dridex | 5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19

Analysis

max time kernel
153s
max time network
119s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19.dll
Size

1.4MB
MD5

da2840fc190af8a35f974ccabd4d3b5b
SHA1

8a6dd71bd4586434e68fe7e2f408d2927f3ab17b
SHA256

5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19
SHA512

edac6848add5a121bdfc32c7ceac74a9bd0824a81f078f04be213e531d0b66c773507d124aa2e877194997a3e688e41c0a1fd778133ab277897718bb02871fe3

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1272-61-0x0000000002A60000-0x0000000002A61000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

irftp.exeosk.exeTpmInit.exe

pid process

1456 irftp.exe
1616 osk.exe
1688 TpmInit.exe
Loads dropped DLL 7 IoCs

Processes:

irftp.exeosk.exeTpmInit.exe

pid process

1272
1456 irftp.exe
1272
1616 osk.exe
1272
1688 TpmInit.exe
1272

pid	process
1456	irftp.exe
1616	osk.exe
1688	TpmInit.exe

pid	process
1272
1456	irftp.exe
1272
1616	osk.exe
1272
1688	TpmInit.exe
1272

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xAn\\osk.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

irftp.exeosk.exeTpmInit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeirftp.exeosk.exe

pid	process
660	regsvr32.exe
660	regsvr32.exe
660	regsvr32.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1456	irftp.exe
1456	irftp.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1616	osk.exe
1616	osk.exe
1272
1272
1272
1272

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1272

pid	process
1272

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1272 wrote to memory of 1236	1272	irftp.exe
PID 1272 wrote to memory of 1236	1272	irftp.exe
PID 1272 wrote to memory of 1236	1272	irftp.exe
PID 1272 wrote to memory of 1456	1272	irftp.exe
PID 1272 wrote to memory of 1456	1272	irftp.exe
PID 1272 wrote to memory of 1456	1272	irftp.exe
PID 1272 wrote to memory of 1280	1272	osk.exe
PID 1272 wrote to memory of 1280	1272	osk.exe
PID 1272 wrote to memory of 1280	1272	osk.exe
PID 1272 wrote to memory of 1616	1272	osk.exe
PID 1272 wrote to memory of 1616	1272	osk.exe
PID 1272 wrote to memory of 1616	1272	osk.exe
PID 1272 wrote to memory of 1968	1272	TpmInit.exe
PID 1272 wrote to memory of 1968	1272	TpmInit.exe
PID 1272 wrote to memory of 1968	1272	TpmInit.exe
PID 1272 wrote to memory of 1688	1272	TpmInit.exe
PID 1272 wrote to memory of 1688	1272	TpmInit.exe
PID 1272 wrote to memory of 1688	1272	TpmInit.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5ab7f5960a2652821f3477d035336e8af6c7e2b667e57149b4be94a6fac10e19.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:660

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:1236

C:\Users\Admin\AppData\Local\Va8an\irftp.exe
C:\Users\Admin\AppData\Local\Va8an\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:1280

C:\Users\Admin\AppData\Local\KEG\osk.exe
C:\Users\Admin\AppData\Local\KEG\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:1968

C:\Users\Admin\AppData\Local\L8u1q\TpmInit.exe
C:\Users\Admin\AppData\Local\L8u1q\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KEG\DUser.dll
MD5
5dd31c7366894163a18f9fe6dc67787b

SHA1
efe8a783f22fefb85fadd77d6c8de8a88e86e32f

SHA256
6932f736e82736d4eb37abf88221e19c10c65c93c13e05994e08b0d47d4f68a6

SHA512
a76e111530a25abeac9f63076351372eb8fef879e18d0b5d16520353a9f0493633764981e658e77594a624f0d626fb90850a58ef25378eb72d381d23219434de

Download Submit
C:\Users\Admin\AppData\Local\KEG\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
C:\Users\Admin\AppData\Local\L8u1q\Secur32.dll
MD5
afd82beac6464c86441837e9daa2f189

SHA1
04cc4fe695ed2409d115f533b174aa6044925813

SHA256
a0dff4baf1279592a55c0b15287c1db944b610364ac9d58f2db6e14fcc609a94

SHA512
ba4a9ea4acad2a65e8c56a14da1b578b1b5fce2a9ab4f3f2d68a75962e6c3d43421cc2bb7c3b7791e133f56263c7b826035c3b8593887817e1df57e33b65a4fd

Download Submit
C:\Users\Admin\AppData\Local\L8u1q\TpmInit.exe
MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
C:\Users\Admin\AppData\Local\Va8an\WINMM.dll
MD5
950f3107e156402257d6c6b51f1db96d

SHA1
4fae03c8f8ec123dc3ba9e1343abc7f014449b28

SHA256
24321b5e6a940c706401ea395c42d021e1e74dec5ae19974eb8215015b45d660

SHA512
a1d2a7536157e458d85f52e37b0e0e5b6364b49b10717a967a16be665ec2b26b0ec516b0e0e7b45d4d1cc7b0d18da548d429c459933aa961d6605899755a94d5

Download Submit
C:\Users\Admin\AppData\Local\Va8an\irftp.exe
MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\KEG\DUser.dll
MD5
5dd31c7366894163a18f9fe6dc67787b

SHA1
efe8a783f22fefb85fadd77d6c8de8a88e86e32f

SHA256
6932f736e82736d4eb37abf88221e19c10c65c93c13e05994e08b0d47d4f68a6

SHA512
a76e111530a25abeac9f63076351372eb8fef879e18d0b5d16520353a9f0493633764981e658e77594a624f0d626fb90850a58ef25378eb72d381d23219434de

Download Submit
\Users\Admin\AppData\Local\KEG\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\L8u1q\Secur32.dll
MD5
afd82beac6464c86441837e9daa2f189

SHA1
04cc4fe695ed2409d115f533b174aa6044925813

SHA256
a0dff4baf1279592a55c0b15287c1db944b610364ac9d58f2db6e14fcc609a94

SHA512
ba4a9ea4acad2a65e8c56a14da1b578b1b5fce2a9ab4f3f2d68a75962e6c3d43421cc2bb7c3b7791e133f56263c7b826035c3b8593887817e1df57e33b65a4fd

Download Submit
\Users\Admin\AppData\Local\L8u1q\TpmInit.exe
MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\Va8an\WINMM.dll
MD5
950f3107e156402257d6c6b51f1db96d

SHA1
4fae03c8f8ec123dc3ba9e1343abc7f014449b28

SHA256
24321b5e6a940c706401ea395c42d021e1e74dec5ae19974eb8215015b45d660

SHA512
a1d2a7536157e458d85f52e37b0e0e5b6364b49b10717a967a16be665ec2b26b0ec516b0e0e7b45d4d1cc7b0d18da548d429c459933aa961d6605899755a94d5

Download Submit
\Users\Admin\AppData\Local\Va8an\irftp.exe
MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Extensions\pA\TpmInit.exe
MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
memory/660-55-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download
memory/660-60-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/660-56-0x000007FEF6820000-0x000007FEF697A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-63-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-72-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-76-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-85-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-84-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-83-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-82-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-81-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-80-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-79-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-78-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-77-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-87-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-86-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-88-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-93-0x00000000773B0000-0x00000000773B2000-memory.dmp

Filesize
8KB

Download
memory/1272-74-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-75-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-61-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/1272-73-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-62-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-71-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-64-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-70-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-65-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-66-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-67-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-69-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1272-68-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1456-99-0x000007FEF6540000-0x000007FEF669C000-memory.dmp

Filesize
1.4MB

Download
memory/1456-95-0x0000000000000000-mapping.dmp

Download
memory/1616-108-0x000007FEF6820000-0x000007FEF697B000-memory.dmp

Filesize
1.4MB

Download
memory/1616-104-0x0000000000000000-mapping.dmp

Download
memory/1688-113-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads