dridex | e84a6be9a0be2072e7cad77b66e433bcb87035dae75e86ca982d26fe37186458

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7v20201028
submitted
22-01-2021 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dridex.dll
Size

672KB
MD5

5decc1ceb1b5a1a1a26a7049ab860f67
SHA1

02219e55c686e80e405a8132cb0a4fb77bef3b4a
SHA256

e84a6be9a0be2072e7cad77b66e433bcb87035dae75e86ca982d26fe37186458
SHA512

3fb6cee0c6ab75ac53d0cd1cb6362e93d94d068e71df24feb699c318d47692e8752cfca4022c97e3675caaf821acf1aa5405cb738c148b85a7ae2343c315be52

Score

10^/10

dridex botnet evasion loader persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Loader 4 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/800-4-0x0000000140000000-0x0000000140085000-memory.dmp	dridex_ldr
behavioral1/memory/800-3-0x0000000140000000-0x00000001400AE000-memory.dmp	dridex_ldr
behavioral1/memory/1628-16-0x0000000140000000-0x00000001400B0000-memory.dmp	dridex_ldr
behavioral1/memory/576-25-0x0000000140000000-0x00000001400AF000-memory.dmp	dridex_ldr

Executes dropped EXE 3 IoCs

Processes:

dialer.exeSystemPropertiesPerformance.exep2phost.exe

pid process

1628 dialer.exe
576 SystemPropertiesPerformance.exe
964 p2phost.exe
Loads dropped DLL 7 IoCs

Processes:

dialer.exeSystemPropertiesPerformance.exep2phost.exe

pid process

1280
1628 dialer.exe
1280
576 SystemPropertiesPerformance.exe
1280
964 p2phost.exe
1280

pid	process
1628	dialer.exe
576	SystemPropertiesPerformance.exe
964	p2phost.exe

pid	process
1280
1628	dialer.exe
1280
576	SystemPropertiesPerformance.exe
1280
964	p2phost.exe
1280

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwngpuogdpc = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\aiDum5ugB5y\\SystemPropertiesPerformance.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedialer.exeSystemPropertiesPerformance.exep2phost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesPerformance.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe

Suspicious behavior: EnumeratesProcesses 314 IoCs

Processes:

rundll32.exedialer.exeSystemPropertiesPerformance.exe

pid	process
800	rundll32.exe
800	rundll32.exe
800	rundll32.exe
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1628	dialer.exe
1628	dialer.exe
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
1280
576	SystemPropertiesPerformance.exe
576	SystemPropertiesPerformance.exe
1280
1280
1280

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1280
1280
1280
1280
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1280
1280
1280
1280

pid	process
1280
1280
1280
1280

pid	process
1280
1280
1280
1280

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1280 wrote to memory of 1524	1280	dialer.exe
PID 1280 wrote to memory of 1524	1280	dialer.exe
PID 1280 wrote to memory of 1524	1280	dialer.exe
PID 1280 wrote to memory of 1628	1280	dialer.exe
PID 1280 wrote to memory of 1628	1280	dialer.exe
PID 1280 wrote to memory of 1628	1280	dialer.exe
PID 1280 wrote to memory of 1480	1280	SystemPropertiesPerformance.exe
PID 1280 wrote to memory of 1480	1280	SystemPropertiesPerformance.exe
PID 1280 wrote to memory of 1480	1280	SystemPropertiesPerformance.exe
PID 1280 wrote to memory of 576	1280	SystemPropertiesPerformance.exe
PID 1280 wrote to memory of 576	1280	SystemPropertiesPerformance.exe
PID 1280 wrote to memory of 576	1280	SystemPropertiesPerformance.exe
PID 1280 wrote to memory of 1352	1280	p2phost.exe
PID 1280 wrote to memory of 1352	1280	p2phost.exe
PID 1280 wrote to memory of 1352	1280	p2phost.exe
PID 1280 wrote to memory of 964	1280	p2phost.exe
PID 1280 wrote to memory of 964	1280	p2phost.exe
PID 1280 wrote to memory of 964	1280	p2phost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\xxXq\dialer.exe
C:\Users\Admin\AppData\Local\xxXq\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:1480

C:\Users\Admin\AppData\Local\lnYvz\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\lnYvz\SystemPropertiesPerformance.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:576

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:1352

C:\Users\Admin\AppData\Local\XC1zdWe\p2phost.exe
C:\Users\Admin\AppData\Local\XC1zdWe\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:964

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\XC1zdWe\P2P.dll
MD5
27ab4fe59b22680b79eb65107b3d8a9e

SHA1
cbaa0269708bf51083c09f0bb3d58a5e425efbba

SHA256
25d1a5aa8d5f818de9e9496e040b1b698ab378522c72b35ab92bd699e4bce7e6

SHA512
addf5aacc20d00f7800c45c32ef5ee9eae519c3ec18316b8839376dcf8946bf76c76a8cc39d8f111a95d355e1cf735bbba889c6f6fe3aff1a0f3763c26231c30

Download Submit
C:\Users\Admin\AppData\Local\XC1zdWe\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
C:\Users\Admin\AppData\Local\lnYvz\SYSDM.CPL
MD5
d719dfb0f1f046fe16175b26f59cde74

SHA1
abb7b4e4bdc2d85fe3757fc3e91944543ee1a4d3

SHA256
89eebbe576b5af7cc7779b6f772ee1effd9b7c3b1110b49a8e1d57c66d750392

SHA512
4a7f4f2b706c4c55513b9dee2bab5ed8201e329972996b512e9a9e3a0b2c746375e94b94c8bbc945dac406a3d43d272585c692a5501c1db82838aebefcc5ff97

Download Submit
C:\Users\Admin\AppData\Local\lnYvz\SystemPropertiesPerformance.exe
MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
C:\Users\Admin\AppData\Local\xxXq\TAPI32.dll
MD5
cda571dd37ffee48d04585bd7bfb1313

SHA1
eceb78db826c36433937258c67080225d427f250

SHA256
cb330da8723a1123d38395864eb9e7052aacc2fd3d2e0aaf92bc524503797006

SHA512
5bc30596b23e5a262652c1d7d3e5654ce57c689f6f2dfcd1e17179a8453e9a97a3f048c28daeda12b1265adbbc5ee397bd8a33a14dad626c44e0bc0b1a324bc1

Download Submit
C:\Users\Admin\AppData\Local\xxXq\dialer.exe
MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
\Users\Admin\AppData\Local\XC1zdWe\P2P.dll
MD5
27ab4fe59b22680b79eb65107b3d8a9e

SHA1
cbaa0269708bf51083c09f0bb3d58a5e425efbba

SHA256
25d1a5aa8d5f818de9e9496e040b1b698ab378522c72b35ab92bd699e4bce7e6

SHA512
addf5aacc20d00f7800c45c32ef5ee9eae519c3ec18316b8839376dcf8946bf76c76a8cc39d8f111a95d355e1cf735bbba889c6f6fe3aff1a0f3763c26231c30

Download Submit
\Users\Admin\AppData\Local\XC1zdWe\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\lnYvz\SYSDM.CPL
MD5
d719dfb0f1f046fe16175b26f59cde74

SHA1
abb7b4e4bdc2d85fe3757fc3e91944543ee1a4d3

SHA256
89eebbe576b5af7cc7779b6f772ee1effd9b7c3b1110b49a8e1d57c66d750392

SHA512
4a7f4f2b706c4c55513b9dee2bab5ed8201e329972996b512e9a9e3a0b2c746375e94b94c8bbc945dac406a3d43d272585c692a5501c1db82838aebefcc5ff97

Download Submit
\Users\Admin\AppData\Local\lnYvz\SystemPropertiesPerformance.exe
MD5
870726cdcc241a92785572628b89cc07

SHA1
63d47cc4fe9beb75862add1abca1d8ae8235710a

SHA256
1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6

SHA512
89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

Download Submit
\Users\Admin\AppData\Local\xxXq\TAPI32.dll
MD5
cda571dd37ffee48d04585bd7bfb1313

SHA1
eceb78db826c36433937258c67080225d427f250

SHA256
cb330da8723a1123d38395864eb9e7052aacc2fd3d2e0aaf92bc524503797006

SHA512
5bc30596b23e5a262652c1d7d3e5654ce57c689f6f2dfcd1e17179a8453e9a97a3f048c28daeda12b1265adbbc5ee397bd8a33a14dad626c44e0bc0b1a324bc1

Download Submit
\Users\Admin\AppData\Local\xxXq\dialer.exe
MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\MvQN3Rl7S8O\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/576-24-0x000007FEF69C0000-0x000007FEF6C3A000-memory.dmp

Filesize
2.5MB

Download
memory/576-20-0x0000000000000000-mapping.dmp

Download
memory/576-25-0x0000000140000000-0x00000001400AF000-memory.dmp

Filesize
700KB

Download
memory/800-4-0x0000000140000000-0x0000000140085000-memory.dmp

Filesize
532KB

Download
memory/800-5-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/800-2-0x000007FEF69C0000-0x000007FEF6C3A000-memory.dmp

Filesize
2.5MB

Download
memory/800-3-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/964-33-0x000007FEF69C0000-0x000007FEF6C3A000-memory.dmp

Filesize
2.5MB

Download
memory/964-29-0x0000000000000000-mapping.dmp

Download
memory/1280-7-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1280-6-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1628-11-0x0000000000000000-mapping.dmp

Download
memory/1628-16-0x0000000140000000-0x00000001400B0000-memory.dmp

Filesize
704KB

Download
memory/1628-15-0x000007FEF69C0000-0x000007FEF6C3A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads