dridex | 30b8a22979fcf9cd5eadbaf0683b68dce6608e4507079f508ebf5e9f3a4cb3f9

Analysis

max time kernel
151s
max time network
42s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-09-2021 07:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30b8a22979fcf9cd5eadbaf0683b68dce6608e4507079f508ebf5e9f3a4cb3f9.dll
Size

1.2MB
MD5

050f7b6b85755449ad51107dd8be3946
SHA1

1c04df714fa68afabc5c9e3528ae7a3114b55078
SHA256

30b8a22979fcf9cd5eadbaf0683b68dce6608e4507079f508ebf5e9f3a4cb3f9
SHA512

f06deb19569c9d52ffc8c5d3d4b221cc327b57073819471e27623f7e4e93384f33d82478da3c8a7ecbef4f02138c7a69af0e38bdab1a7d7e386456112599d297

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1264-57-0x0000000002B30000-0x0000000002B31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

Processes:

SnippingTool.exedpnsvr.exeDeviceDisplayObjectProvider.execmstp.exe

pid process

1888 SnippingTool.exe
2024 dpnsvr.exe
1048 DeviceDisplayObjectProvider.exe
1256 cmstp.exe
Loads dropped DLL 9 IoCs

Processes:

SnippingTool.exedpnsvr.exeDeviceDisplayObjectProvider.execmstp.exe

pid process

1264
1888 SnippingTool.exe
1264
2024 dpnsvr.exe
1264
1048 DeviceDisplayObjectProvider.exe
1264
1256 cmstp.exe
1264

pid	process
1888	SnippingTool.exe
2024	dpnsvr.exe
1048	DeviceDisplayObjectProvider.exe
1256	cmstp.exe

pid	process
1264
1888	SnippingTool.exe
1264
2024	dpnsvr.exe
1264
1048	DeviceDisplayObjectProvider.exe
1264
1256	cmstp.exe
1264

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbbdywj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\v42sMa\\DEVICE~1.EXE"

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dpnsvr.exeDeviceDisplayObjectProvider.execmstp.exerundll32.exeSnippingTool.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SnippingTool.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1264
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1264
1264
1264
1264
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1264
1264
1264
1264

pid	process
1264

pid	process
1264
1264
1264
1264

pid	process
1264
1264
1264
1264

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

description	pid	target process
PID 1264 wrote to memory of 1200	1264	SnippingTool.exe
PID 1264 wrote to memory of 1200	1264	SnippingTool.exe
PID 1264 wrote to memory of 1200	1264	SnippingTool.exe
PID 1264 wrote to memory of 1888	1264	SnippingTool.exe
PID 1264 wrote to memory of 1888	1264	SnippingTool.exe
PID 1264 wrote to memory of 1888	1264	SnippingTool.exe
PID 1264 wrote to memory of 1312	1264	dpnsvr.exe
PID 1264 wrote to memory of 1312	1264	dpnsvr.exe
PID 1264 wrote to memory of 1312	1264	dpnsvr.exe
PID 1264 wrote to memory of 2024	1264	dpnsvr.exe
PID 1264 wrote to memory of 2024	1264	dpnsvr.exe
PID 1264 wrote to memory of 2024	1264	dpnsvr.exe
PID 1264 wrote to memory of 1812	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1812	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1812	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1048	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1048	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1048	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1868	1264	cmstp.exe
PID 1264 wrote to memory of 1868	1264	cmstp.exe
PID 1264 wrote to memory of 1868	1264	cmstp.exe
PID 1264 wrote to memory of 1256	1264	cmstp.exe
PID 1264 wrote to memory of 1256	1264	cmstp.exe
PID 1264 wrote to memory of 1256	1264	cmstp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\30b8a22979fcf9cd5eadbaf0683b68dce6608e4507079f508ebf5e9f3a4cb3f9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Windows\system32\SnippingTool.exe
C:\Windows\system32\SnippingTool.exe
1⤵
PID:1200

C:\Users\Admin\AppData\Local\6LEpS\SnippingTool.exe
C:\Users\Admin\AppData\Local\6LEpS\SnippingTool.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1888

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:1312

C:\Users\Admin\AppData\Local\VCN43sfJR\dpnsvr.exe
C:\Users\Admin\AppData\Local\VCN43sfJR\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2024

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:1812

C:\Users\Admin\AppData\Local\ZWazWQ\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\ZWazWQ\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1048

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1868

C:\Users\Admin\AppData\Local\zgqe\cmstp.exe
C:\Users\Admin\AppData\Local\zgqe\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1256

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6LEpS\SnippingTool.exe
MD5
7633f554eeafde7f144b41c2fcaf5f63

SHA1
44497c3d6fada0066598a6170b90c53e28ddf96c

SHA256
890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78

SHA512
7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

Download Submit
C:\Users\Admin\AppData\Local\6LEpS\UxTheme.dll
MD5
37bd16eade5ad06b88bd8b246cbc2f2d

SHA1
6453ae51ca6d42b1455da2710d6401f1af6e712c

SHA256
059d5713b0bb113bdee6b0fc6a43a4f381b42d862b844687f6de05042af62352

SHA512
129d6438609e58232c2609b1239e7c9db03d03521a0475dd8572c6eb4e0aa82e8371f59bed126644d794fd319062a7b43d9154663fe7facec254bbdb8ba8b206

Download Submit
C:\Users\Admin\AppData\Local\VCN43sfJR\WINMM.dll
MD5
f4711067c8bba6130095ed63881a73d1

SHA1
14cd00f2da0c6093ed0c13b905b2bb258af93e84

SHA256
9a0cee85c3062fe1c0357e8c194edfb076c7ff56c7de661ff11000513fbfa1b9

SHA512
53f94383d19d5b76613d7ec909479d69af2e8ef2ebfcaca20e71513b5fd915d9373eca655abb4a413492fab3250b59994523cf848c93917996e554480de06264

Download Submit
C:\Users\Admin\AppData\Local\VCN43sfJR\dpnsvr.exe
MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
C:\Users\Admin\AppData\Local\ZWazWQ\DeviceDisplayObjectProvider.exe
MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
C:\Users\Admin\AppData\Local\ZWazWQ\XmlLite.dll
MD5
4988e760111654203c10e6141b1d33fc

SHA1
6c0b3614e952ef987e3fdfc50aa5254a07a6f4b5

SHA256
d6d70b3038ecf9a9d26e47e2149855fc653820a261ffc4dc52f9080e2c79a3fc

SHA512
4bb92e3bb1f773a7116adb195b0aa9e0670f54be5264aab7ae3728ea2f31a8c1a637479a958db817f5a1aef3f72926712e9c2013d7ea813f87372ec7f413a6d4

Download Submit
C:\Users\Admin\AppData\Local\zgqe\VERSION.dll
MD5
07a3942a29cac7e281e2a0dc5a97e57d

SHA1
9e3335221150a213f56dbb801f147627f15ce1a3

SHA256
062319ecd2422bc06fb910110ee84fcee5af94d6d7b35201cb67c39975a4cac5

SHA512
b35257ba913d9a6b9b365f598420e6d6ba569c9675eea2c587c179534a396c412cb841c08b3c82f00a19184affd0eea6555f23e6d29f658dc8ce0dfc66d1545e

Download Submit
C:\Users\Admin\AppData\Local\zgqe\cmstp.exe
MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\6LEpS\SnippingTool.exe
MD5
7633f554eeafde7f144b41c2fcaf5f63

SHA1
44497c3d6fada0066598a6170b90c53e28ddf96c

SHA256
890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78

SHA512
7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

Download Submit
\Users\Admin\AppData\Local\6LEpS\UxTheme.dll
MD5
37bd16eade5ad06b88bd8b246cbc2f2d

SHA1
6453ae51ca6d42b1455da2710d6401f1af6e712c

SHA256
059d5713b0bb113bdee6b0fc6a43a4f381b42d862b844687f6de05042af62352

SHA512
129d6438609e58232c2609b1239e7c9db03d03521a0475dd8572c6eb4e0aa82e8371f59bed126644d794fd319062a7b43d9154663fe7facec254bbdb8ba8b206

Download Submit
\Users\Admin\AppData\Local\VCN43sfJR\WINMM.dll
MD5
f4711067c8bba6130095ed63881a73d1

SHA1
14cd00f2da0c6093ed0c13b905b2bb258af93e84

SHA256
9a0cee85c3062fe1c0357e8c194edfb076c7ff56c7de661ff11000513fbfa1b9

SHA512
53f94383d19d5b76613d7ec909479d69af2e8ef2ebfcaca20e71513b5fd915d9373eca655abb4a413492fab3250b59994523cf848c93917996e554480de06264

Download Submit
\Users\Admin\AppData\Local\VCN43sfJR\dpnsvr.exe
MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
\Users\Admin\AppData\Local\ZWazWQ\DeviceDisplayObjectProvider.exe
MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
\Users\Admin\AppData\Local\ZWazWQ\XmlLite.dll
MD5
4988e760111654203c10e6141b1d33fc

SHA1
6c0b3614e952ef987e3fdfc50aa5254a07a6f4b5

SHA256
d6d70b3038ecf9a9d26e47e2149855fc653820a261ffc4dc52f9080e2c79a3fc

SHA512
4bb92e3bb1f773a7116adb195b0aa9e0670f54be5264aab7ae3728ea2f31a8c1a637479a958db817f5a1aef3f72926712e9c2013d7ea813f87372ec7f413a6d4

Download Submit
\Users\Admin\AppData\Local\zgqe\VERSION.dll
MD5
07a3942a29cac7e281e2a0dc5a97e57d

SHA1
9e3335221150a213f56dbb801f147627f15ce1a3

SHA256
062319ecd2422bc06fb910110ee84fcee5af94d6d7b35201cb67c39975a4cac5

SHA512
b35257ba913d9a6b9b365f598420e6d6ba569c9675eea2c587c179534a396c412cb841c08b3c82f00a19184affd0eea6555f23e6d29f658dc8ce0dfc66d1545e

Download Submit
\Users\Admin\AppData\Local\zgqe\cmstp.exe
MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\igGO6L9I\cmstp.exe
MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
memory/1048-116-0x0000000000000000-mapping.dmp

Download
memory/1256-123-0x0000000000000000-mapping.dmp

Download
memory/1264-71-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-66-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-76-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-77-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-78-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-79-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-80-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-90-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-89-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-88-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-87-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-86-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-93-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-92-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-91-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-85-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-84-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-83-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-82-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-81-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-99-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

Filesize
8KB

Download
memory/1264-73-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-74-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-57-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/1264-58-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-72-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-59-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-60-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-70-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-69-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-61-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-68-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-67-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-62-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-75-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-65-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-64-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1264-63-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1356-54-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1356-56-0x0000000001B60000-0x0000000001B67000-memory.dmp

Filesize
28KB

Download
memory/1888-106-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1888-103-0x000007FEFC271000-0x000007FEFC273000-memory.dmp

Filesize
8KB

Download
memory/1888-101-0x0000000000000000-mapping.dmp

Download
memory/2024-113-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2024-109-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads