dridex | 96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9

Analysis

max time kernel
153s
max time network
133s
platform
windows7_x64
resource
win7-en-20210920
submitted
28-09-2021 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9.dll
Size

2.1MB
MD5

f8295446e335b679641637334c99242d
SHA1

18b9a40791f1a52c70507b29d0b631510f2e33c6
SHA256

96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9
SHA512

82b140666adcf81d786ef650a4eeae44a133c23593e2ccb14a1bd0b262084dd937d2fe6546fd691ba859b376becbfc4f18e57459d8e9e6b2e20654cc227fd1b7

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1264-57-0x0000000002B30000-0x0000000002B31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

tabcal.exeNetplwiz.exeiexpress.exe

pid process

396 tabcal.exe
1180 Netplwiz.exe
1216 iexpress.exe
Loads dropped DLL 7 IoCs

Processes:

tabcal.exeNetplwiz.exeiexpress.exe

pid process

1264
396 tabcal.exe
1264
1180 Netplwiz.exe
1264
1216 iexpress.exe
1264

pid	process
396	tabcal.exe
1180	Netplwiz.exe
1216	iexpress.exe

pid	process
1264
396	tabcal.exe
1264
1180	Netplwiz.exe
1264
1216	iexpress.exe
1264

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aShLbPP3IJ\\Netplwiz.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

tabcal.exeNetplwiz.exeiexpress.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1172	rundll32.exe
1172	rundll32.exe
1172	rundll32.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1264
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1264
1264
1264
1264
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1264
1264
1264
1264
1264
1264

pid	process
1264

pid	process
1264
1264
1264
1264

pid	process
1264
1264
1264
1264
1264
1264

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1264 wrote to memory of 1900	1264	tabcal.exe
PID 1264 wrote to memory of 1900	1264	tabcal.exe
PID 1264 wrote to memory of 1900	1264	tabcal.exe
PID 1264 wrote to memory of 396	1264	tabcal.exe
PID 1264 wrote to memory of 396	1264	tabcal.exe
PID 1264 wrote to memory of 396	1264	tabcal.exe
PID 1264 wrote to memory of 948	1264	Netplwiz.exe
PID 1264 wrote to memory of 948	1264	Netplwiz.exe
PID 1264 wrote to memory of 948	1264	Netplwiz.exe
PID 1264 wrote to memory of 1180	1264	Netplwiz.exe
PID 1264 wrote to memory of 1180	1264	Netplwiz.exe
PID 1264 wrote to memory of 1180	1264	Netplwiz.exe
PID 1264 wrote to memory of 1080	1264	iexpress.exe
PID 1264 wrote to memory of 1080	1264	iexpress.exe
PID 1264 wrote to memory of 1080	1264	iexpress.exe
PID 1264 wrote to memory of 1216	1264	iexpress.exe
PID 1264 wrote to memory of 1216	1264	iexpress.exe
PID 1264 wrote to memory of 1216	1264	iexpress.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96705595655fd817156073e3d3efde3338e24c3afaef13e517153ae4b5218fc9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:1900

C:\Users\Admin\AppData\Local\T7w\tabcal.exe
C:\Users\Admin\AppData\Local\T7w\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:396

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:948

C:\Users\Admin\AppData\Local\Xxav\Netplwiz.exe
C:\Users\Admin\AppData\Local\Xxav\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1180

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:1080

C:\Users\Admin\AppData\Local\jkY\iexpress.exe
C:\Users\Admin\AppData\Local\jkY\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1216

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\T7w\HID.DLL
MD5
b019a506bae766fc26fba1ffab792482

SHA1
a22d641684afc07b164c1dcb3e9036751a164569

SHA256
e9601bf7b1e716638a8d0b3d741a2b130a970ceb39e8b286353feb2629d0af44

SHA512
7f83495c7e2a58b2bbe85711d10de0286ac3d4ad40832c6ef5d1e4ec306b1c25d7345fee32dd8b45d557cae4d2e6893a9a92261bd87659be6bdf41ded1e4f4c4

Download Submit
C:\Users\Admin\AppData\Local\T7w\tabcal.exe
MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
C:\Users\Admin\AppData\Local\Xxav\NETPLWIZ.dll
MD5
2115aed8b7482088c27002d814fce8d7

SHA1
b843f609284a77d82a74665634387d0378a7214a

SHA256
e72a7aab9945dfe265cfc8792aeee9595e6b1e59922ae9738008de7e5cc992c5

SHA512
9e5202313d5fa8f9a62d12832ab53c644cd90f4f7806d825eb278e3970a071b0e92c26313401347685b38dfb6e254ddcd5a1206eb3baeaa511361148a91e719e

Download Submit
C:\Users\Admin\AppData\Local\Xxav\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\jkY\VERSION.dll
MD5
21f53553e35c8c960b2509073e2b631e

SHA1
3d9cc5d93a26e0e43c0480ae2898b65b65755829

SHA256
9eb9d79f7f0b1f500eab6f22922aad6c95a4c56c558cb9e2ad04ecc79b8ee4f4

SHA512
24b417ca2a606d59d93f1d0b9ecb5d90f8e7ebd6a817188ece6ddbeef1b4fb170ac9995a33fa5d8d86ce71eebe9a8256eaae25be7b884456d798951df47a8346

Download Submit
C:\Users\Admin\AppData\Local\jkY\iexpress.exe
MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\T7w\HID.DLL
MD5
b019a506bae766fc26fba1ffab792482

SHA1
a22d641684afc07b164c1dcb3e9036751a164569

SHA256
e9601bf7b1e716638a8d0b3d741a2b130a970ceb39e8b286353feb2629d0af44

SHA512
7f83495c7e2a58b2bbe85711d10de0286ac3d4ad40832c6ef5d1e4ec306b1c25d7345fee32dd8b45d557cae4d2e6893a9a92261bd87659be6bdf41ded1e4f4c4

Download Submit
\Users\Admin\AppData\Local\T7w\tabcal.exe
MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\Xxav\NETPLWIZ.dll
MD5
2115aed8b7482088c27002d814fce8d7

SHA1
b843f609284a77d82a74665634387d0378a7214a

SHA256
e72a7aab9945dfe265cfc8792aeee9595e6b1e59922ae9738008de7e5cc992c5

SHA512
9e5202313d5fa8f9a62d12832ab53c644cd90f4f7806d825eb278e3970a071b0e92c26313401347685b38dfb6e254ddcd5a1206eb3baeaa511361148a91e719e

Download Submit
\Users\Admin\AppData\Local\Xxav\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\jkY\VERSION.dll
MD5
21f53553e35c8c960b2509073e2b631e

SHA1
3d9cc5d93a26e0e43c0480ae2898b65b65755829

SHA256
9eb9d79f7f0b1f500eab6f22922aad6c95a4c56c558cb9e2ad04ecc79b8ee4f4

SHA512
24b417ca2a606d59d93f1d0b9ecb5d90f8e7ebd6a817188ece6ddbeef1b4fb170ac9995a33fa5d8d86ce71eebe9a8256eaae25be7b884456d798951df47a8346

Download Submit
\Users\Admin\AppData\Local\jkY\iexpress.exe
MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\kv\iexpress.exe
MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
memory/396-121-0x0000000000000000-mapping.dmp

Download
memory/1172-56-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1172-54-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1180-128-0x0000000000000000-mapping.dmp

Download
memory/1216-135-0x0000000000000000-mapping.dmp

Download
memory/1264-102-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-105-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-78-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-91-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-90-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-89-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-88-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-87-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-86-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-85-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-84-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-83-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-82-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-81-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-77-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-76-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-75-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-74-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-73-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-71-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-80-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-113-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-112-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-111-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-110-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-109-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-108-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-107-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-106-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-79-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-104-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-103-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-101-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-100-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-99-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-98-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-97-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-96-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-95-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-94-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-93-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-92-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-72-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-62-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-63-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-64-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-65-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-66-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-60-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-61-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-59-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-58-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-57-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1264-70-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-69-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-68-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-67-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1264-119-0x00000000777C0000-0x00000000777C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads