dridex | 17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3

Analysis

max time kernel
160s
max time network
121s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3.dll
Size

1.3MB
MD5

5f5c07488e5abf8dfc6e7fe4186c3560
SHA1

736fbf758cc7b79f7c67fb6df47ed96fcd5a641d
SHA256

17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3
SHA512

053d5770731ad4b585dc0efb6251109f4c96e216f9c225780c7c33c46514c748e1fe3b4045cce0dbc6ffb6943662fcb4515fa800fcd9e906675ccb8030f5df4a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1384-60-0x0000000002690000-0x0000000002691000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

cmstp.exerdpshell.exeRDVGHelper.exe

pid process

1264 cmstp.exe
844 rdpshell.exe
1852 RDVGHelper.exe
Loads dropped DLL 7 IoCs

Processes:

cmstp.exerdpshell.exeRDVGHelper.exe

pid process

1384
1264 cmstp.exe
1384
844 rdpshell.exe
1384
1852 RDVGHelper.exe
1384

pid	process
1264	cmstp.exe
844	rdpshell.exe
1852	RDVGHelper.exe

pid	process
1384
1264	cmstp.exe
1384
844	rdpshell.exe
1384
1852	RDVGHelper.exe
1384

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\J2\\rdpshell.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.execmstp.exerdpshell.exeRDVGHelper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.execmstp.exerdpshell.exe

pid	process
1296	rundll32.exe
1296	rundll32.exe
1296	rundll32.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1264	cmstp.exe
1264	cmstp.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
844	rdpshell.exe
844	rdpshell.exe
1384
1384
1384
1384
1384

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1384

pid	process
1384

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1384 wrote to memory of 1064	1384	cmstp.exe
PID 1384 wrote to memory of 1064	1384	cmstp.exe
PID 1384 wrote to memory of 1064	1384	cmstp.exe
PID 1384 wrote to memory of 1264	1384	cmstp.exe
PID 1384 wrote to memory of 1264	1384	cmstp.exe
PID 1384 wrote to memory of 1264	1384	cmstp.exe
PID 1384 wrote to memory of 1584	1384	rdpshell.exe
PID 1384 wrote to memory of 1584	1384	rdpshell.exe
PID 1384 wrote to memory of 1584	1384	rdpshell.exe
PID 1384 wrote to memory of 844	1384	rdpshell.exe
PID 1384 wrote to memory of 844	1384	rdpshell.exe
PID 1384 wrote to memory of 844	1384	rdpshell.exe
PID 1384 wrote to memory of 288	1384	RDVGHelper.exe
PID 1384 wrote to memory of 288	1384	RDVGHelper.exe
PID 1384 wrote to memory of 288	1384	RDVGHelper.exe
PID 1384 wrote to memory of 1852	1384	RDVGHelper.exe
PID 1384 wrote to memory of 1852	1384	RDVGHelper.exe
PID 1384 wrote to memory of 1852	1384	RDVGHelper.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\17f1c7f8add9b69cb52bee6eb8c572c2a482078a91f9cc52710e60c43efbb7d3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1296

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1064

C:\Users\Admin\AppData\Local\3McvmVf\cmstp.exe
C:\Users\Admin\AppData\Local\3McvmVf\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:1584

C:\Users\Admin\AppData\Local\1tHIkMhw\rdpshell.exe
C:\Users\Admin\AppData\Local\1tHIkMhw\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:288

C:\Users\Admin\AppData\Local\j6Q1yEd\RDVGHelper.exe
C:\Users\Admin\AppData\Local\j6Q1yEd\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1852

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1tHIkMhw\WINSTA.dll
MD5
dc06f4ce17389e0798c54f8c61029333

SHA1
88037bed23aebba587cfb74810325e26fdfb3f7f

SHA256
a228c6409c865510498fe7a6e5dbefecadf2d662c7170e718a822abe7f3ce3ac

SHA512
81fb5950e99d8ace1dc78920d718d36c2f8f0b6d15afd29d2b287dcfde2a81b07a8c9353172ee01c3b50c4f812d58087fd360b5bd054222e8775368f5bae2031

Download Submit
C:\Users\Admin\AppData\Local\1tHIkMhw\rdpshell.exe
MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
C:\Users\Admin\AppData\Local\3McvmVf\VERSION.dll
MD5
6476a8b20cfff9293da3a6641599250c

SHA1
7d4452a5a41e9ddfd66a5d39ff8227589c8bc4b8

SHA256
f654672f997445d94c30d82fbaea6c073aeb2c2389e374d62f97fb95d9d38875

SHA512
c329b120c65ae6fb8f77de2d4569390b80a31f20c94767d84b9ac32c144567e334b8d7bffcf8e20173148021bedd9958081f432db871dac9a19f881473af317b

Download Submit
C:\Users\Admin\AppData\Local\3McvmVf\cmstp.exe
MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
C:\Users\Admin\AppData\Local\j6Q1yEd\RDVGHelper.exe
MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
C:\Users\Admin\AppData\Local\j6Q1yEd\dwmapi.dll
MD5
f8d66b60ed97f1230c95e70d8cc7b247

SHA1
e4edb281c40e3610839f981f93883f034bc340b9

SHA256
0885c2e268fc067a8294116a56c127b55dc224acffa725c40716221c714a9271

SHA512
dabbdf33fb8357c259b7ffe4866bd8a74e7d280611c9e2eb3f72d73c47dce361c057523e8a1f505cff236520f4888fa9858dd769b11ae7b9067af2be2bd0d0dd

Download Submit
\Users\Admin\AppData\Local\1tHIkMhw\WINSTA.dll
MD5
dc06f4ce17389e0798c54f8c61029333

SHA1
88037bed23aebba587cfb74810325e26fdfb3f7f

SHA256
a228c6409c865510498fe7a6e5dbefecadf2d662c7170e718a822abe7f3ce3ac

SHA512
81fb5950e99d8ace1dc78920d718d36c2f8f0b6d15afd29d2b287dcfde2a81b07a8c9353172ee01c3b50c4f812d58087fd360b5bd054222e8775368f5bae2031

Download Submit
\Users\Admin\AppData\Local\1tHIkMhw\rdpshell.exe
MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
\Users\Admin\AppData\Local\3McvmVf\VERSION.dll
MD5
6476a8b20cfff9293da3a6641599250c

SHA1
7d4452a5a41e9ddfd66a5d39ff8227589c8bc4b8

SHA256
f654672f997445d94c30d82fbaea6c073aeb2c2389e374d62f97fb95d9d38875

SHA512
c329b120c65ae6fb8f77de2d4569390b80a31f20c94767d84b9ac32c144567e334b8d7bffcf8e20173148021bedd9958081f432db871dac9a19f881473af317b

Download Submit
\Users\Admin\AppData\Local\3McvmVf\cmstp.exe
MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\j6Q1yEd\RDVGHelper.exe
MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
\Users\Admin\AppData\Local\j6Q1yEd\dwmapi.dll
MD5
f8d66b60ed97f1230c95e70d8cc7b247

SHA1
e4edb281c40e3610839f981f93883f034bc340b9

SHA256
0885c2e268fc067a8294116a56c127b55dc224acffa725c40716221c714a9271

SHA512
dabbdf33fb8357c259b7ffe4866bd8a74e7d280611c9e2eb3f72d73c47dce361c057523e8a1f505cff236520f4888fa9858dd769b11ae7b9067af2be2bd0d0dd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\VNRhY2jet\RDVGHelper.exe
MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
memory/844-101-0x000007FEF6D50000-0x000007FEF6EA1000-memory.dmp

Filesize
1.3MB

Download
memory/844-97-0x0000000000000000-mapping.dmp

Download
memory/1264-92-0x000007FEF7000000-0x000007FEF7150000-memory.dmp

Filesize
1.3MB

Download
memory/1264-88-0x0000000000000000-mapping.dmp

Download
memory/1296-55-0x000007FEF6D60000-0x000007FEF6EAF000-memory.dmp

Filesize
1.3MB

Download
memory/1296-59-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1384-80-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-77-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-64-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-62-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-61-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-86-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/1384-67-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-68-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-70-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-71-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-73-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-74-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-76-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-66-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-81-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-79-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-78-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-75-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-72-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-69-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-60-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1384-65-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1384-63-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/1852-110-0x000007FEF6D60000-0x000007FEF6EB0000-memory.dmp

Filesize
1.3MB

Download
memory/1852-106-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads