dridex | 42012850646049ef86749410810b29abfd3c823e9987c9e1b5ac551ed3cc4101

Analysis

max time kernel
155s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll
Size

768KB
MD5

bd5cfa593ed87901f8184eaa44c0a8b8
SHA1

963a57fb83ca6361624fb057058ea4fb538015dc
SHA256

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100
SHA512

f6235abb0503db5a7cc7a0f6d2a4682db1491127a4f5700d3f68e15535b838651e1df8a8292643e46febb678e16abe9f36f6990db57db3f58c60ceae186ae489
SSDEEP

12288:4lORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:8ORVEVNmaDznMlqVNE27dJ8J2inNx

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3132-138-0x00000000032D0000-0x00000000032D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mfpmp.exewlrmdr.exeEhStorAuthn.exe

pid process

4044 mfpmp.exe
3116 wlrmdr.exe
3716 EhStorAuthn.exe
Loads dropped DLL 3 IoCs

Processes:

mfpmp.exewlrmdr.exeEhStorAuthn.exe

pid process

4044 mfpmp.exe
3116 wlrmdr.exe
3716 EhStorAuthn.exe

pid	process
4044	mfpmp.exe
3116	wlrmdr.exe
3716	EhStorAuthn.exe

pid	process
4044	mfpmp.exe
3116	wlrmdr.exe
3716	EhStorAuthn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vbkzszunqcp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\za3\\wlrmdr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

wlrmdr.exeEhStorAuthn.exerundll32.exemfpmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mfpmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exemfpmp.exe

pid	process
4924	rundll32.exe
4924	rundll32.exe
4924	rundll32.exe
4924	rundll32.exe
4924	rundll32.exe
4924	rundll32.exe
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
3132
4044	mfpmp.exe
4044	mfpmp.exe
3132
3132
3132
3132
3132
3132

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3132

pid	process
3132

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3132 wrote to memory of 432	3132	mfpmp.exe
PID 3132 wrote to memory of 432	3132	mfpmp.exe
PID 3132 wrote to memory of 4044	3132	mfpmp.exe
PID 3132 wrote to memory of 4044	3132	mfpmp.exe
PID 3132 wrote to memory of 3376	3132	wlrmdr.exe
PID 3132 wrote to memory of 3376	3132	wlrmdr.exe
PID 3132 wrote to memory of 3116	3132	wlrmdr.exe
PID 3132 wrote to memory of 3116	3132	wlrmdr.exe
PID 3132 wrote to memory of 3760	3132	EhStorAuthn.exe
PID 3132 wrote to memory of 3760	3132	EhStorAuthn.exe
PID 3132 wrote to memory of 3716	3132	EhStorAuthn.exe
PID 3132 wrote to memory of 3716	3132	EhStorAuthn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:432

C:\Users\Admin\AppData\Local\1099\mfpmp.exe
C:\Users\Admin\AppData\Local\1099\mfpmp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:3376

C:\Users\Admin\AppData\Local\fOV\wlrmdr.exe
C:\Users\Admin\AppData\Local\fOV\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3116

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:3760

C:\Users\Admin\AppData\Local\zGposDA\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\zGposDA\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1099\MFPlat.DLL
Filesize
776KB

MD5
8bd1ad854a823e6d56dc12a541dbf378

SHA1
63d97d73fc935d734dd7c048a0b1b64f252de1cf

SHA256
7188c77863a41005609cea996b60ea36aa6546c64f928d8518f3f7e1d8750ac9

SHA512
3adb25cfb9c912b3f2366b6eb752fda075aef672585c778f7fceb5e45ad7c55796b677808fc1179ea0250ae2fc874e1b8ca3c2a8f38b45c12ec7321bec45862e

Download Submit
C:\Users\Admin\AppData\Local\1099\MFPlat.DLL
Filesize
776KB

MD5
8bd1ad854a823e6d56dc12a541dbf378

SHA1
63d97d73fc935d734dd7c048a0b1b64f252de1cf

SHA256
7188c77863a41005609cea996b60ea36aa6546c64f928d8518f3f7e1d8750ac9

SHA512
3adb25cfb9c912b3f2366b6eb752fda075aef672585c778f7fceb5e45ad7c55796b677808fc1179ea0250ae2fc874e1b8ca3c2a8f38b45c12ec7321bec45862e

Download Submit
C:\Users\Admin\AppData\Local\1099\mfpmp.exe
Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Local\1099\mfpmp.exe
Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Local\fOV\DUI70.dll
Filesize
1.0MB

MD5
e7ba2d9e3646d7379abda62532ec460a

SHA1
495eb8147bec323bb6dff29cb971024eed26e701

SHA256
ada3aeecd337de23b976253ed975998850c1a13fc03a0077895cb0dee216d166

SHA512
44d4532c79c45dd22b15ae2f9c816335d88086c386ddabc5410c9d862ff2e8751460a967446c38210875747b36f1166162d657606e3d971d7890d7ad3bbea999

Download Submit
C:\Users\Admin\AppData\Local\fOV\DUI70.dll
Filesize
1.0MB

MD5
e7ba2d9e3646d7379abda62532ec460a

SHA1
495eb8147bec323bb6dff29cb971024eed26e701

SHA256
ada3aeecd337de23b976253ed975998850c1a13fc03a0077895cb0dee216d166

SHA512
44d4532c79c45dd22b15ae2f9c816335d88086c386ddabc5410c9d862ff2e8751460a967446c38210875747b36f1166162d657606e3d971d7890d7ad3bbea999

Download Submit
C:\Users\Admin\AppData\Local\fOV\wlrmdr.exe
Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Local\fOV\wlrmdr.exe
Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Local\zGposDA\EhStorAuthn.exe
Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\zGposDA\EhStorAuthn.exe
Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\zGposDA\UxTheme.dll
Filesize
772KB

MD5
b99d2e934427a5e45de1314c35698603

SHA1
399cd0e0db2deaa84eb21dc5d936f772e0b19fd4

SHA256
8e9d94a25c80fce115291b4f287bb170f5a6cd5d39ba52ac181bfadc4ccad9fc

SHA512
704da4e61bdb7ec0c6293ccc4f0e241a3823afe64df9e2f0fb2053118b3bab20562fba421ca015ecbf29d3057abaeb9d20e1e9137d432bf877d28a849975b2cc

Download Submit
C:\Users\Admin\AppData\Local\zGposDA\UxTheme.dll
Filesize
772KB

MD5
b99d2e934427a5e45de1314c35698603

SHA1
399cd0e0db2deaa84eb21dc5d936f772e0b19fd4

SHA256
8e9d94a25c80fce115291b4f287bb170f5a6cd5d39ba52ac181bfadc4ccad9fc

SHA512
704da4e61bdb7ec0c6293ccc4f0e241a3823afe64df9e2f0fb2053118b3bab20562fba421ca015ecbf29d3057abaeb9d20e1e9137d432bf877d28a849975b2cc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ysexmho.lnk
Filesize
1KB

MD5
70aa824049fb96820b0f8f2c0c81b10e

SHA1
e1c4a152102997e5dafe13dd122cd84852dd16cb

SHA256
4cdcadbd242fef48b958354c78fd3bb7756792b01af7c17fa76c0903c230ab26

SHA512
5194acd897d8e5ae70acae1269888562dcc2ad54c69ae460701826dbc730519e3882199f57673f4c96eb28ddcdeb3aec8587d322a13e269a812408e27c4c07ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\BnuuFI\UxTheme.dll
Filesize
772KB

MD5
b99d2e934427a5e45de1314c35698603

SHA1
399cd0e0db2deaa84eb21dc5d936f772e0b19fd4

SHA256
8e9d94a25c80fce115291b4f287bb170f5a6cd5d39ba52ac181bfadc4ccad9fc

SHA512
704da4e61bdb7ec0c6293ccc4f0e241a3823afe64df9e2f0fb2053118b3bab20562fba421ca015ecbf29d3057abaeb9d20e1e9137d432bf877d28a849975b2cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\za3\DUI70.dll
Filesize
1.0MB

MD5
e7ba2d9e3646d7379abda62532ec460a

SHA1
495eb8147bec323bb6dff29cb971024eed26e701

SHA256
ada3aeecd337de23b976253ed975998850c1a13fc03a0077895cb0dee216d166

SHA512
44d4532c79c45dd22b15ae2f9c816335d88086c386ddabc5410c9d862ff2e8751460a967446c38210875747b36f1166162d657606e3d971d7890d7ad3bbea999

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\0eKMDFXmZv\MFPlat.DLL
Filesize
776KB

MD5
8bd1ad854a823e6d56dc12a541dbf378

SHA1
63d97d73fc935d734dd7c048a0b1b64f252de1cf

SHA256
7188c77863a41005609cea996b60ea36aa6546c64f928d8518f3f7e1d8750ac9

SHA512
3adb25cfb9c912b3f2366b6eb752fda075aef672585c778f7fceb5e45ad7c55796b677808fc1179ea0250ae2fc874e1b8ca3c2a8f38b45c12ec7321bec45862e

Download Submit
memory/3116-193-0x00007FFBF9060000-0x00007FFBF9166000-memory.dmp

Filesize
1.0MB

Download
memory/3116-196-0x000002207DCB0000-0x000002207DCB7000-memory.dmp

Filesize
28KB

Download
memory/3116-199-0x00007FFBF9060000-0x00007FFBF9166000-memory.dmp

Filesize
1.0MB

Download
memory/3132-147-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-146-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-138-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/3132-140-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-142-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-166-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-164-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-155-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-148-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-149-0x00000000014B0000-0x00000000014B7000-memory.dmp

Filesize
28KB

Download
memory/3132-143-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-178-0x00007FFC175E0000-0x00007FFC175F0000-memory.dmp

Filesize
64KB

Download
memory/3132-145-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3132-144-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3716-210-0x00007FFBF90A0000-0x00007FFBF9161000-memory.dmp

Filesize
772KB

Download
memory/3716-213-0x000001FCB2B90000-0x000001FCB2B97000-memory.dmp

Filesize
28KB

Download
memory/3716-216-0x00007FFBF90A0000-0x00007FFBF9161000-memory.dmp

Filesize
772KB

Download
memory/4044-175-0x00007FFBF8730000-0x00007FFBF87F2000-memory.dmp

Filesize
776KB

Download
memory/4044-182-0x00007FFBF8730000-0x00007FFBF87F2000-memory.dmp

Filesize
776KB

Download
memory/4044-179-0x0000021BAEA30000-0x0000021BAEA37000-memory.dmp

Filesize
28KB

Download
memory/4924-133-0x00007FFBF8BE0000-0x00007FFBF8CA0000-memory.dmp

Filesize
768KB

Download
memory/4924-137-0x00007FFBF8BE0000-0x00007FFBF8CA0000-memory.dmp

Filesize
768KB

Download
memory/4924-136-0x000001A1BC400000-0x000001A1BC407000-memory.dmp

Filesize
28KB

Download