dridex | 91e876e9a1f7db2677a3706228a7d73ae0654d144168a7cdece5562d70e36026

Analysis

max time kernel
151s
max time network
138s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-09-2021 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91e876e9a1f7db2677a3706228a7d73ae0654d144168a7cdece5562d70e36026.dll
Size

1.2MB
MD5

c1cd29287def3b7d044e400ff6fd830b
SHA1

1832a3a550610657a8110a2810932137d1d3e62b
SHA256

91e876e9a1f7db2677a3706228a7d73ae0654d144168a7cdece5562d70e36026
SHA512

d4cf7ad019ddc4311824bb9bbdf6efc0bf019b1812fa1c0c59603314afcda003df51dbf8125c5af356bd1a1f2429ac4510e82c3fb53146c6bb74e1cf27b9e58e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-57-0x00000000029E0000-0x00000000029E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dccw.exemsra.exeSystemPropertiesHardware.exe

pid process

1816 dccw.exe
1500 msra.exe
1884 SystemPropertiesHardware.exe
Loads dropped DLL 7 IoCs

Processes:

dccw.exemsra.exeSystemPropertiesHardware.exe

pid process

1216
1816 dccw.exe
1216
1500 msra.exe
1216
1884 SystemPropertiesHardware.exe
1216

pid	process
1816	dccw.exe
1500	msra.exe
1884	SystemPropertiesHardware.exe

pid	process
1216
1816	dccw.exe
1216
1500	msra.exe
1216
1884	SystemPropertiesHardware.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\jvWP\\msra.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dccw.exemsra.exeSystemPropertiesHardware.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1340	rundll32.exe
1340	rundll32.exe
1340	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1216
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1216
1216
1216
1216
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1216
1216
1216
1216
1216
1216

pid	process
1216

pid	process
1216
1216
1216
1216

pid	process
1216
1216
1216
1216
1216
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 1652	1216	dccw.exe
PID 1216 wrote to memory of 1652	1216	dccw.exe
PID 1216 wrote to memory of 1652	1216	dccw.exe
PID 1216 wrote to memory of 1816	1216	dccw.exe
PID 1216 wrote to memory of 1816	1216	dccw.exe
PID 1216 wrote to memory of 1816	1216	dccw.exe
PID 1216 wrote to memory of 1516	1216	msra.exe
PID 1216 wrote to memory of 1516	1216	msra.exe
PID 1216 wrote to memory of 1516	1216	msra.exe
PID 1216 wrote to memory of 1500	1216	msra.exe
PID 1216 wrote to memory of 1500	1216	msra.exe
PID 1216 wrote to memory of 1500	1216	msra.exe
PID 1216 wrote to memory of 1872	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 1872	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 1872	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 1884	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 1884	1216	SystemPropertiesHardware.exe
PID 1216 wrote to memory of 1884	1216	SystemPropertiesHardware.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\91e876e9a1f7db2677a3706228a7d73ae0654d144168a7cdece5562d70e36026.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1340

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:1652

C:\Users\Admin\AppData\Local\c6bxoCu\dccw.exe
C:\Users\Admin\AppData\Local\c6bxoCu\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1816

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:1516

C:\Users\Admin\AppData\Local\1PMoP\msra.exe
C:\Users\Admin\AppData\Local\1PMoP\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1500

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1872

C:\Users\Admin\AppData\Local\qug\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\qug\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1884

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1PMoP\UxTheme.dll
MD5
18940a8c437522c7a5583754098cd32b

SHA1
bd19e65736828b4fd77939a314bb1ee15540a7b9

SHA256
1e2c3ced330376bc5945b37b364ead610705db8729e3422cac1f56f1fd6a9efe

SHA512
b44b1014fe0938f2c1a9a478746caae552acac1cb89f692b2bd5baf2c22492918de34948cb951daf8700faa19936739131745765d07f0c96d20a91e7cc8a27dc

Download Submit
C:\Users\Admin\AppData\Local\1PMoP\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
C:\Users\Admin\AppData\Local\c6bxoCu\dccw.exe
MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
C:\Users\Admin\AppData\Local\c6bxoCu\dxva2.dll
MD5
bf5b38f8821de18f2d9adac4f01655a1

SHA1
8f022f5b07588ea01dd46144eddea7c404c66300

SHA256
99632cd3e43b1d40af2365911b4a276b0a0d301494f84ea700e7173854669674

SHA512
09e4a1383d7d30724c9cf7979710c6d341274b8bc08c65c32f1d756677df3e9b9206c154a2199ba7f6bb0c1a922729788cea59f2aa327cb614842c289a0be820

Download Submit
C:\Users\Admin\AppData\Local\qug\SYSDM.CPL
MD5
0a91c00f5ffee7650aff708761125792

SHA1
cf70ea1d7825fba176d604c898546d9d57b82d5d

SHA256
aeca7596f634ba1a39609ca5ebc6e28288cdab4304268c5ad9cb0f893df291e5

SHA512
067a8a9393171c09eae7ecaec730f4d20ffccf526ccb6bbd7ccbbfcfca33636054bb66e534122f974d3c01ebf4ff0b1d1532d4a3b455e5d8ee0b94c3a63eb698

Download Submit
C:\Users\Admin\AppData\Local\qug\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\1PMoP\UxTheme.dll
MD5
18940a8c437522c7a5583754098cd32b

SHA1
bd19e65736828b4fd77939a314bb1ee15540a7b9

SHA256
1e2c3ced330376bc5945b37b364ead610705db8729e3422cac1f56f1fd6a9efe

SHA512
b44b1014fe0938f2c1a9a478746caae552acac1cb89f692b2bd5baf2c22492918de34948cb951daf8700faa19936739131745765d07f0c96d20a91e7cc8a27dc

Download Submit
\Users\Admin\AppData\Local\1PMoP\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Local\c6bxoCu\dccw.exe
MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\c6bxoCu\dxva2.dll
MD5
bf5b38f8821de18f2d9adac4f01655a1

SHA1
8f022f5b07588ea01dd46144eddea7c404c66300

SHA256
99632cd3e43b1d40af2365911b4a276b0a0d301494f84ea700e7173854669674

SHA512
09e4a1383d7d30724c9cf7979710c6d341274b8bc08c65c32f1d756677df3e9b9206c154a2199ba7f6bb0c1a922729788cea59f2aa327cb614842c289a0be820

Download Submit
\Users\Admin\AppData\Local\qug\SYSDM.CPL
MD5
0a91c00f5ffee7650aff708761125792

SHA1
cf70ea1d7825fba176d604c898546d9d57b82d5d

SHA256
aeca7596f634ba1a39609ca5ebc6e28288cdab4304268c5ad9cb0f893df291e5

SHA512
067a8a9393171c09eae7ecaec730f4d20ffccf526ccb6bbd7ccbbfcfca33636054bb66e534122f974d3c01ebf4ff0b1d1532d4a3b455e5d8ee0b94c3a63eb698

Download Submit
\Users\Admin\AppData\Local\qug\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3456797065-1076791440-4146276586-1000\sVvjk\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
memory/1216-88-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-70-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-87-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-86-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-85-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-84-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-83-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-91-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-90-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-89-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-82-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-81-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-80-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-79-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-78-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-77-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-76-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-75-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-74-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-73-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-71-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-57-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1216-69-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-68-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-97-0x0000000077260000-0x0000000077262000-memory.dmp

Filesize
8KB

Download
memory/1216-72-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-58-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-67-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-66-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-65-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-60-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-61-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-59-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-64-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-63-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1216-62-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1340-56-0x0000000001B60000-0x0000000001B67000-memory.dmp

Filesize
28KB

Download
memory/1340-54-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1500-107-0x0000000000000000-mapping.dmp

Download
memory/1816-104-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1816-103-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1816-99-0x0000000000000000-mapping.dmp

Download
memory/1884-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads