dridex | f025f6648a7f6974197106d60dd007b7fd8d07b64ba344a45a3a13d4f27a36fe

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7v20210408
submitted
15-09-2021 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f025f6648a7f6974197106d60dd007b7fd8d07b64ba344a45a3a13d4f27a36fe.dll
Size

1.9MB
MD5

1e9b0b70cdf360d0b18e097519ff669c
SHA1

d7f826da60ef7e74c9989f5e7dc94bd51bf5a4cb
SHA256

f025f6648a7f6974197106d60dd007b7fd8d07b64ba344a45a3a13d4f27a36fe
SHA512

98553a13caec28389568e21b9f5d24e5f6afcfafec20fec564ed0d54c42d7db6c534f0a7e781c95b0040c1b149dd3e833fceb978131c4e7b0efee6436798628b

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1244-64-0x0000000002BE0000-0x0000000002BE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

StikyNot.exeDWWIN.EXEp2phost.exe

pid process

1652 StikyNot.exe
428 DWWIN.EXE
380 p2phost.exe
Loads dropped DLL 7 IoCs

Processes:

StikyNot.exeDWWIN.EXEp2phost.exe

pid process

1244
1652 StikyNot.exe
1244
428 DWWIN.EXE
1244
380 p2phost.exe
1244

pid	process
1652	StikyNot.exe
428	DWWIN.EXE
380	p2phost.exe

pid	process
1244
1652	StikyNot.exe
1244
428	DWWIN.EXE
1244
380	p2phost.exe
1244

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\bCTSd\\DWWIN.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

p2phost.exerundll32.exeStikyNot.exeDWWIN.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	StikyNot.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1644	rundll32.exe
1644	rundll32.exe
1644	rundll32.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1244
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1244
1244
1244
1244
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1244
1244
1244
1244

pid	process
1244

pid	process
1244
1244
1244
1244

pid	process
1244
1244
1244
1244

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1244 wrote to memory of 1576	1244	StikyNot.exe
PID 1244 wrote to memory of 1576	1244	StikyNot.exe
PID 1244 wrote to memory of 1576	1244	StikyNot.exe
PID 1244 wrote to memory of 1652	1244	StikyNot.exe
PID 1244 wrote to memory of 1652	1244	StikyNot.exe
PID 1244 wrote to memory of 1652	1244	StikyNot.exe
PID 1244 wrote to memory of 744	1244	DWWIN.EXE
PID 1244 wrote to memory of 744	1244	DWWIN.EXE
PID 1244 wrote to memory of 744	1244	DWWIN.EXE
PID 1244 wrote to memory of 428	1244	DWWIN.EXE
PID 1244 wrote to memory of 428	1244	DWWIN.EXE
PID 1244 wrote to memory of 428	1244	DWWIN.EXE
PID 1244 wrote to memory of 2016	1244	p2phost.exe
PID 1244 wrote to memory of 2016	1244	p2phost.exe
PID 1244 wrote to memory of 2016	1244	p2phost.exe
PID 1244 wrote to memory of 380	1244	p2phost.exe
PID 1244 wrote to memory of 380	1244	p2phost.exe
PID 1244 wrote to memory of 380	1244	p2phost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f025f6648a7f6974197106d60dd007b7fd8d07b64ba344a45a3a13d4f27a36fe.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Windows\system32\StikyNot.exe
C:\Windows\system32\StikyNot.exe
1⤵
PID:1576

C:\Users\Admin\AppData\Local\i93\StikyNot.exe
C:\Users\Admin\AppData\Local\i93\StikyNot.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1652

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:744

C:\Users\Admin\AppData\Local\g7dztoZnu\DWWIN.EXE
C:\Users\Admin\AppData\Local\g7dztoZnu\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:428

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2016

C:\Users\Admin\AppData\Local\qqmHZuw\p2phost.exe
C:\Users\Admin\AppData\Local\qqmHZuw\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:380

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\g7dztoZnu\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\g7dztoZnu\wer.dll
MD5
3d4560b2c215d1dbd0f532e5d6ed6ca9

SHA1
4dbdfa3942d8a6f638ca2ac90792f43e4fd76a41

SHA256
1c60ce806b879a020dda621faed106c74680690f61975ee53a37cc9a2168941c

SHA512
765b008867e3baeba6e0a94a6a46b163f5400ae1c480aea6ae27b80a20fb3df36f4243dddc0a642210767fd6013071d85d0e34b6f4d2340b3ea756947b0f2ae8

Download Submit
C:\Users\Admin\AppData\Local\i93\StikyNot.exe
MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
C:\Users\Admin\AppData\Local\i93\dwmapi.dll
MD5
46067c3740dfcf7621c412f2a6e6df09

SHA1
fd3e1fd2f8a1cc100b921246c7eb57c36351495f

SHA256
0cdace13f24afed3ff9d3776131d0acc11a37a234a3edf80a59e28f9905f77d5

SHA512
3d6da597c1e910233dae1466678c98810871367b0e874293063c52c835b481e900c5ae3579ba79fd4d5ff228102966e6075635229550fc135cee5a9597acea48

Download Submit
C:\Users\Admin\AppData\Local\qqmHZuw\P2P.dll
MD5
17b40dc20854d49f7b424f607f909fb5

SHA1
f83d3874aece6627b2b7a90d5224e292c76d0b14

SHA256
ef9d868b979ea57dc19186a312eaf13d5fd80285b787faba62447bfaf8b4a406

SHA512
526418de34ac285040ee40e5720c47c86d0292cc6b7d6380f246d586b6e3a17a3390577bd0a66895b4a784cc9ce1af8edce936dbbf9c24ede3466038156dee58

Download Submit
C:\Users\Admin\AppData\Local\qqmHZuw\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\g7dztoZnu\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\g7dztoZnu\wer.dll
MD5
3d4560b2c215d1dbd0f532e5d6ed6ca9

SHA1
4dbdfa3942d8a6f638ca2ac90792f43e4fd76a41

SHA256
1c60ce806b879a020dda621faed106c74680690f61975ee53a37cc9a2168941c

SHA512
765b008867e3baeba6e0a94a6a46b163f5400ae1c480aea6ae27b80a20fb3df36f4243dddc0a642210767fd6013071d85d0e34b6f4d2340b3ea756947b0f2ae8

Download Submit
\Users\Admin\AppData\Local\i93\StikyNot.exe
MD5
b22cb67919ebad88b0e8bb9cda446010

SHA1
423a794d26d96d9f812d76d75fa89bffdc07d468

SHA256
2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128

SHA512
f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

Download Submit
\Users\Admin\AppData\Local\i93\dwmapi.dll
MD5
46067c3740dfcf7621c412f2a6e6df09

SHA1
fd3e1fd2f8a1cc100b921246c7eb57c36351495f

SHA256
0cdace13f24afed3ff9d3776131d0acc11a37a234a3edf80a59e28f9905f77d5

SHA512
3d6da597c1e910233dae1466678c98810871367b0e874293063c52c835b481e900c5ae3579ba79fd4d5ff228102966e6075635229550fc135cee5a9597acea48

Download Submit
\Users\Admin\AppData\Local\qqmHZuw\P2P.dll
MD5
17b40dc20854d49f7b424f607f909fb5

SHA1
f83d3874aece6627b2b7a90d5224e292c76d0b14

SHA256
ef9d868b979ea57dc19186a312eaf13d5fd80285b787faba62447bfaf8b4a406

SHA512
526418de34ac285040ee40e5720c47c86d0292cc6b7d6380f246d586b6e3a17a3390577bd0a66895b4a784cc9ce1af8edce936dbbf9c24ede3466038156dee58

Download Submit
\Users\Admin\AppData\Local\qqmHZuw\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\80Wpp8aO\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/380-114-0x0000000000000000-mapping.dmp

Download
memory/428-107-0x0000000000000000-mapping.dmp

Download
memory/1244-73-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-76-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-78-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-79-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-80-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-81-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-82-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-83-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-84-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-86-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-85-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-87-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-88-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-89-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-90-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-91-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-97-0x0000000076E90000-0x0000000076E92000-memory.dmp

Filesize
8KB

Download
memory/1244-77-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-62-0x0000000002B30000-0x0000000002B40000-memory.dmp

Filesize
64KB

Download
memory/1244-75-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-74-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-64-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/1244-66-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-65-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-72-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-71-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-70-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-69-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-68-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1244-67-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1644-60-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/1644-63-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/1652-104-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1652-101-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/1652-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads