dridex | b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79

Analysis

max time kernel
151s
max time network
119s
platform
windows7_x64
resource
win7-en-20211104
submitted
26-11-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79.dll
Size

1.2MB
MD5

12a2429bc9990f1631ce12341895db8c
SHA1

0ee8f6d9b2ce34403e841a39a5f92c6d8138dc42
SHA256

b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79
SHA512

cd85e51fe53befd08ce8707d354ba2a1e519dc5444cc81dd625342af64de9f93de947dcb845c652ad13012c22e056851d2c11eb236086607560e16b829f0a8df

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1220-60-0x0000000002140000-0x0000000002141000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

recdisc.exedpapimig.exetcmsetup.exe

pid process

1036 recdisc.exe
1452 dpapimig.exe
1956 tcmsetup.exe
Loads dropped DLL 7 IoCs

Processes:

recdisc.exedpapimig.exetcmsetup.exe

pid process

1220
1036 recdisc.exe
1220
1452 dpapimig.exe
1220
1956 tcmsetup.exe
1220

pid	process
1036	recdisc.exe
1452	dpapimig.exe
1956	tcmsetup.exe

pid	process
1220
1036	recdisc.exe
1220
1452	dpapimig.exe
1220
1956	tcmsetup.exe
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\QSj\\dpapimig.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

tcmsetup.exerundll32.exerecdisc.exedpapimig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerecdisc.exedpapimig.exe

pid	process
968	rundll32.exe
968	rundll32.exe
968	rundll32.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1036	recdisc.exe
1036	recdisc.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1452	dpapimig.exe
1452	dpapimig.exe
1220
1220
1220
1220
1220
1220

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1220

pid	process
1220

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1220 wrote to memory of 1056	1220	recdisc.exe
PID 1220 wrote to memory of 1056	1220	recdisc.exe
PID 1220 wrote to memory of 1056	1220	recdisc.exe
PID 1220 wrote to memory of 1036	1220	recdisc.exe
PID 1220 wrote to memory of 1036	1220	recdisc.exe
PID 1220 wrote to memory of 1036	1220	recdisc.exe
PID 1220 wrote to memory of 1420	1220	dpapimig.exe
PID 1220 wrote to memory of 1420	1220	dpapimig.exe
PID 1220 wrote to memory of 1420	1220	dpapimig.exe
PID 1220 wrote to memory of 1452	1220	dpapimig.exe
PID 1220 wrote to memory of 1452	1220	dpapimig.exe
PID 1220 wrote to memory of 1452	1220	dpapimig.exe
PID 1220 wrote to memory of 1808	1220	tcmsetup.exe
PID 1220 wrote to memory of 1808	1220	tcmsetup.exe
PID 1220 wrote to memory of 1808	1220	tcmsetup.exe
PID 1220 wrote to memory of 1956	1220	tcmsetup.exe
PID 1220 wrote to memory of 1956	1220	tcmsetup.exe
PID 1220 wrote to memory of 1956	1220	tcmsetup.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b00840048749257957b81d41979187a60a83d52fbe57998630873729a94ffd79.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:968

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:1056

C:\Users\Admin\AppData\Local\TnHUMBo\recdisc.exe
C:\Users\Admin\AppData\Local\TnHUMBo\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:1420

C:\Users\Admin\AppData\Local\sUwNQyoR\dpapimig.exe
C:\Users\Admin\AppData\Local\sUwNQyoR\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1452

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:1808

C:\Users\Admin\AppData\Local\tXMn7w\tcmsetup.exe
C:\Users\Admin\AppData\Local\tXMn7w\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TnHUMBo\ReAgent.dll
MD5
80a7d5dfe6679159ff9f40fa777021d0

SHA1
2cf49fb9c53187b9113f7589be296008ffd276b8

SHA256
f85af1c90777cdc656d3340e2ca64b8e523543836cf25ed5a9d5ec1a2d446b27

SHA512
33b53bfbd57e7b4f42ca3d88bcf29fc350b71c22c61fae1d4e1ecf1f4925dadc553edd43be23c782778e74a60ae9a806881bc41620ebf9da20dfc47ba71663be

Download Submit
C:\Users\Admin\AppData\Local\TnHUMBo\recdisc.exe
MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
C:\Users\Admin\AppData\Local\sUwNQyoR\DUI70.dll
MD5
022ab47f1bd308b0e0d7b497cb88d445

SHA1
ed9b660c95d0d472a9b5d77c821e74a4977ef90d

SHA256
875a7bf8785813622e892b4fb2fdd5206b0da0b06cafa6195dc8b9a4b52e5f40

SHA512
0d5221fd4163f61ce54bbcfbe1f19a035b7d0e71a42216bbf88d92d0d79d909d2e21675942d9aeaa283726ad406b515aa100703eae7c1e6afc84e9354e189ccf

Download Submit
C:\Users\Admin\AppData\Local\sUwNQyoR\dpapimig.exe
MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
C:\Users\Admin\AppData\Local\tXMn7w\TAPI32.dll
MD5
77996cc7045a66e809142e2696571e43

SHA1
52e9309b3dee30e7b368cf5e21c4bc282c0de82e

SHA256
98cc7aa3293b82869a7ea399ac2256c701c472a083ffe68f2c215f59d8c50528

SHA512
7dd2cec5d6e0859e5a0b812ae23cfc7e7483a4b95c70ede847e4fdded09cc4a4582b5ff0108be03d0cf10eeb83be587329af41ba1d43f1a6901c75315acea81a

Download Submit
C:\Users\Admin\AppData\Local\tXMn7w\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Local\TnHUMBo\ReAgent.dll
MD5
80a7d5dfe6679159ff9f40fa777021d0

SHA1
2cf49fb9c53187b9113f7589be296008ffd276b8

SHA256
f85af1c90777cdc656d3340e2ca64b8e523543836cf25ed5a9d5ec1a2d446b27

SHA512
33b53bfbd57e7b4f42ca3d88bcf29fc350b71c22c61fae1d4e1ecf1f4925dadc553edd43be23c782778e74a60ae9a806881bc41620ebf9da20dfc47ba71663be

Download Submit
\Users\Admin\AppData\Local\TnHUMBo\recdisc.exe
MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
\Users\Admin\AppData\Local\sUwNQyoR\DUI70.dll
MD5
022ab47f1bd308b0e0d7b497cb88d445

SHA1
ed9b660c95d0d472a9b5d77c821e74a4977ef90d

SHA256
875a7bf8785813622e892b4fb2fdd5206b0da0b06cafa6195dc8b9a4b52e5f40

SHA512
0d5221fd4163f61ce54bbcfbe1f19a035b7d0e71a42216bbf88d92d0d79d909d2e21675942d9aeaa283726ad406b515aa100703eae7c1e6afc84e9354e189ccf

Download Submit
\Users\Admin\AppData\Local\sUwNQyoR\dpapimig.exe
MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
\Users\Admin\AppData\Local\tXMn7w\TAPI32.dll
MD5
77996cc7045a66e809142e2696571e43

SHA1
52e9309b3dee30e7b368cf5e21c4bc282c0de82e

SHA256
98cc7aa3293b82869a7ea399ac2256c701c472a083ffe68f2c215f59d8c50528

SHA512
7dd2cec5d6e0859e5a0b812ae23cfc7e7483a4b95c70ede847e4fdded09cc4a4582b5ff0108be03d0cf10eeb83be587329af41ba1d43f1a6901c75315acea81a

Download Submit
\Users\Admin\AppData\Local\tXMn7w\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\h0JJgL\tcmsetup.exe
MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
memory/968-59-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/968-55-0x000007FEF6850000-0x000007FEF697B000-memory.dmp

Filesize
1.2MB

Download
memory/1036-96-0x000007FEF6850000-0x000007FEF697C000-memory.dmp

Filesize
1.2MB

Download
memory/1036-91-0x0000000000000000-mapping.dmp

Download
memory/1036-93-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1220-82-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-70-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-78-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-79-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-80-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-81-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-77-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-83-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-84-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-89-0x00000000776B0000-0x00000000776B2000-memory.dmp

Filesize
8KB

Download
memory/1220-75-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-74-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-73-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-72-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-71-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-76-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-69-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-68-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-60-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1220-67-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-65-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-66-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-61-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-64-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-62-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1220-63-0x0000000140000000-0x000000014012B000-memory.dmp

Filesize
1.2MB

Download
memory/1452-106-0x000007FEF6820000-0x000007FEF697F000-memory.dmp

Filesize
1.4MB

Download
memory/1452-101-0x0000000000000000-mapping.dmp

Download
memory/1956-111-0x0000000000000000-mapping.dmp

Download
memory/1956-115-0x000007FEF6850000-0x000007FEF697D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads