dridex | d613a07d9ea513fbfb187dd4fa6baee901de7a2217fd3e69dd7539efbd602f88

Analysis

max time kernel
150s
max time network
108s
platform
windows7_x64
resource
win7v20210408
submitted
06-10-2021 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d613a07d9ea513fbfb187dd4fa6baee901de7a2217fd3e69dd7539efbd602f88.dll
Size

1.7MB
MD5

2465cd00de8a884ccbf278484a269100
SHA1

873c9d37af344388bd010f416b5367864575bd4a
SHA256

d613a07d9ea513fbfb187dd4fa6baee901de7a2217fd3e69dd7539efbd602f88
SHA512

a2d89bfdf259be0e96abfcbfabde849ab8c3355c153baf47639b85287496a8d1512c6b7cdf7100de2daf5e0e476d4637a31cdc11252630a504fe6a3c36101c35

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1352-63-0x0000000002210000-0x0000000002211000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

spreview.exedwm.exexpsrchvw.exe

pid process

1712 spreview.exe
1420 dwm.exe
1704 xpsrchvw.exe
Loads dropped DLL 7 IoCs

Processes:

spreview.exedwm.exexpsrchvw.exe

pid process

1352
1712 spreview.exe
1352
1420 dwm.exe
1352
1704 xpsrchvw.exe
1352

pid	process
1712	spreview.exe
1420	dwm.exe
1704	xpsrchvw.exe

pid	process
1352
1712	spreview.exe
1352
1420	dwm.exe
1352
1704	xpsrchvw.exe
1352

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Axiifu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ZJqJ3\\dwm.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dwm.exexpsrchvw.exerundll32.exespreview.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1988	rundll32.exe
1988	rundll32.exe
1988	rundll32.exe
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1352
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

pid process

1352
1352
1352
1352
1352
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1352
1352
1352
1352

pid	process
1352

pid	process
1352
1352
1352
1352
1352

pid	process
1352
1352
1352
1352

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1352 wrote to memory of 1804	1352	spreview.exe
PID 1352 wrote to memory of 1804	1352	spreview.exe
PID 1352 wrote to memory of 1804	1352	spreview.exe
PID 1352 wrote to memory of 1712	1352	spreview.exe
PID 1352 wrote to memory of 1712	1352	spreview.exe
PID 1352 wrote to memory of 1712	1352	spreview.exe
PID 1352 wrote to memory of 1464	1352	dwm.exe
PID 1352 wrote to memory of 1464	1352	dwm.exe
PID 1352 wrote to memory of 1464	1352	dwm.exe
PID 1352 wrote to memory of 1420	1352	dwm.exe
PID 1352 wrote to memory of 1420	1352	dwm.exe
PID 1352 wrote to memory of 1420	1352	dwm.exe
PID 1352 wrote to memory of 1636	1352	xpsrchvw.exe
PID 1352 wrote to memory of 1636	1352	xpsrchvw.exe
PID 1352 wrote to memory of 1636	1352	xpsrchvw.exe
PID 1352 wrote to memory of 1704	1352	xpsrchvw.exe
PID 1352 wrote to memory of 1704	1352	xpsrchvw.exe
PID 1352 wrote to memory of 1704	1352	xpsrchvw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d613a07d9ea513fbfb187dd4fa6baee901de7a2217fd3e69dd7539efbd602f88.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1988

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:1804

C:\Users\Admin\AppData\Local\DYD\spreview.exe
C:\Users\Admin\AppData\Local\DYD\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1712

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:1464

C:\Users\Admin\AppData\Local\2BdzTUg\dwm.exe
C:\Users\Admin\AppData\Local\2BdzTUg\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1420

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:1636

C:\Users\Admin\AppData\Local\S436d8j\xpsrchvw.exe
C:\Users\Admin\AppData\Local\S436d8j\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1704

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2BdzTUg\UxTheme.dll
MD5
0ee403360438b072f583897ca3990ac6

SHA1
49e88d07851ac53433ed56cf7e498cf1b21c6b09

SHA256
64575d9ef65e9dc9a016da9ad626440f735878a5cf9cd41ef94e667b5a9e207b

SHA512
28446a67500d51772fef07379e24c5310f9a03a7ce6c4cd781df8018677ee2bc8484f5ff8e9cbcc13ed69994d64bc75524d3f0466c4d54075b9c37b77a67dfab

Download Submit
C:\Users\Admin\AppData\Local\2BdzTUg\dwm.exe
MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
C:\Users\Admin\AppData\Local\DYD\VERSION.dll
MD5
1a5ad71891a45401857ff2f32ea9be67

SHA1
c85087b73d4f7168e15cfd42c1e25331cdfe7abd

SHA256
5e4f2e29fd6f851a150bf4b11dca763aaf34e1a25b9e9c9f275195a0a79acc4a

SHA512
01089d6f7fd7388b943cd95dbbdd8c204e82cc6918715437c7ed66d26cbdc016323a600c67701dc8d787579934a85c7c2a4d9e3af7b639942960a05ca9449973

Download Submit
C:\Users\Admin\AppData\Local\DYD\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
C:\Users\Admin\AppData\Local\S436d8j\WINMM.dll
MD5
f9bc51e58aa07d71dfb0eb91e178fe21

SHA1
4f2db3d723d1d29ffd238d7d6164632272e96db2

SHA256
3c3d38c6de2eb247e31abf9624f421880d4d5c382ae7efe4b112ce62827c75a5

SHA512
08e54012b5f968e82cd685186de22def895f0ef500e624c6080718f32adbfed74d90a93f9e6f421d8d3ebc349186a0bcb0d7f7a8893264b1e7e7794dd5c4be9f

Download Submit
C:\Users\Admin\AppData\Local\S436d8j\xpsrchvw.exe
MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Local\2BdzTUg\UxTheme.dll
MD5
0ee403360438b072f583897ca3990ac6

SHA1
49e88d07851ac53433ed56cf7e498cf1b21c6b09

SHA256
64575d9ef65e9dc9a016da9ad626440f735878a5cf9cd41ef94e667b5a9e207b

SHA512
28446a67500d51772fef07379e24c5310f9a03a7ce6c4cd781df8018677ee2bc8484f5ff8e9cbcc13ed69994d64bc75524d3f0466c4d54075b9c37b77a67dfab

Download Submit
\Users\Admin\AppData\Local\2BdzTUg\dwm.exe
MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\DYD\VERSION.dll
MD5
1a5ad71891a45401857ff2f32ea9be67

SHA1
c85087b73d4f7168e15cfd42c1e25331cdfe7abd

SHA256
5e4f2e29fd6f851a150bf4b11dca763aaf34e1a25b9e9c9f275195a0a79acc4a

SHA512
01089d6f7fd7388b943cd95dbbdd8c204e82cc6918715437c7ed66d26cbdc016323a600c67701dc8d787579934a85c7c2a4d9e3af7b639942960a05ca9449973

Download Submit
\Users\Admin\AppData\Local\DYD\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\S436d8j\WINMM.dll
MD5
f9bc51e58aa07d71dfb0eb91e178fe21

SHA1
4f2db3d723d1d29ffd238d7d6164632272e96db2

SHA256
3c3d38c6de2eb247e31abf9624f421880d4d5c382ae7efe4b112ce62827c75a5

SHA512
08e54012b5f968e82cd685186de22def895f0ef500e624c6080718f32adbfed74d90a93f9e6f421d8d3ebc349186a0bcb0d7f7a8893264b1e7e7794dd5c4be9f

Download Submit
\Users\Admin\AppData\Local\S436d8j\xpsrchvw.exe
MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\IeCjhLgdg\xpsrchvw.exe
MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
memory/1352-90-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-99-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-75-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-76-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-77-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-78-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-79-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-80-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-81-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-82-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-83-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-84-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-85-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-86-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-87-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-88-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-89-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-73-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-91-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-92-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-93-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-94-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-95-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-74-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-98-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-97-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-96-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-105-0x0000000077B30000-0x0000000077B32000-memory.dmp

Filesize
8KB

Download
memory/1352-72-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-63-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1352-65-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-64-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-71-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-66-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-70-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-69-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-68-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1352-67-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1420-115-0x0000000000000000-mapping.dmp

Download
memory/1704-122-0x0000000000000000-mapping.dmp

Download
memory/1704-127-0x00000000FF561000-0x00000000FF563000-memory.dmp

Filesize
8KB

Download
memory/1704-128-0x0000000140000000-0x00000001401BD000-memory.dmp

Filesize
1.7MB

Download
memory/1712-112-0x0000000140000000-0x00000001401BC000-memory.dmp

Filesize
1.7MB

Download
memory/1712-111-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/1712-107-0x0000000000000000-mapping.dmp

Download
memory/1988-60-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/1988-62-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads