dridex | 559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9

Analysis

max time kernel
155s
max time network
119s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9.dll
Size

1.2MB
MD5

366013530a4b95379a78c2fdb73c57bc
SHA1

ef3d3ab238a9c130efde5d42a25d6da283fb32b4
SHA256

559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9
SHA512

d069b330242c8ec15975e4ff601b6c4a6cadf43a3ea36193c3e616e0f13602d51a4ef72a8af59a7989eb4d3e126b87436280f5457787bddfe430899600113ead

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1244-59-0x00000000021F0000-0x00000000021F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dwm.exeddodiag.exefvenotify.exe

pid process

1572 dwm.exe
1872 ddodiag.exe
1036 fvenotify.exe
Loads dropped DLL 7 IoCs

Processes:

dwm.exeddodiag.exefvenotify.exe

pid process

1244
1572 dwm.exe
1244
1872 ddodiag.exe
1244
1036 fvenotify.exe
1244

pid	process
1572	dwm.exe
1872	ddodiag.exe
1036	fvenotify.exe

pid	process
1244
1572	dwm.exe
1244
1872	ddodiag.exe
1244
1036	fvenotify.exe
1244

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\IU\\ddodiag.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedwm.exeddodiag.exefvenotify.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
472	rundll32.exe
472	rundll32.exe
472	rundll32.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exedwm.exeddodiag.exefvenotify.exe

pid process

472 rundll32.exe
1244
1572 dwm.exe
1872 ddodiag.exe
1036 fvenotify.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1244 wrote to memory of 1152	1244	dwm.exe
PID 1244 wrote to memory of 1152	1244	dwm.exe
PID 1244 wrote to memory of 1152	1244	dwm.exe
PID 1244 wrote to memory of 1572	1244	dwm.exe
PID 1244 wrote to memory of 1572	1244	dwm.exe
PID 1244 wrote to memory of 1572	1244	dwm.exe
PID 1244 wrote to memory of 1384	1244	ddodiag.exe
PID 1244 wrote to memory of 1384	1244	ddodiag.exe
PID 1244 wrote to memory of 1384	1244	ddodiag.exe
PID 1244 wrote to memory of 1872	1244	ddodiag.exe
PID 1244 wrote to memory of 1872	1244	ddodiag.exe
PID 1244 wrote to memory of 1872	1244	ddodiag.exe
PID 1244 wrote to memory of 1612	1244	fvenotify.exe
PID 1244 wrote to memory of 1612	1244	fvenotify.exe
PID 1244 wrote to memory of 1612	1244	fvenotify.exe
PID 1244 wrote to memory of 1036	1244	fvenotify.exe
PID 1244 wrote to memory of 1036	1244	fvenotify.exe
PID 1244 wrote to memory of 1036	1244	fvenotify.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\559ea4cd5ccedae2401361426823b4c92046f9f997e78b9cf9a1c1e31f9b79c9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:472

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:1152

C:\Users\Admin\AppData\Local\Q8Yet8uH9\dwm.exe
C:\Users\Admin\AppData\Local\Q8Yet8uH9\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1572

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:1384

C:\Users\Admin\AppData\Local\tGI\ddodiag.exe
C:\Users\Admin\AppData\Local\tGI\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1872

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:1612

C:\Users\Admin\AppData\Local\39NY\fvenotify.exe
C:\Users\Admin\AppData\Local\39NY\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1036

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\39NY\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\39NY\slc.dll
MD5
ebf0f0b3bea73c9560be58dc9741c633

SHA1
2422786c094c9b621edac664721d8dc8bea6642b

SHA256
c62bafa3cc46352b516f30810ddcc5ba1a85d0e54153fdf7bd6d530c515acd8a

SHA512
c96ab342b2625397bead6c43ebea5d9bb2bd9dec15bf93d7814e55828187d09c24dea597b7b56c590a749b672954ebf70dd49eff429e7a24d4cb734248baea15

Download Submit
C:\Users\Admin\AppData\Local\Q8Yet8uH9\UxTheme.dll
MD5
71dcf19a66b9cdf0cf3286e07a372ad7

SHA1
2d58e643fc9c3e842d4ddbf91e1ccfc3f6ac3fba

SHA256
dbdfeb6035f524adc3477c8a5871276b03e18ea3be3345af06e7ca2449e7cbd2

SHA512
4915197ac36194a52fe6714d45e454ae73941b346915b09daa9d06127dd7aab9c487d37bcb50998100dc2fcbcf4f658ed2357fe0588b93325d7f1407babce50a

Download Submit
C:\Users\Admin\AppData\Local\Q8Yet8uH9\dwm.exe
MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
C:\Users\Admin\AppData\Local\tGI\XmlLite.dll
MD5
7b427f906691c36776bae0b4ac44cb7b

SHA1
b9c0cff63404b9a91e67b1456649d25cc87b21cd

SHA256
d932f00c20b92b3861d535bc5c8834e2e426e1d49c3000503122cf965c638d4f

SHA512
385de8727c5157fc853286eb4a3025c6217c144366863370624ba0ac509f08ad9327c8b9a3a47fdedaa0b9b26a7984c38e330f6b5b8e779c74ac5c2e7d94fd41

Download Submit
C:\Users\Admin\AppData\Local\tGI\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\39NY\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\39NY\slc.dll
MD5
ebf0f0b3bea73c9560be58dc9741c633

SHA1
2422786c094c9b621edac664721d8dc8bea6642b

SHA256
c62bafa3cc46352b516f30810ddcc5ba1a85d0e54153fdf7bd6d530c515acd8a

SHA512
c96ab342b2625397bead6c43ebea5d9bb2bd9dec15bf93d7814e55828187d09c24dea597b7b56c590a749b672954ebf70dd49eff429e7a24d4cb734248baea15

Download Submit
\Users\Admin\AppData\Local\Q8Yet8uH9\UxTheme.dll
MD5
71dcf19a66b9cdf0cf3286e07a372ad7

SHA1
2d58e643fc9c3e842d4ddbf91e1ccfc3f6ac3fba

SHA256
dbdfeb6035f524adc3477c8a5871276b03e18ea3be3345af06e7ca2449e7cbd2

SHA512
4915197ac36194a52fe6714d45e454ae73941b346915b09daa9d06127dd7aab9c487d37bcb50998100dc2fcbcf4f658ed2357fe0588b93325d7f1407babce50a

Download Submit
\Users\Admin\AppData\Local\Q8Yet8uH9\dwm.exe
MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\tGI\XmlLite.dll
MD5
7b427f906691c36776bae0b4ac44cb7b

SHA1
b9c0cff63404b9a91e67b1456649d25cc87b21cd

SHA256
d932f00c20b92b3861d535bc5c8834e2e426e1d49c3000503122cf965c638d4f

SHA512
385de8727c5157fc853286eb4a3025c6217c144366863370624ba0ac509f08ad9327c8b9a3a47fdedaa0b9b26a7984c38e330f6b5b8e779c74ac5c2e7d94fd41

Download Submit
\Users\Admin\AppData\Local\tGI\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\l0\fvenotify.exe
MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
memory/472-55-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/472-58-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1036-104-0x0000000000000000-mapping.dmp

Download
memory/1036-106-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/1244-65-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-76-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-67-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-69-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-63-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-62-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-60-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-86-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

Filesize
8KB

Download
memory/1244-71-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-59-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/1244-72-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-74-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-75-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-61-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-77-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-64-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-80-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-79-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-78-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-68-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-73-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-70-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1244-66-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/1572-92-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1572-88-0x0000000000000000-mapping.dmp

Download
memory/1872-96-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads