dridex | c628d9de914a3bf9ae9ae4ed0f1e5c25e08a87419bdb8292e44ade1c7f09c76d

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll
Size

768KB
MD5

bd5cfa593ed87901f8184eaa44c0a8b8
SHA1

963a57fb83ca6361624fb057058ea4fb538015dc
SHA256

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100
SHA512

f6235abb0503db5a7cc7a0f6d2a4682db1491127a4f5700d3f68e15535b838651e1df8a8292643e46febb678e16abe9f36f6990db57db3f58c60ceae186ae489
SSDEEP

12288:4lORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:8ORVEVNmaDznMlqVNE27dJ8J2inNx

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1292-59-0x0000000002970000-0x0000000002971000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 2 IoCs

Processes:

PresentationSettings.exeSystemPropertiesPerformance.exe

pid process

828 PresentationSettings.exe
1704 SystemPropertiesPerformance.exe
Loads dropped DLL 4 IoCs

Processes:

PresentationSettings.exeSystemPropertiesPerformance.exe

pid process

1292
828 PresentationSettings.exe
1292
1704 SystemPropertiesPerformance.exe

pid	process
828	PresentationSettings.exe
1704	SystemPropertiesPerformance.exe

pid	process
1292
828	PresentationSettings.exe
1292
1704	SystemPropertiesPerformance.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exePresentationSettings.exeSystemPropertiesPerformance.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exePresentationSettings.exe

pid	process
1444	rundll32.exe
1444	rundll32.exe
1444	rundll32.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
828	PresentationSettings.exe
828	PresentationSettings.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1292

pid	process
1292

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 1292 wrote to memory of 1784	1292	PresentationSettings.exe
PID 1292 wrote to memory of 1784	1292	PresentationSettings.exe
PID 1292 wrote to memory of 1784	1292	PresentationSettings.exe
PID 1292 wrote to memory of 828	1292	PresentationSettings.exe
PID 1292 wrote to memory of 828	1292	PresentationSettings.exe
PID 1292 wrote to memory of 828	1292	PresentationSettings.exe
PID 1292 wrote to memory of 1160	1292	SystemPropertiesPerformance.exe
PID 1292 wrote to memory of 1160	1292	SystemPropertiesPerformance.exe
PID 1292 wrote to memory of 1160	1292	SystemPropertiesPerformance.exe
PID 1292 wrote to memory of 1704	1292	SystemPropertiesPerformance.exe
PID 1292 wrote to memory of 1704	1292	SystemPropertiesPerformance.exe
PID 1292 wrote to memory of 1704	1292	SystemPropertiesPerformance.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:1784

C:\Users\Admin\AppData\Local\EDVdbZ69\PresentationSettings.exe
C:\Users\Admin\AppData\Local\EDVdbZ69\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:1160

C:\Users\Admin\AppData\Local\2DzWE\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\2DzWE\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1704

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2DzWE\SYSDM.CPL
Filesize
768KB

MD5
04509c0228e11c1b9cc5c1d979cd103e

SHA1
b0e5dfab26eb027d0beb8a37bf15d4f2dd0e7f46

SHA256
70f6cd6555f07a9b7e0227f86dd9f1aceccb0e9e0a746132afb57241540b954b

SHA512
c26484a3337d014bf7b2599776b4adb5383bcf6e98eabec4cca2e7e03b8999499f5b83d9705b5f1a751340e63a80174eda1a420f86666f3980e71243dfdbdc6f

Download Submit
C:\Users\Admin\AppData\Local\2DzWE\SystemPropertiesPerformance.exe
Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
C:\Users\Admin\AppData\Local\2DzWE\SystemPropertiesPerformance.exe
Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
C:\Users\Admin\AppData\Local\EDVdbZ69\PresentationSettings.exe
Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
C:\Users\Admin\AppData\Local\EDVdbZ69\PresentationSettings.exe
Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
C:\Users\Admin\AppData\Local\EDVdbZ69\slc.dll
Filesize
768KB

MD5
555a4fccf3f37a18a4fa323431a13fd7

SHA1
c1245590c451cb6b17c6dd90c9063b7d42e9e505

SHA256
6488caec73b32e3f17a7cf06b9acd8ca85e36556f4ed75a0647ecd4c8d9e306c

SHA512
94101a0c0ca7e077f0b5f0a6703d718e7d441701354fc76583e48cd7ddf1bbe13e7fa9b8320be7dbe32240f662819b8b99b7d8196a0b0c0a4e77b8d307a64f1c

Download Submit
\Users\Admin\AppData\Local\2DzWE\SYSDM.CPL
Filesize
768KB

MD5
04509c0228e11c1b9cc5c1d979cd103e

SHA1
b0e5dfab26eb027d0beb8a37bf15d4f2dd0e7f46

SHA256
70f6cd6555f07a9b7e0227f86dd9f1aceccb0e9e0a746132afb57241540b954b

SHA512
c26484a3337d014bf7b2599776b4adb5383bcf6e98eabec4cca2e7e03b8999499f5b83d9705b5f1a751340e63a80174eda1a420f86666f3980e71243dfdbdc6f

Download Submit
\Users\Admin\AppData\Local\2DzWE\SystemPropertiesPerformance.exe
Filesize
80KB

MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Local\EDVdbZ69\PresentationSettings.exe
Filesize
172KB

MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\EDVdbZ69\slc.dll
Filesize
768KB

MD5
555a4fccf3f37a18a4fa323431a13fd7

SHA1
c1245590c451cb6b17c6dd90c9063b7d42e9e505

SHA256
6488caec73b32e3f17a7cf06b9acd8ca85e36556f4ed75a0647ecd4c8d9e306c

SHA512
94101a0c0ca7e077f0b5f0a6703d718e7d441701354fc76583e48cd7ddf1bbe13e7fa9b8320be7dbe32240f662819b8b99b7d8196a0b0c0a4e77b8d307a64f1c

Download Submit
memory/828-104-0x000007FEFAF70000-0x000007FEFB030000-memory.dmp

Filesize
768KB

Download
memory/828-101-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/828-98-0x000007FEFAF70000-0x000007FEFB030000-memory.dmp

Filesize
768KB

Download
memory/1292-67-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-65-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-80-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-86-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-89-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-76-0x0000000002950000-0x0000000002957000-memory.dmp

Filesize
28KB

Download
memory/1292-75-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-69-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-68-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-66-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-59-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1292-77-0x0000000077860000-0x0000000077862000-memory.dmp

Filesize
8KB

Download
memory/1292-64-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-107-0x000007FED47D0000-0x000007FED47DA000-memory.dmp

Filesize
40KB

Download
memory/1292-63-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1292-61-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1444-54-0x000007FEFACE0000-0x000007FEFADA0000-memory.dmp

Filesize
768KB

Download
memory/1444-58-0x000007FEFACE0000-0x000007FEFADA0000-memory.dmp

Filesize
768KB

Download
memory/1444-57-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1704-117-0x000007FEF6200000-0x000007FEF62C0000-memory.dmp

Filesize
768KB

Download
memory/1704-120-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/1704-123-0x000007FEF6200000-0x000007FEF62C0000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads