dridex | 67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804

Analysis

max time kernel
150s
max time network
53s
platform
windows7_x64
resource
win7v20210408
submitted
28-09-2021 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804.dll
Size

1.7MB
MD5

6966f6e2c68c1f536d63b50bb966c031
SHA1

c10eace5e0b5c0531895ed1d02332e3e8bd0fd32
SHA256

67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804
SHA512

365cefcf86f2d1b12e59d819c3dda9733003592a6a3cbf010b15d543547f2de2038dc659301a3f454881b76c644d929bb24c382bb70b349a621f95047457c19f

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1252-62-0x0000000002220000-0x0000000002221000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wisptis.exevmicsvc.exeicardagt.exe

pid process

1264 wisptis.exe
616 vmicsvc.exe
524 icardagt.exe
Loads dropped DLL 7 IoCs

Processes:

wisptis.exevmicsvc.exeicardagt.exe

pid process

1252
1264 wisptis.exe
1252
616 vmicsvc.exe
1252
524 icardagt.exe
1252

pid	process
1264	wisptis.exe
616	vmicsvc.exe
524	icardagt.exe

pid	process
1252
1264	wisptis.exe
1252
616	vmicsvc.exe
1252
524	icardagt.exe
1252

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\B1Q8\\vmicsvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewisptis.exevmicsvc.exeicardagt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vmicsvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1208	rundll32.exe
1208	rundll32.exe
1208	rundll32.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1252
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1252
1252
1252
1252
1252
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1252
1252
1252
1252

pid	process
1252

pid	process
1252
1252
1252
1252
1252

pid	process
1252
1252
1252
1252

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1252 wrote to memory of 1220	1252	wisptis.exe
PID 1252 wrote to memory of 1220	1252	wisptis.exe
PID 1252 wrote to memory of 1220	1252	wisptis.exe
PID 1252 wrote to memory of 1264	1252	wisptis.exe
PID 1252 wrote to memory of 1264	1252	wisptis.exe
PID 1252 wrote to memory of 1264	1252	wisptis.exe
PID 1252 wrote to memory of 1200	1252	vmicsvc.exe
PID 1252 wrote to memory of 1200	1252	vmicsvc.exe
PID 1252 wrote to memory of 1200	1252	vmicsvc.exe
PID 1252 wrote to memory of 616	1252	vmicsvc.exe
PID 1252 wrote to memory of 616	1252	vmicsvc.exe
PID 1252 wrote to memory of 616	1252	vmicsvc.exe
PID 1252 wrote to memory of 1360	1252	icardagt.exe
PID 1252 wrote to memory of 1360	1252	icardagt.exe
PID 1252 wrote to memory of 1360	1252	icardagt.exe
PID 1252 wrote to memory of 524	1252	icardagt.exe
PID 1252 wrote to memory of 524	1252	icardagt.exe
PID 1252 wrote to memory of 524	1252	icardagt.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1208

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:1220

C:\Users\Admin\AppData\Local\NE1\wisptis.exe
C:\Users\Admin\AppData\Local\NE1\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1264

C:\Windows\system32\vmicsvc.exe
C:\Windows\system32\vmicsvc.exe
1⤵
PID:1200

C:\Users\Admin\AppData\Local\w5I9U8\vmicsvc.exe
C:\Users\Admin\AppData\Local\w5I9U8\vmicsvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:616

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:1360

C:\Users\Admin\AppData\Local\I7LxDEa\icardagt.exe
C:\Users\Admin\AppData\Local\I7LxDEa\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\I7LxDEa\UxTheme.dll
MD5
3cb3f3dd516714c8f670937de6822358

SHA1
d7f7b886ab5d08c5828062c8de793f944c34f356

SHA256
6608b3d1f0eecac71e27fdb409530f88cd00904812566e2b14a432334dfe1aea

SHA512
027e96332b75c760ee9875e8e75ebd2a9605c146342483eaa452682eaf946cd61bf210d1939c7b8490c4701ff46c2dc5624fe915e833b60c93e2db57a196f63a

Download Submit
C:\Users\Admin\AppData\Local\I7LxDEa\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
C:\Users\Admin\AppData\Local\NE1\WTSAPI32.dll
MD5
d893951155092e34bbdba2171431038a

SHA1
114db288441358c7526d11ce99e83006595a0f1a

SHA256
2562e2e1629fb3486f3aafa42ad358e6a4d6c860f7decb7c60d628a06b3da04d

SHA512
b9ec7a82fe1a693104985bae40da83898b51f5eca3cf8b99514faf1df710e50f4874806ea0d805666e90c5596035f179b8038b9c0c585a8bb3bba8d65039726d

Download Submit
C:\Users\Admin\AppData\Local\NE1\wisptis.exe
MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
C:\Users\Admin\AppData\Local\w5I9U8\ACTIVEDS.dll
MD5
6e2402e8d81978a3ee726b8e45ac4a0f

SHA1
b0ca3ed78bf6a627bc896a75b58dcc958ad412e8

SHA256
fa630b0f17788f2d3363e84e2299d736e8611444aee02fbdf68eaad1980af9c7

SHA512
0fca4070d38ab16b4fc780150f459610e3b131f835c1da36c879eb71f0b55ce09ff7018d28e7ff2c8876043e10ec0231f83d05388fde8fc3f33cb896fb8b8c15

Download Submit
C:\Users\Admin\AppData\Local\w5I9U8\vmicsvc.exe
MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Local\I7LxDEa\UxTheme.dll
MD5
3cb3f3dd516714c8f670937de6822358

SHA1
d7f7b886ab5d08c5828062c8de793f944c34f356

SHA256
6608b3d1f0eecac71e27fdb409530f88cd00904812566e2b14a432334dfe1aea

SHA512
027e96332b75c760ee9875e8e75ebd2a9605c146342483eaa452682eaf946cd61bf210d1939c7b8490c4701ff46c2dc5624fe915e833b60c93e2db57a196f63a

Download Submit
\Users\Admin\AppData\Local\I7LxDEa\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\NE1\WTSAPI32.dll
MD5
d893951155092e34bbdba2171431038a

SHA1
114db288441358c7526d11ce99e83006595a0f1a

SHA256
2562e2e1629fb3486f3aafa42ad358e6a4d6c860f7decb7c60d628a06b3da04d

SHA512
b9ec7a82fe1a693104985bae40da83898b51f5eca3cf8b99514faf1df710e50f4874806ea0d805666e90c5596035f179b8038b9c0c585a8bb3bba8d65039726d

Download Submit
\Users\Admin\AppData\Local\NE1\wisptis.exe
MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
\Users\Admin\AppData\Local\w5I9U8\ACTIVEDS.dll
MD5
6e2402e8d81978a3ee726b8e45ac4a0f

SHA1
b0ca3ed78bf6a627bc896a75b58dcc958ad412e8

SHA256
fa630b0f17788f2d3363e84e2299d736e8611444aee02fbdf68eaad1980af9c7

SHA512
0fca4070d38ab16b4fc780150f459610e3b131f835c1da36c879eb71f0b55ce09ff7018d28e7ff2c8876043e10ec0231f83d05388fde8fc3f33cb896fb8b8c15

Download Submit
\Users\Admin\AppData\Local\w5I9U8\vmicsvc.exe
MD5
79e14b291ca96a02f1eb22bd721deccd

SHA1
4c8dbff611acd8a92cd2280239f78bebd2a9947e

SHA256
d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8

SHA512
f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E8tqiuNU\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
memory/524-116-0x0000000000000000-mapping.dmp

Download
memory/524-118-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/616-109-0x0000000000000000-mapping.dmp

Download
memory/1208-59-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1208-61-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1252-83-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-100-0x0000000077320000-0x0000000077322000-memory.dmp

Filesize
8KB

Download
memory/1252-85-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-90-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-92-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-91-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-79-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-77-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-93-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-94-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-75-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-71-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-70-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-68-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-67-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-66-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-63-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-86-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-89-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-62-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1252-88-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-87-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-84-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-64-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-82-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-78-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-80-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-81-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-76-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-74-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-73-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-72-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-69-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1252-65-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/1264-106-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/1264-102-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads