dridex | 67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804

Analysis

max time kernel
154s
max time network
161s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804.dll
Size

1.7MB
MD5

6966f6e2c68c1f536d63b50bb966c031
SHA1

c10eace5e0b5c0531895ed1d02332e3e8bd0fd32
SHA256

67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804
SHA512

365cefcf86f2d1b12e59d819c3dda9733003592a6a3cbf010b15d543547f2de2038dc659301a3f454881b76c644d929bb24c382bb70b349a621f95047457c19f

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3008-120-0x0000000000D00000-0x0000000000D01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SndVol.exeRDVGHelper.exeRdpSa.exe

pid process

3248 SndVol.exe
1008 RDVGHelper.exe
2308 RdpSa.exe
Loads dropped DLL 3 IoCs

Processes:

SndVol.exeRDVGHelper.exeRdpSa.exe

pid process

3248 SndVol.exe
1008 RDVGHelper.exe
2308 RdpSa.exe

pid	process
3248	SndVol.exe
1008	RDVGHelper.exe
2308	RdpSa.exe

pid	process
3248	SndVol.exe
1008	RDVGHelper.exe
2308	RdpSa.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wjvmqhmsyzhtvy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\ShHiS\\RDVGHelper.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSndVol.exeRDVGHelper.exeRdpSa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSa.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2348	rundll32.exe
2348	rundll32.exe
2348	rundll32.exe
2348	rundll32.exe
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008
3008

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3008

pid	process
3008

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3008 wrote to memory of 2284	3008	SndVol.exe
PID 3008 wrote to memory of 2284	3008	SndVol.exe
PID 3008 wrote to memory of 3248	3008	SndVol.exe
PID 3008 wrote to memory of 3248	3008	SndVol.exe
PID 3008 wrote to memory of 912	3008	RDVGHelper.exe
PID 3008 wrote to memory of 912	3008	RDVGHelper.exe
PID 3008 wrote to memory of 1008	3008	RDVGHelper.exe
PID 3008 wrote to memory of 1008	3008	RDVGHelper.exe
PID 3008 wrote to memory of 2196	3008	RdpSa.exe
PID 3008 wrote to memory of 2196	3008	RdpSa.exe
PID 3008 wrote to memory of 2308	3008	RdpSa.exe
PID 3008 wrote to memory of 2308	3008	RdpSa.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67e634c8f431ed69d672dca57c2bd493772b24fdee37432aa8fc3e1822f0b804.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2284

C:\Users\Admin\AppData\Local\hC79Lp8\SndVol.exe
C:\Users\Admin\AppData\Local\hC79Lp8\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3248

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:912

C:\Users\Admin\AppData\Local\bZQ\RDVGHelper.exe
C:\Users\Admin\AppData\Local\bZQ\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1008

C:\Windows\system32\RdpSa.exe
C:\Windows\system32\RdpSa.exe
1⤵
PID:2196

C:\Users\Admin\AppData\Local\yPk2EZwI\RdpSa.exe
C:\Users\Admin\AppData\Local\yPk2EZwI\RdpSa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\bZQ\RDVGHelper.exe
MD5
df98b824d9fa64358198283a97f453e3

SHA1
5328e86ede10063e77b988c9d2420d0c595800a1

SHA256
78361d08e67beb2df4f81d36440a25c4812684f28ba20f98de9a3ac3cfcd67ec

SHA512
984f7cc4dda5b1553df66678501ef3f5bfd79f7c327e1d0292f94cd65542cd6bca692bf6f02aa705df518d2a5630d9ba29bc0a85c00c5f9d45c5f11be9ceb213

Download Submit
C:\Users\Admin\AppData\Local\bZQ\WTSAPI32.dll
MD5
c0afb473900c052309b06fcc8a6e5eb2

SHA1
2c3ad3d9e23a1749b14056c10dfba43358a8b59e

SHA256
5d193f643cddc1eaf2e0ad6b8e5eb90be4d95891412078b9a1f8884f98f758e6

SHA512
13b881a4bb5b3ae3c24cd15003e5f70e4fd024becf11162fe3011b196f58bcadc3c62875c72eecf9ddac8105a686408739e0f5f611f98b924f723b26f554ce01

Download Submit
C:\Users\Admin\AppData\Local\hC79Lp8\SndVol.exe
MD5
27205270f880954ac16dbe3436a8699a

SHA1
c94dee99c7a19f85be8feef0019969b972894437

SHA256
9520ffcee5ece79190dcccc9020e212d43aa6f58e2e633e2a5ed701e909abb6f

SHA512
5e9cbc33cb583c93db4df7781c8960185703da554db81b31087545cc82d4eaf7a3d94aa7aff2b9c999446c621896c264940f0b1c1b4ba0e71cb09ab3dcc6b44b

Download Submit
C:\Users\Admin\AppData\Local\hC79Lp8\UxTheme.dll
MD5
71248ab9fad828bca6bdf961094c9be7

SHA1
d10e80580873d5313054f9ac3020ad78f3d31c74

SHA256
a7e67c9a94a750d09ef1fa0898682d0108dba74d079d7d25efee334bdd5d14fe

SHA512
fce90302a6b87e4ebd3ce876c7ea3390eb807dd2598d1451e54401ede8d022efc78cff169cfc83f3073078842a0da70a05f797fa795017041303f7c2be0cd120

Download Submit
C:\Users\Admin\AppData\Local\yPk2EZwI\RdpSa.exe
MD5
f1c2442f3ec5188998bf290c4cbd562a

SHA1
73fa6d853a92bfcc7671f82d3ab87ea3133bd9ad

SHA256
f6ff99a61cf82ef5889b3dd359a3bb55772439b66c710a9899eb8768c73a0a72

SHA512
310315718d7c684916f16754a1bceb9eb334c2dc8cb70634bf253b7b3d2fc8702e6ce7db52da0122a55fe53cadef1a6ec158d0056ebdbc2bcdc4832033e5d3f4

Download Submit
C:\Users\Admin\AppData\Local\yPk2EZwI\WINSTA.dll
MD5
42d5499d135f5947802c7bc922707b60

SHA1
9bc201437515e56b572c36cfd8f2413ed575f6af

SHA256
7480b609876984fc1b0ecdf9b8d162dcfaee1274fbab51e8720417d08d2e273f

SHA512
10179a42297b84455622743ac8164564007581bd902a38ad9ed97acdd429f1413d41536b0ed5705babe25e1afb31436af5fc8d62f0e25a2a0963f4e4ee5a2e74

Download Submit
\Users\Admin\AppData\Local\bZQ\WTSAPI32.dll
MD5
c0afb473900c052309b06fcc8a6e5eb2

SHA1
2c3ad3d9e23a1749b14056c10dfba43358a8b59e

SHA256
5d193f643cddc1eaf2e0ad6b8e5eb90be4d95891412078b9a1f8884f98f758e6

SHA512
13b881a4bb5b3ae3c24cd15003e5f70e4fd024becf11162fe3011b196f58bcadc3c62875c72eecf9ddac8105a686408739e0f5f611f98b924f723b26f554ce01

Download Submit
\Users\Admin\AppData\Local\hC79Lp8\UxTheme.dll
MD5
71248ab9fad828bca6bdf961094c9be7

SHA1
d10e80580873d5313054f9ac3020ad78f3d31c74

SHA256
a7e67c9a94a750d09ef1fa0898682d0108dba74d079d7d25efee334bdd5d14fe

SHA512
fce90302a6b87e4ebd3ce876c7ea3390eb807dd2598d1451e54401ede8d022efc78cff169cfc83f3073078842a0da70a05f797fa795017041303f7c2be0cd120

Download Submit
\Users\Admin\AppData\Local\yPk2EZwI\WINSTA.dll
MD5
42d5499d135f5947802c7bc922707b60

SHA1
9bc201437515e56b572c36cfd8f2413ed575f6af

SHA256
7480b609876984fc1b0ecdf9b8d162dcfaee1274fbab51e8720417d08d2e273f

SHA512
10179a42297b84455622743ac8164564007581bd902a38ad9ed97acdd429f1413d41536b0ed5705babe25e1afb31436af5fc8d62f0e25a2a0963f4e4ee5a2e74

Download Submit
memory/1008-172-0x0000000000000000-mapping.dmp

Download
memory/2308-185-0x0000000140000000-0x00000001401B4000-memory.dmp

Filesize
1.7MB

Download
memory/2308-181-0x0000000000000000-mapping.dmp

Download
memory/2348-119-0x000001A452F70000-0x000001A452F77000-memory.dmp

Filesize
28KB

Download
memory/2348-115-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-137-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-142-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-129-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-130-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-131-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-132-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-133-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-134-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-135-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-136-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-127-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-138-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-139-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-140-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-141-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-143-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-144-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-145-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-146-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-128-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-147-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-148-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-149-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-151-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-152-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-150-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-160-0x00007FFA8CD64560-0x00007FFA8CD65560-memory.dmp

Filesize
4KB

Download
memory/3008-162-0x00007FFA8CEA0000-0x00007FFA8CEA2000-memory.dmp

Filesize
8KB

Download
memory/3008-126-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-125-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-124-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-123-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-122-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-121-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/3008-120-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3248-163-0x0000000000000000-mapping.dmp

Download
memory/3248-167-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download