dridex | 3a52c4f27db221ed975af3d38ac4b9060203b9c6fb3532cdc61b969e21ca666c

Analysis

max time kernel
4294211s
max time network
119s
platform
windows7_x64
resource
win7-20220223-en
submitted
27-02-2022 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dpnhupnp.dll
Size

1.0MB
MD5

cf22fca6a1c8035cb38867787f16be21
SHA1

85cae7532a21983295a2c0aad5889e8dbd024c9f
SHA256

3a52c4f27db221ed975af3d38ac4b9060203b9c6fb3532cdc61b969e21ca666c
SHA512

0a1e9e8f6d149d6cada2b29257087819a7a09ebf47f31e31c03b0cd26241f487a695faa9d23ce509b413f2585be426e310b8308818445ad039328293bd17cd4c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1388-59-0x0000000002A70000-0x0000000002A71000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

tabcal.exelpksetup.exetaskmgr.exe

pid process

1588 tabcal.exe
1080 lpksetup.exe
1272 taskmgr.exe
Loads dropped DLL 7 IoCs

Processes:

tabcal.exelpksetup.exetaskmgr.exe

pid process

1388
1588 tabcal.exe
1388
1080 lpksetup.exe
1388
1272 taskmgr.exe
1388

pid	process
1588	tabcal.exe
1080	lpksetup.exe
1272	taskmgr.exe

pid	process
1388
1588	tabcal.exe
1388
1080	lpksetup.exe
1388
1272	taskmgr.exe
1388

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dxvtsffzcoo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Fcy4sU\\lpksetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

tabcal.exelpksetup.exetaskmgr.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exetabcal.exelpksetup.exe

pid	process
1792	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1588	tabcal.exe
1588	tabcal.exe
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1388
1080	lpksetup.exe
1080	lpksetup.exe
1388
1388
1388
1388
1388
1388

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1388

pid	process
1388

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1388 wrote to memory of 1620	1388	tabcal.exe
PID 1388 wrote to memory of 1620	1388	tabcal.exe
PID 1388 wrote to memory of 1620	1388	tabcal.exe
PID 1388 wrote to memory of 1588	1388	tabcal.exe
PID 1388 wrote to memory of 1588	1388	tabcal.exe
PID 1388 wrote to memory of 1588	1388	tabcal.exe
PID 1388 wrote to memory of 1980	1388	lpksetup.exe
PID 1388 wrote to memory of 1980	1388	lpksetup.exe
PID 1388 wrote to memory of 1980	1388	lpksetup.exe
PID 1388 wrote to memory of 1080	1388	lpksetup.exe
PID 1388 wrote to memory of 1080	1388	lpksetup.exe
PID 1388 wrote to memory of 1080	1388	lpksetup.exe
PID 1388 wrote to memory of 2028	1388	taskmgr.exe
PID 1388 wrote to memory of 2028	1388	taskmgr.exe
PID 1388 wrote to memory of 2028	1388	taskmgr.exe
PID 1388 wrote to memory of 1272	1388	taskmgr.exe
PID 1388 wrote to memory of 1272	1388	taskmgr.exe
PID 1388 wrote to memory of 1272	1388	taskmgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dpnhupnp.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:1620

C:\Users\Admin\AppData\Local\AN6bw\tabcal.exe
C:\Users\Admin\AppData\Local\AN6bw\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1588

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1980

C:\Users\Admin\AppData\Local\XZ6\lpksetup.exe
C:\Users\Admin\AppData\Local\XZ6\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
1⤵
PID:2028

C:\Users\Admin\AppData\Local\NRQ9FYdX7\taskmgr.exe
C:\Users\Admin\AppData\Local\NRQ9FYdX7\taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1272

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AN6bw\HID.DLL
MD5
facce3099b0d939c1345a46cc7f267c8

SHA1
576b6ac0211cac2a6b5014bb2f3ba698cd1f5b32

SHA256
2ebc7a8beed6ee21844f7c9a7c2550be1a008b297b32d207c5e00abd2fe2bff7

SHA512
b1ddf32eaaa71a504ab34ff61efaa095d377535570b789389390deb5f06a4c68352436eee93c8ad037a7f7075050b0d75653d97e9bc44cecae027b57b2986ae5

Download Submit
C:\Users\Admin\AppData\Local\AN6bw\tabcal.exe
MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
C:\Users\Admin\AppData\Local\NRQ9FYdX7\UxTheme.dll
MD5
f6eb6bade0ddacd0b2f38bacb44e4d60

SHA1
0384c0717effb64bb44bfd671c43d0f6e2322947

SHA256
3ae57e7634bbda9a4537fc967336e2d527746e6aba9ea945378896ad42ed85fa

SHA512
53be377abb45472c5a4269580f3581807db65d2cf1ed1b5746fcdca5f6230d178f33324260cedd0733a241f528bd31486a195ecb081e0e5bf7482d41d046fa76

Download Submit
C:\Users\Admin\AppData\Local\NRQ9FYdX7\taskmgr.exe
MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
C:\Users\Admin\AppData\Local\XZ6\dpx.dll
MD5
8ec28be5cf367b3f23f47af3735aa893

SHA1
18205b7ff49a2c27f506e12c55126200bb076c54

SHA256
983bdeb0499b3e363d4b0b38aae4c3c07a23727024bd293118fd9300d49efd7b

SHA512
cc034abd206fabdfe1a8a0c4207b2a86dfe94adb1c1f31c0cd1f7822fbe2aaed39e6693ab667e466a8c6c25e1cd94c3bdbcddb224ac54dbcd45c7388afbea98b

Download Submit
C:\Users\Admin\AppData\Local\XZ6\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\AN6bw\HID.DLL
MD5
facce3099b0d939c1345a46cc7f267c8

SHA1
576b6ac0211cac2a6b5014bb2f3ba698cd1f5b32

SHA256
2ebc7a8beed6ee21844f7c9a7c2550be1a008b297b32d207c5e00abd2fe2bff7

SHA512
b1ddf32eaaa71a504ab34ff61efaa095d377535570b789389390deb5f06a4c68352436eee93c8ad037a7f7075050b0d75653d97e9bc44cecae027b57b2986ae5

Download Submit
\Users\Admin\AppData\Local\AN6bw\tabcal.exe
MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\NRQ9FYdX7\UxTheme.dll
MD5
f6eb6bade0ddacd0b2f38bacb44e4d60

SHA1
0384c0717effb64bb44bfd671c43d0f6e2322947

SHA256
3ae57e7634bbda9a4537fc967336e2d527746e6aba9ea945378896ad42ed85fa

SHA512
53be377abb45472c5a4269580f3581807db65d2cf1ed1b5746fcdca5f6230d178f33324260cedd0733a241f528bd31486a195ecb081e0e5bf7482d41d046fa76

Download Submit
\Users\Admin\AppData\Local\NRQ9FYdX7\taskmgr.exe
MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
\Users\Admin\AppData\Local\XZ6\dpx.dll
MD5
8ec28be5cf367b3f23f47af3735aa893

SHA1
18205b7ff49a2c27f506e12c55126200bb076c54

SHA256
983bdeb0499b3e363d4b0b38aae4c3c07a23727024bd293118fd9300d49efd7b

SHA512
cc034abd206fabdfe1a8a0c4207b2a86dfe94adb1c1f31c0cd1f7822fbe2aaed39e6693ab667e466a8c6c25e1cd94c3bdbcddb224ac54dbcd45c7388afbea98b

Download Submit
\Users\Admin\AppData\Local\XZ6\lpksetup.exe
MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\QsOn5Qs\taskmgr.exe
MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
memory/1080-139-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/1272-149-0x0000000000160000-0x0000000000167000-memory.dmp

Filesize
28KB

Download
memory/1388-101-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-111-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-74-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-75-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-77-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-78-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-76-0x0000000076BD6000-0x0000000076BD7000-memory.dmp

Filesize
4KB

Download
memory/1388-79-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-81-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-83-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-82-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-80-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-85-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-86-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-87-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-88-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-91-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-89-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-94-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-96-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-95-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-97-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-98-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-59-0x0000000002A70000-0x0000000002A71000-memory.dmp

Filesize
4KB

Download
memory/1388-100-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-102-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-105-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-107-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-108-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-110-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-109-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-73-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-112-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-113-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-106-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-103-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-104-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-99-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-93-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-118-0x0000000002A80000-0x0000000002A87000-memory.dmp

Filesize
28KB

Download
memory/1388-92-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-90-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-84-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-71-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-72-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-70-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-69-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-60-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-127-0x0000000076DE1000-0x0000000076DE2000-memory.dmp

Filesize
4KB

Download
memory/1388-61-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-128-0x0000000076F40000-0x0000000076F42000-memory.dmp

Filesize
8KB

Download
memory/1388-68-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-67-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-66-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-65-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-64-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-63-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1388-62-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1588-129-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1588-123-0x000007FEF6410000-0x000007FEF6515000-memory.dmp

Filesize
1.0MB

Download
memory/1792-54-0x000007FEF5D80000-0x000007FEF5E84000-memory.dmp

Filesize
1.0MB

Download
memory/1792-58-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads