dridex | a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d

Analysis

max time kernel
153s
max time network
119s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll
Size

1.2MB
MD5

0d2d32a9d4d31d4448df2902ef9590e2
SHA1

eb31c27903cc0d4bb2a9a4a6760bd0e60416a276
SHA256

a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d
SHA512

8a02e7fae0a6829180d69ae4600b9d5006174897a2b5cd09462d81ae64ed1a669908cb3a01d57adca7f0a2c9598074ca680fdbb1c048741ca2f27b64945eb4cd

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-60-0x0000000002B10000-0x0000000002B11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Netplwiz.exeddodiag.exemsra.exe

pid process

1844 Netplwiz.exe
992 ddodiag.exe
1880 msra.exe
Loads dropped DLL 7 IoCs

Processes:

Netplwiz.exeddodiag.exemsra.exe

pid process

1216
1844 Netplwiz.exe
1216
992 ddodiag.exe
1216
1880 msra.exe
1216

pid	process
1844	Netplwiz.exe
992	ddodiag.exe
1880	msra.exe

pid	process
1216
1844	Netplwiz.exe
1216
992	ddodiag.exe
1216
1880	msra.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\wh\\ddodiag.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Netplwiz.exeddodiag.exemsra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exe

pid	process
1060	regsvr32.exe
1060	regsvr32.exe
1060	regsvr32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

regsvr32.exeNetplwiz.exeddodiag.exemsra.exe

pid process

1060 regsvr32.exe
1216
1844 Netplwiz.exe
992 ddodiag.exe
1880 msra.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 2044	1216	Netplwiz.exe
PID 1216 wrote to memory of 2044	1216	Netplwiz.exe
PID 1216 wrote to memory of 2044	1216	Netplwiz.exe
PID 1216 wrote to memory of 1844	1216	Netplwiz.exe
PID 1216 wrote to memory of 1844	1216	Netplwiz.exe
PID 1216 wrote to memory of 1844	1216	Netplwiz.exe
PID 1216 wrote to memory of 644	1216	ddodiag.exe
PID 1216 wrote to memory of 644	1216	ddodiag.exe
PID 1216 wrote to memory of 644	1216	ddodiag.exe
PID 1216 wrote to memory of 992	1216	ddodiag.exe
PID 1216 wrote to memory of 992	1216	ddodiag.exe
PID 1216 wrote to memory of 992	1216	ddodiag.exe
PID 1216 wrote to memory of 924	1216	msra.exe
PID 1216 wrote to memory of 924	1216	msra.exe
PID 1216 wrote to memory of 924	1216	msra.exe
PID 1216 wrote to memory of 1880	1216	msra.exe
PID 1216 wrote to memory of 1880	1216	msra.exe
PID 1216 wrote to memory of 1880	1216	msra.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a5282ab1f03b543c5876030240e56ada6e64c2d94f0acea8819d133a5d653d5d.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1060

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2044

C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe
C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1844

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:644

C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe
C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:992

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:924

C:\Users\Admin\AppData\Local\myytdmx\msra.exe
C:\Users\Admin\AppData\Local\myytdmx\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1880

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JEgvbAoF\NETPLWIZ.dll
MD5
18b67d616d8185c8083fa333ae4518e7

SHA1
0e40d4929fa7e5d0c2b3bc57b7bb32d571cfc1fc

SHA256
395c86cc6c5ac8daf56b4f76848398395b25166b7a40f20457b11dfb3a68251f

SHA512
6d7bfda07a0010f23948fe40929ca9a60a2b86b779a1c28cd9f8294d5223c5b618e77a47d309e2a8ecccaa99ca53eebcbc872a00710388edefb4626be08e97a5

Download Submit
C:\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\mhaN\XmlLite.dll
MD5
bfba66eb2fb168d846a557cd3fd0aa03

SHA1
1b8ce3a61a3b53d53ea79ca559d8e5fbb83add05

SHA256
0c01926ec9b152f78d4993fd0da8ddc7c59dd7998852ceddd49e4145e7a0db86

SHA512
c0e7c4dec50f3f505fb473ab08ba547a1ba3d4ac8f9159478399347cb20693f54f67bdfb82bcc4e0c8d8776c16cc7c41fbbf2f17227238983b1d7e9dd8e5a104

Download Submit
C:\Users\Admin\AppData\Local\mhaN\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
C:\Users\Admin\AppData\Local\myytdmx\NDFAPI.DLL
MD5
e854adf400f3d3243dc325fd0e295cad

SHA1
ae38d3e4c92dca3280ace82798690096caf36758

SHA256
3b7748990a24390ba983a5298c3ca4904785161dc4cbc3c7fd2aa7cd8255491d

SHA512
a6c99efff62ed85f83014ac56bf8dfbcc2a90dae62aeaec74521d632f990db1ce5a24291206d1060a6aabdafdf20569182640371438906708495e9bcaa530836

Download Submit
C:\Users\Admin\AppData\Local\myytdmx\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Local\JEgvbAoF\NETPLWIZ.dll
MD5
18b67d616d8185c8083fa333ae4518e7

SHA1
0e40d4929fa7e5d0c2b3bc57b7bb32d571cfc1fc

SHA256
395c86cc6c5ac8daf56b4f76848398395b25166b7a40f20457b11dfb3a68251f

SHA512
6d7bfda07a0010f23948fe40929ca9a60a2b86b779a1c28cd9f8294d5223c5b618e77a47d309e2a8ecccaa99ca53eebcbc872a00710388edefb4626be08e97a5

Download Submit
\Users\Admin\AppData\Local\JEgvbAoF\Netplwiz.exe
MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
\Users\Admin\AppData\Local\mhaN\XmlLite.dll
MD5
bfba66eb2fb168d846a557cd3fd0aa03

SHA1
1b8ce3a61a3b53d53ea79ca559d8e5fbb83add05

SHA256
0c01926ec9b152f78d4993fd0da8ddc7c59dd7998852ceddd49e4145e7a0db86

SHA512
c0e7c4dec50f3f505fb473ab08ba547a1ba3d4ac8f9159478399347cb20693f54f67bdfb82bcc4e0c8d8776c16cc7c41fbbf2f17227238983b1d7e9dd8e5a104

Download Submit
\Users\Admin\AppData\Local\mhaN\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\myytdmx\NDFAPI.DLL
MD5
e854adf400f3d3243dc325fd0e295cad

SHA1
ae38d3e4c92dca3280ace82798690096caf36758

SHA256
3b7748990a24390ba983a5298c3ca4904785161dc4cbc3c7fd2aa7cd8255491d

SHA512
a6c99efff62ed85f83014ac56bf8dfbcc2a90dae62aeaec74521d632f990db1ce5a24291206d1060a6aabdafdf20569182640371438906708495e9bcaa530836

Download Submit
\Users\Admin\AppData\Local\myytdmx\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\mt\msra.exe
MD5
e79df53bad587e24b3cf965a5746c7b6

SHA1
87a97ec159a3fc1db211f3c2c62e4d60810e7a70

SHA256
4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d

SHA512
9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

Download Submit
memory/992-95-0x0000000000000000-mapping.dmp

Download
memory/1060-55-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download
memory/1060-59-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1060-56-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-76-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-72-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-67-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-66-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-65-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-64-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-85-0x00000000773A0000-0x00000000773A2000-memory.dmp

Filesize
8KB

Download
memory/1216-69-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-60-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1216-70-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-71-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-68-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-73-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-74-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-75-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-77-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-78-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-79-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-61-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-62-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1216-63-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/1844-87-0x0000000000000000-mapping.dmp

Download
memory/1880-103-0x0000000000000000-mapping.dmp

Download
memory/1880-108-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads