dridex | 304e9cf63a3f1ecb2c5b6c2caa051d99d40c82509ad38a04eea875b88ae6bbc1

Analysis

max time kernel
157s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

304e9cf63a3f1ecb2c5b6c2caa051d99d40c82509ad38a04eea875b88ae6bbc1.dll
Size

1.1MB
MD5

7cca7aee7626697e6b693c69d1229d01
SHA1

f347e468dcef3ea589f1d2f3a5c277c6c18f80b8
SHA256

304e9cf63a3f1ecb2c5b6c2caa051d99d40c82509ad38a04eea875b88ae6bbc1
SHA512

dda90326027903be92a4b6b54f829ccbf1b3bc7d00c3bface15e47b54b5ecb68b1bbe02143afc86d164e45fdb36bec40e687d86cb203866acc004633ec7eedbd

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2952-135-0x00000000007E0000-0x00000000007E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

unregmp2.exesethc.exesigverif.exe

pid process

2984 unregmp2.exe
1480 sethc.exe
1732 sigverif.exe
Loads dropped DLL 3 IoCs

Processes:

unregmp2.exesethc.exesigverif.exe

pid process

2984 unregmp2.exe
1480 sethc.exe
1732 sigverif.exe

pid	process
2984	unregmp2.exe
1480	sethc.exe
1732	sigverif.exe

pid	process
2984	unregmp2.exe
1480	sethc.exe
1732	sigverif.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\Sp\\sethc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sigverif.exerundll32.exeunregmp2.exesethc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3164	rundll32.exe
3164	rundll32.exe
3164	rundll32.exe
3164	rundll32.exe
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952
2952

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2952

pid	process
2952

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2952 wrote to memory of 5076	2952	unregmp2.exe
PID 2952 wrote to memory of 5076	2952	unregmp2.exe
PID 2952 wrote to memory of 2984	2952	unregmp2.exe
PID 2952 wrote to memory of 2984	2952	unregmp2.exe
PID 2952 wrote to memory of 4292	2952	sethc.exe
PID 2952 wrote to memory of 4292	2952	sethc.exe
PID 2952 wrote to memory of 1480	2952	sethc.exe
PID 2952 wrote to memory of 1480	2952	sethc.exe
PID 2952 wrote to memory of 4444	2952	sigverif.exe
PID 2952 wrote to memory of 4444	2952	sigverif.exe
PID 2952 wrote to memory of 1732	2952	sigverif.exe
PID 2952 wrote to memory of 1732	2952	sigverif.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\304e9cf63a3f1ecb2c5b6c2caa051d99d40c82509ad38a04eea875b88ae6bbc1.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:5076

C:\Users\Admin\AppData\Local\P59CpYL\unregmp2.exe
C:\Users\Admin\AppData\Local\P59CpYL\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2984

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:4292

C:\Users\Admin\AppData\Local\eRAoPfr\sethc.exe
C:\Users\Admin\AppData\Local\eRAoPfr\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1480

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:4444

C:\Users\Admin\AppData\Local\bfdlDMqr\sigverif.exe
C:\Users\Admin\AppData\Local\bfdlDMqr\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\P59CpYL\VERSION.dll
Filesize
1.1MB

MD5
04c5abdf61359acb84ec05b815e0e673

SHA1
5dc727584f5e3bb7aec922a99b53ff403cd215af

SHA256
3acdea514b7af7ca567b3141819883e657c8718577556c52f687f2fbed782a7b

SHA512
b4ba684a77b663d11f2a87345a916eec36cadd9d1a0a98e394e1ae51dffae9451c8153c46e0cc2a923633d276d1cd9d64407bafa7ee45f9ac59e1bded48b134e

Download Submit
C:\Users\Admin\AppData\Local\P59CpYL\VERSION.dll
Filesize
1.1MB

MD5
04c5abdf61359acb84ec05b815e0e673

SHA1
5dc727584f5e3bb7aec922a99b53ff403cd215af

SHA256
3acdea514b7af7ca567b3141819883e657c8718577556c52f687f2fbed782a7b

SHA512
b4ba684a77b663d11f2a87345a916eec36cadd9d1a0a98e394e1ae51dffae9451c8153c46e0cc2a923633d276d1cd9d64407bafa7ee45f9ac59e1bded48b134e

Download Submit
C:\Users\Admin\AppData\Local\P59CpYL\unregmp2.exe
Filesize
259KB

MD5
a6fc8ce566dec7c5873cb9d02d7b874e

SHA1
a30040967f75df85a1e3927bdce159b102011a61

SHA256
21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d

SHA512
f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

Download Submit
C:\Users\Admin\AppData\Local\bfdlDMqr\VERSION.dll
Filesize
1.1MB

MD5
6b7752b445d19b480a9e279222c7091b

SHA1
f7838ffecff41f6c0125d8b5cefd864f2a87a941

SHA256
65fd7b8ddc336d2c1822bed3af5b815749de9f0d7c0feb4a2357a1bdd9a069b6

SHA512
7c9efebf1d5e634fc9b79cc8f7d53c873afdb527aba988b3db0446e5f2c6116b295e52c9211032e66783bb85625b6cfd47ffb2850b314ea45324b6f6fe3f7c9c

Download Submit
C:\Users\Admin\AppData\Local\bfdlDMqr\VERSION.dll
Filesize
1.1MB

MD5
6b7752b445d19b480a9e279222c7091b

SHA1
f7838ffecff41f6c0125d8b5cefd864f2a87a941

SHA256
65fd7b8ddc336d2c1822bed3af5b815749de9f0d7c0feb4a2357a1bdd9a069b6

SHA512
7c9efebf1d5e634fc9b79cc8f7d53c873afdb527aba988b3db0446e5f2c6116b295e52c9211032e66783bb85625b6cfd47ffb2850b314ea45324b6f6fe3f7c9c

Download Submit
C:\Users\Admin\AppData\Local\bfdlDMqr\sigverif.exe
Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Local\eRAoPfr\DUI70.dll
Filesize
1.4MB

MD5
4cd94767d276605d0ed9201744b2dd59

SHA1
de9231c926d20fb89e1143f9bde693ce92504a3a

SHA256
955bc4818a8547ae92794e32fb9fb6c7d38fcedf9f31ae255a7f959f2f228e01

SHA512
335cc893732ca45d4c75470d0b4b1dfbb5d3b1d356229c39165c8971e40ea475849f73f3dbd1a2bc525e9cc465d4008ac49cebb0762d190e22aaf7813a55824e

Download Submit
C:\Users\Admin\AppData\Local\eRAoPfr\DUI70.dll
Filesize
1.4MB

MD5
4cd94767d276605d0ed9201744b2dd59

SHA1
de9231c926d20fb89e1143f9bde693ce92504a3a

SHA256
955bc4818a8547ae92794e32fb9fb6c7d38fcedf9f31ae255a7f959f2f228e01

SHA512
335cc893732ca45d4c75470d0b4b1dfbb5d3b1d356229c39165c8971e40ea475849f73f3dbd1a2bc525e9cc465d4008ac49cebb0762d190e22aaf7813a55824e

Download Submit
C:\Users\Admin\AppData\Local\eRAoPfr\sethc.exe
Filesize
104KB

MD5
8ba3a9702a3f1799431cad6a290223a6

SHA1
9c7dc9b6830297c8f759d1f46c8b36664e26c031

SHA256
615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

SHA512
680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

Download Submit
memory/1480-172-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/1480-176-0x000001D50DE60000-0x000001D50DE67000-memory.dmp

Filesize
28KB

Download
memory/1480-168-0x0000000000000000-mapping.dmp

Download
memory/1732-177-0x0000000000000000-mapping.dmp

Download
memory/1732-185-0x000001B4E95F0000-0x000001B4E95F7000-memory.dmp

Filesize
28KB

Download
memory/2952-141-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-143-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-157-0x00007FFCCF82C000-0x00007FFCCF82D000-memory.dmp

Filesize
4KB

Download
memory/2952-158-0x00007FFCCF770000-0x00007FFCCF780000-memory.dmp

Filesize
64KB

Download
memory/2952-135-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/2952-147-0x00000000007B0000-0x00000000007B7000-memory.dmp

Filesize
28KB

Download
memory/2952-146-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-145-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-137-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-138-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-144-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-156-0x00007FFCCF85C000-0x00007FFCCF85D000-memory.dmp

Filesize
4KB

Download
memory/2952-142-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-136-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-140-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2952-139-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2984-167-0x000002416EEF0000-0x000002416EEF7000-memory.dmp

Filesize
28KB

Download
memory/2984-163-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/2984-159-0x0000000000000000-mapping.dmp

Download
memory/3164-130-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3164-134-0x000001B0379B0000-0x000001B0379B7000-memory.dmp

Filesize
28KB

Download