dridex | 96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395.dll
Size

1.3MB
MD5

1f6485c87621bff97a63f506040b8288
SHA1

43e5b5a0abf8ef0cbf6fc3ca95f009022b89dec4
SHA256

96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395
SHA512

48bfcf96bc030cc1e84d30d00c42c54abc5f144c4f550d803d8db207fcc0e1bcf65bc4510b39a1204f967bb8028218ded870319423ef72f6b6164963390c091c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1412-60-0x00000000029A0000-0x00000000029A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

RDVGHelper.exesethc.exesigverif.exe

pid process

1768 RDVGHelper.exe
1804 sethc.exe
1688 sigverif.exe
Loads dropped DLL 7 IoCs

Processes:

RDVGHelper.exesethc.exesigverif.exe

pid process

1412
1768 RDVGHelper.exe
1412
1804 sethc.exe
1412
1688 sigverif.exe
1412

pid	process
1768	RDVGHelper.exe
1804	sethc.exe
1688	sigverif.exe

pid	process
1412
1768	RDVGHelper.exe
1412
1804	sethc.exe
1412
1688	sigverif.exe
1412

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\7fvlzwc\\sethc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

sigverif.exerundll32.exeRDVGHelper.exesethc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeRDVGHelper.exesethc.exe

pid	process
1960	rundll32.exe
1960	rundll32.exe
1960	rundll32.exe
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1768	RDVGHelper.exe
1768	RDVGHelper.exe
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1412
1804	sethc.exe
1804	sethc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1412

pid	process
1412

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1412 wrote to memory of 1500	1412	RDVGHelper.exe
PID 1412 wrote to memory of 1500	1412	RDVGHelper.exe
PID 1412 wrote to memory of 1500	1412	RDVGHelper.exe
PID 1412 wrote to memory of 1768	1412	RDVGHelper.exe
PID 1412 wrote to memory of 1768	1412	RDVGHelper.exe
PID 1412 wrote to memory of 1768	1412	RDVGHelper.exe
PID 1412 wrote to memory of 1568	1412	sethc.exe
PID 1412 wrote to memory of 1568	1412	sethc.exe
PID 1412 wrote to memory of 1568	1412	sethc.exe
PID 1412 wrote to memory of 1804	1412	sethc.exe
PID 1412 wrote to memory of 1804	1412	sethc.exe
PID 1412 wrote to memory of 1804	1412	sethc.exe
PID 1412 wrote to memory of 1896	1412	sigverif.exe
PID 1412 wrote to memory of 1896	1412	sigverif.exe
PID 1412 wrote to memory of 1896	1412	sigverif.exe
PID 1412 wrote to memory of 1688	1412	sigverif.exe
PID 1412 wrote to memory of 1688	1412	sigverif.exe
PID 1412 wrote to memory of 1688	1412	sigverif.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\96f10e16e783acebd689db4f3e11b3b949badbd76e4ebf642a604314ce6df395.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:1500

C:\Users\Admin\AppData\Local\yqzw0yWx0\RDVGHelper.exe
C:\Users\Admin\AppData\Local\yqzw0yWx0\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1768

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\zReVVPrQ3\sethc.exe
C:\Users\Admin\AppData\Local\zReVVPrQ3\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1896

C:\Users\Admin\AppData\Local\e2Pqv\sigverif.exe
C:\Users\Admin\AppData\Local\e2Pqv\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\e2Pqv\VERSION.dll
MD5
936b8b4096615132e93744630d6b89e8

SHA1
32eac911ee789d0b71cadd94f303fea6522386cb

SHA256
5f50101587f97910ca842f583c74fad8eed2da4aab97576f6589b0f5bb703a82

SHA512
abca5b000c501ca98e82262d6b862e205deb4a80057cecf018ac29ec6bd422a362b9c5ca2fdedc05e591f6e5df657f6fd127dc2eee3e69b4852f96966c64bb63

Download Submit
C:\Users\Admin\AppData\Local\e2Pqv\sigverif.exe
MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
C:\Users\Admin\AppData\Local\yqzw0yWx0\RDVGHelper.exe
MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
C:\Users\Admin\AppData\Local\yqzw0yWx0\WTSAPI32.dll
MD5
011d2d43a6f54a693ae5461cb61bac71

SHA1
54aee7d690eb4398c04217e3d4dc5e1921fcb257

SHA256
ba001b51b9b6a96e32775f88f76fda792e410f7846d20b6a1f0ad25e5c6b02f2

SHA512
da40487362ee2c955b8044501405f041f86ec67211b313c191c48f30966672fd31720d62f7af1a1815b03d3a9297105165436e37748700d31fc2572ce85bb5e0

Download Submit
C:\Users\Admin\AppData\Local\zReVVPrQ3\DUI70.dll
MD5
46b58d24451f04c5ef70b22e443fa19c

SHA1
e400c0e7f76b3dceac5254bb42d1eca7f335f6af

SHA256
5b0f0a6bda2429fbc1a8c6bc152b55ca32e7ff390ae03346c35c7ec2fc86ca50

SHA512
7ced21f506b3c55481e9c6dbf1ac71e655f21f8ac0875ae566606b363f3efe5db4a94c1fe8dca2f56c686a5084344593fbc9d5c345643f9e1a67641aaa3f1c0b

Download Submit
C:\Users\Admin\AppData\Local\zReVVPrQ3\sethc.exe
MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Local\e2Pqv\VERSION.dll
MD5
936b8b4096615132e93744630d6b89e8

SHA1
32eac911ee789d0b71cadd94f303fea6522386cb

SHA256
5f50101587f97910ca842f583c74fad8eed2da4aab97576f6589b0f5bb703a82

SHA512
abca5b000c501ca98e82262d6b862e205deb4a80057cecf018ac29ec6bd422a362b9c5ca2fdedc05e591f6e5df657f6fd127dc2eee3e69b4852f96966c64bb63

Download Submit
\Users\Admin\AppData\Local\e2Pqv\sigverif.exe
MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\yqzw0yWx0\RDVGHelper.exe
MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
\Users\Admin\AppData\Local\yqzw0yWx0\WTSAPI32.dll
MD5
011d2d43a6f54a693ae5461cb61bac71

SHA1
54aee7d690eb4398c04217e3d4dc5e1921fcb257

SHA256
ba001b51b9b6a96e32775f88f76fda792e410f7846d20b6a1f0ad25e5c6b02f2

SHA512
da40487362ee2c955b8044501405f041f86ec67211b313c191c48f30966672fd31720d62f7af1a1815b03d3a9297105165436e37748700d31fc2572ce85bb5e0

Download Submit
\Users\Admin\AppData\Local\zReVVPrQ3\DUI70.dll
MD5
46b58d24451f04c5ef70b22e443fa19c

SHA1
e400c0e7f76b3dceac5254bb42d1eca7f335f6af

SHA256
5b0f0a6bda2429fbc1a8c6bc152b55ca32e7ff390ae03346c35c7ec2fc86ca50

SHA512
7ced21f506b3c55481e9c6dbf1ac71e655f21f8ac0875ae566606b363f3efe5db4a94c1fe8dca2f56c686a5084344593fbc9d5c345643f9e1a67641aaa3f1c0b

Download Submit
\Users\Admin\AppData\Local\zReVVPrQ3\sethc.exe
MD5
3bcb70da9b5a2011e01e35ed29a3f3f3

SHA1
9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

SHA256
dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

SHA512
69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\da5i49Z\sigverif.exe
MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
memory/1412-63-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-68-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-72-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-70-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-71-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-65-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-62-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-60-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1412-61-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-84-0x00000000771F0000-0x00000000771F2000-memory.dmp

Filesize
8KB

Download
memory/1412-75-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-64-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-77-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-78-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-79-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-67-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-76-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-73-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-74-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-69-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1412-66-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1688-104-0x0000000000000000-mapping.dmp

Download
memory/1688-106-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp

Filesize
8KB

Download
memory/1768-90-0x000007FEF6390000-0x000007FEF64DB000-memory.dmp

Filesize
1.3MB

Download
memory/1768-86-0x0000000000000000-mapping.dmp

Download
memory/1804-99-0x000007FEF6300000-0x000007FEF647E000-memory.dmp

Filesize
1.5MB

Download
memory/1804-95-0x0000000000000000-mapping.dmp

Download
memory/1960-55-0x000007FEF6390000-0x000007FEF64DA000-memory.dmp

Filesize
1.3MB

Download
memory/1960-58-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads