dridex | 64f123d80872e8fd401f1ab89fa83ac61c744be1fb30b3ef2f1b1236b0db62a1

Analysis

max time kernel
151s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f123d80872e8fd401f1ab89fa83ac61c744be1fb30b3ef2f1b1236b0db62a1.dll
Size

1.2MB
MD5

fc7cd6f0409c5a8d3fc4c29652781e38
SHA1

84ea9d31cedb77e804a6b4941eeeb6081bd8ee84
SHA256

64f123d80872e8fd401f1ab89fa83ac61c744be1fb30b3ef2f1b1236b0db62a1
SHA512

05688c205f8ae6045500262bf865e230ad52fdc0fb08f1de4bcb9666e29c65cd45a85f5b05542bf7b4f5d9302cf1128a1bcc9cbb2b456ce2839910f8ae689943

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1372-54-0x0000000140000000-0x0000000140140000-memory.dmp	dridex_payload
behavioral1/memory/1896-86-0x0000000140000000-0x0000000140141000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1200-58-0x0000000002980000-0x0000000002981000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesRemote.exeshrpubw.execmstp.exe

pid process

1896 SystemPropertiesRemote.exe
836 shrpubw.exe
1040 cmstp.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesRemote.exeshrpubw.execmstp.exe

pid process

1200
1896 SystemPropertiesRemote.exe
1200
836 shrpubw.exe
1200
1040 cmstp.exe
1200

pid	process
1896	SystemPropertiesRemote.exe
836	shrpubw.exe
1040	cmstp.exe

pid	process
1200
1896	SystemPropertiesRemote.exe
1200
836	shrpubw.exe
1200
1040	cmstp.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\cDHJJPEyT5u\\shrpubw.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSystemPropertiesRemote.exeshrpubw.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesRemote.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSystemPropertiesRemote.exeshrpubw.execmstp.exe

pid	process
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1896	SystemPropertiesRemote.exe
1896	SystemPropertiesRemote.exe
1200
1200
1200
1200
1200
1200
836	shrpubw.exe
836	shrpubw.exe
1200
1200
1200
1200
1200
1200
1200
1200
1040	cmstp.exe
1040	cmstp.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 912	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 912	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 912	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 1896	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 1896	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 1896	1200	SystemPropertiesRemote.exe
PID 1200 wrote to memory of 1284	1200	shrpubw.exe
PID 1200 wrote to memory of 1284	1200	shrpubw.exe
PID 1200 wrote to memory of 1284	1200	shrpubw.exe
PID 1200 wrote to memory of 836	1200	shrpubw.exe
PID 1200 wrote to memory of 836	1200	shrpubw.exe
PID 1200 wrote to memory of 836	1200	shrpubw.exe
PID 1200 wrote to memory of 1044	1200	cmstp.exe
PID 1200 wrote to memory of 1044	1200	cmstp.exe
PID 1200 wrote to memory of 1044	1200	cmstp.exe
PID 1200 wrote to memory of 1040	1200	cmstp.exe
PID 1200 wrote to memory of 1040	1200	cmstp.exe
PID 1200 wrote to memory of 1040	1200	cmstp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\64f123d80872e8fd401f1ab89fa83ac61c744be1fb30b3ef2f1b1236b0db62a1.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1372

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:912

C:\Users\Admin\AppData\Local\D1C\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\D1C\SystemPropertiesRemote.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1284

C:\Users\Admin\AppData\Local\TIH8h5fEo\shrpubw.exe
C:\Users\Admin\AppData\Local\TIH8h5fEo\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:836

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1044

C:\Users\Admin\AppData\Local\ykHmR\cmstp.exe
C:\Users\Admin\AppData\Local\ykHmR\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D1C\SYSDM.CPL
Filesize
1.2MB

MD5
9c79686a0ca07544a632259bbe21f0fb

SHA1
f26969541f0017480fac54df5dc53b40e5949d6f

SHA256
1e268261408b959618526e96510890a72f2ce66cbb6a4d63a90ec25ebdaad55b

SHA512
8fd061699a30c4a7fd180a55538e015250ae544082fc68a3be7346d0870273ca140ebe2e77618c1de0ab390c4e8fb3d88316aa001a8822be96a6143cd4766972

Download Submit
C:\Users\Admin\AppData\Local\D1C\SystemPropertiesRemote.exe
Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
C:\Users\Admin\AppData\Local\TIH8h5fEo\ACLUI.dll
Filesize
1.2MB

MD5
35dc4b44b7c9f02bb9fd69b47ec83569

SHA1
659e6e04f0a2b43d7458d73fd7254ae1bc5151ef

SHA256
c4de8a2011b7155466f19f6c3ef001f293442b9ee40dc3f7eb688e136fbc180c

SHA512
7ab5f4ff92ee8f5c77f422b667f2263a0ba9c85723011c10e1c2fa28b6532a3ff7c9b32020e3830475ab73087e93b02b1bf6e8baa9989fe69becc0cbcd6c65ac

Download Submit
C:\Users\Admin\AppData\Local\TIH8h5fEo\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\ykHmR\VERSION.dll
Filesize
1.2MB

MD5
84f0d24e28ad9cf08aa4ebaa29b36ce5

SHA1
ca10c46ef59498900d7e0fdc5170cc47e3adbff1

SHA256
4bba5174e29c890e71772620b47ac3e7ad724c252fb7532790c360c0b992b777

SHA512
04c3dc87d71b473a3bb4e057b85c3e22fb6513c90fbf245be0d526bcf9ec18720a850eeaf31dc78e9e1d4dc139764cb47af4af5f1b7de8fced3512a6dcf42843

Download Submit
C:\Users\Admin\AppData\Local\ykHmR\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\D1C\SYSDM.CPL
Filesize
1.2MB

MD5
9c79686a0ca07544a632259bbe21f0fb

SHA1
f26969541f0017480fac54df5dc53b40e5949d6f

SHA256
1e268261408b959618526e96510890a72f2ce66cbb6a4d63a90ec25ebdaad55b

SHA512
8fd061699a30c4a7fd180a55538e015250ae544082fc68a3be7346d0870273ca140ebe2e77618c1de0ab390c4e8fb3d88316aa001a8822be96a6143cd4766972

Download Submit
\Users\Admin\AppData\Local\D1C\SystemPropertiesRemote.exe
Filesize
80KB

MD5
d0d7ac869aa4e179da2cc333f0440d71

SHA1
e7b9a58f5bfc1ec321f015641a60978c0c683894

SHA256
5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a

SHA512
1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

Download Submit
\Users\Admin\AppData\Local\TIH8h5fEo\ACLUI.dll
Filesize
1.2MB

MD5
35dc4b44b7c9f02bb9fd69b47ec83569

SHA1
659e6e04f0a2b43d7458d73fd7254ae1bc5151ef

SHA256
c4de8a2011b7155466f19f6c3ef001f293442b9ee40dc3f7eb688e136fbc180c

SHA512
7ab5f4ff92ee8f5c77f422b667f2263a0ba9c85723011c10e1c2fa28b6532a3ff7c9b32020e3830475ab73087e93b02b1bf6e8baa9989fe69becc0cbcd6c65ac

Download Submit
\Users\Admin\AppData\Local\TIH8h5fEo\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\ykHmR\VERSION.dll
Filesize
1.2MB

MD5
84f0d24e28ad9cf08aa4ebaa29b36ce5

SHA1
ca10c46ef59498900d7e0fdc5170cc47e3adbff1

SHA256
4bba5174e29c890e71772620b47ac3e7ad724c252fb7532790c360c0b992b777

SHA512
04c3dc87d71b473a3bb4e057b85c3e22fb6513c90fbf245be0d526bcf9ec18720a850eeaf31dc78e9e1d4dc139764cb47af4af5f1b7de8fced3512a6dcf42843

Download Submit
\Users\Admin\AppData\Local\ykHmR\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Roaming\Adobe\K3g4MO4I9Uw\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
memory/836-93-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

Filesize
8KB

Download
memory/836-91-0x0000000000000000-mapping.dmp

Download
memory/1040-100-0x0000000000000000-mapping.dmp

Download
memory/1040-107-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1200-67-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-69-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-79-0x0000000002640000-0x0000000002647000-memory.dmp

Filesize
28KB

Download
memory/1200-80-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/1200-70-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-58-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1200-59-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-63-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-64-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-65-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-66-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-60-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-68-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-62-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1200-61-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1372-54-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1372-57-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1896-82-0x0000000000000000-mapping.dmp

Download
memory/1896-89-0x0000000001B30000-0x0000000001B37000-memory.dmp

Filesize
28KB

Download
memory/1896-86-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads