dridex | 6a3d27d8cfaa5e942d3c5eefa9181ef2edfedeae70d1dca0eaad53138fa56add

Analysis

max time kernel
152s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a3d27d8cfaa5e942d3c5eefa9181ef2edfedeae70d1dca0eaad53138fa56add.dll
Size

1.2MB
MD5

f15fa93fc3fc644f39f866875f3a69b7
SHA1

6a5c36ae6673e150502f07fd23677fc76033fa06
SHA256

6a3d27d8cfaa5e942d3c5eefa9181ef2edfedeae70d1dca0eaad53138fa56add
SHA512

ab2f22a9496b2e51f387498b5d8933912221c4e7a5fd141ac5b0b964832c7565291e2db7db13cc06782c2c36f0144d265bb2ede24308eafd1e21bc283bad8d90

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1280-59-0x00000000029F0000-0x00000000029F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sigverif.exeBdeUISrv.exeraserver.exe

pid process

320 sigverif.exe
1576 BdeUISrv.exe
1044 raserver.exe
Loads dropped DLL 7 IoCs

Processes:

sigverif.exeBdeUISrv.exeraserver.exe

pid process

1280
320 sigverif.exe
1280
1576 BdeUISrv.exe
1280
1044 raserver.exe
1280

pid	process
320	sigverif.exe
1576	BdeUISrv.exe
1044	raserver.exe

pid	process
1280
320	sigverif.exe
1280
1576	BdeUISrv.exe
1280
1044	raserver.exe
1280

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\fuo3wg\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BdeUISrv.exeraserver.exerundll32.exesigverif.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesigverif.exe

pid	process
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
320	sigverif.exe
320	sigverif.exe
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1280 wrote to memory of 472	1280	sigverif.exe
PID 1280 wrote to memory of 472	1280	sigverif.exe
PID 1280 wrote to memory of 472	1280	sigverif.exe
PID 1280 wrote to memory of 320	1280	sigverif.exe
PID 1280 wrote to memory of 320	1280	sigverif.exe
PID 1280 wrote to memory of 320	1280	sigverif.exe
PID 1280 wrote to memory of 1572	1280	BdeUISrv.exe
PID 1280 wrote to memory of 1572	1280	BdeUISrv.exe
PID 1280 wrote to memory of 1572	1280	BdeUISrv.exe
PID 1280 wrote to memory of 1576	1280	BdeUISrv.exe
PID 1280 wrote to memory of 1576	1280	BdeUISrv.exe
PID 1280 wrote to memory of 1576	1280	BdeUISrv.exe
PID 1280 wrote to memory of 1328	1280	raserver.exe
PID 1280 wrote to memory of 1328	1280	raserver.exe
PID 1280 wrote to memory of 1328	1280	raserver.exe
PID 1280 wrote to memory of 1044	1280	raserver.exe
PID 1280 wrote to memory of 1044	1280	raserver.exe
PID 1280 wrote to memory of 1044	1280	raserver.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a3d27d8cfaa5e942d3c5eefa9181ef2edfedeae70d1dca0eaad53138fa56add.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:472

C:\Users\Admin\AppData\Local\1zMvPqlv\sigverif.exe
C:\Users\Admin\AppData\Local\1zMvPqlv\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:1572

C:\Users\Admin\AppData\Local\t7DgHsm\BdeUISrv.exe
C:\Users\Admin\AppData\Local\t7DgHsm\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1576

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:1328

C:\Users\Admin\AppData\Local\IHewH7c3\raserver.exe
C:\Users\Admin\AppData\Local\IHewH7c3\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1044

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1zMvPqlv\VERSION.dll
Filesize
1.2MB

MD5
663ed5b71bb2c32439da6e0971d76ad7

SHA1
d0d59120193d141ff7d994f7992eff05d8d526c2

SHA256
f80e9307d05c856371ad312f1ca228789c9a8b291a14f85fc73263612e33275c

SHA512
93e4894d00012e404700c8e084758e93a2c8501c65a823ddd8efecaf9abd883556c6ccaba65634a734cb9a816dc3013da5c42f57c2c85856da0e0073728cf135

Download Submit
C:\Users\Admin\AppData\Local\1zMvPqlv\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
C:\Users\Admin\AppData\Local\IHewH7c3\WTSAPI32.dll
Filesize
1.2MB

MD5
28d9507d61c84a88b8603da32e247202

SHA1
80644f83d2510f14008aa7ae1bc0d33e991ff225

SHA256
9b733d6cdc1f60b64590b803c5eacd18f9a2af59b31364d4de0c5ff39310874f

SHA512
b1944158eeaa1e4689b46f4f1b0cf4fe398b0e88548b4276e063c0eb6e9c749c5a45dac095deac4bff048847d68fcfc970773babb8880d72d0a8b7ee02bb6017

Download Submit
C:\Users\Admin\AppData\Local\IHewH7c3\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
C:\Users\Admin\AppData\Local\t7DgHsm\BdeUISrv.exe
Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
C:\Users\Admin\AppData\Local\t7DgHsm\WTSAPI32.dll
Filesize
1.2MB

MD5
b2e10edf3a64d61bfff05cf8191c2d05

SHA1
8a62ac4b3795846cf04df981ce1c813c6951d07a

SHA256
15597bd79189b0a73372deef20ec68e4e646ae67c57c7570fb01fd678490a41c

SHA512
69fadd85b4fe5a1bdfe0b4bd186f707537ee83c9f39d4db737663db87c34099ac09503a3fb6b110bbc002ccb27ab05bf514705b6dd6061c6fca75dfd5f4a13a5

Download Submit
\Users\Admin\AppData\Local\1zMvPqlv\VERSION.dll
Filesize
1.2MB

MD5
663ed5b71bb2c32439da6e0971d76ad7

SHA1
d0d59120193d141ff7d994f7992eff05d8d526c2

SHA256
f80e9307d05c856371ad312f1ca228789c9a8b291a14f85fc73263612e33275c

SHA512
93e4894d00012e404700c8e084758e93a2c8501c65a823ddd8efecaf9abd883556c6ccaba65634a734cb9a816dc3013da5c42f57c2c85856da0e0073728cf135

Download Submit
\Users\Admin\AppData\Local\1zMvPqlv\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\IHewH7c3\WTSAPI32.dll
Filesize
1.2MB

MD5
28d9507d61c84a88b8603da32e247202

SHA1
80644f83d2510f14008aa7ae1bc0d33e991ff225

SHA256
9b733d6cdc1f60b64590b803c5eacd18f9a2af59b31364d4de0c5ff39310874f

SHA512
b1944158eeaa1e4689b46f4f1b0cf4fe398b0e88548b4276e063c0eb6e9c749c5a45dac095deac4bff048847d68fcfc970773babb8880d72d0a8b7ee02bb6017

Download Submit
\Users\Admin\AppData\Local\IHewH7c3\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\t7DgHsm\BdeUISrv.exe
Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
\Users\Admin\AppData\Local\t7DgHsm\WTSAPI32.dll
Filesize
1.2MB

MD5
b2e10edf3a64d61bfff05cf8191c2d05

SHA1
8a62ac4b3795846cf04df981ce1c813c6951d07a

SHA256
15597bd79189b0a73372deef20ec68e4e646ae67c57c7570fb01fd678490a41c

SHA512
69fadd85b4fe5a1bdfe0b4bd186f707537ee83c9f39d4db737663db87c34099ac09503a3fb6b110bbc002ccb27ab05bf514705b6dd6061c6fca75dfd5f4a13a5

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2FLV6XPD\EKR57b3LAi\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
memory/320-82-0x0000000000000000-mapping.dmp

Download
memory/320-84-0x000007FEFBA51000-0x000007FEFBA53000-memory.dmp

Filesize
8KB

Download
memory/320-91-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/320-87-0x0000000140000000-0x000000014013D000-memory.dmp

Filesize
1.2MB

Download
memory/1044-111-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1044-103-0x0000000000000000-mapping.dmp

Download
memory/1280-66-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-60-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-68-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-80-0x00000000773B0000-0x00000000773B2000-memory.dmp

Filesize
8KB

Download
memory/1280-69-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-71-0x00000000029D0000-0x00000000029D7000-memory.dmp

Filesize
28KB

Download
memory/1280-59-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1280-65-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-64-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-67-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-61-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-63-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-70-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1280-62-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1576-101-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1576-93-0x0000000000000000-mapping.dmp

Download
memory/1964-54-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1964-58-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads