Behavioral Report

Analysis

max time kernel
152s
max time network
126s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb.dll
Size

1MB
MD5

cd87697a9e2bdfac82d9b7154c3105ce
SHA1

963e78487647a3b7199211154b8fe7f6babe6bbb
SHA256

899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb
SHA512

ab1617bd35d7f07eb819ae467284985ea241d9e0c019970e5a5f0cd42a8b3eadb0ac3ea16d35a056620784c65f9b9b20410b39aa23c3119b6ddad2cfbe5400db

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1200-60-0x0000000002210000-0x0000000002211000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

icardagt.exewscript.exeDWWIN.EXE

pid process

612 icardagt.exe
1160 wscript.exe
860 DWWIN.EXE
Loads dropped DLL 8 IoCs

Processes:

icardagt.exewscript.exeDWWIN.EXE

pid process

1200
612 icardagt.exe
1200
1200
1160 wscript.exe
1200
860 DWWIN.EXE
1200

resource	yara_rule
behavioral1/memory/1200-60-0x0000000002210000-0x0000000002211000-memory.dmp	dridex_stager_shellcode

pid	process
612	icardagt.exe
1160	wscript.exe
860	DWWIN.EXE

pid	process
1200
612	icardagt.exe
1200
1200
1160	wscript.exe
1200
860	DWWIN.EXE
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\eeJZI7uw\\wscript.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

TTPs:

System Information Discovery

Processes:

rundll32.exeicardagt.exewscript.exeDWWIN.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icardagt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeicardagt.exewscript.exe

pid	process
1140	rundll32.exe
1140	rundll32.exe
1140	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
612	icardagt.exe
612	icardagt.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1160	wscript.exe
1160	wscript.exe
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1200

pid	process
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 1564	1200	icardagt.exe
PID 1200 wrote to memory of 1564	1200	icardagt.exe
PID 1200 wrote to memory of 1564	1200	icardagt.exe
PID 1200 wrote to memory of 612	1200	icardagt.exe
PID 1200 wrote to memory of 612	1200	icardagt.exe
PID 1200 wrote to memory of 612	1200	icardagt.exe
PID 1200 wrote to memory of 1800	1200	wscript.exe
PID 1200 wrote to memory of 1800	1200	wscript.exe
PID 1200 wrote to memory of 1800	1200	wscript.exe
PID 1200 wrote to memory of 1160	1200	wscript.exe
PID 1200 wrote to memory of 1160	1200	wscript.exe
PID 1200 wrote to memory of 1160	1200	wscript.exe
PID 1200 wrote to memory of 976	1200	DWWIN.EXE
PID 1200 wrote to memory of 976	1200	DWWIN.EXE
PID 1200 wrote to memory of 976	1200	DWWIN.EXE
PID 1200 wrote to memory of 860	1200	DWWIN.EXE
PID 1200 wrote to memory of 860	1200	DWWIN.EXE
PID 1200 wrote to memory of 860	1200	DWWIN.EXE

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\899cac1d02beb489b43a5aad1ef87609f3783d891def8f5fd122d848c71da5fb.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:1140

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

PID:1564

C:\Users\Admin\AppData\Local\iwIrhp\icardagt.exe

C:\Users\Admin\AppData\Local\iwIrhp\icardagt.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:612

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

PID:1800

C:\Users\Admin\AppData\Local\TjJ\wscript.exe

C:\Users\Admin\AppData\Local\TjJ\wscript.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses

PID:1160

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

PID:976

C:\Users\Admin\AppData\Local\jpWt\DWWIN.EXE

C:\Users\Admin\AppData\Local\jpWt\DWWIN.EXE

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled

PID:860

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\TjJ\VERSION.dll
MD5
7f3cde32f11a21d15919638f11689f32

SHA1
e210f27e9c4811869d380b7913361994152caca2

SHA256
14995291974e5ef14de89d6c4910e83ffc0d54dd0417550f54612d5fbc145650

SHA512
713c5e14f9e710287b876521d2da665ac74d385be4ecaa6b006e63f02f6ad7a2a04b333ddf13044452a0a6605e9e140a43b872550df58110daa4117efcaf259b

Download Submit
C:\Users\Admin\AppData\Local\TjJ\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\Users\Admin\AppData\Local\iwIrhp\UxTheme.dll
MD5
e16a9076b37ad78588c7b6e24a58d014

SHA1
0f3a17f2583d819e0407eb81e90a7986942aa0ec

SHA256
8cf560eb905d8d12b0f77237f0e450956a77de8314444d462ceb51ccbe6a1b10

SHA512
8a218e795365ed05234ef01b96db2fed658198af11d44f3a3ce75cf0360e18e7e18d2df202884922c17f6546494d56dff1370928a283953a4c70c1564ee870cb

Download Submit
C:\Users\Admin\AppData\Local\iwIrhp\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
C:\Users\Admin\AppData\Local\jpWt\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\jpWt\VERSION.dll
MD5
50a8500d333f65818de2eb896c7241a0

SHA1
c07b934431102393f4be87fb6724515856946106

SHA256
83987196448922a190ad2fe2f4d1eb4c40038476186349530031419662e8e096

SHA512
163d2e3bd82d473f07cda36c3ba31c294092101d29591f9c43f997601c04f313e694a73878914f4ee9788a0a0f574f86e66a698f9d6ec958471298e1948dbd3e

Download Submit
\Users\Admin\AppData\Local\TjJ\VERSION.dll
MD5
7f3cde32f11a21d15919638f11689f32

SHA1
e210f27e9c4811869d380b7913361994152caca2

SHA256
14995291974e5ef14de89d6c4910e83ffc0d54dd0417550f54612d5fbc145650

SHA512
713c5e14f9e710287b876521d2da665ac74d385be4ecaa6b006e63f02f6ad7a2a04b333ddf13044452a0a6605e9e140a43b872550df58110daa4117efcaf259b

Download Submit
\Users\Admin\AppData\Local\TjJ\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\TjJ\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\iwIrhp\UxTheme.dll
MD5
e16a9076b37ad78588c7b6e24a58d014

SHA1
0f3a17f2583d819e0407eb81e90a7986942aa0ec

SHA256
8cf560eb905d8d12b0f77237f0e450956a77de8314444d462ceb51ccbe6a1b10

SHA512
8a218e795365ed05234ef01b96db2fed658198af11d44f3a3ce75cf0360e18e7e18d2df202884922c17f6546494d56dff1370928a283953a4c70c1564ee870cb

Download Submit
\Users\Admin\AppData\Local\iwIrhp\icardagt.exe
MD5
2fe97a3052e847190a9775431292a3a3

SHA1
43edc451ac97365600391fa4af15476a30423ff6

SHA256
473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7

SHA512
93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

Download Submit
\Users\Admin\AppData\Local\jpWt\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
\Users\Admin\AppData\Local\jpWt\VERSION.dll
MD5
50a8500d333f65818de2eb896c7241a0

SHA1
c07b934431102393f4be87fb6724515856946106

SHA256
83987196448922a190ad2fe2f4d1eb4c40038476186349530031419662e8e096

SHA512
163d2e3bd82d473f07cda36c3ba31c294092101d29591f9c43f997601c04f313e694a73878914f4ee9788a0a0f574f86e66a698f9d6ec958471298e1948dbd3e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Hk\DWWIN.EXE
MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
memory/612-89-0x000007FEF6790000-0x000007FEF68D9000-memory.dmp

Filesize
1MB

Download
memory/612-86-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp

Filesize
8KB

Download
memory/612-84-0x0000000000000000-mapping.dmp

Download
memory/860-104-0x0000000000000000-mapping.dmp

Download
memory/1140-55-0x000007FEF6510000-0x000007FEF6658000-memory.dmp

Filesize
1MB

Download
memory/1140-59-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1160-95-0x0000000000000000-mapping.dmp

Download
memory/1160-99-0x000007FEF6510000-0x000007FEF6659000-memory.dmp

Filesize
1MB

Download
memory/1200-68-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-82-0x0000000077390000-0x0000000077392000-memory.dmp

Filesize
8KB

Download
memory/1200-77-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-76-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-75-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-74-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-73-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-72-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-71-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-70-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-69-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-67-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-66-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-65-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-64-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-63-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-62-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-61-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1MB

Download
memory/1200-60-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download