dridex | 3c7bd82f6f0bc019c1188e929bd012ec14f8be0671f3e678c0836d01a007994d

Analysis

max time kernel
152s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7bd82f6f0bc019c1188e929bd012ec14f8be0671f3e678c0836d01a007994d.dll
Size

967KB
MD5

9634f1a7a6036a22b6ad86a1a671ad58
SHA1

2b8e333675aaa8b8211cbbd56bcf8996d0380b92
SHA256

3c7bd82f6f0bc019c1188e929bd012ec14f8be0671f3e678c0836d01a007994d
SHA512

b73d2053f4ee906be366ae8631833cc9ce5837234768f7796cfb4f3c5eccebb78767191f16165303cddfec4706ed9669c348d7e2bafe1d98d8a1e62c7e8ff61a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1272-59-0x0000000002980000-0x0000000002981000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

fvenotify.exeMpSigStub.exeSystemPropertiesProtection.exe

pid process

1784 fvenotify.exe
776 MpSigStub.exe
1316 SystemPropertiesProtection.exe
Loads dropped DLL 7 IoCs

Processes:

fvenotify.exeMpSigStub.exeSystemPropertiesProtection.exe

pid process

1272
1784 fvenotify.exe
1272
776 MpSigStub.exe
1272
1316 SystemPropertiesProtection.exe
1272

pid	process
1784	fvenotify.exe
776	MpSigStub.exe
1316	SystemPropertiesProtection.exe

pid	process
1272
1784	fvenotify.exe
1272
776	MpSigStub.exe
1272
1316	SystemPropertiesProtection.exe
1272

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\yEvEE\\MpSigStub.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesProtection.exerundll32.exefvenotify.exeMpSigStub.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MpSigStub.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exefvenotify.exe

pid	process
596	rundll32.exe
596	rundll32.exe
596	rundll32.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1784	fvenotify.exe
1784	fvenotify.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1272 wrote to memory of 892	1272	fvenotify.exe
PID 1272 wrote to memory of 892	1272	fvenotify.exe
PID 1272 wrote to memory of 892	1272	fvenotify.exe
PID 1272 wrote to memory of 1784	1272	fvenotify.exe
PID 1272 wrote to memory of 1784	1272	fvenotify.exe
PID 1272 wrote to memory of 1784	1272	fvenotify.exe
PID 1272 wrote to memory of 1520	1272	MpSigStub.exe
PID 1272 wrote to memory of 1520	1272	MpSigStub.exe
PID 1272 wrote to memory of 1520	1272	MpSigStub.exe
PID 1272 wrote to memory of 776	1272	MpSigStub.exe
PID 1272 wrote to memory of 776	1272	MpSigStub.exe
PID 1272 wrote to memory of 776	1272	MpSigStub.exe
PID 1272 wrote to memory of 304	1272	SystemPropertiesProtection.exe
PID 1272 wrote to memory of 304	1272	SystemPropertiesProtection.exe
PID 1272 wrote to memory of 304	1272	SystemPropertiesProtection.exe
PID 1272 wrote to memory of 1316	1272	SystemPropertiesProtection.exe
PID 1272 wrote to memory of 1316	1272	SystemPropertiesProtection.exe
PID 1272 wrote to memory of 1316	1272	SystemPropertiesProtection.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7bd82f6f0bc019c1188e929bd012ec14f8be0671f3e678c0836d01a007994d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:596

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:892

C:\Users\Admin\AppData\Local\4wrxu\fvenotify.exe
C:\Users\Admin\AppData\Local\4wrxu\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
1⤵
PID:1520

C:\Users\Admin\AppData\Local\17WLKIB\MpSigStub.exe
C:\Users\Admin\AppData\Local\17WLKIB\MpSigStub.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:776

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:304

C:\Users\Admin\AppData\Local\8Pr05\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\8Pr05\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1316

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\17WLKIB\MpSigStub.exe
Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
C:\Users\Admin\AppData\Local\17WLKIB\VERSION.dll
Filesize
968KB

MD5
e67af3003d9d8c41aff343cba5e7bdef

SHA1
52c59afdf1c045ac268e4a5dd09cb9ccadfa6818

SHA256
e46b321b9bfed0472287da0eb3bac21084778ee8789d245b3003b0398dae048e

SHA512
e5a5bb1a383d22b3c1b5a629d93daaf9d2f4904d41fe53f3381db3f6fd4a24f514dafdaf3cbf7425d7ef2c2ffe5b023e2ae5cc02aa5039ead8a0e4bf1e7d3d24

Download Submit
C:\Users\Admin\AppData\Local\4wrxu\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\4wrxu\slc.dll
Filesize
969KB

MD5
9bcd1bbbc8962a06a048554be297c3de

SHA1
35385dd90556b8239cfe68ed7b14bf835c036a50

SHA256
23e1120a37e8d35c3284b53c5345191c9d0cddfcb95616256bfb3ac90a5e6e5f

SHA512
f05c8b5171ab5ca0ccb81a600c9308a5f0878d1678b8efa413811d298fa20dcc9f28fe2336203cd654f64ec3983622f34963e0d4b335beb81ba140aa70a1ec30

Download Submit
C:\Users\Admin\AppData\Local\8Pr05\SYSDM.CPL
Filesize
968KB

MD5
bce22d613e2a2f6c42188b262b8da961

SHA1
2df0fdf8c31d249a6d484038d16f439aabf929ab

SHA256
f19d63415c81cee4b0b6f88b9d272e782569669e4c10c667e85fff03bdadc41e

SHA512
a57e000779035608784b69c93a181d4278633b2fcabeea42ee202bb3fe47bb32df5ea97608fd0e412687cc80fd1c2df5a096cda682911161ac91c3643de4753c

Download Submit
C:\Users\Admin\AppData\Local\8Pr05\SystemPropertiesProtection.exe
Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\17WLKIB\MpSigStub.exe
Filesize
264KB

MD5
2e6bd16aa62e5e95c7b256b10d637f8f

SHA1
350be084477b1fe581af83ca79eb58d4defe260f

SHA256
d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3

SHA512
1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

Download Submit
\Users\Admin\AppData\Local\17WLKIB\VERSION.dll
Filesize
968KB

MD5
e67af3003d9d8c41aff343cba5e7bdef

SHA1
52c59afdf1c045ac268e4a5dd09cb9ccadfa6818

SHA256
e46b321b9bfed0472287da0eb3bac21084778ee8789d245b3003b0398dae048e

SHA512
e5a5bb1a383d22b3c1b5a629d93daaf9d2f4904d41fe53f3381db3f6fd4a24f514dafdaf3cbf7425d7ef2c2ffe5b023e2ae5cc02aa5039ead8a0e4bf1e7d3d24

Download Submit
\Users\Admin\AppData\Local\4wrxu\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\4wrxu\slc.dll
Filesize
969KB

MD5
9bcd1bbbc8962a06a048554be297c3de

SHA1
35385dd90556b8239cfe68ed7b14bf835c036a50

SHA256
23e1120a37e8d35c3284b53c5345191c9d0cddfcb95616256bfb3ac90a5e6e5f

SHA512
f05c8b5171ab5ca0ccb81a600c9308a5f0878d1678b8efa413811d298fa20dcc9f28fe2336203cd654f64ec3983622f34963e0d4b335beb81ba140aa70a1ec30

Download Submit
\Users\Admin\AppData\Local\8Pr05\SYSDM.CPL
Filesize
968KB

MD5
bce22d613e2a2f6c42188b262b8da961

SHA1
2df0fdf8c31d249a6d484038d16f439aabf929ab

SHA256
f19d63415c81cee4b0b6f88b9d272e782569669e4c10c667e85fff03bdadc41e

SHA512
a57e000779035608784b69c93a181d4278633b2fcabeea42ee202bb3fe47bb32df5ea97608fd0e412687cc80fd1c2df5a096cda682911161ac91c3643de4753c

Download Submit
\Users\Admin\AppData\Local\8Pr05\SystemPropertiesProtection.exe
Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\Y2NEjKiPCQq\SystemPropertiesProtection.exe
Filesize
80KB

MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
memory/596-54-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/596-58-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/776-100-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/776-92-0x0000000000000000-mapping.dmp

Download
memory/1272-68-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-64-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-59-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1272-79-0x0000000077B80000-0x0000000077B82000-memory.dmp

Filesize
8KB

Download
memory/1272-61-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-63-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-60-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-62-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-74-0x0000000002960000-0x0000000002967000-memory.dmp

Filesize
28KB

Download
memory/1272-66-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-69-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-67-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1272-65-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/1316-102-0x0000000000000000-mapping.dmp

Download
memory/1316-111-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1784-83-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1784-90-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1784-86-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1784-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads