dridex | 7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a

Analysis

max time kernel
152s
max time network
155s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-09-2021 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a.dll
Size

2.0MB
MD5

a75be08d11b5028b6e0fa8be59676599
SHA1

c47a48e04dc10641df07dba7dbbb73602e6615aa
SHA256

7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a
SHA512

444d9ddbdbfac48953e01df6ed9376a78de22f6ae5d8155e5325a8482c228f96c099985ac4b9fd2e5447090380e535bdad59f59b7ebfa20578cd2038262a53b8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1268-57-0x0000000002A80000-0x0000000002A81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

lpksetup.exeDWWIN.EXErdpinit.exe

pid process

1952 lpksetup.exe
432 DWWIN.EXE
1164 rdpinit.exe
Loads dropped DLL 7 IoCs

Processes:

lpksetup.exeDWWIN.EXErdpinit.exe

pid process

1268
1952 lpksetup.exe
1268
432 DWWIN.EXE
1268
1164 rdpinit.exe
1268

pid	process
1952	lpksetup.exe
432	DWWIN.EXE
1164	rdpinit.exe

pid	process
1268
1952	lpksetup.exe
1268
432	DWWIN.EXE
1268
1164	rdpinit.exe
1268

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\eoLut\\DWWIN.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lpksetup.exeDWWIN.EXErdpinit.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2040	rundll32.exe
2040	rundll32.exe
2040	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1268
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1268
1268
1268
1268
Suspicious use of SendNotifyMessage 10 IoCs

Processes:

pid process

1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

pid	process
1268

pid	process
1268
1268
1268
1268

pid	process
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 840	1268	lpksetup.exe
PID 1268 wrote to memory of 840	1268	lpksetup.exe
PID 1268 wrote to memory of 840	1268	lpksetup.exe
PID 1268 wrote to memory of 1952	1268	lpksetup.exe
PID 1268 wrote to memory of 1952	1268	lpksetup.exe
PID 1268 wrote to memory of 1952	1268	lpksetup.exe
PID 1268 wrote to memory of 1128	1268	DWWIN.EXE
PID 1268 wrote to memory of 1128	1268	DWWIN.EXE
PID 1268 wrote to memory of 1128	1268	DWWIN.EXE
PID 1268 wrote to memory of 432	1268	DWWIN.EXE
PID 1268 wrote to memory of 432	1268	DWWIN.EXE
PID 1268 wrote to memory of 432	1268	DWWIN.EXE
PID 1268 wrote to memory of 1068	1268	rdpinit.exe
PID 1268 wrote to memory of 1068	1268	rdpinit.exe
PID 1268 wrote to memory of 1068	1268	rdpinit.exe
PID 1268 wrote to memory of 1164	1268	rdpinit.exe
PID 1268 wrote to memory of 1164	1268	rdpinit.exe
PID 1268 wrote to memory of 1164	1268	rdpinit.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7500211dd9ce4e45664ae07e4eb58ca361c4551f1c2b52d00bb0da547e9cdc2a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:840

C:\Users\Admin\AppData\Local\Jlwa9Xk1\lpksetup.exe
C:\Users\Admin\AppData\Local\Jlwa9Xk1\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1952

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:1128

C:\Users\Admin\AppData\Local\eEshZx4mh\DWWIN.EXE
C:\Users\Admin\AppData\Local\eEshZx4mh\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:432

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1068

C:\Users\Admin\AppData\Local\WBlfdUO\rdpinit.exe
C:\Users\Admin\AppData\Local\WBlfdUO\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1164

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Jlwa9Xk1\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
C:\Users\Admin\AppData\Local\Jlwa9Xk1\slc.dll
MD5
6d4358f9fc1c1cf56c8b867cc05c7fe6

SHA1
9fe73ed2803f3121532613a86a0490ba9b6a9416

SHA256
dedd1c89b7e30006b3165c84f8799df72c1d04a5f68ba2d60143a0279ae08abf

SHA512
803ce618d1f6c1fe9530132a4abba85233167100c147497d5f5f40c2c4c48534480ae47d0dd29d8a49edac53a117c8fc16a52bb16c11022d8eff83d34647b423

Download Submit
C:\Users\Admin\AppData\Local\WBlfdUO\rdpinit.exe
MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
C:\Users\Admin\AppData\Local\WBlfdUO\slc.dll
MD5
a881b032a54171c3f6ce69aad6c8df14

SHA1
81ea6f5f22722f21c04bfc3b2124400c9d8bc418

SHA256
51b65ee67c75833405aa62fcafab289697d2c1acacb2c5a1b72186cb5786a1da

SHA512
71b75ab689f806331dce7d7a78feaffc9abb4b3f40fb87985a6865b5997f96921bacb9ebdfc8c96fbcbcbd155b96fd4e1209e145682cab269ba2217df61f9c6e

Download Submit
C:\Users\Admin\AppData\Local\eEshZx4mh\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\eEshZx4mh\wer.dll
MD5
13055b677525fe980b038654db771257

SHA1
2cf7025dcc100ba60d995e33192dd817568d1303

SHA256
36cf2e82308572caf918d28af238d8cdf7a33333dc737b39d102b50b72866fbb

SHA512
b9fe5f2c409ccee324c6ac8ba3f3a04304f0e5895ae6f7ae95d711983c3b0bbddd2726a6ab5c7d1aa8e7ea93637d1b32289094e01b512113b651d8548e2c0d79

Download Submit
\Users\Admin\AppData\Local\Jlwa9Xk1\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\Jlwa9Xk1\slc.dll
MD5
6d4358f9fc1c1cf56c8b867cc05c7fe6

SHA1
9fe73ed2803f3121532613a86a0490ba9b6a9416

SHA256
dedd1c89b7e30006b3165c84f8799df72c1d04a5f68ba2d60143a0279ae08abf

SHA512
803ce618d1f6c1fe9530132a4abba85233167100c147497d5f5f40c2c4c48534480ae47d0dd29d8a49edac53a117c8fc16a52bb16c11022d8eff83d34647b423

Download Submit
\Users\Admin\AppData\Local\WBlfdUO\rdpinit.exe
MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\WBlfdUO\slc.dll
MD5
a881b032a54171c3f6ce69aad6c8df14

SHA1
81ea6f5f22722f21c04bfc3b2124400c9d8bc418

SHA256
51b65ee67c75833405aa62fcafab289697d2c1acacb2c5a1b72186cb5786a1da

SHA512
71b75ab689f806331dce7d7a78feaffc9abb4b3f40fb87985a6865b5997f96921bacb9ebdfc8c96fbcbcbd155b96fd4e1209e145682cab269ba2217df61f9c6e

Download Submit
\Users\Admin\AppData\Local\eEshZx4mh\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\eEshZx4mh\wer.dll
MD5
13055b677525fe980b038654db771257

SHA1
2cf7025dcc100ba60d995e33192dd817568d1303

SHA256
36cf2e82308572caf918d28af238d8cdf7a33333dc737b39d102b50b72866fbb

SHA512
b9fe5f2c409ccee324c6ac8ba3f3a04304f0e5895ae6f7ae95d711983c3b0bbddd2726a6ab5c7d1aa8e7ea93637d1b32289094e01b512113b651d8548e2c0d79

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\SystemExtensionsDev\UeaERixjk3g\rdpinit.exe
MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
memory/432-111-0x0000000000000000-mapping.dmp

Download
memory/1164-118-0x0000000000000000-mapping.dmp

Download
memory/1268-72-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-61-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-95-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-94-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-91-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-89-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-86-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-87-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-84-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-82-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-81-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-80-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-78-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-76-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-74-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-57-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1268-71-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-69-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-68-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-66-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-65-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-64-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-62-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-93-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-59-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-58-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-101-0x0000000076E70000-0x0000000076E72000-memory.dmp

Filesize
8KB

Download
memory/1268-92-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-90-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-60-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-88-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-63-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-85-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-67-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-83-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-79-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-77-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-75-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-73-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1268-70-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1952-108-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1952-103-0x0000000000000000-mapping.dmp

Download
memory/1952-105-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/2040-54-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2040-56-0x0000000000240000-0x0000000000247000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads