dridex | 202a5ee7d2833ecaae0120d63636567895cfcc9ea1cdae12debf6b9131147225

Analysis

max time kernel
151s
max time network
109s
platform
windows7_x64
resource
win7v20210408
submitted
30-09-2021 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202a5ee7d2833ecaae0120d63636567895cfcc9ea1cdae12debf6b9131147225.dll
Size

836KB
MD5

dc4936a8b1123fcb1ce8334adeff0f65
SHA1

966b336176a72d29e98c6aeaaa211f790df79427
SHA256

202a5ee7d2833ecaae0120d63636567895cfcc9ea1cdae12debf6b9131147225
SHA512

8f2b2e51dc553188a4626c85dc44368fd6b28c6eb1688ed3af61454d36c79191f234ae4dba306b32eb6e37540ef2a2f1844eeabfd73b5998328459e39f852ba0

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1100-59-0x0000000140000000-0x00000001400D1000-memory.dmp	dridex_payload
behavioral1/memory/1240-103-0x0000000140000000-0x00000001400D2000-memory.dmp	dridex_payload
behavioral1/memory/620-117-0x00000000002F0000-0x00000000003C2000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-62-0x0000000002E80000-0x0000000002E81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sdclt.exeDxpserver.exewisptis.exe

pid process

1240 sdclt.exe
1028 Dxpserver.exe
620 wisptis.exe
Loads dropped DLL 7 IoCs

Processes:

sdclt.exeDxpserver.exewisptis.exe

pid process

1212
1240 sdclt.exe
1212
1028 Dxpserver.exe
1212
620 wisptis.exe
1212

pid	process
1240	sdclt.exe
1028	Dxpserver.exe
620	wisptis.exe

pid	process
1212
1240	sdclt.exe
1212
1028	Dxpserver.exe
1212
620	wisptis.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\tv\\DXPSER~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sdclt.exeDxpserver.exewisptis.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wisptis.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1212
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1212
1212
1212
1212
1212
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

pid process

1212
1212
1212
1212
1212
1212
1212
1212

pid	process
1212

pid	process
1212
1212
1212
1212
1212

pid	process
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 1304	1212	sdclt.exe
PID 1212 wrote to memory of 1304	1212	sdclt.exe
PID 1212 wrote to memory of 1304	1212	sdclt.exe
PID 1212 wrote to memory of 1240	1212	sdclt.exe
PID 1212 wrote to memory of 1240	1212	sdclt.exe
PID 1212 wrote to memory of 1240	1212	sdclt.exe
PID 1212 wrote to memory of 864	1212	Dxpserver.exe
PID 1212 wrote to memory of 864	1212	Dxpserver.exe
PID 1212 wrote to memory of 864	1212	Dxpserver.exe
PID 1212 wrote to memory of 1028	1212	Dxpserver.exe
PID 1212 wrote to memory of 1028	1212	Dxpserver.exe
PID 1212 wrote to memory of 1028	1212	Dxpserver.exe
PID 1212 wrote to memory of 1716	1212	wisptis.exe
PID 1212 wrote to memory of 1716	1212	wisptis.exe
PID 1212 wrote to memory of 1716	1212	wisptis.exe
PID 1212 wrote to memory of 620	1212	wisptis.exe
PID 1212 wrote to memory of 620	1212	wisptis.exe
PID 1212 wrote to memory of 620	1212	wisptis.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\202a5ee7d2833ecaae0120d63636567895cfcc9ea1cdae12debf6b9131147225.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:1304

C:\Users\Admin\AppData\Local\l42CAJbS\sdclt.exe
C:\Users\Admin\AppData\Local\l42CAJbS\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1240

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:864

C:\Users\Admin\AppData\Local\H5q9Cx\Dxpserver.exe
C:\Users\Admin\AppData\Local\H5q9Cx\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1028

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:1716

C:\Users\Admin\AppData\Local\VBldsZK\wisptis.exe
C:\Users\Admin\AppData\Local\VBldsZK\wisptis.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:620

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\H5q9Cx\Dxpserver.exe
MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
C:\Users\Admin\AppData\Local\H5q9Cx\dwmapi.dll
MD5
07b557833af0f83acdefcf6098c7c5c2

SHA1
e79700892ebacb404683d0b83fd59be82e5cc902

SHA256
2f522bba2bb0922f1de1e9474bd27bf252a4a7352febdaa9c5e61b4e6dc240a7

SHA512
be78bb884e5fd495f49063f8a2d102c23a45bc4f9dc373de5fcbcf9da74d278d22738339b6c5588e81eb32d83d0be8af1d50e94be96ca76a5285774a2405f8ea

Download Submit
C:\Users\Admin\AppData\Local\VBldsZK\WTSAPI32.dll
MD5
e8c2672db331d3d9b6baa40017037436

SHA1
13a5b8232c63a07ce332f9c20c03060542ada9da

SHA256
8e5aa73f924e58881cdfcf06a0c9a0c670ccc6a3cddc8e99e72ab6035797e5a9

SHA512
7ed4472c61819839305d96c21de628b4b6d1a38f07748be1f3ceca994c93c35ef903374897ed95b06cac8b2f66820b4fffa4e42aaf1be87d8d84f59a8ed9833d

Download Submit
C:\Users\Admin\AppData\Local\VBldsZK\wisptis.exe
MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
C:\Users\Admin\AppData\Local\VBldsZK\wisptis.exe
MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
C:\Users\Admin\AppData\Local\l42CAJbS\ReAgent.dll
MD5
ae2861f75c6f351e4817c03a73975988

SHA1
c53d1d52b4ec8d7f92787b623685e363a77bcae1

SHA256
71532090a2aa50ab7850c9b1b50a2380f16f554fecfce1d602d48680883c1767

SHA512
e664cad9e91de64d55a33e404ce627fd7304120c858b968e3b2abf09ffed3b257c5658cdbbaa8e20155e0fe555519ff9a7ce2c9a486433a04be90a67fa3f3e7c

Download Submit
C:\Users\Admin\AppData\Local\l42CAJbS\sdclt.exe
MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Local\H5q9Cx\Dxpserver.exe
MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\H5q9Cx\dwmapi.dll
MD5
07b557833af0f83acdefcf6098c7c5c2

SHA1
e79700892ebacb404683d0b83fd59be82e5cc902

SHA256
2f522bba2bb0922f1de1e9474bd27bf252a4a7352febdaa9c5e61b4e6dc240a7

SHA512
be78bb884e5fd495f49063f8a2d102c23a45bc4f9dc373de5fcbcf9da74d278d22738339b6c5588e81eb32d83d0be8af1d50e94be96ca76a5285774a2405f8ea

Download Submit
\Users\Admin\AppData\Local\VBldsZK\WTSAPI32.dll
MD5
e8c2672db331d3d9b6baa40017037436

SHA1
13a5b8232c63a07ce332f9c20c03060542ada9da

SHA256
8e5aa73f924e58881cdfcf06a0c9a0c670ccc6a3cddc8e99e72ab6035797e5a9

SHA512
7ed4472c61819839305d96c21de628b4b6d1a38f07748be1f3ceca994c93c35ef903374897ed95b06cac8b2f66820b4fffa4e42aaf1be87d8d84f59a8ed9833d

Download Submit
\Users\Admin\AppData\Local\VBldsZK\wisptis.exe
MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
\Users\Admin\AppData\Local\l42CAJbS\ReAgent.dll
MD5
ae2861f75c6f351e4817c03a73975988

SHA1
c53d1d52b4ec8d7f92787b623685e363a77bcae1

SHA256
71532090a2aa50ab7850c9b1b50a2380f16f554fecfce1d602d48680883c1767

SHA512
e664cad9e91de64d55a33e404ce627fd7304120c858b968e3b2abf09ffed3b257c5658cdbbaa8e20155e0fe555519ff9a7ce2c9a486433a04be90a67fa3f3e7c

Download Submit
\Users\Admin\AppData\Local\l42CAJbS\sdclt.exe
MD5
cdebd55ffbda3889aa2a8ce52b9dc097

SHA1
4b3cbfff5e57fa0cb058e93e445e3851063646cf

SHA256
61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd

SHA512
2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\kYfyA\wisptis.exe
MD5
02e20372d9d6d28e37ba9704edc90b67

SHA1
d7d18ba0df95c3507bf20be8d72e25c5d11ab40c

SHA256
3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144

SHA512
bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

Download Submit
memory/620-117-0x00000000002F0000-0x00000000003C2000-memory.dmp

Filesize
840KB

Download
memory/620-113-0x0000000000000000-mapping.dmp

Download
memory/1028-106-0x0000000000000000-mapping.dmp

Download
memory/1100-59-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1100-61-0x0000000000420000-0x0000000000427000-memory.dmp

Filesize
28KB

Download
memory/1212-80-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-84-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-87-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-88-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-89-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-70-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-68-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-66-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-64-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-90-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-91-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-63-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-62-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/1212-65-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-85-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-73-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-67-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-86-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-83-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-69-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-82-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-81-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-79-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-78-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-77-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-76-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-75-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-74-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-72-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1212-71-0x0000000140000000-0x00000001400D1000-memory.dmp

Filesize
836KB

Download
memory/1240-103-0x0000000140000000-0x00000001400D2000-memory.dmp

Filesize
840KB

Download
memory/1240-100-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/1240-98-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads