dridex | c3d5f929965ae352fcc0342db1174af2f23ca00d95e60011572f14ca7eefd87c

Analysis

max time kernel
153s
max time network
126s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3d5f929965ae352fcc0342db1174af2f23ca00d95e60011572f14ca7eefd87c.dll
Size

1.4MB
MD5

5ac689f9ccb4c602698c05dfb0714eb3
SHA1

dbd1d5a444c921826c7bd0aabb33f4d24a48146d
SHA256

c3d5f929965ae352fcc0342db1174af2f23ca00d95e60011572f14ca7eefd87c
SHA512

2707ca4cca0d886cfc5c4a09826afd0c4880914648bda1a912955a8935a0ad892827d64fe80440f171725f8a8e1f2de6d7fa44eac2c60d38b6b50e5149f7ed26

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1212-59-0x0000000002B10000-0x0000000002B11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpinit.exeicardagt.exeDisplaySwitch.exe

pid process

1136 rdpinit.exe
848 icardagt.exe
1632 DisplaySwitch.exe
Loads dropped DLL 7 IoCs

Processes:

rdpinit.exeicardagt.exeDisplaySwitch.exe

pid process

1212
1136 rdpinit.exe
1212
848 icardagt.exe
1212
1632 DisplaySwitch.exe
1212

pid	process
1136	rdpinit.exe
848	icardagt.exe
1632	DisplaySwitch.exe

pid	process
1212
1136	rdpinit.exe
1212
848	icardagt.exe
1212
1632	DisplaySwitch.exe
1212

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\viMyJFyCN\\icardagt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DisplaySwitch.exerundll32.exerdpinit.exeicardagt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
324	rundll32.exe
324	rundll32.exe
324	rundll32.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exerdpinit.exeicardagt.exeDisplaySwitch.exe

pid process

324 rundll32.exe
1212
1136 rdpinit.exe
848 icardagt.exe
1632 DisplaySwitch.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1212 wrote to memory of 1316	1212	rdpinit.exe
PID 1212 wrote to memory of 1316	1212	rdpinit.exe
PID 1212 wrote to memory of 1316	1212	rdpinit.exe
PID 1212 wrote to memory of 1136	1212	rdpinit.exe
PID 1212 wrote to memory of 1136	1212	rdpinit.exe
PID 1212 wrote to memory of 1136	1212	rdpinit.exe
PID 1212 wrote to memory of 1780	1212	icardagt.exe
PID 1212 wrote to memory of 1780	1212	icardagt.exe
PID 1212 wrote to memory of 1780	1212	icardagt.exe
PID 1212 wrote to memory of 848	1212	icardagt.exe
PID 1212 wrote to memory of 848	1212	icardagt.exe
PID 1212 wrote to memory of 848	1212	icardagt.exe
PID 1212 wrote to memory of 1388	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 1388	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 1388	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 1632	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 1632	1212	DisplaySwitch.exe
PID 1212 wrote to memory of 1632	1212	DisplaySwitch.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3d5f929965ae352fcc0342db1174af2f23ca00d95e60011572f14ca7eefd87c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:324

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1316

C:\Users\Admin\AppData\Local\KqmCvXmiq\rdpinit.exe
C:\Users\Admin\AppData\Local\KqmCvXmiq\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1136

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:1780

C:\Users\Admin\AppData\Local\2CiaCv\icardagt.exe
C:\Users\Admin\AppData\Local\2CiaCv\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:848

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1388

C:\Users\Admin\AppData\Local\OZOB\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\OZOB\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1632

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2CiaCv\VERSION.dll
MD5
0694a6f19084efcee4242d69b7ef71b7

SHA1
56d9e49522672b7dc2fa3c9623d1c658123497e9

SHA256
710c306c3a262d95181451f6a386f79c6d55a466bc6f03505c9cc7d675c78640

SHA512
b982ce87c144e548978553e610f3236f5d940db6df0251a35c5ea6cd84fbbb9a37c63970f3c6430cdc0ea0edf0800703562fc69fde10e7120ab64e0ed79472d7

Download Submit
C:\Users\Admin\AppData\Local\2CiaCv\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
C:\Users\Admin\AppData\Local\KqmCvXmiq\rdpinit.exe
MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
C:\Users\Admin\AppData\Local\KqmCvXmiq\slc.dll
MD5
c18916a63efbb2ef9e58cd8c10cd9c12

SHA1
353b3b143e1eaf51a92e01f1ba3f89c3786cc76d

SHA256
451e94ed263f0762be0db145107f74dedff187a63ac55ccad4ab7bb47fc0c2ad

SHA512
cf3b36c76113a131dbf310394c344607d62ed3c62716070bbf7f952c0fb6da1c9c34ed4f9e3182c21c635d1edc1da56a711fdfdf460aa1852558ca7862c4014e

Download Submit
C:\Users\Admin\AppData\Local\OZOB\DisplaySwitch.exe
MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
C:\Users\Admin\AppData\Local\OZOB\slc.dll
MD5
637e893951807b48a8993540a5f015d5

SHA1
55bfe9b4e16935b9f583d7f5841cd50703de12e6

SHA256
0a8504b7506eb58e59c1c1a6b907700b8ab1d5a14ef07a043b108fcd68c64576

SHA512
8ec41e182bf1fcdd30ab7d509d29cb114ad0b8c64ed82674fc290bda38d9dbb6121095b357d646a66a822be820c5a428a3df468eb3b6e1cd69a9655b11b79724

Download Submit
\Users\Admin\AppData\Local\2CiaCv\VERSION.dll
MD5
0694a6f19084efcee4242d69b7ef71b7

SHA1
56d9e49522672b7dc2fa3c9623d1c658123497e9

SHA256
710c306c3a262d95181451f6a386f79c6d55a466bc6f03505c9cc7d675c78640

SHA512
b982ce87c144e548978553e610f3236f5d940db6df0251a35c5ea6cd84fbbb9a37c63970f3c6430cdc0ea0edf0800703562fc69fde10e7120ab64e0ed79472d7

Download Submit
\Users\Admin\AppData\Local\2CiaCv\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\KqmCvXmiq\rdpinit.exe
MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\KqmCvXmiq\slc.dll
MD5
c18916a63efbb2ef9e58cd8c10cd9c12

SHA1
353b3b143e1eaf51a92e01f1ba3f89c3786cc76d

SHA256
451e94ed263f0762be0db145107f74dedff187a63ac55ccad4ab7bb47fc0c2ad

SHA512
cf3b36c76113a131dbf310394c344607d62ed3c62716070bbf7f952c0fb6da1c9c34ed4f9e3182c21c635d1edc1da56a711fdfdf460aa1852558ca7862c4014e

Download Submit
\Users\Admin\AppData\Local\OZOB\DisplaySwitch.exe
MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
\Users\Admin\AppData\Local\OZOB\slc.dll
MD5
637e893951807b48a8993540a5f015d5

SHA1
55bfe9b4e16935b9f583d7f5841cd50703de12e6

SHA256
0a8504b7506eb58e59c1c1a6b907700b8ab1d5a14ef07a043b108fcd68c64576

SHA512
8ec41e182bf1fcdd30ab7d509d29cb114ad0b8c64ed82674fc290bda38d9dbb6121095b357d646a66a822be820c5a428a3df468eb3b6e1cd69a9655b11b79724

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\hsk2B5fCU\DisplaySwitch.exe
MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
memory/324-55-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/324-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/848-91-0x0000000000000000-mapping.dmp

Download
memory/848-93-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download
memory/1136-87-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1136-83-0x0000000000000000-mapping.dmp

Download
memory/1212-66-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-71-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-67-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-68-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-69-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-73-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-74-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-75-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-70-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-81-0x0000000077690000-0x0000000077692000-memory.dmp

Filesize
8KB

Download
memory/1212-72-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-65-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-64-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-63-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-59-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1212-62-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-61-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1212-60-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1632-100-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads