dridex | 551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c

Analysis

max time kernel
155s
max time network
118s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c.dll
Size

1.2MB
MD5

0cea842b15be5b2e537ddfed28706abe
SHA1

510fd4fba4122a2d5cea810cb8d90493ef9570e4
SHA256

551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c
SHA512

3aa534022e692349519019fdce5fd1b74aeea0f22e627627c795970deded152881d3ac3cab391e85fd0330b1cd91ed216c80a0a9b08a464ce59ac8a6dfea9960

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1352-59-0x0000000001DE0000-0x0000000001DE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msdt.exeSystemPropertiesHardware.exeraserver.exe

pid process

1288 msdt.exe
1320 SystemPropertiesHardware.exe
1192 raserver.exe
Loads dropped DLL 7 IoCs

Processes:

msdt.exeSystemPropertiesHardware.exeraserver.exe

pid process

1352
1288 msdt.exe
1352
1320 SystemPropertiesHardware.exe
1352
1192 raserver.exe
1352

pid	process
1288	msdt.exe
1320	SystemPropertiesHardware.exe
1192	raserver.exe

pid	process
1352
1288	msdt.exe
1352
1320	SystemPropertiesHardware.exe
1352
1192	raserver.exe
1352

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\8lYHFh\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exemsdt.exeSystemPropertiesHardware.exeraserver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
948	rundll32.exe
948	rundll32.exe
948	rundll32.exe
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exemsdt.exeSystemPropertiesHardware.exeraserver.exe

pid process

948 rundll32.exe
1352
1288 msdt.exe
1320 SystemPropertiesHardware.exe
1192 raserver.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1352 wrote to memory of 1264	1352	msdt.exe
PID 1352 wrote to memory of 1264	1352	msdt.exe
PID 1352 wrote to memory of 1264	1352	msdt.exe
PID 1352 wrote to memory of 1288	1352	msdt.exe
PID 1352 wrote to memory of 1288	1352	msdt.exe
PID 1352 wrote to memory of 1288	1352	msdt.exe
PID 1352 wrote to memory of 1608	1352	SystemPropertiesHardware.exe
PID 1352 wrote to memory of 1608	1352	SystemPropertiesHardware.exe
PID 1352 wrote to memory of 1608	1352	SystemPropertiesHardware.exe
PID 1352 wrote to memory of 1320	1352	SystemPropertiesHardware.exe
PID 1352 wrote to memory of 1320	1352	SystemPropertiesHardware.exe
PID 1352 wrote to memory of 1320	1352	SystemPropertiesHardware.exe
PID 1352 wrote to memory of 1116	1352	raserver.exe
PID 1352 wrote to memory of 1116	1352	raserver.exe
PID 1352 wrote to memory of 1116	1352	raserver.exe
PID 1352 wrote to memory of 1192	1352	raserver.exe
PID 1352 wrote to memory of 1192	1352	raserver.exe
PID 1352 wrote to memory of 1192	1352	raserver.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\551ffee108503aaa811686e21a22388d509a652f7f4876a12de86092e19c596c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:948

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:1264

C:\Users\Admin\AppData\Local\NOOa\msdt.exe
C:\Users\Admin\AppData\Local\NOOa\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1288

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:1608

C:\Users\Admin\AppData\Local\NsCJlpK\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\NsCJlpK\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1320

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:1116

C:\Users\Admin\AppData\Local\xB5QGXh\raserver.exe
C:\Users\Admin\AppData\Local\xB5QGXh\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1192

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\NOOa\DUI70.dll
MD5
247cc8283e2949e17868a3b50f7768f5

SHA1
9814364f5c1ac9d264531ba91d3bebbb9fc030fc

SHA256
272835a6a7b1b67ac6b235e1363e23b484b9a9a84408b8f5d82661d7fe01eb62

SHA512
9aa870ed249d47b88b9183c3c1437379fde1c0f29422f7f5fb6612c99c07b05eb2b527ec8ab4f8a0a450efd44847ec4aa7c77172972b09f0bfb1dde4e6211c4f

Download Submit
C:\Users\Admin\AppData\Local\NOOa\msdt.exe
MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
C:\Users\Admin\AppData\Local\NsCJlpK\SYSDM.CPL
MD5
a3ade37230c8849478349ffe49acfd35

SHA1
e93973fa385c6174b3584d695051358b46022509

SHA256
334de3271877e7c5df9f6738bac7ef1185d2be5615d7ed60767d0258bada5180

SHA512
3f982a871d84c77cddd4e120a056faddf4982d870224b783def9abca79b98b1b277e9f66b1f9017b6a5ff47affed18a274df38e6319fc9a3f141ee9486d22658

Download Submit
C:\Users\Admin\AppData\Local\NsCJlpK\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
C:\Users\Admin\AppData\Local\xB5QGXh\WTSAPI32.dll
MD5
1d7c01d786391a0b50f8317057dddae9

SHA1
677cfb74c4c47ae6699db65b29befe00c76b302e

SHA256
93e7d67a37f9e94fa31cb979c9a11feef82c54a0afa7cacdb514dd334a22d4a1

SHA512
9636f2f9695966f8ad376931857101112a7bf6b9c9100a893fd3b0b89945ac657bc1a33b6aecce3eb29bc4c55fffb125b8b1ed1c0e8967af78acbbfc4dc217af

Download Submit
C:\Users\Admin\AppData\Local\xB5QGXh\raserver.exe
MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\NOOa\DUI70.dll
MD5
247cc8283e2949e17868a3b50f7768f5

SHA1
9814364f5c1ac9d264531ba91d3bebbb9fc030fc

SHA256
272835a6a7b1b67ac6b235e1363e23b484b9a9a84408b8f5d82661d7fe01eb62

SHA512
9aa870ed249d47b88b9183c3c1437379fde1c0f29422f7f5fb6612c99c07b05eb2b527ec8ab4f8a0a450efd44847ec4aa7c77172972b09f0bfb1dde4e6211c4f

Download Submit
\Users\Admin\AppData\Local\NOOa\msdt.exe
MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\NsCJlpK\SYSDM.CPL
MD5
a3ade37230c8849478349ffe49acfd35

SHA1
e93973fa385c6174b3584d695051358b46022509

SHA256
334de3271877e7c5df9f6738bac7ef1185d2be5615d7ed60767d0258bada5180

SHA512
3f982a871d84c77cddd4e120a056faddf4982d870224b783def9abca79b98b1b277e9f66b1f9017b6a5ff47affed18a274df38e6319fc9a3f141ee9486d22658

Download Submit
\Users\Admin\AppData\Local\NsCJlpK\SystemPropertiesHardware.exe
MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\xB5QGXh\WTSAPI32.dll
MD5
1d7c01d786391a0b50f8317057dddae9

SHA1
677cfb74c4c47ae6699db65b29befe00c76b302e

SHA256
93e7d67a37f9e94fa31cb979c9a11feef82c54a0afa7cacdb514dd334a22d4a1

SHA512
9636f2f9695966f8ad376931857101112a7bf6b9c9100a893fd3b0b89945ac657bc1a33b6aecce3eb29bc4c55fffb125b8b1ed1c0e8967af78acbbfc4dc217af

Download Submit
\Users\Admin\AppData\Local\xB5QGXh\raserver.exe
MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\h0GL\raserver.exe
MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
memory/948-55-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/948-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1192-102-0x0000000000000000-mapping.dmp

Download
memory/1288-90-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1288-87-0x000007FEFC291000-0x000007FEFC293000-memory.dmp

Filesize
8KB

Download
memory/1288-85-0x0000000000000000-mapping.dmp

Download
memory/1320-94-0x0000000000000000-mapping.dmp

Download
memory/1320-98-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1352-65-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-83-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

Filesize
8KB

Download
memory/1352-77-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-76-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-74-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-75-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-73-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-72-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-71-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-70-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-69-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-68-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-67-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-66-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-64-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-60-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-63-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-62-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-61-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1352-59-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads