dridex | 30316f6ec4932f0788a2ecc6a93e5f7313121241d94caf544f314f1a2615fa46

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30316f6ec4932f0788a2ecc6a93e5f7313121241d94caf544f314f1a2615fa46.dll
Size

969KB
MD5

cfc7e196da21d39bd421129550403f36
SHA1

fbf099967e30871fc4f12c9b448b988aefbeafb5
SHA256

30316f6ec4932f0788a2ecc6a93e5f7313121241d94caf544f314f1a2615fa46
SHA512

29ed93906917a1d12151e561a93118fc4278787f6cd7b471136ff22643b1da032441d86b8687c445352774c32dc7cc563ec4759f51b24ac13a8d6dc81ed6ab6a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-59-0x0000000002A40000-0x0000000002A41000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesAdvanced.exeperfmon.exeMagnify.exe

pid process

588 SystemPropertiesAdvanced.exe
1068 perfmon.exe
1960 Magnify.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesAdvanced.exeperfmon.exeMagnify.exe

pid process

1256
588 SystemPropertiesAdvanced.exe
1256
1068 perfmon.exe
1256
1960 Magnify.exe
1256

pid	process
588	SystemPropertiesAdvanced.exe
1068	perfmon.exe
1960	Magnify.exe

pid	process
1256
588	SystemPropertiesAdvanced.exe
1256
1068	perfmon.exe
1256
1960	Magnify.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\i9LGdf\\perfmon.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesAdvanced.exeperfmon.exeMagnify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSystemPropertiesAdvanced.exeperfmon.exe

pid	process
904	rundll32.exe
904	rundll32.exe
904	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
588	SystemPropertiesAdvanced.exe
588	SystemPropertiesAdvanced.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1068	perfmon.exe
1068	perfmon.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 592	1256	SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 592	1256	SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 592	1256	SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 588	1256	SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 588	1256	SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 588	1256	SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 1680	1256	perfmon.exe
PID 1256 wrote to memory of 1680	1256	perfmon.exe
PID 1256 wrote to memory of 1680	1256	perfmon.exe
PID 1256 wrote to memory of 1068	1256	perfmon.exe
PID 1256 wrote to memory of 1068	1256	perfmon.exe
PID 1256 wrote to memory of 1068	1256	perfmon.exe
PID 1256 wrote to memory of 576	1256	Magnify.exe
PID 1256 wrote to memory of 576	1256	Magnify.exe
PID 1256 wrote to memory of 576	1256	Magnify.exe
PID 1256 wrote to memory of 1960	1256	Magnify.exe
PID 1256 wrote to memory of 1960	1256	Magnify.exe
PID 1256 wrote to memory of 1960	1256	Magnify.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30316f6ec4932f0788a2ecc6a93e5f7313121241d94caf544f314f1a2615fa46.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:592

C:\Users\Admin\AppData\Local\kUm\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\kUm\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:1680

C:\Users\Admin\AppData\Local\xz4QE6\perfmon.exe
C:\Users\Admin\AppData\Local\xz4QE6\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:576

C:\Users\Admin\AppData\Local\wMuEb\Magnify.exe
C:\Users\Admin\AppData\Local\wMuEb\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1960

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\kUm\SYSDM.CPL
Filesize
970KB

MD5
5c83e7ddb1f799369cfe2dfd621c92f5

SHA1
45d9c4beb8f9321fcd7a6a25fe57174821a02961

SHA256
5017e4ded65a3dde8c061b64ce37f455f91bc9ca73e5700f4bfa85193f1822a6

SHA512
d270747361e50bb4b50e6a1fc0cce02f932714744e05f5b1c92f7df1d02475f6659c8ccfb756091f805b3d1a5b286c7e8eb77ced6dd0249bd2f76d69c1d9b8d5

Download Submit
C:\Users\Admin\AppData\Local\kUm\SystemPropertiesAdvanced.exe
Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
C:\Users\Admin\AppData\Local\wMuEb\Magnify.exe
Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
C:\Users\Admin\AppData\Local\wMuEb\Magnify.exe
Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
C:\Users\Admin\AppData\Local\wMuEb\dwmapi.dll
Filesize
971KB

MD5
30255a2045fd63625bd4fb23c5593abe

SHA1
feab1a140f650c225c0cf3aee18e36ed5481d559

SHA256
6b45d8cea2d5e8c1ab45b6ed61c428eaf9365a4cf0c9ab981ccfb871673e7fdd

SHA512
ea3138514c9fa6daaa3247a89d048ecdaaf10220e40d89779389224767131a835c2d8a86c3ed713f0ac7c7705ec2ac554d8f5f02e7cd63b1571d21d8b938392f

Download Submit
C:\Users\Admin\AppData\Local\xz4QE6\Secur32.dll
Filesize
973KB

MD5
55630297883cc907856f1b1aa1dcd9c0

SHA1
94854b535539b03776a01eacdbe226ed1a416238

SHA256
f3eb702091453d6b15bee47af7ac5e3c3e388203eeb649e5e25a8a6466e9672b

SHA512
f4d76049cd10ac2607205477ad3eacb5a8a3da772bb1aea136e8fc45d905e27dde1d01f24f5e48f3c9e69adf6bd4cadbf5163d70d62b5017f41e1749a3e28d76

Download Submit
C:\Users\Admin\AppData\Local\xz4QE6\perfmon.exe
Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\kUm\SYSDM.CPL
Filesize
970KB

MD5
5c83e7ddb1f799369cfe2dfd621c92f5

SHA1
45d9c4beb8f9321fcd7a6a25fe57174821a02961

SHA256
5017e4ded65a3dde8c061b64ce37f455f91bc9ca73e5700f4bfa85193f1822a6

SHA512
d270747361e50bb4b50e6a1fc0cce02f932714744e05f5b1c92f7df1d02475f6659c8ccfb756091f805b3d1a5b286c7e8eb77ced6dd0249bd2f76d69c1d9b8d5

Download Submit
\Users\Admin\AppData\Local\kUm\SystemPropertiesAdvanced.exe
Filesize
80KB

MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\wMuEb\Magnify.exe
Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
\Users\Admin\AppData\Local\wMuEb\dwmapi.dll
Filesize
971KB

MD5
30255a2045fd63625bd4fb23c5593abe

SHA1
feab1a140f650c225c0cf3aee18e36ed5481d559

SHA256
6b45d8cea2d5e8c1ab45b6ed61c428eaf9365a4cf0c9ab981ccfb871673e7fdd

SHA512
ea3138514c9fa6daaa3247a89d048ecdaaf10220e40d89779389224767131a835c2d8a86c3ed713f0ac7c7705ec2ac554d8f5f02e7cd63b1571d21d8b938392f

Download Submit
\Users\Admin\AppData\Local\xz4QE6\Secur32.dll
Filesize
973KB

MD5
55630297883cc907856f1b1aa1dcd9c0

SHA1
94854b535539b03776a01eacdbe226ed1a416238

SHA256
f3eb702091453d6b15bee47af7ac5e3c3e388203eeb649e5e25a8a6466e9672b

SHA512
f4d76049cd10ac2607205477ad3eacb5a8a3da772bb1aea136e8fc45d905e27dde1d01f24f5e48f3c9e69adf6bd4cadbf5163d70d62b5017f41e1749a3e28d76

Download Submit
\Users\Admin\AppData\Local\xz4QE6\perfmon.exe
Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\gbl23\Magnify.exe
Filesize
637KB

MD5
233b45ddf77bd45e53872881cff1839b

SHA1
d4b8cafce4664bb339859a90a9dd1506f831756d

SHA256
adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a

SHA512
6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

Download Submit
memory/588-87-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/588-91-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/588-82-0x0000000000000000-mapping.dmp

Download
memory/588-86-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/904-58-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/904-54-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1068-102-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1068-93-0x0000000000000000-mapping.dmp

Download
memory/1256-70-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-69-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-62-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-79-0x0000000002A20000-0x0000000002A27000-memory.dmp

Filesize
28KB

Download
memory/1256-63-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-61-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-64-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-68-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-65-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-67-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-60-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-59-0x0000000002A40000-0x0000000002A41000-memory.dmp

Filesize
4KB

Download
memory/1256-66-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/1256-80-0x00000000771D0000-0x00000000771D2000-memory.dmp

Filesize
8KB

Download
memory/1960-114-0x0000000001AD0000-0x0000000001AD7000-memory.dmp

Filesize
28KB

Download
memory/1960-104-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads