dridex | 7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab

Analysis

max time kernel
153s
max time network
117s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab.dll
Size

1.4MB
MD5

915d143eb22a1278b9d2d56abe7d6fef
SHA1

32cb17ebd3a9da188a833c7f66f8018a3ad06b00
SHA256

7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab
SHA512

0c468fafedb26675d8c3d0dfaa30262f498b8c56b9d91f71e42b893e8e50aa5d05628cececb29285f773b4189edab83e659f8b3f736d8d3ab2aa8c48d7881d4e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1276-59-0x0000000002A90000-0x0000000002A91000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpclip.exeSystemPropertiesAdvanced.exesigverif.exe

pid process

1692 rdpclip.exe
1832 SystemPropertiesAdvanced.exe
920 sigverif.exe
Loads dropped DLL 7 IoCs

Processes:

rdpclip.exeSystemPropertiesAdvanced.exesigverif.exe

pid process

1276
1692 rdpclip.exe
1276
1832 SystemPropertiesAdvanced.exe
1276
920 sigverif.exe
1276

pid	process
1692	rdpclip.exe
1832	SystemPropertiesAdvanced.exe
920	sigverif.exe

pid	process
1276
1692	rdpclip.exe
1276
1832	SystemPropertiesAdvanced.exe
1276
920	sigverif.exe
1276

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\XoVD7TRyrP\\SystemPropertiesAdvanced.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exeSystemPropertiesAdvanced.exesigverif.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276
1276

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exerdpclip.exeSystemPropertiesAdvanced.exesigverif.exe

pid process

1980 rundll32.exe
1276
1692 rdpclip.exe
1832 SystemPropertiesAdvanced.exe
920 sigverif.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1276 wrote to memory of 1168	1276	rdpclip.exe
PID 1276 wrote to memory of 1168	1276	rdpclip.exe
PID 1276 wrote to memory of 1168	1276	rdpclip.exe
PID 1276 wrote to memory of 1692	1276	rdpclip.exe
PID 1276 wrote to memory of 1692	1276	rdpclip.exe
PID 1276 wrote to memory of 1692	1276	rdpclip.exe
PID 1276 wrote to memory of 1320	1276	SystemPropertiesAdvanced.exe
PID 1276 wrote to memory of 1320	1276	SystemPropertiesAdvanced.exe
PID 1276 wrote to memory of 1320	1276	SystemPropertiesAdvanced.exe
PID 1276 wrote to memory of 1832	1276	SystemPropertiesAdvanced.exe
PID 1276 wrote to memory of 1832	1276	SystemPropertiesAdvanced.exe
PID 1276 wrote to memory of 1832	1276	SystemPropertiesAdvanced.exe
PID 1276 wrote to memory of 1104	1276	sigverif.exe
PID 1276 wrote to memory of 1104	1276	sigverif.exe
PID 1276 wrote to memory of 1104	1276	sigverif.exe
PID 1276 wrote to memory of 920	1276	sigverif.exe
PID 1276 wrote to memory of 920	1276	sigverif.exe
PID 1276 wrote to memory of 920	1276	sigverif.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7818fc1e2f9e7df1ba5688ddc87f54b59b3e12c3d2c60393b50f9b56447ac2ab.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1980

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:1168

C:\Users\Admin\AppData\Local\En6rdp6\rdpclip.exe
C:\Users\Admin\AppData\Local\En6rdp6\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1692

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:1320

C:\Users\Admin\AppData\Local\jvBAPs3su\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\jvBAPs3su\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1832

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1104

C:\Users\Admin\AppData\Local\Bk1R8t\sigverif.exe
C:\Users\Admin\AppData\Local\Bk1R8t\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bk1R8t\VERSION.dll
MD5
50c0d4dc0cf6732f131114daef5929f0

SHA1
0ce2cacfc897d62a4f7a179c39f304b2a504bdf8

SHA256
ef353651870f12ad511d2ad4a8625c03cdd9204eaa03233d9e7c46e82ffe09c3

SHA512
25c03104258ddf870aecb03b8a71f3183f78b3e8cb55cc1f6578965f75e68ffaad64067350cdd9ed3a9bc6ada0b60cf71632be65f053781d443f6cf3eb48da39

Download Submit
C:\Users\Admin\AppData\Local\Bk1R8t\sigverif.exe
MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
C:\Users\Admin\AppData\Local\En6rdp6\WTSAPI32.dll
MD5
763faceb062a5c478b0fa6e4c83de7aa

SHA1
fd01e91dd8d5e749262f83c437cbf828b6486334

SHA256
8c3e8d6eeedbd77bba3a68b420cb69db2411f87bb84ea5a0450e9446440490a6

SHA512
087e3ab8528fbe85fe2bbd55ceed58c793df85368d259251a0b072203f9c2f93d5f2670baaa98994867637e1142f78a155ec71681ecc7bc0e21e5bc651395e68

Download Submit
C:\Users\Admin\AppData\Local\En6rdp6\rdpclip.exe
MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
C:\Users\Admin\AppData\Local\jvBAPs3su\SYSDM.CPL
MD5
905b23a43a47781170aed74e60def2c5

SHA1
92613067b862423ee63792c1fda136b67a03e0cf

SHA256
5c03ce340f49562016cd550167488a7107fa7aa8a60828d811fcd1a0e87d1199

SHA512
cae3d8972bbe132d3dec15a14a3ffdd5f67801dd727bd62cb2efea4e794caa5a2f04e4baa2bda3ccc29075fc5cb381f915cebeb7c701a848617bda3771eba5ca

Download Submit
C:\Users\Admin\AppData\Local\jvBAPs3su\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\Bk1R8t\VERSION.dll
MD5
50c0d4dc0cf6732f131114daef5929f0

SHA1
0ce2cacfc897d62a4f7a179c39f304b2a504bdf8

SHA256
ef353651870f12ad511d2ad4a8625c03cdd9204eaa03233d9e7c46e82ffe09c3

SHA512
25c03104258ddf870aecb03b8a71f3183f78b3e8cb55cc1f6578965f75e68ffaad64067350cdd9ed3a9bc6ada0b60cf71632be65f053781d443f6cf3eb48da39

Download Submit
\Users\Admin\AppData\Local\Bk1R8t\sigverif.exe
MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\En6rdp6\WTSAPI32.dll
MD5
763faceb062a5c478b0fa6e4c83de7aa

SHA1
fd01e91dd8d5e749262f83c437cbf828b6486334

SHA256
8c3e8d6eeedbd77bba3a68b420cb69db2411f87bb84ea5a0450e9446440490a6

SHA512
087e3ab8528fbe85fe2bbd55ceed58c793df85368d259251a0b072203f9c2f93d5f2670baaa98994867637e1142f78a155ec71681ecc7bc0e21e5bc651395e68

Download Submit
\Users\Admin\AppData\Local\En6rdp6\rdpclip.exe
MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Local\jvBAPs3su\SYSDM.CPL
MD5
905b23a43a47781170aed74e60def2c5

SHA1
92613067b862423ee63792c1fda136b67a03e0cf

SHA256
5c03ce340f49562016cd550167488a7107fa7aa8a60828d811fcd1a0e87d1199

SHA512
cae3d8972bbe132d3dec15a14a3ffdd5f67801dd727bd62cb2efea4e794caa5a2f04e4baa2bda3ccc29075fc5cb381f915cebeb7c701a848617bda3771eba5ca

Download Submit
\Users\Admin\AppData\Local\jvBAPs3su\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\1WpHHk\sigverif.exe
MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
memory/920-104-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/920-102-0x0000000000000000-mapping.dmp

Download
memory/1276-78-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-64-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-69-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-68-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-67-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-59-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1276-77-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-84-0x0000000077C40000-0x0000000077C42000-memory.dmp

Filesize
8KB

Download
memory/1276-60-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-71-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-72-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-73-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-74-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-61-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-75-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-62-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-76-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-66-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-65-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-70-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1276-63-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1692-90-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1692-86-0x0000000000000000-mapping.dmp

Download
memory/1832-94-0x0000000000000000-mapping.dmp

Download
memory/1980-55-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1980-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads