dridex | 076e78d17a3bba27225ed654145b83f73563a85d568287fd22fbcb3f6aaed049

Analysis

max time kernel
153s
max time network
119s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-11-2021 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

076e78d17a3bba27225ed654145b83f73563a85d568287fd22fbcb3f6aaed049.dll
Size

1.3MB
MD5

a5d99a124590b06e72d07c3371875c1c
SHA1

9ec7c5ed0795e3631bd8445428b3385586789a62
SHA256

076e78d17a3bba27225ed654145b83f73563a85d568287fd22fbcb3f6aaed049
SHA512

def205a46b1ddf95d3e7d28ef94a9f87a5759e3f325241e7ae4cbcfae88c4e9fad0a25f9d506010a040f1c0829df4ff7d25a405a3fce5296184c81d6e99ab6c2

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1300-59-0x0000000002210000-0x0000000002211000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

DisplaySwitch.exeSystemPropertiesAdvanced.exewscript.exe

pid process

420 DisplaySwitch.exe
1292 SystemPropertiesAdvanced.exe
1640 wscript.exe
Loads dropped DLL 8 IoCs

Processes:

DisplaySwitch.exeSystemPropertiesAdvanced.exewscript.exe

pid process

1300
420 DisplaySwitch.exe
1300
1292 SystemPropertiesAdvanced.exe
1300
1300
1640 wscript.exe
1300

pid	process
420	DisplaySwitch.exe
1292	SystemPropertiesAdvanced.exe
1640	wscript.exe

pid	process
1300
420	DisplaySwitch.exe
1300
1292	SystemPropertiesAdvanced.exe
1300
1300
1640	wscript.exe
1300

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gpavvclvseucyal = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{7AD27044-FA0A-4BCB-BFBA-317D0ED3B56B}\\Turjpgz\\SystemPropertiesAdvanced.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemPropertiesAdvanced.exewscript.exerundll32.exeDisplaySwitch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesAdvanced.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1084	rundll32.exe
1084	rundll32.exe
1084	rundll32.exe
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exeDisplaySwitch.exeSystemPropertiesAdvanced.exewscript.exe

pid process

1084 rundll32.exe
1300
420 DisplaySwitch.exe
1292 SystemPropertiesAdvanced.exe
1640 wscript.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1300 wrote to memory of 728	1300	DisplaySwitch.exe
PID 1300 wrote to memory of 728	1300	DisplaySwitch.exe
PID 1300 wrote to memory of 728	1300	DisplaySwitch.exe
PID 1300 wrote to memory of 420	1300	DisplaySwitch.exe
PID 1300 wrote to memory of 420	1300	DisplaySwitch.exe
PID 1300 wrote to memory of 420	1300	DisplaySwitch.exe
PID 1300 wrote to memory of 1200	1300	SystemPropertiesAdvanced.exe
PID 1300 wrote to memory of 1200	1300	SystemPropertiesAdvanced.exe
PID 1300 wrote to memory of 1200	1300	SystemPropertiesAdvanced.exe
PID 1300 wrote to memory of 1292	1300	SystemPropertiesAdvanced.exe
PID 1300 wrote to memory of 1292	1300	SystemPropertiesAdvanced.exe
PID 1300 wrote to memory of 1292	1300	SystemPropertiesAdvanced.exe
PID 1300 wrote to memory of 1280	1300	wscript.exe
PID 1300 wrote to memory of 1280	1300	wscript.exe
PID 1300 wrote to memory of 1280	1300	wscript.exe
PID 1300 wrote to memory of 1640	1300	wscript.exe
PID 1300 wrote to memory of 1640	1300	wscript.exe
PID 1300 wrote to memory of 1640	1300	wscript.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\076e78d17a3bba27225ed654145b83f73563a85d568287fd22fbcb3f6aaed049.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:1084

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:728

C:\Users\Admin\AppData\Local\jybRPu\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\jybRPu\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:420

C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
1⤵
PID:1200

C:\Users\Admin\AppData\Local\faVrlw\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\faVrlw\SystemPropertiesAdvanced.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1292

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1280

C:\Users\Admin\AppData\Local\jKDW2z6YP\wscript.exe
C:\Users\Admin\AppData\Local\jKDW2z6YP\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: GetForegroundWindowSpam
PID:1640

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\faVrlw\SYSDM.CPL
MD5
1752e1d5961e765a79e36d904417e2b9

SHA1
334a78f75f1b68f0a62209b4747984ac0821363d

SHA256
8bfd52a20f595d5da1805e0a8ad0df3b31e2147b6ba082748b362664581ee2c2

SHA512
3bd5f0c75dc7ea606b0e3dfde6fcee95e5b1c20388e2d7b0ff8bfeed8cc024c1c14664b43b9721c3d75b275d4afea2107137e9ae507c2c8320e52f5bb7010782

Download Submit
C:\Users\Admin\AppData\Local\faVrlw\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
C:\Users\Admin\AppData\Local\jKDW2z6YP\VERSION.dll
MD5
6f6bb483e55aa936f07a6f6afeae6167

SHA1
95aef7fa559632893845f143c593c9a7f21d9008

SHA256
a47856d3bcc2b941c5cb1abad2fe7f733037f7966d0e664da9d064b1faed2316

SHA512
a5c4e7541de3b24d9209d4a737f2f9db7b0ee9ca7fb070e63b60138a08b246bf11389a4f443501701d6d14bc71dd60c12a87bce44bd71bcab9464c9a0a06e93d

Download Submit
C:\Users\Admin\AppData\Local\jKDW2z6YP\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\Users\Admin\AppData\Local\jybRPu\DisplaySwitch.exe
MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
C:\Users\Admin\AppData\Local\jybRPu\slc.dll
MD5
53046e7db8401e14de038e08080955bc

SHA1
ad748fb00cde90b90bbaeb82ce1951e8f432a35d

SHA256
35eed5f4aba8627a4b3cee95f2b6a83dca94dbc92f586e551dae9e1b9e92c29c

SHA512
5f6a290618dbb752f6458878ea0f1bad10dbc19cba86ab574972f55e837817b74bf13c6c517c44e76d0ed2ffb5fead4329b6617ef2ecd589c9f5035d91a7a562

Download Submit
\Users\Admin\AppData\Local\faVrlw\SYSDM.CPL
MD5
1752e1d5961e765a79e36d904417e2b9

SHA1
334a78f75f1b68f0a62209b4747984ac0821363d

SHA256
8bfd52a20f595d5da1805e0a8ad0df3b31e2147b6ba082748b362664581ee2c2

SHA512
3bd5f0c75dc7ea606b0e3dfde6fcee95e5b1c20388e2d7b0ff8bfeed8cc024c1c14664b43b9721c3d75b275d4afea2107137e9ae507c2c8320e52f5bb7010782

Download Submit
\Users\Admin\AppData\Local\faVrlw\SystemPropertiesAdvanced.exe
MD5
25dc1e599591871c074a68708206e734

SHA1
27a9dffa92d979d39c07d889fada536c062dac77

SHA256
a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

SHA512
f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

Download Submit
\Users\Admin\AppData\Local\jKDW2z6YP\VERSION.dll
MD5
6f6bb483e55aa936f07a6f6afeae6167

SHA1
95aef7fa559632893845f143c593c9a7f21d9008

SHA256
a47856d3bcc2b941c5cb1abad2fe7f733037f7966d0e664da9d064b1faed2316

SHA512
a5c4e7541de3b24d9209d4a737f2f9db7b0ee9ca7fb070e63b60138a08b246bf11389a4f443501701d6d14bc71dd60c12a87bce44bd71bcab9464c9a0a06e93d

Download Submit
\Users\Admin\AppData\Local\jKDW2z6YP\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\jKDW2z6YP\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\jybRPu\DisplaySwitch.exe
MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
\Users\Admin\AppData\Local\jybRPu\slc.dll
MD5
53046e7db8401e14de038e08080955bc

SHA1
ad748fb00cde90b90bbaeb82ce1951e8f432a35d

SHA256
35eed5f4aba8627a4b3cee95f2b6a83dca94dbc92f586e551dae9e1b9e92c29c

SHA512
5f6a290618dbb752f6458878ea0f1bad10dbc19cba86ab574972f55e837817b74bf13c6c517c44e76d0ed2ffb5fead4329b6617ef2ecd589c9f5035d91a7a562

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\MKAhksa\wscript.exe
MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
memory/420-81-0x0000000000000000-mapping.dmp

Download
memory/420-86-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/420-83-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

Filesize
8KB

Download
memory/1084-55-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1084-58-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1292-90-0x0000000000000000-mapping.dmp

Download
memory/1300-67-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-63-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-69-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-72-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-71-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-66-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-68-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-65-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-64-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-73-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-60-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-70-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-62-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-61-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/1300-59-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1300-79-0x0000000077B20000-0x0000000077B22000-memory.dmp

Filesize
8KB

Download
memory/1640-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads