dridex | d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca

Analysis

max time kernel
160s
max time network
45s
platform
windows7_x64
resource
win7v20210408
submitted
28-09-2021 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca.dll
Size

2.0MB
MD5

8a6f4fe59b41d74501e04f1b451dc57d
SHA1

064f5eca3efd02c5f40a8c9e7fedb86aa40eeed0
SHA256

d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca
SHA512

4dfb736dc4e967f964d4a8eac22808fd7249fe39500752bf8b2cc9c197107bc6347ba7da07f20dda47b7d7bd14217792a81222e60f7d648918a93f222ab8084c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1244-63-0x00000000021E0000-0x00000000021E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

shrpubw.exemsconfig.exedvdupgrd.exe

pid process

680 shrpubw.exe
1520 msconfig.exe
1688 dvdupgrd.exe
Loads dropped DLL 7 IoCs

Processes:

shrpubw.exemsconfig.exedvdupgrd.exe

pid process

1244
680 shrpubw.exe
1244
1520 msconfig.exe
1244
1688 dvdupgrd.exe
1244

pid	process
680	shrpubw.exe
1520	msconfig.exe
1688	dvdupgrd.exe

pid	process
1244
680	shrpubw.exe
1244
1520	msconfig.exe
1244
1688	dvdupgrd.exe
1244

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\lT2\\msconfig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dvdupgrd.exerundll32.exeshrpubw.exemsconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dvdupgrd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
792	rundll32.exe
792	rundll32.exe
792	rundll32.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1244
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1244
1244
1244
1244
1244
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1244
1244
1244
1244

pid	process
1244

pid	process
1244
1244
1244
1244
1244

pid	process
1244
1244
1244
1244

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1244 wrote to memory of 556	1244	shrpubw.exe
PID 1244 wrote to memory of 556	1244	shrpubw.exe
PID 1244 wrote to memory of 556	1244	shrpubw.exe
PID 1244 wrote to memory of 680	1244	shrpubw.exe
PID 1244 wrote to memory of 680	1244	shrpubw.exe
PID 1244 wrote to memory of 680	1244	shrpubw.exe
PID 1244 wrote to memory of 568	1244	msconfig.exe
PID 1244 wrote to memory of 568	1244	msconfig.exe
PID 1244 wrote to memory of 568	1244	msconfig.exe
PID 1244 wrote to memory of 1520	1244	msconfig.exe
PID 1244 wrote to memory of 1520	1244	msconfig.exe
PID 1244 wrote to memory of 1520	1244	msconfig.exe
PID 1244 wrote to memory of 1708	1244	dvdupgrd.exe
PID 1244 wrote to memory of 1708	1244	dvdupgrd.exe
PID 1244 wrote to memory of 1708	1244	dvdupgrd.exe
PID 1244 wrote to memory of 1688	1244	dvdupgrd.exe
PID 1244 wrote to memory of 1688	1244	dvdupgrd.exe
PID 1244 wrote to memory of 1688	1244	dvdupgrd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7cb31b51d497eaac81246a38db0abd05398832fb301cb1b97d1ca979df2a4ca.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:792

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:556

C:\Users\Admin\AppData\Local\qD3x9\shrpubw.exe
C:\Users\Admin\AppData\Local\qD3x9\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:680

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:568

C:\Users\Admin\AppData\Local\1V492ghq\msconfig.exe
C:\Users\Admin\AppData\Local\1V492ghq\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1520

C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
1⤵
PID:1708

C:\Users\Admin\AppData\Local\xGvaW\dvdupgrd.exe
C:\Users\Admin\AppData\Local\xGvaW\dvdupgrd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1V492ghq\VERSION.dll
MD5
d8b05663d7811bcc5d0d0cbdfd9cfa73

SHA1
12250db1ce411525e4971b0e8f70a95d2a41c799

SHA256
806346dac1dba54b4058abedd68ce2f37737c603bc91727ef19cbedbdaa2bd0c

SHA512
5d0aa3c83c67af151f2809cb9697cd8903ed6675f64f850482d029279cb699554da71a9e3198888018bc449eceb7b6ecbb034ced6a3ebd9872fe4545c8c57b5b

Download Submit
C:\Users\Admin\AppData\Local\1V492ghq\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
C:\Users\Admin\AppData\Local\qD3x9\MFC42u.dll
MD5
40dcc7cdfc806b048416deeb316dfed1

SHA1
8095b8a46202878a399f6e67e8221c44058829f0

SHA256
5906b50614ebef1cb85d105810eb37cd481f956966547ee0ff4d77a9d6cdcd0f

SHA512
5703684010de6e08d21909b6c0313ca14b4cdf2c45bf0afd04b1b25ea65232a94a81b4b917af565f1225d1ed9651c16d580c04887702acf040d89f6e57b37720

Download Submit
C:\Users\Admin\AppData\Local\qD3x9\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\xGvaW\VERSION.dll
MD5
e2a7277c837b5552f2b44d3246b4f93a

SHA1
f449fefa94f7e995b159b984108f2709b298cd9e

SHA256
3074b8c674b9f0d7526e296ee51b27f7bc5d5f78ee8f87357755bb3ae2507a96

SHA512
37d7ff6947f2c96f4113948977bb26dd62c6790ac5cc4d0e5cf851e128a2a8e0fd753c780ec996c12d31085dd477ff05389178855601bff90ced5928c8032211

Download Submit
C:\Users\Admin\AppData\Local\xGvaW\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
\Users\Admin\AppData\Local\1V492ghq\VERSION.dll
MD5
d8b05663d7811bcc5d0d0cbdfd9cfa73

SHA1
12250db1ce411525e4971b0e8f70a95d2a41c799

SHA256
806346dac1dba54b4058abedd68ce2f37737c603bc91727ef19cbedbdaa2bd0c

SHA512
5d0aa3c83c67af151f2809cb9697cd8903ed6675f64f850482d029279cb699554da71a9e3198888018bc449eceb7b6ecbb034ced6a3ebd9872fe4545c8c57b5b

Download Submit
\Users\Admin\AppData\Local\1V492ghq\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\qD3x9\MFC42u.dll
MD5
40dcc7cdfc806b048416deeb316dfed1

SHA1
8095b8a46202878a399f6e67e8221c44058829f0

SHA256
5906b50614ebef1cb85d105810eb37cd481f956966547ee0ff4d77a9d6cdcd0f

SHA512
5703684010de6e08d21909b6c0313ca14b4cdf2c45bf0afd04b1b25ea65232a94a81b4b917af565f1225d1ed9651c16d580c04887702acf040d89f6e57b37720

Download Submit
\Users\Admin\AppData\Local\qD3x9\shrpubw.exe
MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\xGvaW\VERSION.dll
MD5
e2a7277c837b5552f2b44d3246b4f93a

SHA1
f449fefa94f7e995b159b984108f2709b298cd9e

SHA256
3074b8c674b9f0d7526e296ee51b27f7bc5d5f78ee8f87357755bb3ae2507a96

SHA512
37d7ff6947f2c96f4113948977bb26dd62c6790ac5cc4d0e5cf851e128a2a8e0fd753c780ec996c12d31085dd477ff05389178855601bff90ced5928c8032211

Download Submit
\Users\Admin\AppData\Local\xGvaW\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\PQ4kkSJ0AZ\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
memory/680-107-0x0000000000000000-mapping.dmp

Download
memory/680-112-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/680-111-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/792-60-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/792-62-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1244-77-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-105-0x0000000076E90000-0x0000000076E92000-memory.dmp

Filesize
8KB

Download
memory/1244-86-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-90-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-92-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-93-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-95-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-97-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-99-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-98-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-96-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-94-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-91-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-88-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-89-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-87-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-85-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-83-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-81-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-80-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-64-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-84-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-82-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-79-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-78-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-66-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-65-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-69-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-68-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-76-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-63-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1244-70-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-72-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-75-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-67-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-71-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-74-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1244-73-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/1520-119-0x0000000140000000-0x0000000140207000-memory.dmp

Filesize
2.0MB

Download
memory/1520-115-0x0000000000000000-mapping.dmp

Download
memory/1688-122-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads