dridex | 507b6645ae27e145dea7b078c9c93ec52bf5638a97e7f90742705796d3083a67

Analysis

max time kernel
166s
max time network
143s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

507b6645ae27e145dea7b078c9c93ec52bf5638a97e7f90742705796d3083a67.dll
Size

1.9MB
MD5

264383b432afdce3f476f25a46148ea7
SHA1

1f2161f0e23a009738115de166ef77a362dff729
SHA256

507b6645ae27e145dea7b078c9c93ec52bf5638a97e7f90742705796d3083a67
SHA512

8ec9d8e57058ee4ad12fd6971b4436e9d2cc3928d9cbd1f479279814864b25146705b54f0576fa51b882475e63f111e48f990a26ac8b1237175e6cb49132c848

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1244-56-0x0000000002A50000-0x0000000002A51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

psr.exemstsc.exeddodiag.exe

pid process

1064 psr.exe
1604 mstsc.exe
1756 ddodiag.exe
Loads dropped DLL 7 IoCs

Processes:

psr.exemstsc.exeddodiag.exe

pid process

1244
1064 psr.exe
1244
1604 mstsc.exe
1244
1756 ddodiag.exe
1244

pid	process
1064	psr.exe
1604	mstsc.exe
1756	ddodiag.exe

pid	process
1244
1064	psr.exe
1244
1604	mstsc.exe
1244
1756	ddodiag.exe
1244

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gtdwm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\t3Xf8AFP\\mstsc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exepsr.exemstsc.exeddodiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstsc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1944	rundll32.exe
1944	rundll32.exe
1944	rundll32.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1244
Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

pid process

1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
Suspicious use of SendNotifyMessage 13 IoCs

Processes:

pid process

1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

pid	process
1244

pid	process
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

pid	process
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1244 wrote to memory of 624	1244	psr.exe
PID 1244 wrote to memory of 624	1244	psr.exe
PID 1244 wrote to memory of 624	1244	psr.exe
PID 1244 wrote to memory of 1064	1244	psr.exe
PID 1244 wrote to memory of 1064	1244	psr.exe
PID 1244 wrote to memory of 1064	1244	psr.exe
PID 1244 wrote to memory of 1116	1244	mstsc.exe
PID 1244 wrote to memory of 1116	1244	mstsc.exe
PID 1244 wrote to memory of 1116	1244	mstsc.exe
PID 1244 wrote to memory of 1604	1244	mstsc.exe
PID 1244 wrote to memory of 1604	1244	mstsc.exe
PID 1244 wrote to memory of 1604	1244	mstsc.exe
PID 1244 wrote to memory of 584	1244	ddodiag.exe
PID 1244 wrote to memory of 584	1244	ddodiag.exe
PID 1244 wrote to memory of 584	1244	ddodiag.exe
PID 1244 wrote to memory of 1756	1244	ddodiag.exe
PID 1244 wrote to memory of 1756	1244	ddodiag.exe
PID 1244 wrote to memory of 1756	1244	ddodiag.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\507b6645ae27e145dea7b078c9c93ec52bf5638a97e7f90742705796d3083a67.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1944

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:624

C:\Users\Admin\AppData\Local\0S7q6\psr.exe
C:\Users\Admin\AppData\Local\0S7q6\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1064

C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
1⤵
PID:1116

C:\Users\Admin\AppData\Local\TJY\mstsc.exe
C:\Users\Admin\AppData\Local\TJY\mstsc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1604

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:584

C:\Users\Admin\AppData\Local\SIs2na\ddodiag.exe
C:\Users\Admin\AppData\Local\SIs2na\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1756

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0S7q6\XmlLite.dll
MD5
f9d4a7d17e0967d13613dddb41e3b7d0

SHA1
d7eca9cf0376e8c6486890056f7c3388a7fd7979

SHA256
512778409e4781e18c9fb012996efdaa566f402e6c293ea69bf655180b675c7a

SHA512
9c2b0dd536d178be907c75eb0943871bfc5f4156629135096bf43034b22df8e0ce282ff46d4b42c0307ce3f2f9864e4429f83bf595d5c61f2dc9de561c9c426f

Download Submit
C:\Users\Admin\AppData\Local\0S7q6\psr.exe
MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
C:\Users\Admin\AppData\Local\SIs2na\XmlLite.dll
MD5
317e6f00e5081252dcf43ee8cfbaff49

SHA1
5576c9f74dcb57ed8daac393eb055083f28cc985

SHA256
82f7378329eaad981fa719b1ebd92d5e9a36f8ab1b95980c656aaff97247b61a

SHA512
5d9f45d2c4c841a26ec8290af3bb673cfbf820728fa41b9929084cc41c580e20286637f46d95856313b828ae1bce1038daf14cef187de336d3ce9e9e402169cc

Download Submit
C:\Users\Admin\AppData\Local\SIs2na\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
C:\Users\Admin\AppData\Local\TJY\WINMM.dll
MD5
0d949fceca2b0fc006ca8e63adb5f39c

SHA1
7a4ab44fd99e5f9e4559be6faa4a26b7fd0044a2

SHA256
ec89ad3c37e8ba89c2cc61a0be04b3dd987f29c0b9af438ef37f6e3a3e48ec46

SHA512
9b10f8b4fa74f66839d8efa202c6b9564911fc3dcbe035c3788bb4fefde931fc215316f1138a0706d6516361ab17b4882c1b184da817fa57113aa236e0abd9af

Download Submit
C:\Users\Admin\AppData\Local\TJY\mstsc.exe
MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\Users\Admin\AppData\Local\0S7q6\XmlLite.dll
MD5
f9d4a7d17e0967d13613dddb41e3b7d0

SHA1
d7eca9cf0376e8c6486890056f7c3388a7fd7979

SHA256
512778409e4781e18c9fb012996efdaa566f402e6c293ea69bf655180b675c7a

SHA512
9c2b0dd536d178be907c75eb0943871bfc5f4156629135096bf43034b22df8e0ce282ff46d4b42c0307ce3f2f9864e4429f83bf595d5c61f2dc9de561c9c426f

Download Submit
\Users\Admin\AppData\Local\0S7q6\psr.exe
MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\SIs2na\XmlLite.dll
MD5
317e6f00e5081252dcf43ee8cfbaff49

SHA1
5576c9f74dcb57ed8daac393eb055083f28cc985

SHA256
82f7378329eaad981fa719b1ebd92d5e9a36f8ab1b95980c656aaff97247b61a

SHA512
5d9f45d2c4c841a26ec8290af3bb673cfbf820728fa41b9929084cc41c580e20286637f46d95856313b828ae1bce1038daf14cef187de336d3ce9e9e402169cc

Download Submit
\Users\Admin\AppData\Local\SIs2na\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\TJY\WINMM.dll
MD5
0d949fceca2b0fc006ca8e63adb5f39c

SHA1
7a4ab44fd99e5f9e4559be6faa4a26b7fd0044a2

SHA256
ec89ad3c37e8ba89c2cc61a0be04b3dd987f29c0b9af438ef37f6e3a3e48ec46

SHA512
9b10f8b4fa74f66839d8efa202c6b9564911fc3dcbe035c3788bb4fefde931fc215316f1138a0706d6516361ab17b4882c1b184da817fa57113aa236e0abd9af

Download Submit
\Users\Admin\AppData\Local\TJY\mstsc.exe
MD5
50f739538ef014b2e7ec59431749d838

SHA1
b439762b8efe8cfb977e7374c11a7e4d8ed05eb3

SHA256
85c510c7fa8d64c70886ea01ec99e7b9064594f021a95b4cf88359421e732be3

SHA512
02e231ddc4ac012c597b9db42f8a77fbf35ca8253c030d443a0dd4db3d76a9ee1cced600f12d7bb06305e7a4da4a8fda980faad335adcb12738d80d453cb3cc8

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\ITTBTdrI\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
memory/1064-120-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/1064-117-0x000007FEFC401000-0x000007FEFC403000-memory.dmp

Filesize
8KB

Download
memory/1064-115-0x0000000000000000-mapping.dmp

Download
memory/1244-80-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-67-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-104-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-106-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-107-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-105-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-103-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-101-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-99-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-98-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-96-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-95-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-93-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-90-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-91-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-88-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-86-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-84-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-83-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-82-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-56-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1244-77-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-78-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-74-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-75-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-73-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-71-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-70-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-69-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-102-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-66-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-64-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-65-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-62-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-61-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-60-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-58-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-57-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-113-0x0000000077D30000-0x0000000077D32000-memory.dmp

Filesize
8KB

Download
memory/1244-100-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-97-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-94-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-92-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-89-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-87-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-85-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-81-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-59-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-79-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-76-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-72-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-63-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1244-68-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1604-128-0x0000000140000000-0x00000001401E6000-memory.dmp

Filesize
1.9MB

Download
memory/1604-123-0x0000000000000000-mapping.dmp

Download
memory/1756-131-0x0000000000000000-mapping.dmp

Download
memory/1944-53-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/1944-55-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads