dridex | 64f123d80872e8fd401f1ab89fa83ac61c744be1fb30b3ef2f1b1236b0db62a1

Analysis

max time kernel
150s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f123d80872e8fd401f1ab89fa83ac61c744be1fb30b3ef2f1b1236b0db62a1.dll
Size

1.2MB
MD5

fc7cd6f0409c5a8d3fc4c29652781e38
SHA1

84ea9d31cedb77e804a6b4941eeeb6081bd8ee84
SHA256

64f123d80872e8fd401f1ab89fa83ac61c744be1fb30b3ef2f1b1236b0db62a1
SHA512

05688c205f8ae6045500262bf865e230ad52fdc0fb08f1de4bcb9666e29c65cd45a85f5b05542bf7b4f5d9302cf1128a1bcc9cbb2b456ce2839910f8ae689943

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1560-130-0x0000000140000000-0x0000000140140000-memory.dmp	dridex_payload
behavioral2/memory/3156-164-0x0000000140000000-0x0000000140142000-memory.dmp	dridex_payload
behavioral2/memory/2156-172-0x0000000140000000-0x0000000140141000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3140-134-0x0000000000910000-0x0000000000911000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mmc.exemblctr.execmstp.exe

pid process

3156 mmc.exe
2156 mblctr.exe
1668 cmstp.exe
Loads dropped DLL 4 IoCs

Processes:

mmc.exemblctr.execmstp.exe

pid process

3156 mmc.exe
2156 mblctr.exe
1668 cmstp.exe
1668 cmstp.exe

pid	process
3156	mmc.exe
2156	mblctr.exe
1668	cmstp.exe

pid	process
3156	mmc.exe
2156	mblctr.exe
1668	cmstp.exe
1668	cmstp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eqzhtortkjjc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\kZQ\\mblctr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemmc.exemblctr.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140
3140

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3140

pid	process
3140

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3140 wrote to memory of 3700	3140	mmc.exe
PID 3140 wrote to memory of 3700	3140	mmc.exe
PID 3140 wrote to memory of 3156	3140	mmc.exe
PID 3140 wrote to memory of 3156	3140	mmc.exe
PID 3140 wrote to memory of 4352	3140	mblctr.exe
PID 3140 wrote to memory of 4352	3140	mblctr.exe
PID 3140 wrote to memory of 2156	3140	mblctr.exe
PID 3140 wrote to memory of 2156	3140	mblctr.exe
PID 3140 wrote to memory of 1632	3140	cmstp.exe
PID 3140 wrote to memory of 1632	3140	cmstp.exe
PID 3140 wrote to memory of 1668	3140	cmstp.exe
PID 3140 wrote to memory of 1668	3140	cmstp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\64f123d80872e8fd401f1ab89fa83ac61c744be1fb30b3ef2f1b1236b0db62a1.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1560

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:3700

C:\Users\Admin\AppData\Local\XcIYA6nH\mmc.exe
C:\Users\Admin\AppData\Local\XcIYA6nH\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3156

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:4352

C:\Users\Admin\AppData\Local\Qx9BSuh\mblctr.exe
C:\Users\Admin\AppData\Local\Qx9BSuh\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2156

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1632

C:\Users\Admin\AppData\Local\YY1jtY\cmstp.exe
C:\Users\Admin\AppData\Local\YY1jtY\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Qx9BSuh\dwmapi.dll
Filesize
1.2MB

MD5
26b4cf0ed87b8cdd3a10cef42d593fc1

SHA1
d753ee17569adb92c7617222ab54f7d53ff13f0d

SHA256
497afaaaafb4828dcb6cebf9039c60b0384e389641f29c982ce6724a5d788307

SHA512
f1c4458d129b513ed7db6e62fb61c89a6eaaec3232d254bab6214b31d1ecf1f64aa9e30e8c6ff093fe5cb4328c6fc41b665da9bed06b36e4ad350fba6ee42fe6

Download Submit
C:\Users\Admin\AppData\Local\Qx9BSuh\dwmapi.dll
Filesize
1.2MB

MD5
26b4cf0ed87b8cdd3a10cef42d593fc1

SHA1
d753ee17569adb92c7617222ab54f7d53ff13f0d

SHA256
497afaaaafb4828dcb6cebf9039c60b0384e389641f29c982ce6724a5d788307

SHA512
f1c4458d129b513ed7db6e62fb61c89a6eaaec3232d254bab6214b31d1ecf1f64aa9e30e8c6ff093fe5cb4328c6fc41b665da9bed06b36e4ad350fba6ee42fe6

Download Submit
C:\Users\Admin\AppData\Local\Qx9BSuh\mblctr.exe
Filesize
790KB

MD5
d3db14eabb2679e08020bcd0c96fa9f6

SHA1
578dca7aad29409634064579d269e61e1f07d9dd

SHA256
3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69

SHA512
14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

Download Submit
C:\Users\Admin\AppData\Local\XcIYA6nH\mmc.exe
Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Local\XcIYA6nH\mmc.exe
Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Local\XcIYA6nH\mmcbase.DLL
Filesize
1.2MB

MD5
6e76347bdfe064a3300276c233eb3061

SHA1
0211f1270e89b49f35336af8a9ee5f6546431df0

SHA256
20df3d964935df714e4e7bbf424fa3478a06c84d5b0f93a9209ceb4b52b44651

SHA512
f118e92d4786dd53af23e3dd17c711c07d2cde13fe6911b0001a6c115cf3bee2feb03212dfcf97f2d9c00b73c4fcace048c72d03e177f2da8301447aa0bc11f0

Download Submit
C:\Users\Admin\AppData\Local\XcIYA6nH\mmcbase.DLL
Filesize
1.2MB

MD5
6e76347bdfe064a3300276c233eb3061

SHA1
0211f1270e89b49f35336af8a9ee5f6546431df0

SHA256
20df3d964935df714e4e7bbf424fa3478a06c84d5b0f93a9209ceb4b52b44651

SHA512
f118e92d4786dd53af23e3dd17c711c07d2cde13fe6911b0001a6c115cf3bee2feb03212dfcf97f2d9c00b73c4fcace048c72d03e177f2da8301447aa0bc11f0

Download Submit
C:\Users\Admin\AppData\Local\YY1jtY\VERSION.dll
Filesize
1.2MB

MD5
8ebe3c560364225dcbe5f87d0e96b8a1

SHA1
2411bd9f6db88feeae674feb787f5ea3d747386f

SHA256
5b72d5156974e9e331aa294c221b5aa2305023b7d3300dd3027ad1d4d74d1aa6

SHA512
82e5f4b3452d0bcb2a8633e17ec3adb527b95b0f43598d0c33dee4c309eb85dc6df54d7e1006ba90d1410c871c4c2f7b56803de55b71a9ed1e5df55faf89d1e5

Download Submit
C:\Users\Admin\AppData\Local\YY1jtY\VERSION.dll
Filesize
1.2MB

MD5
8ebe3c560364225dcbe5f87d0e96b8a1

SHA1
2411bd9f6db88feeae674feb787f5ea3d747386f

SHA256
5b72d5156974e9e331aa294c221b5aa2305023b7d3300dd3027ad1d4d74d1aa6

SHA512
82e5f4b3452d0bcb2a8633e17ec3adb527b95b0f43598d0c33dee4c309eb85dc6df54d7e1006ba90d1410c871c4c2f7b56803de55b71a9ed1e5df55faf89d1e5

Download Submit
C:\Users\Admin\AppData\Local\YY1jtY\VERSION.dll
Filesize
1.2MB

MD5
8ebe3c560364225dcbe5f87d0e96b8a1

SHA1
2411bd9f6db88feeae674feb787f5ea3d747386f

SHA256
5b72d5156974e9e331aa294c221b5aa2305023b7d3300dd3027ad1d4d74d1aa6

SHA512
82e5f4b3452d0bcb2a8633e17ec3adb527b95b0f43598d0c33dee4c309eb85dc6df54d7e1006ba90d1410c871c4c2f7b56803de55b71a9ed1e5df55faf89d1e5

Download Submit
C:\Users\Admin\AppData\Local\YY1jtY\cmstp.exe
Filesize
96KB

MD5
4cc43fe4d397ff79fa69f397e016df52

SHA1
8fd6cf81ad40c9b123cd75611860a8b95c72869c

SHA256
f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

SHA512
851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Download Submit
memory/1560-130-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1560-133-0x000001CA24C30000-0x000001CA24C37000-memory.dmp

Filesize
28KB

Download
memory/1668-175-0x0000000000000000-mapping.dmp

Download
memory/1668-183-0x000001EA65B60000-0x000001EA65B67000-memory.dmp

Filesize
28KB

Download
memory/2156-172-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2156-168-0x0000000000000000-mapping.dmp

Download
memory/3140-141-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-145-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-134-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/3140-156-0x00007FFCDC0FC000-0x00007FFCDC0FD000-memory.dmp

Filesize
4KB

Download
memory/3140-157-0x00007FFCDC0CC000-0x00007FFCDC0CD000-memory.dmp

Filesize
4KB

Download
memory/3140-147-0x00000000008D0000-0x00000000008D7000-memory.dmp

Filesize
28KB

Download
memory/3140-146-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-136-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-135-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-158-0x00007FFCDC010000-0x00007FFCDC020000-memory.dmp

Filesize
64KB

Download
memory/3140-144-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-143-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-142-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-140-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-139-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-138-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3140-137-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3156-167-0x0000000000820000-0x0000000000827000-memory.dmp

Filesize
28KB

Download
memory/3156-164-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3156-159-0x0000000000000000-mapping.dmp

Download