dridex | 114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6

Analysis

max time kernel
156s
max time network
128s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6.dll
Size

1.5MB
MD5

32f0105f83bb61e4fd688219dca080c0
SHA1

4de49a52dd511040dc5d36703966d6b0fe9075a7
SHA256

114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6
SHA512

28556df31e2299904d61ddb80b3ef334c23a40f16bca1f0cfb395c4fe472dfe9ea37d978e44c2d2443f75e77870a4d88ccc197bd1e54462e89c44de7e733e6ec

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-60-0x0000000002A80000-0x0000000002A81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

FXSCOVER.exeRDVGHelper.exemsdtc.exe

pid process

1916 FXSCOVER.exe
1612 RDVGHelper.exe
1828 msdtc.exe
Loads dropped DLL 7 IoCs

Processes:

FXSCOVER.exeRDVGHelper.exemsdtc.exe

pid process

1256
1916 FXSCOVER.exe
1256
1612 RDVGHelper.exe
1256
1828 msdtc.exe
1256

pid	process
1916	FXSCOVER.exe
1612	RDVGHelper.exe
1828	msdtc.exe

pid	process
1256
1916	FXSCOVER.exe
1256
1612	RDVGHelper.exe
1256
1828	msdtc.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\EOXCEI~1\\RDVGHE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeFXSCOVER.exeRDVGHelper.exemsdtc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeFXSCOVER.exeRDVGHelper.exe

pid	process
1212	rundll32.exe
1212	rundll32.exe
1212	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1916	FXSCOVER.exe
1916	FXSCOVER.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1612	RDVGHelper.exe
1612	RDVGHelper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1256

pid	process
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 1896	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1896	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1896	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1916	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1916	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1916	1256	FXSCOVER.exe
PID 1256 wrote to memory of 1392	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1392	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1392	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1612	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1612	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1612	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1528	1256	msdtc.exe
PID 1256 wrote to memory of 1528	1256	msdtc.exe
PID 1256 wrote to memory of 1528	1256	msdtc.exe
PID 1256 wrote to memory of 1828	1256	msdtc.exe
PID 1256 wrote to memory of 1828	1256	msdtc.exe
PID 1256 wrote to memory of 1828	1256	msdtc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\114c890f736efbfef6a5d5bfe69d10f3b98b5cf919b25536bff9dd7ba2738fc6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:1896

C:\Users\Admin\AppData\Local\WEzdyg\FXSCOVER.exe
C:\Users\Admin\AppData\Local\WEzdyg\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:1392

C:\Users\Admin\AppData\Local\y3IVej\RDVGHelper.exe
C:\Users\Admin\AppData\Local\y3IVej\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:1528

C:\Users\Admin\AppData\Local\3HWkk\msdtc.exe
C:\Users\Admin\AppData\Local\3HWkk\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3HWkk\VERSION.dll

MD5
e1c546151983578058b640fb8790d192

SHA1
3af44c708df0c48a5850d3486827bfe4f572a092

SHA256
6a0102271ac491c3110e3205db761d5cac53d02a076df8898301e868c5af06ae

SHA512
ba05b9528d81b195678679d54c409cd04cfd42d71f796ab1f3cbcde050cdf48cea7fddf019294c0dad218da88f627ecc63384cef9ea9f74c1dc30bc3e23d46ad

Download Submit
C:\Users\Admin\AppData\Local\3HWkk\msdtc.exe

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
C:\Users\Admin\AppData\Local\WEzdyg\FXSCOVER.exe

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
C:\Users\Admin\AppData\Local\WEzdyg\MFC42u.dll

MD5
77bb8287eb841dbcc410d8a75a6b4d20

SHA1
e6e4517de4baf86942eb2bad5360306b2153684c

SHA256
102582788b1335a1420b92b9346744488ce299195184731a73fc8f87d2f255ca

SHA512
b199d2fb85272e1c89f39007edbf5608c7a232399a597f08da2dc22827acbad6ec8d29894b9992b2c4fdacf109565657e49de677893dd67ad788b784298e689b

Download Submit
C:\Users\Admin\AppData\Local\y3IVej\RDVGHelper.exe

MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
C:\Users\Admin\AppData\Local\y3IVej\dwmapi.dll

MD5
1a440f4da5c307e6bca43bd9832d5ae1

SHA1
955f7cf246bc80da52c54d579af24e656341d1a9

SHA256
a04f32a839ad466314a67f10511c5ed5308ae8f24d455d5104b9344ddc9ac421

SHA512
3e2e3c7570175d8f58fe438b988ed2e49d8d6917861327d7bcbb85b067a7772ddd841fa5df3f56cac5a99d599ae325739185bd4b19600e38ab5b10f78b8a90db

Download Submit
\Users\Admin\AppData\Local\3HWkk\VERSION.dll

MD5
e1c546151983578058b640fb8790d192

SHA1
3af44c708df0c48a5850d3486827bfe4f572a092

SHA256
6a0102271ac491c3110e3205db761d5cac53d02a076df8898301e868c5af06ae

SHA512
ba05b9528d81b195678679d54c409cd04cfd42d71f796ab1f3cbcde050cdf48cea7fddf019294c0dad218da88f627ecc63384cef9ea9f74c1dc30bc3e23d46ad

Download Submit
\Users\Admin\AppData\Local\3HWkk\msdtc.exe

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
\Users\Admin\AppData\Local\WEzdyg\FXSCOVER.exe

MD5
5e2c61be8e093dbfe7fc37585be42869

SHA1
ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

SHA256
3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

SHA512
90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

Download Submit
\Users\Admin\AppData\Local\WEzdyg\MFC42u.dll

MD5
77bb8287eb841dbcc410d8a75a6b4d20

SHA1
e6e4517de4baf86942eb2bad5360306b2153684c

SHA256
102582788b1335a1420b92b9346744488ce299195184731a73fc8f87d2f255ca

SHA512
b199d2fb85272e1c89f39007edbf5608c7a232399a597f08da2dc22827acbad6ec8d29894b9992b2c4fdacf109565657e49de677893dd67ad788b784298e689b

Download Submit
\Users\Admin\AppData\Local\y3IVej\RDVGHelper.exe

MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
\Users\Admin\AppData\Local\y3IVej\dwmapi.dll

MD5
1a440f4da5c307e6bca43bd9832d5ae1

SHA1
955f7cf246bc80da52c54d579af24e656341d1a9

SHA256
a04f32a839ad466314a67f10511c5ed5308ae8f24d455d5104b9344ddc9ac421

SHA512
3e2e3c7570175d8f58fe438b988ed2e49d8d6917861327d7bcbb85b067a7772ddd841fa5df3f56cac5a99d599ae325739185bd4b19600e38ab5b10f78b8a90db

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\ZU37vgodW7\msdtc.exe

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
memory/1212-55-0x000007FEF6870000-0x000007FEF69F9000-memory.dmp

Filesize
1.5MB

Download
memory/1212-59-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1256-71-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-64-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-75-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-80-0x0000000077450000-0x0000000077452000-memory.dmp

Filesize
8KB

Download
memory/1256-66-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-60-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1256-67-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-68-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-69-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-61-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-62-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-65-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-70-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-74-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-72-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-73-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1256-63-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1612-97-0x000007FEF6870000-0x000007FEF69FA000-memory.dmp

Filesize
1.5MB

Download
memory/1612-93-0x0000000000000000-mapping.dmp

Download
memory/1828-102-0x0000000000000000-mapping.dmp

Download
memory/1828-106-0x000007FEF64F0000-0x000007FEF667A000-memory.dmp

Filesize
1.5MB

Download
memory/1916-88-0x000007FEFAD40000-0x000007FEFAED0000-memory.dmp

Filesize
1.6MB

Download
memory/1916-87-0x000000013F111000-0x000000013F113000-memory.dmp

Filesize
8KB

Download
memory/1916-86-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1916-82-0x0000000000000000-mapping.dmp

Download