Analysis (score 10/10)
- max time kernel: 150s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-04-2021 13:05

This page shows the behavioral12 task: the Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll sample run on windows10_x64 (all signature hits below are tagged behavioral12).
Tasks

task | sample | resource
static1 | (static analysis of the submission) | -
behavioral1 | Dridex/Dridex.JhiSharp.dll.9d75ff0e9447ceb89c90cca24a1dbec1 .exe | win7v20210408
behavioral2 | Dridex/Dridex.JhiSharp.dll.9d75ff0e9447ceb89c90cca24a1dbec1 .exe | win10v20210410
behavioral3 | Dridex/DridexDroppedVBS.925da3a10f7dde802c8d87047b14fda6.exe | win7v20210408
behavioral4 | Dridex/DridexDroppedVBS.925da3a10f7dde802c8d87047b14fda6.exe | win10v20210410
behavioral5 | Dridex/DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601.exe | win7v20210408
behavioral6 | Dridex/DridexLoader.bin.exe.c26203af4b3e9c81a9e634178b603601.exe | win10v20210410
behavioral7 | Dridex/Trojan.Dridex.A. dbf96ab40b728c12951d317642fbd9da .exe | win7v20210408
behavioral8 | Dridex/Trojan.Dridex.A. dbf96ab40b728c12951d317642fbd9da .exe | win10v20210410
behavioral9 | Dridex/Trojan.Dridex.A.6164228ed2cc0eceba9ce1828d87d827.exe | win7v20210410
behavioral10 | Dridex/Trojan.Dridex.A.6164228ed2cc0eceba9ce1828d87d827.exe | win10v20210408
behavioral11 | Dridex/Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll | win7v20210410
behavioral12 | Dridex/Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll | win10v20210408
General
- Target: Dridex/Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll
- Size: 628KB
- MD5: 97a26d9e3598fea2e1715c6c77b645c2
- SHA1: c4bf3a00c9223201aa11178d0f0b53c761a551c4
- SHA256: e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
- SHA512: acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
Malware Config
Signatures

Dridex loader YARA match (dridex_ldr)  2 IoCs
resource | yara_rule
behavioral12/memory/860-114-0x00007FF91F460000-0x00007FF91F4FD000-memory.dmp | dridex_ldr
behavioral12/memory/3052-126-0x0000000140000000-0x000000014009D000-memory.dmp | dridex_ldr

The first hit is inside rundll32.exe (PID 860), the process that loaded the sample DLL. The second is in PID 3052, whose image the sandbox never resolved (it is reported as "Process not Found" throughout) and which goes on to start every other process in the tree below; the hit starts at 0x140000000, the default image base of a 64-bit executable, so a full PE image of the loader is mapped there.
Adds Run key to start application  2 TTPs  1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvhohwdqaanc = "C:\Users\Admin\AppData\Roaming\RJJjY\GamePanel.exe" (path stored quoted) | Process not Found

GamePanel.exe is a Windows binary (the process tree shows C:\Windows\system32\GamePanel.exe being launched as PID 2960). The Run value points instead at a copy under a freshly named AppData\Roaming\RJJjY\ directory, a placement consistent with DLL side-loading of a clean, signed host executable; the report does not capture that copy being written.
Drops file in System32 directory  2 IoCs
description | ioc | Process
File created | C:\Windows\system32\LMtOo0\sigverif.exe | cmd.exe
File opened for modification | C:\Windows\system32\LMtOo0\sigverif.exe | cmd.exe

The write is done by the cmd.exe running pTJj1.cmd (PID 1176); sigverif.exe is another Windows binary (run from System32 as PID 3652 in the tree), and this staged copy is the target of the scheduled task below.
Creates scheduled task(s)  1 TTPs  1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1788 | schtasks.exe

From the process tree, the command line is schtasks.exe /Create /F /TN "Lwgompprldmpd" /TR C:\Windows\system32\LMtOo0\sigverif.exe /SC minute /MO 60 /RL highest: the staged sigverif.exe copy is re-run every 60 minutes at the highest run level. The task is created from the cmd.exe that fodhelper.exe spawned (PIDs 2124 -> 3916 -> 1788), i.e. from the elevated context obtained by the registry tampering described next; the loader then queries the task five times to confirm it exists.
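Triage of the two persistence artefacts above (the Run value and the schtasks /Create command line), as an added example that is not part of the sandbox report. The input strings are constructed to match the report's entries; SYSTEM32_BINARIES and the path prefixes are assumptions limited to the two Windows binaries this report shows the loader using.

```python
"""Triage persistence artefacts of the kind this report lists: a Run-key value
and a schtasks /Create command line.

Added example, not part of the sandbox report. The sample strings below are
constructed to match the report's entries; SYSTEM32_BINARIES is an assumption
covering only the two Windows binaries the report shows being copied.
"""
import re
from pathlib import PureWindowsPath

# Stock Windows binaries seen in this report; a copy of one of them running
# from anywhere but System32 is the staging pattern used for DLL side-loading.
SYSTEM32_BINARIES = {"sigverif.exe", "gamepanel.exe"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE_PREFIX = "c:\\users\\"   # AppData, Temp, Desktop ...

# The schtasks options worth extracting; arguments may be quoted or bare.
SCHTASKS_OPT = re.compile(
    r'/(?P<name>TN|TR|SC|MO|RL)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE
)


def parse_schtasks(cmdline):
    """Map /TN, /TR, /SC, /MO and /RL of a schtasks /Create command line to their values."""
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        opts[m.group("name").upper()] = value
    return opts


def classify_image(path):
    """Reasons a launch target looks staged rather than legitimate (empty list = nothing odd)."""
    p = PureWindowsPath(path.strip('"'))
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if name in SYSTEM32_BINARIES and parent not in TRUSTED_DIRS:
        reasons.append(f"{p.name} is a System32 binary but runs from {p.parent} (side-loading staging)")
    if parent.startswith(USER_WRITABLE_PREFIX):
        reasons.append("image lives under a user-writable profile directory")
    return reasons


def triage_task(cmdline):
    """Findings for a schtasks /Create command line."""
    opts = parse_schtasks(cmdline)
    reasons = classify_image(opts.get("TR", ""))
    if opts.get("RL", "").lower() == "highest":
        reasons.append("task runs with highest privileges (/RL highest)")
    if opts.get("SC", "").lower() == "minute":
        reasons.append(f"task re-runs every {opts.get('MO', '1')} minute(s)")
    return {"name": opts.get("TN"), "image": opts.get("TR"), "reasons": reasons}


def triage_run_value(value_name, value_data):
    """Findings for one HKCU\\...\\CurrentVersion\\Run value."""
    image = value_data.strip('"')
    return {"name": value_name, "image": image, "reasons": classify_image(image)}


# Constructed inputs mirroring the report's scheduled task and Run value.
SAMPLE_TASK_CMD = (r'schtasks.exe /Create /F /TN "Lwgompprldmpd" '
                   r'/TR C:\Windows\system32\LMtOo0\sigverif.exe /SC minute /MO 60 /RL highest')
SAMPLE_RUN_VALUE = ("Rvhohwdqaanc", r'"C:\Users\Admin\AppData\Roaming\RJJjY\GamePanel.exe"')

if __name__ == "__main__":
    for finding in (triage_task(SAMPLE_TASK_CMD), triage_run_value(*SAMPLE_RUN_VALUE)):
        print(finding["name"], "->", finding["image"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The same two checks (known System32 name outside System32, any image under the user profile) are what you would run over a host's Run keys and task library; the point of keeping the binary allowlist small and explicit is that it stays reviewable, whereas a full System32 listing would hide the assumption.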
Modifies registry class  12 IoCs
(CLASSES below stands for \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes; every entry is attributed to "Process not Found", i.e. PID 3052)
description | ioc
Key deleted | CLASSES\ms-settings\shell
Key deleted | CLASSES\ms-settings
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created | CLASSES\ms-settings
Set value (str) | CLASSES\ms-settings\shell\open\command\ = "C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\YbtZRu.cmd"
Key created | CLASSES\ms-settings\shell\open
Set value (str) | CLASSES\ms-settings\shell\open\command\DelegateExecute
Key deleted | CLASSES\ms-settings\shell\open\command
Key deleted | CLASSES\ms-settings\shell\open
Key created | CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created | CLASSES\ms-settings\shell\open\command
Key created | CLASSES\ms-settings\shell

Read in execution order, the ms-settings entries are the fodhelper.exe UAC bypass: the loader creates ms-settings\shell\open\command in the per-user Classes hive, sets its default value to cmd.exe /c ...\YbtZRu.cmd, adds an empty DelegateExecute value so the command line is used, and then starts C:\Windows\System32\fodhelper.exe (PID 2124 in the process tree). fodhelper.exe auto-elevates and resolves the ms-settings handler from HKCU before HKLM, so the .cmd runs at high integrity with no prompt; that is where the /RL highest scheduled task is created. The keys are deleted afterwards to remove the trace. The two CLSID\...\Instance keys are recorded as created but are not explained by anything else in the report.
Suspicious behavior: EnumeratesProcesses  64 IoCs
pid | Process | events
860 | rundll32.exe | 8
3052 | Process not Found | 56

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
pid | Process
3052 | Process not Found

Suspicious use of AdjustPrivilegeToken  32 IoCs
description | pid | Process | events
Token: SeShutdownPrivilege | 3052 | Process not Found | 16
Token: SeCreatePagefilePrivilege | 3052 | Process not Found | 16
(the two tokens are requested alternately)

Suspicious use of FindShellTrayWindow  8 IoCs
pid | Process | events
3052 | Process not Found | 8

Suspicious use of SendNotifyMessage  3 IoCs
pid | Process | events
3052 | Process not Found | 3

Suspicious use of UnmapMainImage  1 IoCs
pid | Process
3052 | Process not Found

Suspicious use of WriteProcessMemory  34 IoCs
(each parent/child pair is recorded twice in the raw report; listed once here with the sandbox's procid_target)
pid | Process | wrote to memory of | procid_target
3052 | Process not Found | 2960 | 78
3052 | Process not Found | 3820 | 79
3052 | Process not Found | 3652 | 81
3052 | Process not Found | 1176 | 82
3052 | Process not Found | 2124 | 84
2124 | fodhelper.exe | 3916 | 85
3916 | cmd.exe | 1788 | 87
3052 | Process not Found | 3252 | 88
3252 | cmd.exe | 2848 | 90
3052 | Process not Found | 3044 | 91
3044 | cmd.exe | 1012 | 93
3052 | Process not Found | 1688 | 94
1688 | cmd.exe | 2220 | 96
3052 | Process not Found | 1856 | 97
1856 | cmd.exe | 3992 | 99
3052 | Process not Found | 60 | 100
60 | cmd.exe | 2248 | 102
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dridex\Trojan.Dridex.A.97a26d9e3598fea2e1715c6c77b645c2.dll,#1
  PID 860 | Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\GamePanel.exe
  C:\Windows\system32\GamePanel.exe
  PID 2960

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\v8oMZk.cmd
  PID 3820

C:\Windows\system32\sigverif.exe
  C:\Windows\system32\sigverif.exe
  PID 3652

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\pTJj1.cmd
  PID 1176 | Drops file in System32 directory

C:\Windows\System32\fodhelper.exe
  "C:\Windows\System32\fodhelper.exe"
  PID 2124 | Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\YbtZRu.cmd
      PID 3916 | Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe
          schtasks.exe /Create /F /TN "Lwgompprldmpd" /TR C:\Windows\system32\LMtOo0\sigverif.exe /SC minute /MO 60 /RL highest
          PID 1788 | Creates scheduled task(s)

C:\Windows\System32\cmd.exe  (five instances: PIDs 3252, 3044, 1688, 1856, 60; each tagged Suspicious use of WriteProcessMemory)
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Lwgompprldmpd"
    C:\Windows\system32\schtasks.exe  (PIDs 2848, 1012, 2220, 3992, 2248 respectively)
      schtasks.exe /Query /TN "Lwgompprldmpd"

Every entry after rundll32.exe is shown as a root because its parent, PID 3052, is missing from the tree: the WriteProcessMemory table attributes all ten of those launches (2960, 3820, 3652, 1176, 2124, 3252, 3044, 1688, 1856, 60) to 3052, which the sandbox only ever reports as "Process not Found" even though it carries the second dridex_ldr YARA hit. The sequence is: run the genuine GamePanel.exe and sigverif.exe from System32, drop two .cmd scripts, stage a sigverif.exe copy under System32\LMtOo0\, elevate through fodhelper.exe to register the hourly /RL highest task, then poll schtasks /Query five times to confirm the task exists.
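The fodhelper.exe bypass recorded in the registry signature and the process tree above, correlated into a single finding, as an added example that is not part of the sandbox report. The pipe-separated event format and the sample lines are constructed for this example (they mirror the report's registry and process events but are not sandbox output); the detector is the editor's, not a tria.ge feature.

```python
"""Correlate registry and process events into a fodhelper.exe UAC-bypass finding.

Added example, not part of the sandbox report. The event format
(kind|pid|image|detail) and the sample lines are constructed for this example;
they mirror the report's events but are not sandbox output.
"""
import re
from dataclasses import dataclass

# Default value of the per-user ms-settings handler ("...\command\") or its
# DelegateExecute value ("...\command\DelegateExecute"). fodhelper.exe is an
# auto-elevating binary that consults this user-writable key, so whatever is
# placed in the default value runs at high integrity without a UAC prompt.
MS_SETTINGS_CMD = re.compile(
    r"\\ms-settings\\shell\\open\\command\\(?P<name>DelegateExecute)?$", re.IGNORECASE
)
# Any of the ms-settings keys; a delete after the launch is the clean-up step.
MS_SETTINGS_KEY = re.compile(r"\\ms-settings(\\shell(\\open(\\command)?)?)?$", re.IGNORECASE)


@dataclass
class Event:
    kind: str    # reg_create | reg_set | reg_delete | proc_start
    pid: int
    image: str
    detail: str  # registry path (with "=value" for reg_set) or command line


def parse_events(text):
    """Parse pipe-separated event lines; '#' lines and blanks are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, pid, image, detail = line.split("|", 3)
        events.append(Event(kind, int(pid), image, detail))
    return events


def detect_fodhelper_bypass(events):
    """One finding per fodhelper.exe launch that follows a hijacked ms-settings handler."""
    findings = []
    staged = None  # pending hijack: who wrote the handler and what it runs
    for ev in events:
        if ev.kind == "reg_set":
            key, _, value = ev.detail.partition("=")
            m = MS_SETTINGS_CMD.search(key)
            if not m:
                continue
            if m.group("name"):          # DelegateExecute set, so the command line is used
                if staged is not None:
                    staged["delegate_execute_cleared"] = True
            else:                        # default value: the command fodhelper will run
                staged = {"written_by": ev.pid, "command": value.strip('"'),
                          "delegate_execute_cleared": False}
        elif ev.kind == "proc_start" and ev.image.lower().endswith("\\fodhelper.exe"):
            if staged is not None:       # launch with a hijacked handler in place
                findings.append(dict(staged, fodhelper_pid=ev.pid, cleaned_up=False))
                staged = None
        elif ev.kind == "reg_delete" and MS_SETTINGS_KEY.search(ev.detail):
            if findings:                 # keys removed afterwards: bypass used and tidied up
                findings[-1]["cleaned_up"] = True
    return findings


def findings_for(text):
    return detect_fodhelper_bypass(parse_events(text))


# Constructed to mirror the report's entries for PID 3052 and fodhelper.exe (PID 2124).
SAMPLE_EVENTS = r"""
# kind|pid|image|detail
reg_create|3052|Process not Found|\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command
reg_set|3052|Process not Found|\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\="C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\YbtZRu.cmd"
reg_set|3052|Process not Found|\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute=
proc_start|2124|C:\Windows\System32\fodhelper.exe|"C:\Windows\System32\fodhelper.exe"
proc_start|3916|C:\Windows\system32\cmd.exe|"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\YbtZRu.cmd
reg_delete|3052|Process not Found|\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command
reg_delete|3052|Process not Found|\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings
"""

if __name__ == "__main__":
    for f in findings_for(SAMPLE_EVENTS):
        print(f)
```

The detector deliberately keys on the sequence (handler written, then fodhelper.exe started) rather than on either event alone: a registry write to ms-settings with no elevated launch is noise from some installers, and a bare fodhelper.exe start is a user opening Optional Features. The clean-up flag matters for incident response, since by the time a host is examined the keys are usually gone and only the event trail remains.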