dridex | 7267885574387dc8769908893f2c1ba297a0e4da0798105e1301247df2d8b97a

Analysis

max time kernel
151s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7267885574387dc8769908893f2c1ba297a0e4da0798105e1301247df2d8b97a.dll
Size

1.2MB
MD5

513fc64fd591db4f601b9ce9f2da15e0
SHA1

c26e626dcf7c5328675ea73a672ff1b5d27d44a8
SHA256

7267885574387dc8769908893f2c1ba297a0e4da0798105e1301247df2d8b97a
SHA512

a120c47877119d939776c1532592a5b788b8af2185ad15a00fb466c07b916a7f46ac815cd1f2cf19f1974690d29bb812b4c664aa1a47199bc4f10788b2a6e8b1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/5056-130-0x0000000140000000-0x000000014013F000-memory.dmp	dridex_payload
behavioral2/memory/836-160-0x0000000140000000-0x0000000140140000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

osk.exeRecoveryDrive.exeddodiag.exe

pid process

836 osk.exe
4568 RecoveryDrive.exe
3784 ddodiag.exe
Loads dropped DLL 3 IoCs

Processes:

osk.exeRecoveryDrive.exeddodiag.exe

pid process

836 osk.exe
4568 RecoveryDrive.exe
3784 ddodiag.exe

pid	process
836	osk.exe
4568	RecoveryDrive.exe
3784	ddodiag.exe

pid	process
836	osk.exe
4568	RecoveryDrive.exe
3784	ddodiag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mozskmmhgssfnvj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\By2Pzt9J\\RecoveryDrive.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeosk.exeRecoveryDrive.exeddodiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RecoveryDrive.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
5056	rundll32.exe
5056	rundll32.exe
5056	rundll32.exe
5056	rundll32.exe
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032
1032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1032

pid	process
1032

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 1032 wrote to memory of 2584	1032	osk.exe
PID 1032 wrote to memory of 2584	1032	osk.exe
PID 1032 wrote to memory of 836	1032	osk.exe
PID 1032 wrote to memory of 836	1032	osk.exe
PID 1032 wrote to memory of 4772	1032	RecoveryDrive.exe
PID 1032 wrote to memory of 4772	1032	RecoveryDrive.exe
PID 1032 wrote to memory of 4568	1032	RecoveryDrive.exe
PID 1032 wrote to memory of 4568	1032	RecoveryDrive.exe
PID 1032 wrote to memory of 3324	1032	ddodiag.exe
PID 1032 wrote to memory of 3324	1032	ddodiag.exe
PID 1032 wrote to memory of 3784	1032	ddodiag.exe
PID 1032 wrote to memory of 3784	1032	ddodiag.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7267885574387dc8769908893f2c1ba297a0e4da0798105e1301247df2d8b97a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5056

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2584

C:\Users\Admin\AppData\Local\mizHKN\osk.exe
C:\Users\Admin\AppData\Local\mizHKN\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:836

C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
1⤵
PID:4772

C:\Users\Admin\AppData\Local\9coIMvq\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\9coIMvq\RecoveryDrive.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4568

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:3324

C:\Users\Admin\AppData\Local\q923\ddodiag.exe
C:\Users\Admin\AppData\Local\q923\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\9coIMvq\RecoveryDrive.exe
Filesize
911KB

MD5
b9b3dc6f2eb89e41ff27400952602c74

SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b

SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Download Submit
C:\Users\Admin\AppData\Local\9coIMvq\UxTheme.dll
Filesize
1.2MB

MD5
3bfada153f4013966de7e1b784d25861

SHA1
734baaf0c98f00ba1c49d0d2f2813451416f956c

SHA256
9760fda885693f325587e40cd4d851aaf663a780670cb78b401a5c938b90935e

SHA512
54f23aa5696a6bd8d779ed6f1e05d84473aa9d246ec3ada5a3f163b10bfc3a951ab1aa56d8a34f34768bd37776dd2622d3047ccf6ab32d1c55e752835c625dfd

Download Submit
C:\Users\Admin\AppData\Local\9coIMvq\UxTheme.dll
Filesize
1.2MB

MD5
3bfada153f4013966de7e1b784d25861

SHA1
734baaf0c98f00ba1c49d0d2f2813451416f956c

SHA256
9760fda885693f325587e40cd4d851aaf663a780670cb78b401a5c938b90935e

SHA512
54f23aa5696a6bd8d779ed6f1e05d84473aa9d246ec3ada5a3f163b10bfc3a951ab1aa56d8a34f34768bd37776dd2622d3047ccf6ab32d1c55e752835c625dfd

Download Submit
C:\Users\Admin\AppData\Local\mizHKN\WMsgAPI.dll
Filesize
1.2MB

MD5
c26961b8439bcdc95f1fe285eaf2266d

SHA1
e1ce297f490f1ba084303dead8c03f16ce98d98a

SHA256
4669acf1901d08e53714d5cb14009405bdaad7e5a6ce77e490145542f4ffaf4f

SHA512
8a1cda83728fa49d23a9821fa1b7e38439a74fc769b661a8890e9014b5825e31754a94bbb08177554d825995e92f47ea0dfe155095d56fc2eea5187fdc81cd5f

Download Submit
C:\Users\Admin\AppData\Local\mizHKN\WMsgAPI.dll
Filesize
1.2MB

MD5
c26961b8439bcdc95f1fe285eaf2266d

SHA1
e1ce297f490f1ba084303dead8c03f16ce98d98a

SHA256
4669acf1901d08e53714d5cb14009405bdaad7e5a6ce77e490145542f4ffaf4f

SHA512
8a1cda83728fa49d23a9821fa1b7e38439a74fc769b661a8890e9014b5825e31754a94bbb08177554d825995e92f47ea0dfe155095d56fc2eea5187fdc81cd5f

Download Submit
C:\Users\Admin\AppData\Local\mizHKN\osk.exe
Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Local\q923\XmlLite.dll
Filesize
1.2MB

MD5
89487698b890a9f909286cff5f77364c

SHA1
a65e691d4101e15e82fb2763eb656a48e1167177

SHA256
56bbc010db9204af2e21304a855ed4e9cfe1c0b23322b45671000bea3c50f475

SHA512
d20f78c54c304d69cc7d3f025a549f090a0797542ea541432e848800e5748d02ceb44847fc5dd3eed167c592c53ddfbf8ab4b0ed022dec9595717c53d8b7cdab

Download Submit
C:\Users\Admin\AppData\Local\q923\XmlLite.dll
Filesize
1.2MB

MD5
89487698b890a9f909286cff5f77364c

SHA1
a65e691d4101e15e82fb2763eb656a48e1167177

SHA256
56bbc010db9204af2e21304a855ed4e9cfe1c0b23322b45671000bea3c50f475

SHA512
d20f78c54c304d69cc7d3f025a549f090a0797542ea541432e848800e5748d02ceb44847fc5dd3eed167c592c53ddfbf8ab4b0ed022dec9595717c53d8b7cdab

Download Submit
C:\Users\Admin\AppData\Local\q923\ddodiag.exe
Filesize
39KB

MD5
85feee634a6aee90f0108e26d3d9bc1f

SHA1
a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

SHA256
99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

SHA512
b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Download Submit
memory/836-156-0x0000000000000000-mapping.dmp

Download
memory/836-160-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/836-163-0x000002006F530000-0x000002006F537000-memory.dmp

Filesize
28KB

Download
memory/1032-155-0x00007FFECB370000-0x00007FFECB380000-memory.dmp

Filesize
64KB

Download
memory/1032-143-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-154-0x0000000000D70000-0x0000000000D77000-memory.dmp

Filesize
28KB

Download
memory/1032-142-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-134-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-141-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-140-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-139-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-144-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-145-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-135-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-138-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-137-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1032-136-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3784-172-0x0000000000000000-mapping.dmp

Download
memory/3784-179-0x0000025D014A0000-0x0000025D014A7000-memory.dmp

Filesize
28KB

Download
memory/4568-171-0x000001E6E2F10000-0x000001E6E2F17000-memory.dmp

Filesize
28KB

Download
memory/4568-164-0x0000000000000000-mapping.dmp

Download
memory/5056-130-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/5056-133-0x0000024C93400000-0x0000024C93407000-memory.dmp

Filesize
28KB

Download