dridex | a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407

Analysis

max time kernel
151s
max time network
119s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407.dll
Size

1.3MB
MD5

96a1a6247fd9266b2df8e83e40ec5066
SHA1

5af3279ed13f24ed21fc1c5de232f81e9a8defca
SHA256

a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407
SHA512

5256356f114d86110fa1d0f640dad9833b20366a0c9687dbdfcdc6cc71d6ef0d6ef8eefa2cc79afa3202f415af638a1384ab6b6a1517a8566f186a54a72cf6a9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1220-60-0x0000000002140000-0x0000000002141000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

tabcal.exeRDVGHelper.exexpsrchvw.exe

pid process

1048 tabcal.exe
1940 RDVGHelper.exe
1392 xpsrchvw.exe
Loads dropped DLL 7 IoCs

Processes:

tabcal.exeRDVGHelper.exexpsrchvw.exe

pid process

1220
1048 tabcal.exe
1220
1940 RDVGHelper.exe
1220
1392 xpsrchvw.exe
1220

pid	process
1048	tabcal.exe
1940	RDVGHelper.exe
1392	xpsrchvw.exe

pid	process
1220
1048	tabcal.exe
1220
1940	RDVGHelper.exe
1220
1392	xpsrchvw.exe
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\fRE0wL\\RDVGHE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

xpsrchvw.exerundll32.exetabcal.exeRDVGHelper.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xpsrchvw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exetabcal.exeRDVGHelper.exe

pid	process
332	rundll32.exe
332	rundll32.exe
332	rundll32.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1048	tabcal.exe
1048	tabcal.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1940	RDVGHelper.exe
1940	RDVGHelper.exe
1220
1220
1220
1220
1220
1220
1220
1220

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1220

pid	process
1220

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1220 wrote to memory of 432	1220	tabcal.exe
PID 1220 wrote to memory of 432	1220	tabcal.exe
PID 1220 wrote to memory of 432	1220	tabcal.exe
PID 1220 wrote to memory of 1048	1220	tabcal.exe
PID 1220 wrote to memory of 1048	1220	tabcal.exe
PID 1220 wrote to memory of 1048	1220	tabcal.exe
PID 1220 wrote to memory of 1312	1220	RDVGHelper.exe
PID 1220 wrote to memory of 1312	1220	RDVGHelper.exe
PID 1220 wrote to memory of 1312	1220	RDVGHelper.exe
PID 1220 wrote to memory of 1940	1220	RDVGHelper.exe
PID 1220 wrote to memory of 1940	1220	RDVGHelper.exe
PID 1220 wrote to memory of 1940	1220	RDVGHelper.exe
PID 1220 wrote to memory of 1480	1220	xpsrchvw.exe
PID 1220 wrote to memory of 1480	1220	xpsrchvw.exe
PID 1220 wrote to memory of 1480	1220	xpsrchvw.exe
PID 1220 wrote to memory of 1392	1220	xpsrchvw.exe
PID 1220 wrote to memory of 1392	1220	xpsrchvw.exe
PID 1220 wrote to memory of 1392	1220	xpsrchvw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a435f616d20bb7534e2a3a7ac480e52792c472ee0fd1e83c3203167af1c93407.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:432

C:\Users\Admin\AppData\Local\w2nXP\tabcal.exe
C:\Users\Admin\AppData\Local\w2nXP\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:1312

C:\Users\Admin\AppData\Local\7Gri\RDVGHelper.exe
C:\Users\Admin\AppData\Local\7Gri\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
1⤵
PID:1480

C:\Users\Admin\AppData\Local\FS6omBaL\xpsrchvw.exe
C:\Users\Admin\AppData\Local\FS6omBaL\xpsrchvw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1392

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7Gri\RDVGHelper.exe
MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
C:\Users\Admin\AppData\Local\7Gri\dwmapi.dll
MD5
bd6e16b09e9b03a55d327678c1c0ba3f

SHA1
c11200f2eea1ef2771ea77569e9536ddfa051e13

SHA256
72b617c6ebbbaf4581e9673b4c048e6535e22d745ded396cf66857be161f4a64

SHA512
b0e6fd5e1ab23a85bec8c2c5ae32f42d9c4dd99b571a2981131fb7e9b9756430534a17a3f10c2976cf6cfe92142fe3ba734cbff2b7bbe316ae4b70c231a9d465

Download Submit
C:\Users\Admin\AppData\Local\FS6omBaL\WINMM.dll
MD5
fdbd45c92456339a44ef1cd7f241bc81

SHA1
846a30cfb4f79d9698e2c82deb40322869a6d0f3

SHA256
60183a76427daafdead14b7f6af262edd1d4f52ad7fd87628d92132e54781b94

SHA512
3ce1ecfbc433798874daf4d25e80048f9f3ff91ebb29d1dd19952a93a8c7bda4fac49157dfa04dab3e491741b1ef2e11d19479b313190217096ed2a3fc74ecd0

Download Submit
C:\Users\Admin\AppData\Local\FS6omBaL\xpsrchvw.exe
MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
C:\Users\Admin\AppData\Local\w2nXP\HID.DLL
MD5
6a3eb005c65690fdcabb0418a6a19807

SHA1
09087591748e7065ba6cfcad4032bcff5f0d7a35

SHA256
55b1a1dd6b1bbce0b44660529496ab2459d07888768dfdba8dc7dd5c471f8ada

SHA512
eae8c5ccfce30ebc90f56506dc0c384636f341af86f19f6ce446a7d8c2b46a575f3608bb7a693900c4d4995f300d3e58fc4b61aa940f60a7856d9f418725c401

Download Submit
C:\Users\Admin\AppData\Local\w2nXP\tabcal.exe
MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\7Gri\RDVGHelper.exe
MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
\Users\Admin\AppData\Local\7Gri\dwmapi.dll
MD5
bd6e16b09e9b03a55d327678c1c0ba3f

SHA1
c11200f2eea1ef2771ea77569e9536ddfa051e13

SHA256
72b617c6ebbbaf4581e9673b4c048e6535e22d745ded396cf66857be161f4a64

SHA512
b0e6fd5e1ab23a85bec8c2c5ae32f42d9c4dd99b571a2981131fb7e9b9756430534a17a3f10c2976cf6cfe92142fe3ba734cbff2b7bbe316ae4b70c231a9d465

Download Submit
\Users\Admin\AppData\Local\FS6omBaL\WINMM.dll
MD5
fdbd45c92456339a44ef1cd7f241bc81

SHA1
846a30cfb4f79d9698e2c82deb40322869a6d0f3

SHA256
60183a76427daafdead14b7f6af262edd1d4f52ad7fd87628d92132e54781b94

SHA512
3ce1ecfbc433798874daf4d25e80048f9f3ff91ebb29d1dd19952a93a8c7bda4fac49157dfa04dab3e491741b1ef2e11d19479b313190217096ed2a3fc74ecd0

Download Submit
\Users\Admin\AppData\Local\FS6omBaL\xpsrchvw.exe
MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
\Users\Admin\AppData\Local\w2nXP\HID.DLL
MD5
6a3eb005c65690fdcabb0418a6a19807

SHA1
09087591748e7065ba6cfcad4032bcff5f0d7a35

SHA256
55b1a1dd6b1bbce0b44660529496ab2459d07888768dfdba8dc7dd5c471f8ada

SHA512
eae8c5ccfce30ebc90f56506dc0c384636f341af86f19f6ce446a7d8c2b46a575f3608bb7a693900c4d4995f300d3e58fc4b61aa940f60a7856d9f418725c401

Download Submit
\Users\Admin\AppData\Local\w2nXP\tabcal.exe
MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\9cgR0\xpsrchvw.exe
MD5
492cb6a624d5dad73ee0294b5db37dd6

SHA1
e74806af04a5147ccabfb5b167eb95a0177c43b3

SHA256
ccb4ecd48561ce024ea176b7036f0f2713b98bc82aa37347a30d8187762a8784

SHA512
63bf2931764efe767fb42f9576702dd585a032f74ad2be2481eaf309f34950f05974d77b5cb220a3ff89c92af0c7693dc558f8e3a3ee2a0be6c5c07171d03835

Download Submit
memory/332-59-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/332-55-0x000007FEF6830000-0x000007FEF6978000-memory.dmp

Filesize
1.3MB

Download
memory/1048-88-0x000007FEF6C30000-0x000007FEF6D79000-memory.dmp

Filesize
1.3MB

Download
memory/1048-84-0x0000000000000000-mapping.dmp

Download
memory/1220-71-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-74-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-77-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-82-0x00000000776B0000-0x00000000776B2000-memory.dmp

Filesize
8KB

Download
memory/1220-64-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-65-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-66-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-67-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-68-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-69-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-70-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-72-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-60-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1220-63-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-75-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-61-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-76-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-62-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1220-73-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/1392-104-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1392-102-0x0000000000000000-mapping.dmp

Download
memory/1392-107-0x00000000FF1D1000-0x00000000FF1D3000-memory.dmp

Filesize
8KB

Download
memory/1392-108-0x000007FEF6690000-0x000007FEF67DA000-memory.dmp

Filesize
1.3MB

Download
memory/1940-97-0x000007FEF6830000-0x000007FEF6979000-memory.dmp

Filesize
1.3MB

Download
memory/1940-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads