dridex | 28cdb76bf1b90ef6b5e8ef101b419f5cb02b74bd3bfd2a4ca348b8402b0d2425

Analysis

max time kernel
152s
max time network
124s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28cdb76bf1b90ef6b5e8ef101b419f5cb02b74bd3bfd2a4ca348b8402b0d2425.dll
Size

1.4MB
MD5

94ea5ec1d6e2773e4b1ac030ea8fb7f7
SHA1

e5b45a82aaba3716c3d62997052a874b586c0fe5
SHA256

28cdb76bf1b90ef6b5e8ef101b419f5cb02b74bd3bfd2a4ca348b8402b0d2425
SHA512

1bc71c9f32855356a94a9f85defd08814b26db562227e3286e39863d2f55856087777408a56de7ce98946edd4f8454ef954231aac12225ae6fb58da75d392352

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1400-59-0x0000000002570000-0x0000000002571000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

OptionalFeatures.exewextract.exedvdupgrd.exe

pid process

1476 OptionalFeatures.exe
916 wextract.exe
1720 dvdupgrd.exe
Loads dropped DLL 7 IoCs

Processes:

OptionalFeatures.exewextract.exedvdupgrd.exe

pid process

1400
1476 OptionalFeatures.exe
1400
916 wextract.exe
1400
1720 dvdupgrd.exe
1400

pid	process
1476	OptionalFeatures.exe
916	wextract.exe
1720	dvdupgrd.exe

pid	process
1400
1476	OptionalFeatures.exe
1400
916	wextract.exe
1400
1720	dvdupgrd.exe
1400

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\WZn6j\\wextract.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeOptionalFeatures.exewextract.exedvdupgrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dvdupgrd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1772	rundll32.exe
1772	rundll32.exe
1772	rundll32.exe
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400
1400

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeOptionalFeatures.exewextract.exedvdupgrd.exe

pid process

1772 rundll32.exe
1400
1476 OptionalFeatures.exe
916 wextract.exe
1720 dvdupgrd.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1400 wrote to memory of 1060	1400	OptionalFeatures.exe
PID 1400 wrote to memory of 1060	1400	OptionalFeatures.exe
PID 1400 wrote to memory of 1060	1400	OptionalFeatures.exe
PID 1400 wrote to memory of 1476	1400	OptionalFeatures.exe
PID 1400 wrote to memory of 1476	1400	OptionalFeatures.exe
PID 1400 wrote to memory of 1476	1400	OptionalFeatures.exe
PID 1400 wrote to memory of 1524	1400	wextract.exe
PID 1400 wrote to memory of 1524	1400	wextract.exe
PID 1400 wrote to memory of 1524	1400	wextract.exe
PID 1400 wrote to memory of 916	1400	wextract.exe
PID 1400 wrote to memory of 916	1400	wextract.exe
PID 1400 wrote to memory of 916	1400	wextract.exe
PID 1400 wrote to memory of 1852	1400	dvdupgrd.exe
PID 1400 wrote to memory of 1852	1400	dvdupgrd.exe
PID 1400 wrote to memory of 1852	1400	dvdupgrd.exe
PID 1400 wrote to memory of 1720	1400	dvdupgrd.exe
PID 1400 wrote to memory of 1720	1400	dvdupgrd.exe
PID 1400 wrote to memory of 1720	1400	dvdupgrd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\28cdb76bf1b90ef6b5e8ef101b419f5cb02b74bd3bfd2a4ca348b8402b0d2425.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1772

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:1060

C:\Users\Admin\AppData\Local\tWXLj\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\tWXLj\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1476

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:1524

C:\Users\Admin\AppData\Local\5E8a6R4Ro\wextract.exe
C:\Users\Admin\AppData\Local\5E8a6R4Ro\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:916

C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
1⤵
PID:1852

C:\Users\Admin\AppData\Local\Gh4\dvdupgrd.exe
C:\Users\Admin\AppData\Local\Gh4\dvdupgrd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1720

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5E8a6R4Ro\VERSION.dll
MD5
5005b57b17b425eba9363e08d49fa6c7

SHA1
09a2d12f2ecfb7be2ec50db2518a15a5b4d166a3

SHA256
fb6d3c7df67da482807ddf40ce4a7c3e2a94eff5a2cabe154a007719f42f01c1

SHA512
d37456b38b5c2f0b09432294945d46edbae56b1a495cfdd2543af86fc8bf3302404e91cbd9c30c3164a5f4a67d2c35fcee6ff2e060d4a4a8d9874c567ce3b79c

Download Submit
C:\Users\Admin\AppData\Local\5E8a6R4Ro\wextract.exe
MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
C:\Users\Admin\AppData\Local\Gh4\VERSION.dll
MD5
01256c95df98e2f0110ef7c0348e4ccf

SHA1
0ecfce7b972291f9a995b9af374ef29500d88c15

SHA256
9e9b2761154d2d9a7f9b83f2f8a4ea55fdb26600ef299ff5fdd32b9be204764b

SHA512
b71e18249494ea9daaf3071562c8bc28f94698c763d3fd7e39696583edcb872204b5b47220eb1c07f1fd0de68b878ad7058de248b792900c95550ae04b5030c0

Download Submit
C:\Users\Admin\AppData\Local\Gh4\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
C:\Users\Admin\AppData\Local\tWXLj\OptionalFeatures.exe
MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
C:\Users\Admin\AppData\Local\tWXLj\appwiz.cpl
MD5
350b1e51fc7b009fbf90d80b514730af

SHA1
466ac506c1e4415c66b40720d09cd119836df90f

SHA256
49139b7bcbb804d0357c804254fe3f191babe70bc57e3d72673f20faf0e7d1b1

SHA512
3ba47f72885c218d0e23a476a4ac8946c2b4fa6ca75d38fbb6800840bcb000b4ed15961d55d362b3f47f2ab567b39ef8db1e12a423d5973909baa7911ed70b33

Download Submit
\Users\Admin\AppData\Local\5E8a6R4Ro\VERSION.dll
MD5
5005b57b17b425eba9363e08d49fa6c7

SHA1
09a2d12f2ecfb7be2ec50db2518a15a5b4d166a3

SHA256
fb6d3c7df67da482807ddf40ce4a7c3e2a94eff5a2cabe154a007719f42f01c1

SHA512
d37456b38b5c2f0b09432294945d46edbae56b1a495cfdd2543af86fc8bf3302404e91cbd9c30c3164a5f4a67d2c35fcee6ff2e060d4a4a8d9874c567ce3b79c

Download Submit
\Users\Admin\AppData\Local\5E8a6R4Ro\wextract.exe
MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
\Users\Admin\AppData\Local\Gh4\VERSION.dll
MD5
01256c95df98e2f0110ef7c0348e4ccf

SHA1
0ecfce7b972291f9a995b9af374ef29500d88c15

SHA256
9e9b2761154d2d9a7f9b83f2f8a4ea55fdb26600ef299ff5fdd32b9be204764b

SHA512
b71e18249494ea9daaf3071562c8bc28f94698c763d3fd7e39696583edcb872204b5b47220eb1c07f1fd0de68b878ad7058de248b792900c95550ae04b5030c0

Download Submit
\Users\Admin\AppData\Local\Gh4\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
\Users\Admin\AppData\Local\tWXLj\OptionalFeatures.exe
MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\tWXLj\appwiz.cpl
MD5
350b1e51fc7b009fbf90d80b514730af

SHA1
466ac506c1e4415c66b40720d09cd119836df90f

SHA256
49139b7bcbb804d0357c804254fe3f191babe70bc57e3d72673f20faf0e7d1b1

SHA512
3ba47f72885c218d0e23a476a4ac8946c2b4fa6ca75d38fbb6800840bcb000b4ed15961d55d362b3f47f2ab567b39ef8db1e12a423d5973909baa7911ed70b33

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Acrobat\YGrckTV\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
memory/916-100-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

Filesize
8KB

Download
memory/916-98-0x0000000000000000-mapping.dmp

Download
memory/1400-68-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-70-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-74-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-75-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-76-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-77-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-78-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-79-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-80-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-81-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-82-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-88-0x0000000077710000-0x0000000077712000-memory.dmp

Filesize
8KB

Download
memory/1400-72-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-59-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1400-71-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-73-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-69-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-60-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-61-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-67-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-66-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-65-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-64-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-63-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1400-62-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1476-94-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/1476-90-0x0000000000000000-mapping.dmp

Download
memory/1720-107-0x0000000000000000-mapping.dmp

Download
memory/1772-55-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1772-58-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads