Analysis
Score: 10
Max time kernel: 151s
Max time network: 8s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 15-04-2021 13:05
Tasks
Static task: static1
Behavioral task behavioral1: Dridex/Dridex.JhiSharp.dll.9d75ff0e9447ceb89c90cca24a1dbec1 .exe (resource win7v20210408)
Behavioral task behavioral2: Dridex/Dridex.JhiSharp.dll.9d75ff0e9447ceb89c90cca24a1dbec1 .exe (resource win10v20210410)
Behavioral task behavioral3: Dridex/DridexDroppedVBS.925da3a10f7dde802c8d87047b14fda6.exe (resource win7v20210408)
Behavioral task behavioral4: Dridex/DridexDroppedVBS.925da3a10f7dde802c8d87047b14fda6.exe (resource win10v20210410)
Behavioral task behavioral5: Dridex/DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601.exe (resource win7v20210408)
Behavioral task behavioral6: Dridex/DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601.exe (resource win10v20210410)
Behavioral task behavioral7: Dridex/Trojan.Dridex.A. dbf96ab40b728c12951d317642fbd9da .exe (resource win7v20210408)
Behavioral task behavioral8: Dridex/Trojan.Dridex.A. dbf96ab40b728c12951d317642fbd9da .exe (resource win10v20210410)
Behavioral task behavioral9: Dridex/Trojan.Dridex.A.6164228ed2cc0eceba9ce1828d87d827.exe (resource win7v20210410)
Behavioral task behavioral10: Dridex/Trojan.Dridex.A.6164228ed2cc0eceba9ce1828d87d827.exe (resource win10v20210408)
Behavioral task behavioral11: Dridex/Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll (resource win7v20210410)
Behavioral task behavioral12: Dridex/Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll (resource win10v20210408)
General
Target: Dridex/Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll
Size: 628KB
MD5: 97a26d9e3598fea2e1715c6c77b645c2
SHA1: c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256: e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512: acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
Malware Config
Signatures

YARA rule matches (2 IoCs)
    resource: behavioral11/memory/1084-60-0x000007FEF77A0000-0x000007FEF783D000-memory.dmp    yara_rule: dridex_ldr
    resource: behavioral11/memory/1288-69-0x0000000140000000-0x000000014009D000-memory.dmp    yara_rule: dridex_ldr

Loads dropped DLL (1 IoC)
    pid 1288    Process not Found

Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str)    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srlqp = "\"C:\\Users\\Admin\\AppData\\Roaming\\96Rx\\rstrui.exe\""    Process not Found

Drops file in System32 directory (2 IoCs)
    File opened for modification    C:\Windows\system32\4sef\TpmInit.exe    cmd.exe
    File created    C:\Windows\system32\4sef\TpmInit.exe    cmd.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid 1144    schtasks.exe

Modifies registry class (9 IoCs)
    Key deleted    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile\shell\open    Process not Found
    Key deleted    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile\shell    Process not Found
    Key deleted    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile    Process not Found
    Key created    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile\shell\open\command    Process not Found
    Key created    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile\shell\open    Process not Found
    Key deleted    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile\shell\open\command    Process not Found
    Key created    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile    Process not Found
    Key created    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile\shell    Process not Found
    Set value (str)    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\ixvqugu.cmd"    Process not Found

Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid 1084    rundll32.exe    (3 entries)
    pid 1288    Process not Found    (61 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid 1288    Process not Found

Suspicious use of FindShellTrayWindow (4 IoCs)
    pid 1288    Process not Found    (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
    pid 1288    Process not Found    (4 entries)

Suspicious use of WriteProcessMemory (51 IoCs; each line below was recorded 3 times)
    PID 1288 wrote to memory of 1120    pid 1288    Process not Found    procid_target 29
    PID 1288 wrote to memory of 804     pid 1288    Process not Found    procid_target 30
    PID 1288 wrote to memory of 620     pid 1288    Process not Found    procid_target 32
    PID 1288 wrote to memory of 776     pid 1288    Process not Found    procid_target 33
    PID 1288 wrote to memory of 924     pid 1288    Process not Found    procid_target 35
    PID 924 wrote to memory of 320      pid 924     eventvwr.exe         procid_target 36
    PID 320 wrote to memory of 1144     pid 320     cmd.exe              procid_target 38
    PID 1288 wrote to memory of 892     pid 1288    Process not Found    procid_target 39
    PID 892 wrote to memory of 1208     pid 892     cmd.exe              procid_target 41
    PID 1288 wrote to memory of 1616    pid 1288    Process not Found    procid_target 42
    PID 1616 wrote to memory of 532     pid 1616    cmd.exe              procid_target 44
    PID 1288 wrote to memory of 1684    pid 1288    Process not Found    procid_target 45
    PID 1684 wrote to memory of 1600    pid 1684    cmd.exe              procid_target 47
    PID 1288 wrote to memory of 1352    pid 1288    Process not Found    procid_target 48
    PID 1352 wrote to memory of 1336    pid 1352    cmd.exe              procid_target 50
    PID 1288 wrote to memory of 1472    pid 1288    Process not Found    procid_target 51
    PID 1472 wrote to memory of 1592    pid 1472    cmd.exe              procid_target 53
Processes

C:\Windows\system32\rundll32.exe (PID 1084)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dridex\Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll,#1
    Signatures: Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\rstrui.exe (PID 1120)
    Command line: C:\Windows\system32\rstrui.exe

C:\Windows\System32\cmd.exe (PID 804)
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\YpT.cmd

C:\Windows\system32\TpmInit.exe (PID 620)
    Command line: C:\Windows\system32\TpmInit.exe

C:\Windows\System32\cmd.exe (PID 776)
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\UV9SGFW.cmd
    Signatures: Drops file in System32 directory

C:\Windows\System32\eventvwr.exe (PID 924)
    Command line: "C:\Windows\System32\eventvwr.exe"
    Signatures: Suspicious use of WriteProcessMemory
    └─ C:\Windows\system32\cmd.exe (PID 320)
           Command line: "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ixvqugu.cmd
           Signatures: Suspicious use of WriteProcessMemory
           └─ C:\Windows\system32\schtasks.exe (PID 1144)
                  Command line: schtasks.exe /Create /F /TN "Qeyhkuisg" /TR C:\Windows\system32\4sef\TpmInit.exe /SC minute /MO 60 /RL highest
                  Signatures: Creates scheduled task(s)

C:\Windows\System32\cmd.exe (PID 892)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qeyhkuisg"
    Signatures: Suspicious use of WriteProcessMemory
    └─ C:\Windows\system32\schtasks.exe (PID 1208)
           Command line: schtasks.exe /Query /TN "Qeyhkuisg"

C:\Windows\System32\cmd.exe (PID 1616)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qeyhkuisg"
    Signatures: Suspicious use of WriteProcessMemory
    └─ C:\Windows\system32\schtasks.exe (PID 532)
           Command line: schtasks.exe /Query /TN "Qeyhkuisg"

C:\Windows\System32\cmd.exe (PID 1684)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qeyhkuisg"
    Signatures: Suspicious use of WriteProcessMemory
    └─ C:\Windows\system32\schtasks.exe (PID 1600)
           Command line: schtasks.exe /Query /TN "Qeyhkuisg"

C:\Windows\System32\cmd.exe (PID 1352)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qeyhkuisg"
    Signatures: Suspicious use of WriteProcessMemory
    └─ C:\Windows\system32\schtasks.exe (PID 1336)
           Command line: schtasks.exe /Query /TN "Qeyhkuisg"

C:\Windows\System32\cmd.exe (PID 1472)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qeyhkuisg"
    Signatures: Suspicious use of WriteProcessMemory
    └─ C:\Windows\system32\schtasks.exe (PID 1592)
           Command line: schtasks.exe /Query /TN "Qeyhkuisg"