dridex | 4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35

Analysis

max time kernel
156s
max time network
137s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35.dll
Size

1.4MB
MD5

ec7196719cd7072437a15963ec474858
SHA1

371c3f1ace0a466b1da2ea4773966c3762602c72
SHA256

4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35
SHA512

e398d4295a42f215a1adce34107b5111df0c4b66b891b714ee572c6863921ed904b96c6873f143c3ae7ba9c6a5351a0e50a7d1834ae19d149ed8b95a86b1fa32

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1372-59-0x0000000002200000-0x0000000002201000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

icardagt.exeDxpserver.exemmc.exe

pid process

1840 icardagt.exe
1688 Dxpserver.exe
1752 mmc.exe
Loads dropped DLL 7 IoCs

Processes:

icardagt.exeDxpserver.exemmc.exe

pid process

1372
1840 icardagt.exe
1372
1688 Dxpserver.exe
1372
1752 mmc.exe
1372

pid	process
1840	icardagt.exe
1688	Dxpserver.exe
1752	mmc.exe

pid	process
1372
1840	icardagt.exe
1372
1688	Dxpserver.exe
1372
1752	mmc.exe
1372

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\5gYFgyzP\\DXPSER~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeicardagt.exeDxpserver.exemmc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1400	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372
1372

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeicardagt.exeDxpserver.exemmc.exe

pid process

1400 rundll32.exe
1372
1840 icardagt.exe
1688 Dxpserver.exe
1752 mmc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1372 wrote to memory of 1836	1372	icardagt.exe
PID 1372 wrote to memory of 1836	1372	icardagt.exe
PID 1372 wrote to memory of 1836	1372	icardagt.exe
PID 1372 wrote to memory of 1840	1372	icardagt.exe
PID 1372 wrote to memory of 1840	1372	icardagt.exe
PID 1372 wrote to memory of 1840	1372	icardagt.exe
PID 1372 wrote to memory of 1568	1372	Dxpserver.exe
PID 1372 wrote to memory of 1568	1372	Dxpserver.exe
PID 1372 wrote to memory of 1568	1372	Dxpserver.exe
PID 1372 wrote to memory of 1688	1372	Dxpserver.exe
PID 1372 wrote to memory of 1688	1372	Dxpserver.exe
PID 1372 wrote to memory of 1688	1372	Dxpserver.exe
PID 1372 wrote to memory of 1852	1372	mmc.exe
PID 1372 wrote to memory of 1852	1372	mmc.exe
PID 1372 wrote to memory of 1852	1372	mmc.exe
PID 1372 wrote to memory of 1752	1372	mmc.exe
PID 1372 wrote to memory of 1752	1372	mmc.exe
PID 1372 wrote to memory of 1752	1372	mmc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e16c7179564c280431462f14d51eb4da50bbc1524b4961b289a0ad0fb96ed35.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1400

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:1836

C:\Users\Admin\AppData\Local\0wWqXYBS\icardagt.exe
C:\Users\Admin\AppData\Local\0wWqXYBS\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1840

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\78st\Dxpserver.exe
C:\Users\Admin\AppData\Local\78st\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1688

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:1852

C:\Users\Admin\AppData\Local\Iq0qcng\mmc.exe
C:\Users\Admin\AppData\Local\Iq0qcng\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1752

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0wWqXYBS\VERSION.dll
MD5
072c3f6de6c89a4343abef8d0f464abb

SHA1
3dd1fa9bf4ce54ecab4da5f30639be6a7ff3b8eb

SHA256
2306d6469c64554d849f763deca2d35f07916a0671d6c9f943e29f7695ae56ef

SHA512
3c87f767717dd2a31b0a919f00af94622e8501c35eb0e05d074a8c59841fe1c68632dd325e76f7a921587c2453fd20282bc7cd6f10223e8bf32547fcd9072c67

Download Submit
C:\Users\Admin\AppData\Local\0wWqXYBS\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
C:\Users\Admin\AppData\Local\78st\Dxpserver.exe
MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
C:\Users\Admin\AppData\Local\78st\dwmapi.dll
MD5
147ef5ba6e09c0823ad4543226502a6a

SHA1
53267e839802de95a76971b3e6f4d87ebadb1ded

SHA256
6498491fab9478e1ed5e398f1e6c553bcb6447fd7985bb0de8d55022679e89f9

SHA512
35e260dc8953ac44e3c39e7881c53c0ed1860613d39c90902a034dbfc1665f2674e134e180cf217943d2bb5c0a8c44307a803d259161f4f5397fd8d8228d99b8

Download Submit
C:\Users\Admin\AppData\Local\Iq0qcng\MFC42u.dll
MD5
5e9c8a662a3ad4a84b0495ba806cf896

SHA1
0cc78e1fda33e736c8e89ee4fc26dd67f242a647

SHA256
aa4b93bcf41f2c1650b3f27c690756ed55d9688572a8ab15592e36af8d7c7cc8

SHA512
d493424cd8c168951dc005e99087b4672155b788783462d4fa404bf377a6588442e65c1494ee7d8b9eab0dab8233863c5b9e4608320aa0b64790608b6f2459fb

Download Submit
C:\Users\Admin\AppData\Local\Iq0qcng\mmc.exe
MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
\Users\Admin\AppData\Local\0wWqXYBS\VERSION.dll
MD5
072c3f6de6c89a4343abef8d0f464abb

SHA1
3dd1fa9bf4ce54ecab4da5f30639be6a7ff3b8eb

SHA256
2306d6469c64554d849f763deca2d35f07916a0671d6c9f943e29f7695ae56ef

SHA512
3c87f767717dd2a31b0a919f00af94622e8501c35eb0e05d074a8c59841fe1c68632dd325e76f7a921587c2453fd20282bc7cd6f10223e8bf32547fcd9072c67

Download Submit
\Users\Admin\AppData\Local\0wWqXYBS\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\78st\Dxpserver.exe
MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\78st\dwmapi.dll
MD5
147ef5ba6e09c0823ad4543226502a6a

SHA1
53267e839802de95a76971b3e6f4d87ebadb1ded

SHA256
6498491fab9478e1ed5e398f1e6c553bcb6447fd7985bb0de8d55022679e89f9

SHA512
35e260dc8953ac44e3c39e7881c53c0ed1860613d39c90902a034dbfc1665f2674e134e180cf217943d2bb5c0a8c44307a803d259161f4f5397fd8d8228d99b8

Download Submit
\Users\Admin\AppData\Local\Iq0qcng\MFC42u.dll
MD5
5e9c8a662a3ad4a84b0495ba806cf896

SHA1
0cc78e1fda33e736c8e89ee4fc26dd67f242a647

SHA256
aa4b93bcf41f2c1650b3f27c690756ed55d9688572a8ab15592e36af8d7c7cc8

SHA512
d493424cd8c168951dc005e99087b4672155b788783462d4fa404bf377a6588442e65c1494ee7d8b9eab0dab8233863c5b9e4608320aa0b64790608b6f2459fb

Download Submit
\Users\Admin\AppData\Local\Iq0qcng\mmc.exe
MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\QPo\mmc.exe
MD5
9fea051a9585f2a303d55745b4bf63aa

SHA1
f5dc12d658402900a2b01af2f018d113619b96b8

SHA256
b212e59e4c7fe77f6f189138d9d8b151e50eb83a35d6eadfb1e4bb0b4262c484

SHA512
beba79f0b6710929871fbdf378d3c0a41f230ac30cbfa87173f7b77c35e06425f48db42ed3b16d5d9bcb7ef0098dffcd0d2947da8fb7ec1136ea62205f1afc76

Download Submit
memory/1372-77-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-74-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-71-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-69-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-67-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-66-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-65-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-64-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-63-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-61-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-60-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-86-0x00000000772D0000-0x00000000772D2000-memory.dmp

Filesize
8KB

Download
memory/1372-73-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-75-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-59-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/1372-62-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-78-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-68-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-79-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-80-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-70-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-76-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1372-72-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1400-55-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1400-58-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1688-97-0x0000000000000000-mapping.dmp

Download
memory/1752-105-0x0000000000000000-mapping.dmp

Download
memory/1752-109-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1840-90-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download
memory/1840-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads