dridex | 7f99fa6b320c69b5a80cd50b772da933825a0bef75bf56ba2939f87bee136a95

Analysis

max time kernel
60s
max time network
0s
platform
windows7_x64
resource
win7-en-20211104
submitted
06-12-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f99fa6b320c69b5a80cd50b772da933825a0bef75bf56ba2939f87bee136a95.dll
Size

772KB
MD5

f11a250479b111aebbf272a7b6315728
SHA1

27e219c25e4d31e97d157d5004f118179f66d0bd
SHA256

7f99fa6b320c69b5a80cd50b772da933825a0bef75bf56ba2939f87bee136a95
SHA512

074a893bcc9ffe302cc2d27de9eda3ea67f9f3b1df592bb907cba8aa2f4895311329fc0d11bb7f5e2f638c9501c40f26522620a9e954c4f1b9800948af1712e5

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 4 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1512-55-0x000007FEF7120000-0x000007FEF71EB000-memory.dmp	dridex_payload
behavioral1/memory/1244-64-0x0000000140000000-0x00000001400CB000-memory.dmp	dridex_payload
behavioral1/memory/1756-74-0x000007FEF71F0000-0x000007FEF72BC000-memory.dmp	dridex_payload
behavioral1/memory/1064-82-0x000007FEF6F10000-0x000007FEF6FDC000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1244-59-0x00000000021E0000-0x00000000021E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ddodiag.exeosk.exeperfmon.exe

pid process

1756 ddodiag.exe
1064 osk.exe
1388 perfmon.exe
Loads dropped DLL 7 IoCs

Processes:

ddodiag.exeosk.exeperfmon.exe

pid process

1244
1756 ddodiag.exe
1244
1064 osk.exe
1244
1388 perfmon.exe
1244

pid	process
1756	ddodiag.exe
1064	osk.exe
1388	perfmon.exe

pid	process
1244
1756	ddodiag.exe
1244
1064	osk.exe
1244
1388	perfmon.exe
1244

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myzdcwow = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\ObCnZ99\\osk.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

osk.exeperfmon.exerundll32.exeddodiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeddodiag.exeosk.exe

pid	process
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1756	ddodiag.exe
1756	ddodiag.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1064	osk.exe
1064	osk.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1244 wrote to memory of 292	1244	ddodiag.exe
PID 1244 wrote to memory of 292	1244	ddodiag.exe
PID 1244 wrote to memory of 292	1244	ddodiag.exe
PID 1244 wrote to memory of 1756	1244	ddodiag.exe
PID 1244 wrote to memory of 1756	1244	ddodiag.exe
PID 1244 wrote to memory of 1756	1244	ddodiag.exe
PID 1244 wrote to memory of 1604	1244	osk.exe
PID 1244 wrote to memory of 1604	1244	osk.exe
PID 1244 wrote to memory of 1604	1244	osk.exe
PID 1244 wrote to memory of 1064	1244	osk.exe
PID 1244 wrote to memory of 1064	1244	osk.exe
PID 1244 wrote to memory of 1064	1244	osk.exe
PID 1244 wrote to memory of 1860	1244	perfmon.exe
PID 1244 wrote to memory of 1860	1244	perfmon.exe
PID 1244 wrote to memory of 1860	1244	perfmon.exe
PID 1244 wrote to memory of 1388	1244	perfmon.exe
PID 1244 wrote to memory of 1388	1244	perfmon.exe
PID 1244 wrote to memory of 1388	1244	perfmon.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f99fa6b320c69b5a80cd50b772da933825a0bef75bf56ba2939f87bee136a95.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:292

C:\Users\Admin\AppData\Local\V0aKDVRm\ddodiag.exe
C:\Users\Admin\AppData\Local\V0aKDVRm\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:1604

C:\Users\Admin\AppData\Local\hPN\osk.exe
C:\Users\Admin\AppData\Local\hPN\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1064

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:1860

C:\Users\Admin\AppData\Local\PX5Y\perfmon.exe
C:\Users\Admin\AppData\Local\PX5Y\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1388

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PX5Y\Secur32.dll
MD5
af2f5b32bceacbe31c3ffcedae8abe17

SHA1
4271f6cdb11fb6c79bcb048f817562f4c270f700

SHA256
10583e3a4462444c807a4da4c6109339107e3054e5b798608aaa88e7ed4090a4

SHA512
9c6bcddcde92382732bdda9ffab8d10c92602cc17a4dd0940dd7d8d8c62ce778e06a875c3685e181aace0877e42c3bed569ab97d8bdee42d599a7fc930dfe253

Download Submit
C:\Users\Admin\AppData\Local\PX5Y\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
C:\Users\Admin\AppData\Local\V0aKDVRm\XmlLite.dll
MD5
6eea58f4c812bc943582da33194e1221

SHA1
8f4ad4dc14b4e7e08a94e47e43f5410752978187

SHA256
9892ad437a4d2343d9220e9e2c78cefceb0480f54e6d18a80b55a0f6c4c2d32a

SHA512
1ea81c84224a5bbc996b722b7730f9a742be1c9897db4afe651bcf2143487c0f5cd6550176e9dc200dec943144d045f70ee00bf281ff47994cf2c32b2358daab

Download Submit
C:\Users\Admin\AppData\Local\V0aKDVRm\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
C:\Users\Admin\AppData\Local\hPN\OLEACC.dll
MD5
0e1f60a8783957bde9f783c6dbcff254

SHA1
03380c23409449b096df7bfbd4828c67221ee073

SHA256
2e06714c284cad28348b9497eb407f211ba4cd02b9c6538a2524dec1f4468bfc

SHA512
39839686c52abfea4a87c9e02151548c9b1b0a367c643f9d2d5734ea0b90c86c97d9e3258e85cbfe2d6244a4c8b70631e67d635ea690192a75678cfcaed50629

Download Submit
C:\Users\Admin\AppData\Local\hPN\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\PX5Y\Secur32.dll
MD5
af2f5b32bceacbe31c3ffcedae8abe17

SHA1
4271f6cdb11fb6c79bcb048f817562f4c270f700

SHA256
10583e3a4462444c807a4da4c6109339107e3054e5b798608aaa88e7ed4090a4

SHA512
9c6bcddcde92382732bdda9ffab8d10c92602cc17a4dd0940dd7d8d8c62ce778e06a875c3685e181aace0877e42c3bed569ab97d8bdee42d599a7fc930dfe253

Download Submit
\Users\Admin\AppData\Local\PX5Y\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\V0aKDVRm\XmlLite.dll
MD5
6eea58f4c812bc943582da33194e1221

SHA1
8f4ad4dc14b4e7e08a94e47e43f5410752978187

SHA256
9892ad437a4d2343d9220e9e2c78cefceb0480f54e6d18a80b55a0f6c4c2d32a

SHA512
1ea81c84224a5bbc996b722b7730f9a742be1c9897db4afe651bcf2143487c0f5cd6550176e9dc200dec943144d045f70ee00bf281ff47994cf2c32b2358daab

Download Submit
\Users\Admin\AppData\Local\V0aKDVRm\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\hPN\OLEACC.dll
MD5
0e1f60a8783957bde9f783c6dbcff254

SHA1
03380c23409449b096df7bfbd4828c67221ee073

SHA256
2e06714c284cad28348b9497eb407f211ba4cd02b9c6538a2524dec1f4468bfc

SHA512
39839686c52abfea4a87c9e02151548c9b1b0a367c643f9d2d5734ea0b90c86c97d9e3258e85cbfe2d6244a4c8b70631e67d635ea690192a75678cfcaed50629

Download Submit
\Users\Admin\AppData\Local\hPN\osk.exe
MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Protect\SWEcVY\perfmon.exe
MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
memory/1064-82-0x000007FEF6F10000-0x000007FEF6FDC000-memory.dmp

Filesize
816KB

Download
memory/1064-78-0x0000000000000000-mapping.dmp

Download
memory/1244-59-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1244-62-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1244-63-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1244-64-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1244-61-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1244-60-0x0000000140000000-0x00000001400CB000-memory.dmp

Filesize
812KB

Download
memory/1388-86-0x0000000000000000-mapping.dmp

Download
memory/1388-90-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/1512-55-0x000007FEF7120000-0x000007FEF71EB000-memory.dmp

Filesize
812KB

Download
memory/1512-57-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1756-70-0x0000000000000000-mapping.dmp

Download
memory/1756-74-0x000007FEF71F0000-0x000007FEF72BC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads