dridex | c3d5f929965ae352fcc0342db1174af2f23ca00d95e60011572f14ca7eefd87c

Analysis

max time kernel
151s
max time network
123s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3d5f929965ae352fcc0342db1174af2f23ca00d95e60011572f14ca7eefd87c.dll
Size

1.4MB
MD5

5ac689f9ccb4c602698c05dfb0714eb3
SHA1

dbd1d5a444c921826c7bd0aabb33f4d24a48146d
SHA256

c3d5f929965ae352fcc0342db1174af2f23ca00d95e60011572f14ca7eefd87c
SHA512

2707ca4cca0d886cfc5c4a09826afd0c4880914648bda1a912955a8935a0ad892827d64fe80440f171725f8a8e1f2de6d7fa44eac2c60d38b6b50e5149f7ed26

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3056-124-0x00000000001B0000-0x00000000001B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpinput.exeDeviceEnroller.exedpapimig.exe

pid process

4376 rdpinput.exe
4332 DeviceEnroller.exe
4452 dpapimig.exe
Loads dropped DLL 3 IoCs

Processes:

rdpinput.exeDeviceEnroller.exedpapimig.exe

pid process

4376 rdpinput.exe
4332 DeviceEnroller.exe
4452 dpapimig.exe

pid	process
4376	rdpinput.exe
4332	DeviceEnroller.exe
4452	dpapimig.exe

pid	process
4376	rdpinput.exe
4332	DeviceEnroller.exe
4452	dpapimig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\NfBdn\\DeviceEnroller.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinput.exeDeviceEnroller.exedpapimig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3588	rundll32.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exerdpinput.exeDeviceEnroller.exedpapimig.exe

pid process

3588 rundll32.exe
3056
4376 rdpinput.exe
4332 DeviceEnroller.exe
4452 dpapimig.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3056 wrote to memory of 1800	3056	rdpinput.exe
PID 3056 wrote to memory of 1800	3056	rdpinput.exe
PID 3056 wrote to memory of 4376	3056	rdpinput.exe
PID 3056 wrote to memory of 4376	3056	rdpinput.exe
PID 3056 wrote to memory of 4344	3056	DeviceEnroller.exe
PID 3056 wrote to memory of 4344	3056	DeviceEnroller.exe
PID 3056 wrote to memory of 4332	3056	DeviceEnroller.exe
PID 3056 wrote to memory of 4332	3056	DeviceEnroller.exe
PID 3056 wrote to memory of 800	3056	dpapimig.exe
PID 3056 wrote to memory of 800	3056	dpapimig.exe
PID 3056 wrote to memory of 4452	3056	dpapimig.exe
PID 3056 wrote to memory of 4452	3056	dpapimig.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3d5f929965ae352fcc0342db1174af2f23ca00d95e60011572f14ca7eefd87c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:3588

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:1800

C:\Users\Admin\AppData\Local\vZdf\rdpinput.exe
C:\Users\Admin\AppData\Local\vZdf\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:4376

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:4344

C:\Users\Admin\AppData\Local\dWCP\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\dWCP\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:4332

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:800

C:\Users\Admin\AppData\Local\GTdhE6\dpapimig.exe
C:\Users\Admin\AppData\Local\GTdhE6\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:4452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GTdhE6\DUI70.dll
MD5
a244cb4241ade00e29179f39a3425476

SHA1
2c1c4bcb97099000121c03404fe6ba5a5082b024

SHA256
5345dea366f72be1f751a9cda9327e3e626ad4eac39db1b0ce7618ad297be7a2

SHA512
7849ba975f957ee125c60d55926f80a5c5e81ab3219f9b146bbce771ff61d61deb131e04fc825c8f305c5defd3cda639772b4276c770f19db5cf393bec0e199e

Download Submit
C:\Users\Admin\AppData\Local\GTdhE6\dpapimig.exe
MD5
a210dd05d1e941a1ec04b134f39ef036

SHA1
86b5493ecf8f456ae56ede4b013b934b892572e0

SHA256
3912f380049e362ca875ccb4fe064621197f0df999b35c593de382cf0c852988

SHA512
9648ed1088af13717479f4739ecdfd604b463582fe3a9db43761b446c61e93856309fd1f8c993962d426af566497b9c8f7eaa3a5af069a7a0f8fde8424111bf8

Download Submit
C:\Users\Admin\AppData\Local\dWCP\DeviceEnroller.exe
MD5
bd732a3a065f5cca6df003a7ca78bb35

SHA1
449d027d933fdd530a6a27d7c2132f98ee56374a

SHA256
fd5f32939c8de2d80a6f2481268313b5151c21c474c61635c92d2b8ea436955e

SHA512
d1cd727841522be31e979484cdea467501693e1a3bab2fabc72510c73698353c960f7d2c16be9a4406d804da2b2ad7da58827a630f9616ebe296cae481103701

Download Submit
C:\Users\Admin\AppData\Local\dWCP\XmlLite.dll
MD5
b0f6e116911dd1a91a2c1729837b4ba9

SHA1
14b513f21b303de109be1254c20e28ccc3f1c89e

SHA256
ef11ef8ca47376289414ed20b2d8eda5683041ca80267b35cc015e75a7b5cf50

SHA512
ce914e832b7ca68ee3a46d1de8bff9303595f4227faad15fb6ef2fdfd2ea96f5560d79a7a1ebf7b9069a976d4a6cd20be937e597e21aa960966b8e8f0608c3d3

Download Submit
C:\Users\Admin\AppData\Local\vZdf\WTSAPI32.dll
MD5
35ffab0db449332dbc7be497765c72f5

SHA1
67504c09df123172739ced20fff34ee69ec9413c

SHA256
9f3f6b693094af1c39a5178ed18154ebeba829eca92bf5df0b39d83b79b42d5c

SHA512
06c9508b4081cee91fc33e529fd88ccadf7ca9b4b55d8b33918dbb8d981c89a5cae6a353dd1c5e090d2e3e282ccd72953f4d207721c40c90e1869975eecd73a3

Download Submit
C:\Users\Admin\AppData\Local\vZdf\rdpinput.exe
MD5
431364c49991ebfea19b468020368e08

SHA1
c36c8a01ccd17b8ec754fe92d1e03558bb3f05ac

SHA256
6c59ea8b7807d9cc9de5c67cf679a1fb1bed4629da1f0a071e03af775de8e4fc

SHA512
6b2baeb9abc1277fef874ead7d0c4b2b5c5953b8f9db5ae056a14a0af6edb6482b303e7f4ba5237a22e62919f09cd8334692dd58053754ed18837ace14565d8f

Download Submit
\Users\Admin\AppData\Local\GTdhE6\DUI70.dll
MD5
a244cb4241ade00e29179f39a3425476

SHA1
2c1c4bcb97099000121c03404fe6ba5a5082b024

SHA256
5345dea366f72be1f751a9cda9327e3e626ad4eac39db1b0ce7618ad297be7a2

SHA512
7849ba975f957ee125c60d55926f80a5c5e81ab3219f9b146bbce771ff61d61deb131e04fc825c8f305c5defd3cda639772b4276c770f19db5cf393bec0e199e

Download Submit
\Users\Admin\AppData\Local\dWCP\XmlLite.dll
MD5
b0f6e116911dd1a91a2c1729837b4ba9

SHA1
14b513f21b303de109be1254c20e28ccc3f1c89e

SHA256
ef11ef8ca47376289414ed20b2d8eda5683041ca80267b35cc015e75a7b5cf50

SHA512
ce914e832b7ca68ee3a46d1de8bff9303595f4227faad15fb6ef2fdfd2ea96f5560d79a7a1ebf7b9069a976d4a6cd20be937e597e21aa960966b8e8f0608c3d3

Download Submit
\Users\Admin\AppData\Local\vZdf\WTSAPI32.dll
MD5
35ffab0db449332dbc7be497765c72f5

SHA1
67504c09df123172739ced20fff34ee69ec9413c

SHA256
9f3f6b693094af1c39a5178ed18154ebeba829eca92bf5df0b39d83b79b42d5c

SHA512
06c9508b4081cee91fc33e529fd88ccadf7ca9b4b55d8b33918dbb8d981c89a5cae6a353dd1c5e090d2e3e282ccd72953f4d207721c40c90e1869975eecd73a3

Download Submit
memory/3056-132-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-128-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-131-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-124-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3056-133-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-134-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-135-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-136-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-137-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-138-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-139-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-140-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-146-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/3056-147-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/3056-148-0x00007FFB41DA5000-0x00007FFB41DA6000-memory.dmp

Filesize
4KB

Download
memory/3056-149-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/3056-150-0x00007FFB41CF0000-0x00007FFB41D00000-memory.dmp

Filesize
64KB

Download
memory/3056-125-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-129-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-130-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-127-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3056-126-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3588-118-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3588-121-0x000001ABD98F0000-0x000001ABD98F2000-memory.dmp

Filesize
8KB

Download
memory/3588-122-0x000001ABD98F0000-0x000001ABD98F2000-memory.dmp

Filesize
8KB

Download
memory/3588-123-0x000001ABD98E0000-0x000001ABD98E7000-memory.dmp

Filesize
28KB

Download
memory/4332-169-0x0000020003C70000-0x0000020003C72000-memory.dmp

Filesize
8KB

Download
memory/4332-168-0x0000020003C70000-0x0000020003C72000-memory.dmp

Filesize
8KB

Download
memory/4332-170-0x0000020003C70000-0x0000020003C72000-memory.dmp

Filesize
8KB

Download
memory/4332-161-0x0000000000000000-mapping.dmp

Download
memory/4376-158-0x0000011801040000-0x0000011801042000-memory.dmp

Filesize
8KB

Download
memory/4376-155-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/4376-159-0x0000011801040000-0x0000011801042000-memory.dmp

Filesize
8KB

Download
memory/4376-151-0x0000000000000000-mapping.dmp

Download
memory/4376-160-0x0000011801040000-0x0000011801042000-memory.dmp

Filesize
8KB

Download
memory/4452-171-0x0000000000000000-mapping.dmp

Download
memory/4452-175-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4452-178-0x0000022201410000-0x0000022201412000-memory.dmp

Filesize
8KB

Download
memory/4452-179-0x0000022201410000-0x0000022201412000-memory.dmp

Filesize
8KB

Download
memory/4452-180-0x0000022201410000-0x0000022201412000-memory.dmp

Filesize
8KB

Download