Behavioral Report

Analysis

max time kernel
60s
max time network
0s
platform
windows7_x64
resource
win7-en-20211104
submitted
03-12-2021 10:30

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll
Size

1MB
MD5

6f35fe576a7c7bc71651a0ee2e76cb85
SHA1

b240f9008cfca0bc90865363a8fd5a56ed051435
SHA256

02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26
SHA512

22707965963ea8b91c365f2439980113e5949db69cafbf8eb9358ee440908b686c16f1bddea7a8fd649acb10a18489b3f2582c02db329d9ab61f699b55cac764

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral3/memory/1340-59-0x00000000026D0000-0x00000000026D1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

dialer.exelpksetup.exeisoburn.exe

pid process

972 dialer.exe
1144 lpksetup.exe
992 isoburn.exe

resource	yara_rule
behavioral3/memory/1340-59-0x00000000026D0000-0x00000000026D1000-memory.dmp	dridex_stager_shellcode

pid	process
972	dialer.exe
1144	lpksetup.exe
992	isoburn.exe

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h1
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h1\dpx.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h1\lpksetup.exe

Loads dropped DLL 7 IoCs

Processes:

dialer.exelpksetup.exeisoburn.exe

pid process

1340
972 dialer.exe
1340
1144 lpksetup.exe
1340
992 isoburn.exe
1340

pid	process
1340
972	dialer.exe
1340
1144	lpksetup.exe
1340
992	isoburn.exe
1340

Adds Run key to start application 2 TTPs 1 IoCs

persistence

TTPs:

Registry Run Keys / Startup Folder Modify Registry

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\h1\\lpksetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

TTPs:

System Information Discovery

Processes:

lpksetup.exeisoburn.exerundll32.exedialer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1412	rundll32.exe
1412	rundll32.exe
1412	rundll32.exe
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340
1340

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

rundll32.exedialer.exelpksetup.exeisoburn.exe

pid process

1412 rundll32.exe
1340
972 dialer.exe
1144 lpksetup.exe
992 isoburn.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1340 wrote to memory of 1104	1340	dialer.exe
PID 1340 wrote to memory of 1104	1340	dialer.exe
PID 1340 wrote to memory of 1104	1340	dialer.exe
PID 1340 wrote to memory of 972	1340	dialer.exe
PID 1340 wrote to memory of 972	1340	dialer.exe
PID 1340 wrote to memory of 972	1340	dialer.exe
PID 1340 wrote to memory of 1160	1340	lpksetup.exe
PID 1340 wrote to memory of 1160	1340	lpksetup.exe
PID 1340 wrote to memory of 1160	1340	lpksetup.exe
PID 1340 wrote to memory of 1144	1340	lpksetup.exe
PID 1340 wrote to memory of 1144	1340	lpksetup.exe
PID 1340 wrote to memory of 1144	1340	lpksetup.exe
PID 1340 wrote to memory of 1600	1340	isoburn.exe
PID 1340 wrote to memory of 1600	1340	isoburn.exe
PID 1340 wrote to memory of 1600	1340	isoburn.exe
PID 1340 wrote to memory of 992	1340	isoburn.exe
PID 1340 wrote to memory of 992	1340	isoburn.exe
PID 1340 wrote to memory of 992	1340	isoburn.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a28f4bc46d29f2ae0c82813839b3f5661a26937bef1a5c2d9fc8f05406da26.dll,#1

Checks whether UAC is enabled
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam

PID:1412

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

PID:1104

C:\Users\Admin\AppData\Local\D4QMcd3\dialer.exe

C:\Users\Admin\AppData\Local\D4QMcd3\dialer.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:972

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

PID:1160

C:\Users\Admin\AppData\Local\OTo\lpksetup.exe

C:\Users\Admin\AppData\Local\OTo\lpksetup.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:1144

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

PID:1600

C:\Users\Admin\AppData\Local\oEus5C\isoburn.exe

C:\Users\Admin\AppData\Local\oEus5C\isoburn.exe

Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Suspicious behavior: GetForegroundWindowSpam

PID:992

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

T1112

Discovery

System Information Discovery

T1082

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\D4QMcd3\TAPI32.dll
MD5
07a7517de6c26a67ec1bc4b14241396b

SHA1
cadd76d505fb75fb1522f137a19c03d088089703

SHA256
673ecfc6aa1c4c92ba08cc0fadb68f3e9a1624ac53229d8463ee0f479c02bec9

SHA512
20ec22b8dba919407568e41be30a9736e54e61e70590a317bf560fd400b52ec3f9b6c410678e330f6589216d125b82aa30a9d5cea2c78a9e87c137fba13e2457

Download Submit
C:\Users\Admin\AppData\Local\D4QMcd3\dialer.exe
MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
C:\Users\Admin\AppData\Local\OTo\dpx.dll
MD5
81822e79c91728967edcbbbdac5b61e8

SHA1
972a0e9399b5f86c40ae621631db689b80ff6fcc

SHA256
2926c23d7c51e41accdadb9e81453975b4999e7f466fc924187179b777c79f0e

SHA512
4da72dafd8ecc37d34518643ca81bebaac61af7b21789c7be2012e297e0590e6a93325949f43cc31af9cb2ba34ecccc1290689df513e018c8c0fd66d8e17481a

Download Submit
C:\Users\Admin\AppData\Local\OTo\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
C:\Users\Admin\AppData\Local\oEus5C\UxTheme.dll
MD5
5c07a46caf151b34d1eacfe8922c4fc8

SHA1
d9c5e8867e563dcd45c7cdc66b5616b19f0441d9

SHA256
1aebc77290ea5ce6cbcd47200365035d1940efef7dce5d6b0965da55cf2d5665

SHA512
bad0b936df3b0e535b207fd4bf8a7095f3e38d9fbb963ce0fb07ceea8986a016c864bcb26deab49a4d3e311b566230353aaf4c12aaa1db2641e123429b2af8f8

Download Submit
C:\Users\Admin\AppData\Local\oEus5C\isoburn.exe
MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\Users\Admin\AppData\Local\D4QMcd3\TAPI32.dll
MD5
07a7517de6c26a67ec1bc4b14241396b

SHA1
cadd76d505fb75fb1522f137a19c03d088089703

SHA256
673ecfc6aa1c4c92ba08cc0fadb68f3e9a1624ac53229d8463ee0f479c02bec9

SHA512
20ec22b8dba919407568e41be30a9736e54e61e70590a317bf560fd400b52ec3f9b6c410678e330f6589216d125b82aa30a9d5cea2c78a9e87c137fba13e2457

Download Submit
\Users\Admin\AppData\Local\D4QMcd3\dialer.exe
MD5
46523e17ee0f6837746924eda7e9bac9

SHA1
d6b2a9cc6bd3588fa9804ada5197afda6a9e034b

SHA256
23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382

SHA512
c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

Download Submit
\Users\Admin\AppData\Local\OTo\dpx.dll
MD5
81822e79c91728967edcbbbdac5b61e8

SHA1
972a0e9399b5f86c40ae621631db689b80ff6fcc

SHA256
2926c23d7c51e41accdadb9e81453975b4999e7f466fc924187179b777c79f0e

SHA512
4da72dafd8ecc37d34518643ca81bebaac61af7b21789c7be2012e297e0590e6a93325949f43cc31af9cb2ba34ecccc1290689df513e018c8c0fd66d8e17481a

Download Submit
\Users\Admin\AppData\Local\OTo\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\oEus5C\UxTheme.dll
MD5
5c07a46caf151b34d1eacfe8922c4fc8

SHA1
d9c5e8867e563dcd45c7cdc66b5616b19f0441d9

SHA256
1aebc77290ea5ce6cbcd47200365035d1940efef7dce5d6b0965da55cf2d5665

SHA512
bad0b936df3b0e535b207fd4bf8a7095f3e38d9fbb963ce0fb07ceea8986a016c864bcb26deab49a4d3e311b566230353aaf4c12aaa1db2641e123429b2af8f8

Download Submit
\Users\Admin\AppData\Local\oEus5C\isoburn.exe
MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\ou\isoburn.exe
MD5
f8051f06e1c4aa3f2efe4402af5919b1

SHA1
bbcf3711501dfb22b04b1a6f356d95a6d5998790

SHA256
50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a

SHA512
5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

Download Submit
memory/972-91-0x0000000140000000-0x000000014010B000-memory.dmp

Filesize
1MB

Download
memory/972-87-0x0000000000000000-mapping.dmp

Download
memory/992-104-0x0000000000000000-mapping.dmp

Download
memory/1144-100-0x0000000140000000-0x000000014010A000-memory.dmp

Filesize
1MB

Download
memory/1144-97-0x000007FEFB8D1000-0x000007FEFB8D3000-memory.dmp

Filesize
8KB

Download
memory/1144-95-0x0000000000000000-mapping.dmp

Download
memory/1340-67-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-70-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-79-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-77-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-85-0x0000000077200000-0x0000000077202000-memory.dmp

Filesize
8KB

Download
memory/1340-76-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-75-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-74-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-73-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-72-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-71-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-78-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-69-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-68-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-59-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1340-66-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-65-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-64-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-63-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-62-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-61-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1340-60-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1412-55-0x0000000140000000-0x0000000140109000-memory.dmp

Filesize
1MB

Download
memory/1412-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download