dridex | c80a6055c1607efc5254747e5993f4f505da72a7519104e92f2c32189be5ba3d

Analysis

max time kernel
155s
max time network
118s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c80a6055c1607efc5254747e5993f4f505da72a7519104e92f2c32189be5ba3d.dll
Size

1.3MB
MD5

3264df29f9af6fdccad5f6c62793f158
SHA1

2901853e6dabaee7a82549952a17997caaacb046
SHA256

c80a6055c1607efc5254747e5993f4f505da72a7519104e92f2c32189be5ba3d
SHA512

9bd36e375bea27aa5ce154119031343c8157c88f81a871b45b128b28ce6a7494f6e3eb38d83bf0ae207b62ea01ffa8ce13289c76aa0abb2e9a982c098ecc8cab

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-59-0x0000000002A80000-0x0000000002A81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SystemPropertiesComputerName.exeDeviceDisplayObjectProvider.exedvdupgrd.exe

pid process

592 SystemPropertiesComputerName.exe
1392 DeviceDisplayObjectProvider.exe
996 dvdupgrd.exe
Loads dropped DLL 7 IoCs

Processes:

SystemPropertiesComputerName.exeDeviceDisplayObjectProvider.exedvdupgrd.exe

pid process

1256
592 SystemPropertiesComputerName.exe
1256
1392 DeviceDisplayObjectProvider.exe
1256
996 dvdupgrd.exe
1256

pid	process
592	SystemPropertiesComputerName.exe
1392	DeviceDisplayObjectProvider.exe
996	dvdupgrd.exe

pid	process
1256
592	SystemPropertiesComputerName.exe
1256
1392	DeviceDisplayObjectProvider.exe
1256
996	dvdupgrd.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\kfqIkp6y\\DeviceDisplayObjectProvider.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesComputerName.exeDeviceDisplayObjectProvider.exedvdupgrd.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dvdupgrd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
472	rundll32.exe
472	rundll32.exe
472	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeSystemPropertiesComputerName.exeDeviceDisplayObjectProvider.exedvdupgrd.exe

pid process

472 rundll32.exe
1256
592 SystemPropertiesComputerName.exe
1392 DeviceDisplayObjectProvider.exe
996 dvdupgrd.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 1840	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 1840	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 1840	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 592	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 592	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 592	1256	SystemPropertiesComputerName.exe
PID 1256 wrote to memory of 1512	1256	DeviceDisplayObjectProvider.exe
PID 1256 wrote to memory of 1512	1256	DeviceDisplayObjectProvider.exe
PID 1256 wrote to memory of 1512	1256	DeviceDisplayObjectProvider.exe
PID 1256 wrote to memory of 1392	1256	DeviceDisplayObjectProvider.exe
PID 1256 wrote to memory of 1392	1256	DeviceDisplayObjectProvider.exe
PID 1256 wrote to memory of 1392	1256	DeviceDisplayObjectProvider.exe
PID 1256 wrote to memory of 1564	1256	dvdupgrd.exe
PID 1256 wrote to memory of 1564	1256	dvdupgrd.exe
PID 1256 wrote to memory of 1564	1256	dvdupgrd.exe
PID 1256 wrote to memory of 996	1256	dvdupgrd.exe
PID 1256 wrote to memory of 996	1256	dvdupgrd.exe
PID 1256 wrote to memory of 996	1256	dvdupgrd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c80a6055c1607efc5254747e5993f4f505da72a7519104e92f2c32189be5ba3d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:472

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:1840

C:\Users\Admin\AppData\Local\Zxo1Y\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\Zxo1Y\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:592

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:1512

C:\Users\Admin\AppData\Local\tKA6\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\tKA6\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1392

C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
1⤵
PID:1564

C:\Users\Admin\AppData\Local\lUBOVYs\dvdupgrd.exe
C:\Users\Admin\AppData\Local\lUBOVYs\dvdupgrd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:996

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Zxo1Y\SYSDM.CPL
MD5
d447d76096229f04af2dca485af1f811

SHA1
8ea8d427b1025f136a29ef11aae65e4d3ea6ac7d

SHA256
f698e0e2a18fbf3a19447591a72e94d1fbba56c9d9c86b3c9befeccb0823c72f

SHA512
f19f3b4773c2a5cb81dc8faf9a6e7e1d6f87820b7504ed8ad3b8d27e4fbb7a9abfbc0b07b9d174624fa3613f4374842a66986b507284794722619e3aa1764a77

Download Submit
C:\Users\Admin\AppData\Local\Zxo1Y\SystemPropertiesComputerName.exe
MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
C:\Users\Admin\AppData\Local\lUBOVYs\VERSION.dll
MD5
23300ff69718ceb6b44dc8f1f251cb5c

SHA1
3a05e0b9f0dab2615a113e5f753a8cd92d104033

SHA256
1a47bd6c2158bb1b949891c825059e053862c70b40cb6a091fa5c5361a209fab

SHA512
dcedded1458453583ef8955d457819684f38adbb29983a3b815ef6c3848530bcce9fd968620dc6d46cd2dff37d640b55ef847959cf78c0d80d0a3d886d80706f

Download Submit
C:\Users\Admin\AppData\Local\lUBOVYs\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
C:\Users\Admin\AppData\Local\tKA6\DeviceDisplayObjectProvider.exe
MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
C:\Users\Admin\AppData\Local\tKA6\XmlLite.dll
MD5
4bdd34264c1e29424c1e5ea92b57faa1

SHA1
fc0809ba96be6443ef5850f7f3c90eccd6005d46

SHA256
73ff77ee565c7ac7755f2100ad7ae7ddcd88619b881ea6ba73c1b5835a05609d

SHA512
505adcb3aaceb761888deaefd308643cc6e12e2a4536581ed09c0765916f9f9d487982183e6568277b9816f4d2ed6d2217ffd92e4d4c1eed6e4d4abe324e64eb

Download Submit
\Users\Admin\AppData\Local\Zxo1Y\SYSDM.CPL
MD5
d447d76096229f04af2dca485af1f811

SHA1
8ea8d427b1025f136a29ef11aae65e4d3ea6ac7d

SHA256
f698e0e2a18fbf3a19447591a72e94d1fbba56c9d9c86b3c9befeccb0823c72f

SHA512
f19f3b4773c2a5cb81dc8faf9a6e7e1d6f87820b7504ed8ad3b8d27e4fbb7a9abfbc0b07b9d174624fa3613f4374842a66986b507284794722619e3aa1764a77

Download Submit
\Users\Admin\AppData\Local\Zxo1Y\SystemPropertiesComputerName.exe
MD5
bd889683916aa93e84e1a75802918acf

SHA1
5ee66571359178613a4256a7470c2c3e6dd93cfa

SHA256
0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf

SHA512
9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

Download Submit
\Users\Admin\AppData\Local\lUBOVYs\VERSION.dll
MD5
23300ff69718ceb6b44dc8f1f251cb5c

SHA1
3a05e0b9f0dab2615a113e5f753a8cd92d104033

SHA256
1a47bd6c2158bb1b949891c825059e053862c70b40cb6a091fa5c5361a209fab

SHA512
dcedded1458453583ef8955d457819684f38adbb29983a3b815ef6c3848530bcce9fd968620dc6d46cd2dff37d640b55ef847959cf78c0d80d0a3d886d80706f

Download Submit
\Users\Admin\AppData\Local\lUBOVYs\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
\Users\Admin\AppData\Local\tKA6\DeviceDisplayObjectProvider.exe
MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
\Users\Admin\AppData\Local\tKA6\XmlLite.dll
MD5
4bdd34264c1e29424c1e5ea92b57faa1

SHA1
fc0809ba96be6443ef5850f7f3c90eccd6005d46

SHA256
73ff77ee565c7ac7755f2100ad7ae7ddcd88619b881ea6ba73c1b5835a05609d

SHA512
505adcb3aaceb761888deaefd308643cc6e12e2a4536581ed09c0765916f9f9d487982183e6568277b9816f4d2ed6d2217ffd92e4d4c1eed6e4d4abe324e64eb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-2955169046-2371869340-1800780948-1000\sPU9RYmz\dvdupgrd.exe
MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
memory/472-55-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/472-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/592-85-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/592-81-0x0000000000000000-mapping.dmp

Download
memory/996-97-0x0000000000000000-mapping.dmp

Download
memory/1256-61-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-68-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-73-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-72-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-71-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-70-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-59-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/1256-67-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-79-0x0000000077450000-0x0000000077452000-memory.dmp

Filesize
8KB

Download
memory/1256-60-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-62-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-63-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-64-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-65-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1256-66-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1392-89-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads