dridex | 4b165651a1740bfbac89a2a15423f935cf2058ce9fa79903889e04016be8344b

Analysis

max time kernel
153s
max time network
121s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b165651a1740bfbac89a2a15423f935cf2058ce9fa79903889e04016be8344b.dll
Size

1.3MB
MD5

6d6d268e7bafbede834d84141ade7ae5
SHA1

43f460cb03c89dbf77545944c913c7fb6f0fbca6
SHA256

4b165651a1740bfbac89a2a15423f935cf2058ce9fa79903889e04016be8344b
SHA512

24f44a7fc90d8a4de0a7d47056660db46d8b09392121da615b29a9d28f3e60106a0d03b3ff4ca297c71012cca9ea98a7fc479bb839f40595befaa9cfdd21cb78

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1260-60-0x0000000002A30000-0x0000000002A31000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

mspaint.exeAdapterTroubleshooter.exeDWWIN.EXE

pid process

1356 mspaint.exe
1600 AdapterTroubleshooter.exe
1872 DWWIN.EXE
Loads dropped DLL 7 IoCs

Processes:

mspaint.exeAdapterTroubleshooter.exeDWWIN.EXE

pid process

1260
1356 mspaint.exe
1260
1600 AdapterTroubleshooter.exe
1260
1872 DWWIN.EXE
1260

pid	process
1356	mspaint.exe
1600	AdapterTroubleshooter.exe
1872	DWWIN.EXE

pid	process
1260
1356	mspaint.exe
1260
1600	AdapterTroubleshooter.exe
1260
1872	DWWIN.EXE
1260

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UW\\ADAPTE~1.EXE"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

mspaint.exeAdapterTroubleshooter.exeDWWIN.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdapterTroubleshooter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1092	regsvr32.exe
1092	regsvr32.exe
1092	regsvr32.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

regsvr32.exemspaint.exeAdapterTroubleshooter.exeDWWIN.EXE

pid process

1092 regsvr32.exe
1260
1356 mspaint.exe
1600 AdapterTroubleshooter.exe
1872 DWWIN.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1260 wrote to memory of 1156	1260	mspaint.exe
PID 1260 wrote to memory of 1156	1260	mspaint.exe
PID 1260 wrote to memory of 1156	1260	mspaint.exe
PID 1260 wrote to memory of 1356	1260	mspaint.exe
PID 1260 wrote to memory of 1356	1260	mspaint.exe
PID 1260 wrote to memory of 1356	1260	mspaint.exe
PID 1260 wrote to memory of 1108	1260	AdapterTroubleshooter.exe
PID 1260 wrote to memory of 1108	1260	AdapterTroubleshooter.exe
PID 1260 wrote to memory of 1108	1260	AdapterTroubleshooter.exe
PID 1260 wrote to memory of 1600	1260	AdapterTroubleshooter.exe
PID 1260 wrote to memory of 1600	1260	AdapterTroubleshooter.exe
PID 1260 wrote to memory of 1600	1260	AdapterTroubleshooter.exe
PID 1260 wrote to memory of 984	1260	DWWIN.EXE
PID 1260 wrote to memory of 984	1260	DWWIN.EXE
PID 1260 wrote to memory of 984	1260	DWWIN.EXE
PID 1260 wrote to memory of 1872	1260	DWWIN.EXE
PID 1260 wrote to memory of 1872	1260	DWWIN.EXE
PID 1260 wrote to memory of 1872	1260	DWWIN.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4b165651a1740bfbac89a2a15423f935cf2058ce9fa79903889e04016be8344b.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1092

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:1156

C:\Users\Admin\AppData\Local\bFr1\mspaint.exe
C:\Users\Admin\AppData\Local\bFr1\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1356

C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
1⤵
PID:1108

C:\Users\Admin\AppData\Local\zO28\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\zO28\AdapterTroubleshooter.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1600

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:984

C:\Users\Admin\AppData\Local\C4vbm4Sjp\DWWIN.EXE
C:\Users\Admin\AppData\Local\C4vbm4Sjp\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1872

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\C4vbm4Sjp\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\C4vbm4Sjp\VERSION.dll
MD5
ce3c549e159bb8051b4cfd2f31643aa3

SHA1
57ec86042b34cc869a94a68d92a13deaec56014d

SHA256
70ca848d9a374d361d81fa8b4d09c5f8792ce7b1696a348fc762422558e88624

SHA512
0d59b66ee5285a7bb09d01fc98b1074401e6ab6cd3c7761b3897adb957daca7bafc3f5c772d9e28248675eb2f077fc9c35a16a463f2cdefe195fb3f0673c6f0b

Download Submit
C:\Users\Admin\AppData\Local\bFr1\WINMM.dll
MD5
a9c7f302926ef2efa62cdcb4388c83ea

SHA1
e2eaa30de0a89845c8afbd552f6af6e204cca8d4

SHA256
876cc21e57b1ac7d7609c9e3ef82586bb7dcd871ce83461638bfae314fbf96bf

SHA512
4877878ef0ceacbb097ad811ed1c9be18490bf68f1f92e0203cdc08b9c62763ad84910b9ed2fe60d0135fab497da538728e98e3c626c054d5a5b5be7ff01a742

Download Submit
C:\Users\Admin\AppData\Local\bFr1\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
C:\Users\Admin\AppData\Local\zO28\AdapterTroubleshooter.exe
MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
C:\Users\Admin\AppData\Local\zO28\d3d9.dll
MD5
ebdb5958882ab0f223fe041649985024

SHA1
edda98640e63ba5e64d619d8c29e8a3e2bf3117c

SHA256
930faa44e56281785d89ef98e8d305e60d1b72b11b200186be111dcf586b29ab

SHA512
9e41a48a2a05fef5db72ae8d55336a4a570ed97716216ced8371e8cad7d4c37d06f5b57697cb200a7556fa851781cd7c182b885e52b74266b266956ef3366e41

Download Submit
\Users\Admin\AppData\Local\C4vbm4Sjp\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\C4vbm4Sjp\VERSION.dll
MD5
ce3c549e159bb8051b4cfd2f31643aa3

SHA1
57ec86042b34cc869a94a68d92a13deaec56014d

SHA256
70ca848d9a374d361d81fa8b4d09c5f8792ce7b1696a348fc762422558e88624

SHA512
0d59b66ee5285a7bb09d01fc98b1074401e6ab6cd3c7761b3897adb957daca7bafc3f5c772d9e28248675eb2f077fc9c35a16a463f2cdefe195fb3f0673c6f0b

Download Submit
\Users\Admin\AppData\Local\bFr1\WINMM.dll
MD5
a9c7f302926ef2efa62cdcb4388c83ea

SHA1
e2eaa30de0a89845c8afbd552f6af6e204cca8d4

SHA256
876cc21e57b1ac7d7609c9e3ef82586bb7dcd871ce83461638bfae314fbf96bf

SHA512
4877878ef0ceacbb097ad811ed1c9be18490bf68f1f92e0203cdc08b9c62763ad84910b9ed2fe60d0135fab497da538728e98e3c626c054d5a5b5be7ff01a742

Download Submit
\Users\Admin\AppData\Local\bFr1\mspaint.exe
MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\zO28\AdapterTroubleshooter.exe
MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
\Users\Admin\AppData\Local\zO28\d3d9.dll
MD5
ebdb5958882ab0f223fe041649985024

SHA1
edda98640e63ba5e64d619d8c29e8a3e2bf3117c

SHA256
930faa44e56281785d89ef98e8d305e60d1b72b11b200186be111dcf586b29ab

SHA512
9e41a48a2a05fef5db72ae8d55336a4a570ed97716216ced8371e8cad7d4c37d06f5b57697cb200a7556fa851781cd7c182b885e52b74266b266956ef3366e41

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Credentials\FWjfE6UC\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
memory/1092-55-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

Filesize
8KB

Download
memory/1092-59-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1092-56-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-67-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-71-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-72-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-76-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-77-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-78-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-79-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-85-0x0000000077910000-0x0000000077912000-memory.dmp

Filesize
8KB

Download
memory/1260-73-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-60-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1260-74-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-63-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-70-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-75-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-69-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-61-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-68-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-66-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-65-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-62-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1260-64-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1356-92-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1356-87-0x0000000000000000-mapping.dmp

Download
memory/1600-100-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1600-96-0x0000000000000000-mapping.dmp

Download
memory/1872-104-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads