dridex | 4c50f5f9e103236b5a05eefa06dd459b73e3b562ff7789c05a3a1c0591860f91

Analysis

max time kernel
152s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c50f5f9e103236b5a05eefa06dd459b73e3b562ff7789c05a3a1c0591860f91.dll
Size

1.2MB
MD5

6e082f88f99a2f0e6dbc17609e8ebcc6
SHA1

2454239c5fb616d83814145a77596064942a4f20
SHA256

4c50f5f9e103236b5a05eefa06dd459b73e3b562ff7789c05a3a1c0591860f91
SHA512

e0edb0858e02adbc7d0bec75e4a3b82c5dda7811c022cf503e5862ff03fe396dcbb814144517f96363e889f1c67264079b4b9b5d62fbed21f7fd5e46c56f4dc1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1692-54-0x0000000140000000-0x0000000140141000-memory.dmp	dridex_payload
behavioral1/memory/1420-87-0x0000000140000000-0x0000000140142000-memory.dmp	dridex_payload
behavioral1/memory/668-107-0x0000000140000000-0x0000000140148000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-58-0x0000000002150000-0x0000000002151000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

fvenotify.exemsdtc.exeFXSCOVER.exe

pid process

1420 fvenotify.exe
1100 msdtc.exe
668 FXSCOVER.exe
Loads dropped DLL 7 IoCs

Processes:

fvenotify.exemsdtc.exeFXSCOVER.exe

pid process

1236
1420 fvenotify.exe
1236
1100 msdtc.exe
1236
668 FXSCOVER.exe
1236

pid	process
1420	fvenotify.exe
1100	msdtc.exe
668	FXSCOVER.exe

pid	process
1236
1420	fvenotify.exe
1236
1100	msdtc.exe
1236
668	FXSCOVER.exe
1236

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\uVIwM0JYrBR\\msdtc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exefvenotify.exemsdtc.exeFXSCOVER.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exefvenotify.exemsdtc.exeFXSCOVER.exe

pid	process
1692	rundll32.exe
1692	rundll32.exe
1692	rundll32.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1420	fvenotify.exe
1420	fvenotify.exe
1236
1236
1236
1236
1236
1236
1236
1236
1100	msdtc.exe
1100	msdtc.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
668	FXSCOVER.exe
668	FXSCOVER.exe
1236
1236
1236
1236
1236
1236
1236

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1236 wrote to memory of 1452	1236	fvenotify.exe
PID 1236 wrote to memory of 1452	1236	fvenotify.exe
PID 1236 wrote to memory of 1452	1236	fvenotify.exe
PID 1236 wrote to memory of 1420	1236	fvenotify.exe
PID 1236 wrote to memory of 1420	1236	fvenotify.exe
PID 1236 wrote to memory of 1420	1236	fvenotify.exe
PID 1236 wrote to memory of 1548	1236	msdtc.exe
PID 1236 wrote to memory of 1548	1236	msdtc.exe
PID 1236 wrote to memory of 1548	1236	msdtc.exe
PID 1236 wrote to memory of 1100	1236	msdtc.exe
PID 1236 wrote to memory of 1100	1236	msdtc.exe
PID 1236 wrote to memory of 1100	1236	msdtc.exe
PID 1236 wrote to memory of 1040	1236	FXSCOVER.exe
PID 1236 wrote to memory of 1040	1236	FXSCOVER.exe
PID 1236 wrote to memory of 1040	1236	FXSCOVER.exe
PID 1236 wrote to memory of 668	1236	FXSCOVER.exe
PID 1236 wrote to memory of 668	1236	FXSCOVER.exe
PID 1236 wrote to memory of 668	1236	FXSCOVER.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c50f5f9e103236b5a05eefa06dd459b73e3b562ff7789c05a3a1c0591860f91.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:1452

C:\Users\Admin\AppData\Local\C7wdF1g\fvenotify.exe
C:\Users\Admin\AppData\Local\C7wdF1g\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:1548

C:\Users\Admin\AppData\Local\lf8S\msdtc.exe
C:\Users\Admin\AppData\Local\lf8S\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1040

C:\Users\Admin\AppData\Local\8QJq\FXSCOVER.exe
C:\Users\Admin\AppData\Local\8QJq\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:668

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8QJq\FXSCOVER.exe
Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
C:\Users\Admin\AppData\Local\8QJq\MFC42u.dll
Filesize
1.3MB

MD5
cb045f2c1758ad793106c2574f18b374

SHA1
be069d8625cfb858b3d465132465b85466cc1ba9

SHA256
72bd1235474472ebf2a2da1adc59422bec24ecfbfd5954a18a7095a8f2f3a20f

SHA512
bae86129fb8049d4edcb7c7dbf1d6606e8ad6062967435b0a388f5a6f55c3703e75b5910b28bdea8e6ce909292843359cbba14085e1ab35913944535521a1f90

Download Submit
C:\Users\Admin\AppData\Local\C7wdF1g\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\C7wdF1g\slc.dll
Filesize
1.2MB

MD5
423286e3ad08b166a4a4723e2915a7a0

SHA1
995a9c18cc28afb22a191746690679cc5f084d68

SHA256
2487ff42953e1a0c149430718483a3900e55b3eeccd9819c857677ae5eb388b2

SHA512
e48432750f4e1c3b672890f9132ad6686fe5769cee7fb68bedea0eea686b871d812c1fb14517244da4d95f43de523f61d5835013242f476867b3b14a31d0e6ce

Download Submit
C:\Users\Admin\AppData\Local\lf8S\VERSION.dll
Filesize
1.2MB

MD5
0663ee5cff61254ec136ca946ae4490c

SHA1
bca7567656ee47291adaa28438b7ea8aa4d30dc2

SHA256
ffb1e248e1e605149af3e00a56f0f58863a4454a6e9fa4bbf8f66df898b0df86

SHA512
98a8e6719de17419b6aad904e02b8377c864272ad7164b6445f165f54566e9921fa72fed86197c73717e7ba66d82701fe44bf7bb238732add436696445cae005

Download Submit
C:\Users\Admin\AppData\Local\lf8S\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
\Users\Admin\AppData\Local\8QJq\FXSCOVER.exe
Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
\Users\Admin\AppData\Local\8QJq\MFC42u.dll
Filesize
1.3MB

MD5
cb045f2c1758ad793106c2574f18b374

SHA1
be069d8625cfb858b3d465132465b85466cc1ba9

SHA256
72bd1235474472ebf2a2da1adc59422bec24ecfbfd5954a18a7095a8f2f3a20f

SHA512
bae86129fb8049d4edcb7c7dbf1d6606e8ad6062967435b0a388f5a6f55c3703e75b5910b28bdea8e6ce909292843359cbba14085e1ab35913944535521a1f90

Download Submit
\Users\Admin\AppData\Local\C7wdF1g\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\C7wdF1g\slc.dll
Filesize
1.2MB

MD5
423286e3ad08b166a4a4723e2915a7a0

SHA1
995a9c18cc28afb22a191746690679cc5f084d68

SHA256
2487ff42953e1a0c149430718483a3900e55b3eeccd9819c857677ae5eb388b2

SHA512
e48432750f4e1c3b672890f9132ad6686fe5769cee7fb68bedea0eea686b871d812c1fb14517244da4d95f43de523f61d5835013242f476867b3b14a31d0e6ce

Download Submit
\Users\Admin\AppData\Local\lf8S\VERSION.dll
Filesize
1.2MB

MD5
0663ee5cff61254ec136ca946ae4490c

SHA1
bca7567656ee47291adaa28438b7ea8aa4d30dc2

SHA256
ffb1e248e1e605149af3e00a56f0f58863a4454a6e9fa4bbf8f66df898b0df86

SHA512
98a8e6719de17419b6aad904e02b8377c864272ad7164b6445f165f54566e9921fa72fed86197c73717e7ba66d82701fe44bf7bb238732add436696445cae005

Download Submit
\Users\Admin\AppData\Local\lf8S\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\OQ1fo\FXSCOVER.exe
Filesize
261KB

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
memory/668-106-0x000000013F9E1000-0x000000013F9E3000-memory.dmp

Filesize
8KB

Download
memory/668-101-0x0000000000000000-mapping.dmp

Download
memory/668-107-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/668-110-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1100-92-0x0000000000000000-mapping.dmp

Download
memory/1100-99-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1236-67-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-64-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-58-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1236-80-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/1236-61-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-63-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-73-0x0000000002120000-0x0000000002127000-memory.dmp

Filesize
28KB

Download
memory/1236-59-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-68-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-69-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-70-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-65-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-60-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-62-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1236-66-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1420-84-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/1420-90-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1420-87-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1420-82-0x0000000000000000-mapping.dmp

Download
memory/1692-54-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1692-57-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads