dridex | 248f05930d4cf6075a5e309d4c20c5cf422a750d52a4f7afc31fd983b9cf897e

Analysis

max time kernel
152s
max time network
130s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

248f05930d4cf6075a5e309d4c20c5cf422a750d52a4f7afc31fd983b9cf897e.dll
Size

1.3MB
MD5

a547e2f14c375de73aa013704367f35f
SHA1

c29eededd89c502cb410ecb45540f935aaa3dd5d
SHA256

248f05930d4cf6075a5e309d4c20c5cf422a750d52a4f7afc31fd983b9cf897e
SHA512

8b470f3360dcea76e432641a127c5b487aaee7196f9b821586b8d18958485e84a834552a2ae9c252fcc315328ddca643f6b29c164e7e0f4a4857a8bb041bed4c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1252-59-0x0000000002AF0000-0x0000000002AF1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

spreview.exeicardagt.exeWFS.exe

pid process

1064 spreview.exe
1172 icardagt.exe
1636 WFS.exe
Loads dropped DLL 7 IoCs

Processes:

spreview.exeicardagt.exeWFS.exe

pid process

1252
1064 spreview.exe
1252
1172 icardagt.exe
1252
1636 WFS.exe
1252

pid	process
1064	spreview.exe
1172	icardagt.exe
1636	WFS.exe

pid	process
1252
1064	spreview.exe
1252
1172	icardagt.exe
1252
1636	WFS.exe
1252

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2955169046-2371869340-1800780948-1000\\nH5XN\\icardagt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exespreview.exeicardagt.exeWFS.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WFS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1604	rundll32.exe
1604	rundll32.exe
1604	rundll32.exe
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252
1252

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exespreview.exeicardagt.exeWFS.exe

pid process

1604 rundll32.exe
1252
1064 spreview.exe
1172 icardagt.exe
1636 WFS.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1252 wrote to memory of 808	1252	spreview.exe
PID 1252 wrote to memory of 808	1252	spreview.exe
PID 1252 wrote to memory of 808	1252	spreview.exe
PID 1252 wrote to memory of 1064	1252	spreview.exe
PID 1252 wrote to memory of 1064	1252	spreview.exe
PID 1252 wrote to memory of 1064	1252	spreview.exe
PID 1252 wrote to memory of 1948	1252	icardagt.exe
PID 1252 wrote to memory of 1948	1252	icardagt.exe
PID 1252 wrote to memory of 1948	1252	icardagt.exe
PID 1252 wrote to memory of 1172	1252	icardagt.exe
PID 1252 wrote to memory of 1172	1252	icardagt.exe
PID 1252 wrote to memory of 1172	1252	icardagt.exe
PID 1252 wrote to memory of 1632	1252	WFS.exe
PID 1252 wrote to memory of 1632	1252	WFS.exe
PID 1252 wrote to memory of 1632	1252	WFS.exe
PID 1252 wrote to memory of 1636	1252	WFS.exe
PID 1252 wrote to memory of 1636	1252	WFS.exe
PID 1252 wrote to memory of 1636	1252	WFS.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\248f05930d4cf6075a5e309d4c20c5cf422a750d52a4f7afc31fd983b9cf897e.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1604

C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
1⤵
PID:808

C:\Users\Admin\AppData\Local\sQt0zgt5e\spreview.exe
C:\Users\Admin\AppData\Local\sQt0zgt5e\spreview.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1064

C:\Windows\system32\icardagt.exe
C:\Windows\system32\icardagt.exe
1⤵
PID:1948

C:\Users\Admin\AppData\Local\R3N\icardagt.exe
C:\Users\Admin\AppData\Local\R3N\icardagt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1172

C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
1⤵
PID:1632

C:\Users\Admin\AppData\Local\Oly\WFS.exe
C:\Users\Admin\AppData\Local\Oly\WFS.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Oly\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
C:\Users\Admin\AppData\Local\Oly\WINMM.dll
MD5
adc6d1ef00cfdd8da883f0d5d774ba74

SHA1
f6b957e8492f2bdf166038c14de24692cf73856c

SHA256
fe35c8913e9e06262c11cba1c00ba7525dd7f6b6a2153f2ff11270c09f3c5d38

SHA512
5cc268251df2782768426f6f9d1590f9ccd8e36c5157277dd497687f646881d0f6aeae2432bf8840533b1ceb10d4b85d135c20d47a6d3cbea9bb48b665cfb40e

Download Submit
C:\Users\Admin\AppData\Local\R3N\UxTheme.dll
MD5
8309813202cc087a097ba42d6a9362a3

SHA1
341753757066bcf5e9688c6c30b9a65989f33072

SHA256
2da6580f0f8e1fff971b5b2cf01c8a0c9f5f275d98790c56010f598af7002638

SHA512
989e2a00cd41654c5ac7d67b3458b76d1fc24aadb3f2153cea3339e41b41d8e43f7218db4a8cc36e9f3a8e0a47c0ee1b44b68bd3ba1bc310a2d752de33fdccc1

Download Submit
C:\Users\Admin\AppData\Local\R3N\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
C:\Users\Admin\AppData\Local\sQt0zgt5e\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
C:\Users\Admin\AppData\Local\sQt0zgt5e\sqmapi.dll
MD5
9a95ae0dcd409c3102678032685fb568

SHA1
45a7b22ac752fcd4879577e53561cede396cfa6b

SHA256
e2a1f61af0018a6414626ef2dcb493277d0e406959f7e136bcbcac56a5cfaf58

SHA512
0c24e3f6564a8d69d0bb78ce6138353452f499edb6d1e730e0dd8687bb063a7c9e9367ab84e36b73ce14ff95ecec9be857e46ce9312818a1cd08a158319e6f40

Download Submit
\Users\Admin\AppData\Local\Oly\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
\Users\Admin\AppData\Local\Oly\WINMM.dll
MD5
adc6d1ef00cfdd8da883f0d5d774ba74

SHA1
f6b957e8492f2bdf166038c14de24692cf73856c

SHA256
fe35c8913e9e06262c11cba1c00ba7525dd7f6b6a2153f2ff11270c09f3c5d38

SHA512
5cc268251df2782768426f6f9d1590f9ccd8e36c5157277dd497687f646881d0f6aeae2432bf8840533b1ceb10d4b85d135c20d47a6d3cbea9bb48b665cfb40e

Download Submit
\Users\Admin\AppData\Local\R3N\UxTheme.dll
MD5
8309813202cc087a097ba42d6a9362a3

SHA1
341753757066bcf5e9688c6c30b9a65989f33072

SHA256
2da6580f0f8e1fff971b5b2cf01c8a0c9f5f275d98790c56010f598af7002638

SHA512
989e2a00cd41654c5ac7d67b3458b76d1fc24aadb3f2153cea3339e41b41d8e43f7218db4a8cc36e9f3a8e0a47c0ee1b44b68bd3ba1bc310a2d752de33fdccc1

Download Submit
\Users\Admin\AppData\Local\R3N\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\sQt0zgt5e\spreview.exe
MD5
704cd4cac010e8e6d8de9b778ed17773

SHA1
81856abf70640f102b8b3defe2cf65669fe8e165

SHA256
4307f21d3ec3b51cba6a905a80045314ffccb4c60c11d99a3d77cc8103014208

SHA512
b380264276bad01d619a5f1f112791d6bf73dc52cdd5cca0cc1f726a6f66eefc5a78a37646792987c508f9cb5049f0eb86c71fb4c7a2d3e670c0c8623f0522ee

Download Submit
\Users\Admin\AppData\Local\sQt0zgt5e\sqmapi.dll
MD5
9a95ae0dcd409c3102678032685fb568

SHA1
45a7b22ac752fcd4879577e53561cede396cfa6b

SHA256
e2a1f61af0018a6414626ef2dcb493277d0e406959f7e136bcbcac56a5cfaf58

SHA512
0c24e3f6564a8d69d0bb78ce6138353452f499edb6d1e730e0dd8687bb063a7c9e9367ab84e36b73ce14ff95ecec9be857e46ce9312818a1cd08a158319e6f40

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\0eVa9Oir\WFS.exe
MD5
a943d670747778c7597987a4b5b9a679

SHA1
c48b760ff9762205386563b93e8884352645ef40

SHA256
1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610

SHA512
3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

Download Submit
memory/1064-87-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1064-82-0x0000000000000000-mapping.dmp

Download
memory/1064-84-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download
memory/1172-91-0x0000000000000000-mapping.dmp

Download
memory/1252-66-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-65-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-74-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-73-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-72-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-68-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-71-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-70-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-69-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-67-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-59-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1252-80-0x00000000774A0000-0x00000000774A2000-memory.dmp

Filesize
8KB

Download
memory/1252-64-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-63-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-62-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-61-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1252-60-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1604-55-0x0000000140000000-0x0000000140156000-memory.dmp

Filesize
1.3MB

Download
memory/1604-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1636-100-0x0000000000000000-mapping.dmp

Download
memory/1636-105-0x000000013F7F1000-0x000000013F7F3000-memory.dmp

Filesize
8KB

Download
memory/1636-106-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads