dridex | a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99

Analysis

max time kernel
154s
max time network
117s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99.dll
Size

1.3MB
MD5

7bdaee4bb6adf9e4b601e6d577759dac
SHA1

887a4784967fa269affaa90866bb5c2527b66474
SHA256

a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99
SHA512

947aca10d1aeb83b275bcdd844cb3019e91e198838ba15b054d04fe1bba42017284e5b14a871dfc08fd6a8c0f7f919c14d0e3375f0c3ea2cf7c2f872d8e90a49

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1384-60-0x0000000002750000-0x0000000002751000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

osk.exewinlogon.exemsconfig.exe

pid process

1984 osk.exe
1716 winlogon.exe
292 msconfig.exe
Loads dropped DLL 7 IoCs

Processes:

osk.exewinlogon.exemsconfig.exe

pid process

1384
1984 osk.exe
1384
1716 winlogon.exe
1384
292 msconfig.exe
1384

pid	process
1984	osk.exe
1716	winlogon.exe
292	msconfig.exe

pid	process
1384
1984	osk.exe
1384
1716	winlogon.exe
1384
292	msconfig.exe
1384

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\VHQHPW~1\\winlogon.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeosk.exewinlogon.exemsconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeosk.exewinlogon.exe

pid	process
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1984	osk.exe
1984	osk.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1716	winlogon.exe
1716	winlogon.exe
1384
1384
1384
1384
1384
1384
1384
1384

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1384

pid	process
1384

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1384 wrote to memory of 2004	1384	osk.exe
PID 1384 wrote to memory of 2004	1384	osk.exe
PID 1384 wrote to memory of 2004	1384	osk.exe
PID 1384 wrote to memory of 1984	1384	osk.exe
PID 1384 wrote to memory of 1984	1384	osk.exe
PID 1384 wrote to memory of 1984	1384	osk.exe
PID 1384 wrote to memory of 956	1384	winlogon.exe
PID 1384 wrote to memory of 956	1384	winlogon.exe
PID 1384 wrote to memory of 956	1384	winlogon.exe
PID 1384 wrote to memory of 1716	1384	winlogon.exe
PID 1384 wrote to memory of 1716	1384	winlogon.exe
PID 1384 wrote to memory of 1716	1384	winlogon.exe
PID 1384 wrote to memory of 984	1384	msconfig.exe
PID 1384 wrote to memory of 984	1384	msconfig.exe
PID 1384 wrote to memory of 984	1384	msconfig.exe
PID 1384 wrote to memory of 292	1384	msconfig.exe
PID 1384 wrote to memory of 292	1384	msconfig.exe
PID 1384 wrote to memory of 292	1384	msconfig.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e4a244a0c2c589c237ed8ee1870017ee62e84809d589cb0824db74ca64ec99.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2004

C:\Users\Admin\AppData\Local\1Vx\osk.exe
C:\Users\Admin\AppData\Local\1Vx\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1984

C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
1⤵
PID:956

C:\Users\Admin\AppData\Local\NYgrxql\winlogon.exe
C:\Users\Admin\AppData\Local\NYgrxql\winlogon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:984

C:\Users\Admin\AppData\Local\GulXO\msconfig.exe
C:\Users\Admin\AppData\Local\GulXO\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:292

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1Vx\UxTheme.dll
MD5
b5d38103c0854b98150748eac1e2f060

SHA1
2f9f4075514b345e20ec196739371ac96e6cb9b7

SHA256
be73368510265ef55e683dcff92718fe16d77b7e0f486f7e386b05bf8bfcc906

SHA512
ac1a842c51e091c944bc7edc3258e3dd36a766b75d9c27e560f2409e5ba578d2fa7b32401951dd1ff4fdca1a56e5036df62f4de8699f22ebf306fd4bd88d539a

Download Submit
C:\Users\Admin\AppData\Local\1Vx\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
C:\Users\Admin\AppData\Local\GulXO\VERSION.dll
MD5
4be6b9cc64f5f5383a776e29cab36e43

SHA1
60c6a1db4ed75381d4d70c198fe906786acff35e

SHA256
25b168266f26be8003a62cb3338aa45b20a486531ec138d69cb64c67dea8c6e8

SHA512
2506ad185b7a87fe73d76d735f49b5086a0c478b9fd1ad631da40a90e89fdaf65ddeb06c869e5d76bee04c008a1d7d15ddcbd0326bc0448e3901e891e78754c4

Download Submit
C:\Users\Admin\AppData\Local\GulXO\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
C:\Users\Admin\AppData\Local\NYgrxql\WINSTA.dll
MD5
698fc47a7000519e6398c1c5f89d9713

SHA1
1f0382f368b21a5a281a8dd4065e0ebcc11c4b1a

SHA256
46e668aab4ae8c7d101669de72d58e0a24d3bf1f504c05a76c58cf3a60761a2c

SHA512
c6be0b2d96f199fa825cf82de377b1bde30a6ea3b94c0c605f5522427093190b39f0b7bd0c24fe2e2c04c87e8b73fda6d18c3d954f6dfb05c099dcaedb84da24

Download Submit
C:\Users\Admin\AppData\Local\NYgrxql\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Local\1Vx\UxTheme.dll
MD5
b5d38103c0854b98150748eac1e2f060

SHA1
2f9f4075514b345e20ec196739371ac96e6cb9b7

SHA256
be73368510265ef55e683dcff92718fe16d77b7e0f486f7e386b05bf8bfcc906

SHA512
ac1a842c51e091c944bc7edc3258e3dd36a766b75d9c27e560f2409e5ba578d2fa7b32401951dd1ff4fdca1a56e5036df62f4de8699f22ebf306fd4bd88d539a

Download Submit
\Users\Admin\AppData\Local\1Vx\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\GulXO\VERSION.dll
MD5
4be6b9cc64f5f5383a776e29cab36e43

SHA1
60c6a1db4ed75381d4d70c198fe906786acff35e

SHA256
25b168266f26be8003a62cb3338aa45b20a486531ec138d69cb64c67dea8c6e8

SHA512
2506ad185b7a87fe73d76d735f49b5086a0c478b9fd1ad631da40a90e89fdaf65ddeb06c869e5d76bee04c008a1d7d15ddcbd0326bc0448e3901e891e78754c4

Download Submit
\Users\Admin\AppData\Local\GulXO\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\NYgrxql\WINSTA.dll
MD5
698fc47a7000519e6398c1c5f89d9713

SHA1
1f0382f368b21a5a281a8dd4065e0ebcc11c4b1a

SHA256
46e668aab4ae8c7d101669de72d58e0a24d3bf1f504c05a76c58cf3a60761a2c

SHA512
c6be0b2d96f199fa825cf82de377b1bde30a6ea3b94c0c605f5522427093190b39f0b7bd0c24fe2e2c04c87e8b73fda6d18c3d954f6dfb05c099dcaedb84da24

Download Submit
\Users\Admin\AppData\Local\NYgrxql\winlogon.exe
MD5
1151b1baa6f350b1db6598e0fea7c457

SHA1
434856b834baf163c5ea4d26434eeae775a507fb

SHA256
b1506e0a7e826eff0f5252ef5026070c46e2235438403a9a24d73ee69c0b8a49

SHA512
df728d06238da1dece96f8b8d67a2423ed4dcb344b42d5958768d23bd570a79e7189e7c5ba783c1628fe8ddd1deaebeacb1b471c59c8a7c9beb21b4f1eb9edab

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\wzLAOwHzJ\msconfig.exe
MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
memory/292-102-0x0000000000000000-mapping.dmp

Download
memory/292-106-0x000007FEF6B20000-0x000007FEF6C6A000-memory.dmp

Filesize
1.3MB

Download
memory/664-55-0x000007FEF6FD0000-0x000007FEF7119000-memory.dmp

Filesize
1.3MB

Download
memory/664-59-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1384-67-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-66-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-77-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-82-0x0000000077E30000-0x0000000077E32000-memory.dmp

Filesize
8KB

Download
memory/1384-60-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1384-72-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-73-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-74-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-75-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-61-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-76-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-62-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-70-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-69-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-68-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-63-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-71-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-65-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1384-64-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/1716-97-0x000007FEF6FD0000-0x000007FEF711B000-memory.dmp

Filesize
1.3MB

Download
memory/1716-93-0x0000000000000000-mapping.dmp

Download
memory/1984-88-0x000007FEF72B0000-0x000007FEF73FA000-memory.dmp

Filesize
1.3MB

Download
memory/1984-84-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads