43c3ac3f8bf583dea2b934b02b4a365

SHA512
1c3d87a854e1eeff7632ab5bfbb4c5cd9fcc72e3c6f3aceae2ae231c1531031b782c5e579d21291a5464641a73be8263034763018051d797f140cea8f214f017

Download Submit
C:\Users\Admin\AppData\Local\Enm\notepad.exe
Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
C:\Users\Admin\AppData\Local\VK52JDL3\MFC42u.dll
Filesize
1.0MB

MD5
3ef5f90781ba7b218173fc058cd0c2b8

SHA1
2c94e504cf0ebd74820ea5aafb6d6ab2a1f72545

SHA256
4eca3a6be37642cbfe13760f6c0ff2e4c4dd7a4f619fa1902d191593b22e011a

SHA512
528cca37e9d355ff7b456ea8c146fbd12f71c23dd2a289937d41875336b315cc43cd88da52a650de688d3368d3ab8da25e0bd2c07b8a5a838698fd5deeb6b5ce

Download Submit
C:\Users\Admin\AppData\Local\VK52JDL3\eudcedit.exe
Filesize
351KB

MD5
35e397d6ca8407b86d8a7972f0c90711

SHA1
6b39830003906ef82442522d22b80460c03f6082

SHA256
1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

SHA512
71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

Download Submit
\Users\Admin\AppData\Local\733\ComputerDefaults.exe
Filesize
36KB

MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
\Users\Admin\AppData\Local\733\appwiz.cpl
Filesize
1001KB

MD5
983b8e01149483b018b0060a426e35d3

SHA1
1009f6e60c3dffce51819cd1292b460f34efdc4a

SHA256
80808ed46ea306e7a2360576bd88cac1c73d44ffdf7b71580913a169086099f1

SHA512
9aa25cdeba49a1cd16b23740adc97debd0129713606c328d91b39c53e8c29c2ac708d810d51d7190e535631acc815f9b6122f87ddfd43b7bb6bc1dbca68150cf

Download Submit
\Users\Admin\AppData\Local\Enm\VERSION.dll
Filesize
1001KB

MD5
223ba5df91236beca01b516a62439093

SHA1
88cdf4e6bf8e1d82661c1304605f734a85b14806

SHA256
b3345c942ddcf4c3b3add9088ee46bd7e43c3ac3f8bf583dea2b934b02b4a365

SHA512
1c3d87a854e1eeff7632ab5bfbb4c5cd9fcc72e3c6f3aceae2ae231c1531031b782c5e579d21291a5464641a73be8263034763018051d797f140cea8f214f017

Download Submit
\Users\Admin\AppData\Local\Enm\notepad.exe
Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
\Users\Admin\AppData\Local\VK52JDL3\MFC42u.dll
Filesize
1.0MB

MD5
3ef5f90781ba7b218173fc058cd0c2b8

SHA1
2c94e504cf0ebd74820ea5aafb6d6ab2a1f72545

SHA256
4eca3a6be37642cbfe13760f6c0ff2e4c4dd7a4f619fa1902d191593b22e011a

SHA512
528cca37e9d355ff7b456ea8c146fbd12f71c23dd2a289937d41875336b315cc43cd88da52a650de688d3368d3ab8da25e0bd2c07b8a5a838698fd5deeb6b5ce

Download Submit
\Users\Admin\AppData\Local\VK52JDL3\eudcedit.exe
Filesize
351KB

MD5
35e397d6ca8407b86d8a7972f0c90711

SHA1
6b39830003906ef82442522d22b80460c03f6082

SHA256
1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

SHA512
71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Acrobat\mo5kMCgj\eudcedit.exe
Filesize
351KB

MD5
35e397d6ca8407b86d8a7972f0c90711

SHA1
6b39830003906ef82442522d22b80460c03f6082

SHA256
1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde

SHA512
71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

Download Submit
memory/672-114-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/672-110-0x0000000140000000-0x0000000140108000-memory.dmp

Filesize
1.0MB

Download
memory/672-109-0x00000000FFE51000-0x00000000FFE53000-memory.dmp

Filesize
8KB

Download
memory/672-104-0x0000000000000000-mapping.dmp

Download
memory/1080-58-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1080-54-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-66-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-60-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-64-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-63-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-62-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-68-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-70-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-61-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-67-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-69-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1232-80-0x00000000775B0000-0x00000000775B2000-memory.dmp

Filesize
8KB

Download
memory/1232-79-0x0000000002120000-0x0000000002127000-memory.dmp

Filesize
28KB

Download
memory/1232-59-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1232-65-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1464-82-0x0000000000000000-mapping.dmp

Download
memory/1464-91-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1464-87-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1464-86-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

Filesize
8KB

Download
memory/1832-102-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1832-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads