dridex | 763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda

Analysis

max time kernel
157s
max time network
144s
platform
windows10_x64
resource
win10-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda.dll
Size

1.3MB
MD5

f475890b3db27bd228eab93a66e834e5
SHA1

ef69eaf983de220c59ad835ba79ea403099dd2fd
SHA256

763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda
SHA512

0991bf4ba63a24f9a264bea2f4b7707ea9aa29abb883f1e166b9e1bd3c44fbdafcb25673953b8a67f7542bbb14e77457ddc9dddaf1140e390e824f4f5a50e09c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3044-125-0x0000000000660000-0x0000000000661000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dpapimig.exeDWWIN.EXEMagnify.exe

pid process

4400 dpapimig.exe
3140 DWWIN.EXE
900 Magnify.exe
Loads dropped DLL 3 IoCs

Processes:

dpapimig.exeDWWIN.EXEMagnify.exe

pid process

4400 dpapimig.exe
3140 DWWIN.EXE
900 Magnify.exe

pid	process
4400	dpapimig.exe
3140	DWWIN.EXE
900	Magnify.exe

pid	process
4400	dpapimig.exe
3140	DWWIN.EXE
900	Magnify.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ziekmjidk = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\pDV\\DWWIN.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedpapimig.exeDWWIN.EXEMagnify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exedpapimig.exe

pid	process
3032	rundll32.exe
3032	rundll32.exe
3032	rundll32.exe
3032	rundll32.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
4400	dpapimig.exe
4400	dpapimig.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044

pid	process
3044

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3044 wrote to memory of 4476	3044	dpapimig.exe
PID 3044 wrote to memory of 4476	3044	dpapimig.exe
PID 3044 wrote to memory of 4400	3044	dpapimig.exe
PID 3044 wrote to memory of 4400	3044	dpapimig.exe
PID 3044 wrote to memory of 4300	3044	DWWIN.EXE
PID 3044 wrote to memory of 4300	3044	DWWIN.EXE
PID 3044 wrote to memory of 3140	3044	DWWIN.EXE
PID 3044 wrote to memory of 3140	3044	DWWIN.EXE
PID 3044 wrote to memory of 808	3044	Magnify.exe
PID 3044 wrote to memory of 808	3044	Magnify.exe
PID 3044 wrote to memory of 900	3044	Magnify.exe
PID 3044 wrote to memory of 900	3044	Magnify.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\763bdff3e9dfaea38a2c5f1cfcac8a850c531d4a0785bd46369a9d575c4d4eda.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:4476

C:\Users\Admin\AppData\Local\Ca5e\dpapimig.exe
C:\Users\Admin\AppData\Local\Ca5e\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4400

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:4300

C:\Users\Admin\AppData\Local\8x9t5K\DWWIN.EXE
C:\Users\Admin\AppData\Local\8x9t5K\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3140

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:808

C:\Users\Admin\AppData\Local\5Fsyjb\Magnify.exe
C:\Users\Admin\AppData\Local\5Fsyjb\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5Fsyjb\DUI70.dll
MD5
07470cdb6891d2053944efd1c6d2080e

SHA1
997561eda80e93ca940d28b825230f11dc29f751

SHA256
0f614d3ec26ca6d2aa22085a53d679b844ac527570b00976c0f6924a93c427c2

SHA512
d4ae8b7be92dca8d3350356c17a5c7f80c4b71a3de00dfc6ec8da2713f80b7a7cb1a0af315d55fe553ad1cbdc23cf306f1d192b1173cd8e060e24a1501934c2e

Download Submit
C:\Users\Admin\AppData\Local\5Fsyjb\Magnify.exe
MD5
0c3925b9a284f0dd02571d0d2bca19ee

SHA1
a73451bb2ddd09397cb7737d36a75c0cdfdf9d51

SHA256
41e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc

SHA512
db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72

Download Submit
C:\Users\Admin\AppData\Local\5Fsyjb\Magnify.exe
MD5
0c3925b9a284f0dd02571d0d2bca19ee

SHA1
a73451bb2ddd09397cb7737d36a75c0cdfdf9d51

SHA256
41e91d736995628275261aa1adb14158e0783b36c913ef5fc681da105a4272cc

SHA512
db02a3211b1b2cf7b10cd70148404106be6cb4a63c7c0c0526256f983c3ad756c157a67848173208e7c0d88a8f34b73c42d37b24f5cc1f9da66731731a534a72

Download Submit
C:\Users\Admin\AppData\Local\8x9t5K\DWWIN.EXE
MD5
d23ce8aaa23b042a66a876009d0c4514

SHA1
ff34a8e53b55acb18c2b87ab34d5adfb8d1e60f1

SHA256
611a508b865b3f2d29d5f60794e786929a89f2befb99be99d745238428f8a29a

SHA512
13c311d081dcddbd6bbd0ee2782045a273b8f881af11f5bc2bf2c7efb4d7d4361f239a5eedfdeaab9c5e23a7f51c7ac4e8571f6f48bc225368355c3104a6c09d

Download Submit
C:\Users\Admin\AppData\Local\8x9t5K\VERSION.dll
MD5
49485e4187d00cc50cdd95db3c99ef1b

SHA1
5715f6afaf7d8172c026d7fbd7ffddb571f9377f

SHA256
39cd98fe610cf63b64937c37124ddbeec26875767c7a1fba0ec593fa3e6eef6f

SHA512
8b961d72d237ce0ea7cf61f6961e05644fa610cfd14543fc3331c5acb60e8dbeba3ce56cf15d85ee40a9753c78a9adb08887707bd2a0737c76f1c2a1c52994d2

Download Submit
C:\Users\Admin\AppData\Local\Ca5e\DUI70.dll
MD5
7037bcbf32a1494c58ffd9f35e6baa8a

SHA1
cf2b2a66ef5fd57aba6d0dfdca9eb3c631c10a29

SHA256
d8e5fc995adfd4072895517acec9a9bf37bdec30294e0de903e07ecfd9878296

SHA512
4ca6c4beab918daa0fac60e3fc52f3f72d4b6441228d6a1affcd4bbd179a263a690e4e3e131ae4130e1477c7fae2713e7d56ea23fdf8d1d3471a7e2ba2ab16f7

Download Submit
C:\Users\Admin\AppData\Local\Ca5e\dpapimig.exe
MD5
a210dd05d1e941a1ec04b134f39ef036

SHA1
86b5493ecf8f456ae56ede4b013b934b892572e0

SHA256
3912f380049e362ca875ccb4fe064621197f0df999b35c593de382cf0c852988

SHA512
9648ed1088af13717479f4739ecdfd604b463582fe3a9db43761b446c61e93856309fd1f8c993962d426af566497b9c8f7eaa3a5af069a7a0f8fde8424111bf8

Download Submit
\Users\Admin\AppData\Local\5Fsyjb\DUI70.dll
MD5
07470cdb6891d2053944efd1c6d2080e

SHA1
997561eda80e93ca940d28b825230f11dc29f751

SHA256
0f614d3ec26ca6d2aa22085a53d679b844ac527570b00976c0f6924a93c427c2

SHA512
d4ae8b7be92dca8d3350356c17a5c7f80c4b71a3de00dfc6ec8da2713f80b7a7cb1a0af315d55fe553ad1cbdc23cf306f1d192b1173cd8e060e24a1501934c2e

Download Submit
\Users\Admin\AppData\Local\8x9t5K\VERSION.dll
MD5
49485e4187d00cc50cdd95db3c99ef1b

SHA1
5715f6afaf7d8172c026d7fbd7ffddb571f9377f

SHA256
39cd98fe610cf63b64937c37124ddbeec26875767c7a1fba0ec593fa3e6eef6f

SHA512
8b961d72d237ce0ea7cf61f6961e05644fa610cfd14543fc3331c5acb60e8dbeba3ce56cf15d85ee40a9753c78a9adb08887707bd2a0737c76f1c2a1c52994d2

Download Submit
\Users\Admin\AppData\Local\Ca5e\DUI70.dll
MD5
7037bcbf32a1494c58ffd9f35e6baa8a

SHA1
cf2b2a66ef5fd57aba6d0dfdca9eb3c631c10a29

SHA256
d8e5fc995adfd4072895517acec9a9bf37bdec30294e0de903e07ecfd9878296

SHA512
4ca6c4beab918daa0fac60e3fc52f3f72d4b6441228d6a1affcd4bbd179a263a690e4e3e131ae4130e1477c7fae2713e7d56ea23fdf8d1d3471a7e2ba2ab16f7

Download Submit
memory/900-176-0x0000000000000000-mapping.dmp

Download
memory/900-184-0x0000028580710000-0x0000028580712000-memory.dmp

Filesize
8KB

Download
memory/900-186-0x0000028580710000-0x0000028580712000-memory.dmp

Filesize
8KB

Download
memory/900-185-0x0000028580710000-0x0000028580712000-memory.dmp

Filesize
8KB

Download
memory/3032-124-0x000002820F890000-0x000002820F897000-memory.dmp

Filesize
28KB

Download
memory/3032-123-0x000002820FA40000-0x000002820FA42000-memory.dmp

Filesize
8KB

Download
memory/3032-118-0x00007FF9FD330000-0x00007FF9FD47B000-memory.dmp

Filesize
1.3MB

Download
memory/3032-122-0x000002820FA40000-0x000002820FA42000-memory.dmp

Filesize
8KB

Download
memory/3044-134-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-131-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-141-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-142-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-143-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-144-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-149-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/3044-150-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/3044-151-0x00007FFA0B1E5000-0x00007FFA0B1E6000-memory.dmp

Filesize
4KB

Download
memory/3044-152-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/3044-153-0x00007FFA0B320000-0x00007FFA0B322000-memory.dmp

Filesize
8KB

Download
memory/3044-189-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/3044-140-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-137-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-138-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-188-0x00000000006C0000-0x00000000006C2000-memory.dmp

Filesize
8KB

Download
memory/3044-125-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3044-126-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-127-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-129-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-136-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-135-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-133-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-128-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-130-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-139-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3044-132-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3140-175-0x0000020063CF0000-0x0000020063CF2000-memory.dmp

Filesize
8KB

Download
memory/3140-174-0x0000020063CF0000-0x0000020063CF2000-memory.dmp

Filesize
8KB

Download
memory/3140-173-0x0000020063CF0000-0x0000020063CF2000-memory.dmp

Filesize
8KB

Download
memory/3140-169-0x00007FF9FD330000-0x00007FF9FD47C000-memory.dmp

Filesize
1.3MB

Download
memory/3140-165-0x0000000000000000-mapping.dmp

Download
memory/4400-164-0x000001FF35FA0000-0x000001FF35FA2000-memory.dmp

Filesize
8KB

Download
memory/4400-163-0x000001FF35FA0000-0x000001FF35FA2000-memory.dmp

Filesize
8KB

Download
memory/4400-162-0x000001FF35FA0000-0x000001FF35FA2000-memory.dmp

Filesize
8KB

Download
memory/4400-158-0x00007FF9FD2E0000-0x00007FF9FD471000-memory.dmp

Filesize
1.6MB

Download
memory/4400-154-0x0000000000000000-mapping.dmp

Download