dridex | 304e9cf63a3f1ecb2c5b6c2caa051d99d40c82509ad38a04eea875b88ae6bbc1

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

304e9cf63a3f1ecb2c5b6c2caa051d99d40c82509ad38a04eea875b88ae6bbc1.dll
Size

1.1MB
MD5

7cca7aee7626697e6b693c69d1229d01
SHA1

f347e468dcef3ea589f1d2f3a5c277c6c18f80b8
SHA256

304e9cf63a3f1ecb2c5b6c2caa051d99d40c82509ad38a04eea875b88ae6bbc1
SHA512

dda90326027903be92a4b6b54f829ccbf1b3bc7d00c3bface15e47b54b5ecb68b1bbe02143afc86d164e45fdb36bec40e687d86cb203866acc004633ec7eedbd

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1268-59-0x0000000002690000-0x0000000002691000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

spinstall.exemfpmp.exewscript.exe

pid process

736 spinstall.exe
1176 mfpmp.exe
1492 wscript.exe
Loads dropped DLL 8 IoCs

Processes:

spinstall.exemfpmp.exewscript.exe

pid process

1268
736 spinstall.exe
1268
1176 mfpmp.exe
1268
1268
1492 wscript.exe
1268

pid	process
736	spinstall.exe
1176	mfpmp.exe
1492	wscript.exe

pid	process
1268
736	spinstall.exe
1268
1176	mfpmp.exe
1268
1268
1492	wscript.exe
1268

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\x9Fa\\mfpmp.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exespinstall.exemfpmp.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spinstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exespinstall.exe

pid	process
908	rundll32.exe
908	rundll32.exe
908	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
736	spinstall.exe
736	spinstall.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1268

description	pid	process
Token: SeShutdownPrivilege	1268

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 844	1268	spinstall.exe
PID 1268 wrote to memory of 844	1268	spinstall.exe
PID 1268 wrote to memory of 844	1268	spinstall.exe
PID 1268 wrote to memory of 736	1268	spinstall.exe
PID 1268 wrote to memory of 736	1268	spinstall.exe
PID 1268 wrote to memory of 736	1268	spinstall.exe
PID 1268 wrote to memory of 1248	1268	mfpmp.exe
PID 1268 wrote to memory of 1248	1268	mfpmp.exe
PID 1268 wrote to memory of 1248	1268	mfpmp.exe
PID 1268 wrote to memory of 1176	1268	mfpmp.exe
PID 1268 wrote to memory of 1176	1268	mfpmp.exe
PID 1268 wrote to memory of 1176	1268	mfpmp.exe
PID 1268 wrote to memory of 1556	1268	wscript.exe
PID 1268 wrote to memory of 1556	1268	wscript.exe
PID 1268 wrote to memory of 1556	1268	wscript.exe
PID 1268 wrote to memory of 1492	1268	wscript.exe
PID 1268 wrote to memory of 1492	1268	wscript.exe
PID 1268 wrote to memory of 1492	1268	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\304e9cf63a3f1ecb2c5b6c2caa051d99d40c82509ad38a04eea875b88ae6bbc1.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:908

C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
1⤵
PID:844

C:\Users\Admin\AppData\Local\wtnbW98Qx\spinstall.exe
C:\Users\Admin\AppData\Local\wtnbW98Qx\spinstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:736

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1248

C:\Users\Admin\AppData\Local\cViM0U0s\mfpmp.exe
C:\Users\Admin\AppData\Local\cViM0U0s\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1176

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1556

C:\Users\Admin\AppData\Local\3zPArh\wscript.exe
C:\Users\Admin\AppData\Local\3zPArh\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1492

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3zPArh\VERSION.dll
Filesize
1.1MB

MD5
da0235d8f7361bcee788dc4dfc79aa6a

SHA1
c1b1e37f612be90ef878456ce51588d5bf481adb

SHA256
023991967a7b7ba30b7a033fa2e292f999762ac2948d1d1ddd1093d4ec2a4c97

SHA512
bbf2c77eae2d847fcf2764399e30519a49983e27294aedade94e2618338c3dfc334b7435a305c780ce8dd4f7e11cfa1cf3721aafc8b8c41c6b8fe1370acf4594

Download Submit
C:\Users\Admin\AppData\Local\3zPArh\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\Users\Admin\AppData\Local\cViM0U0s\MFPlat.DLL
Filesize
1.2MB

MD5
2bd0df9d85f2a8e28938e7bc5765367f

SHA1
da49e3ef7070813f207862e526b07992fc4bb85e

SHA256
a7e433458d48ca15f62050c8320d728d765f8cec316fc666d78a4c39e5920bf0

SHA512
c546533ac64f848a5384c52c1c5a40998932a285ef89e06e686765a4de209356235a4afc6d78ef093df77530d950ef5ae189525255dbec30b12a6960d9240d8f

Download Submit
C:\Users\Admin\AppData\Local\cViM0U0s\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
C:\Users\Admin\AppData\Local\wtnbW98Qx\XmlLite.dll
Filesize
1.1MB

MD5
dda897f022c759dae3c2137574f61d32

SHA1
bd65252b6bf341cef650ba9d8463951f0d21368f

SHA256
1f831ec1c2d9ac87d1d46f8eabd3f7137fcb5a0fe627450f7b1d954aeefca0f2

SHA512
1c8fac769fd4e3c6502213d80cbfc6ff347beb9c80801bc409558b31513a6daf38fff42171dbc4cb382ec346e81f03fc67adc8ef528791f3403894db680dd973

Download Submit
C:\Users\Admin\AppData\Local\wtnbW98Qx\spinstall.exe
Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
\Users\Admin\AppData\Local\3zPArh\VERSION.dll
Filesize
1.1MB

MD5
da0235d8f7361bcee788dc4dfc79aa6a

SHA1
c1b1e37f612be90ef878456ce51588d5bf481adb

SHA256
023991967a7b7ba30b7a033fa2e292f999762ac2948d1d1ddd1093d4ec2a4c97

SHA512
bbf2c77eae2d847fcf2764399e30519a49983e27294aedade94e2618338c3dfc334b7435a305c780ce8dd4f7e11cfa1cf3721aafc8b8c41c6b8fe1370acf4594

Download Submit
\Users\Admin\AppData\Local\3zPArh\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\3zPArh\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\cViM0U0s\MFPlat.DLL
Filesize
1.2MB

MD5
2bd0df9d85f2a8e28938e7bc5765367f

SHA1
da49e3ef7070813f207862e526b07992fc4bb85e

SHA256
a7e433458d48ca15f62050c8320d728d765f8cec316fc666d78a4c39e5920bf0

SHA512
c546533ac64f848a5384c52c1c5a40998932a285ef89e06e686765a4de209356235a4afc6d78ef093df77530d950ef5ae189525255dbec30b12a6960d9240d8f

Download Submit
\Users\Admin\AppData\Local\cViM0U0s\mfpmp.exe
Filesize
24KB

MD5
2d8600b94de72a9d771cbb56b9f9c331

SHA1
a0e2ac409159546183aa45875497844c4adb5aac

SHA256
7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185

SHA512
3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

Download Submit
\Users\Admin\AppData\Local\wtnbW98Qx\XmlLite.dll
Filesize
1.1MB

MD5
dda897f022c759dae3c2137574f61d32

SHA1
bd65252b6bf341cef650ba9d8463951f0d21368f

SHA256
1f831ec1c2d9ac87d1d46f8eabd3f7137fcb5a0fe627450f7b1d954aeefca0f2

SHA512
1c8fac769fd4e3c6502213d80cbfc6ff347beb9c80801bc409558b31513a6daf38fff42171dbc4cb382ec346e81f03fc67adc8ef528791f3403894db680dd973

Download Submit
\Users\Admin\AppData\Local\wtnbW98Qx\spinstall.exe
Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\kVQ\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
memory/736-87-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/736-91-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download
memory/736-82-0x0000000000000000-mapping.dmp

Download
memory/736-86-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/908-58-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/908-54-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1176-101-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1176-97-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1176-93-0x0000000000000000-mapping.dmp

Download
memory/1268-66-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-67-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-80-0x0000000077320000-0x0000000077322000-memory.dmp

Filesize
8KB

Download
memory/1268-61-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-64-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-68-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-70-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-62-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-60-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-69-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-63-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1268-59-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1268-79-0x0000000002670000-0x0000000002677000-memory.dmp

Filesize
28KB

Download
memory/1268-65-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1492-112-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/1492-104-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads