dridex | 3a52c4f27db221ed975af3d38ac4b9060203b9c6fb3532cdc61b969e21ca666c

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
27-02-2022 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dpnhupnp.dll
Size

1.0MB
MD5

cf22fca6a1c8035cb38867787f16be21
SHA1

85cae7532a21983295a2c0aad5889e8dbd024c9f
SHA256

3a52c4f27db221ed975af3d38ac4b9060203b9c6fb3532cdc61b969e21ca666c
SHA512

0a1e9e8f6d149d6cada2b29257087819a7a09ebf47f31e31c03b0cd26241f487a695faa9d23ce509b413f2585be426e310b8308818445ad039328293bd17cd4c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2436-137-0x00000000006D0000-0x00000000006D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dwm.exeprintfilterpipelinesvc.exemsdt.exe

pid process

3040 dwm.exe
1900 printfilterpipelinesvc.exe
724 msdt.exe
Loads dropped DLL 3 IoCs

Processes:

dwm.exeprintfilterpipelinesvc.exemsdt.exe

pid process

3040 dwm.exe
1900 printfilterpipelinesvc.exe
724 msdt.exe

pid	process
3040	dwm.exe
1900	printfilterpipelinesvc.exe
724	msdt.exe

pid	process
3040	dwm.exe
1900	printfilterpipelinesvc.exe
724	msdt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flqldkhbz = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\DlY\\printfilterpipelinesvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

printfilterpipelinesvc.exemsdt.exerundll32.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exedwm.exe

pid	process
516	rundll32.exe
516	rundll32.exe
516	rundll32.exe
516	rundll32.exe
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
2436
3040	dwm.exe
3040	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2436

pid	process
2436

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2436 wrote to memory of 2740	2436	dwm.exe
PID 2436 wrote to memory of 2740	2436	dwm.exe
PID 2436 wrote to memory of 3040	2436	dwm.exe
PID 2436 wrote to memory of 3040	2436	dwm.exe
PID 2436 wrote to memory of 2144	2436	printfilterpipelinesvc.exe
PID 2436 wrote to memory of 2144	2436	printfilterpipelinesvc.exe
PID 2436 wrote to memory of 1900	2436	printfilterpipelinesvc.exe
PID 2436 wrote to memory of 1900	2436	printfilterpipelinesvc.exe
PID 2436 wrote to memory of 828	2436	msdt.exe
PID 2436 wrote to memory of 828	2436	msdt.exe
PID 2436 wrote to memory of 724	2436	msdt.exe
PID 2436 wrote to memory of 724	2436	msdt.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\dpnhupnp.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:516

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:2740

C:\Users\Admin\AppData\Local\YyuJKbj\dwm.exe
C:\Users\Admin\AppData\Local\YyuJKbj\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3040

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:2144

C:\Users\Admin\AppData\Local\KUmlMZ\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\KUmlMZ\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1900

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:828

C:\Users\Admin\AppData\Local\UczCQyVfv\msdt.exe
C:\Users\Admin\AppData\Local\UczCQyVfv\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KUmlMZ\XmlLite.dll
MD5
8cd81a99a2ad45b250341ec247cd6d3e

SHA1
8904060ec24d854678debeb487d1a94e450a269a

SHA256
11eac58fc9bd739284b950e5e0f4f5f6318985b4f1e806118c1ff3d54f720148

SHA512
1e7442e6aa1e5bc7fefc4658814f12bf0382879d88f29219456d1c81969398f25ee43e24446e335a0b143d5255efe1fc2374d026915a232d132ee5c7e7521b85

Download Submit
C:\Users\Admin\AppData\Local\KUmlMZ\XmlLite.dll
MD5
8cd81a99a2ad45b250341ec247cd6d3e

SHA1
8904060ec24d854678debeb487d1a94e450a269a

SHA256
11eac58fc9bd739284b950e5e0f4f5f6318985b4f1e806118c1ff3d54f720148

SHA512
1e7442e6aa1e5bc7fefc4658814f12bf0382879d88f29219456d1c81969398f25ee43e24446e335a0b143d5255efe1fc2374d026915a232d132ee5c7e7521b85

Download Submit
C:\Users\Admin\AppData\Local\KUmlMZ\printfilterpipelinesvc.exe
MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\UczCQyVfv\Secur32.dll
MD5
f24bd3a7596dd2d2de84ee1c9d23e126

SHA1
32b46e9647fd1c4deee1655d147cac0708ea2c33

SHA256
b6328d9448237b2734bc8d6c7f8d84c90772e328069b427d6b00040d0e008e80

SHA512
aeb5d51954dc18d4b519ada0bd28885cf8b3fc0938afd20bad279d33e7329ff540a9c446f8d650b752e9dc666cdd793ca0b69b887bc2fc785ef86bfe97f0428d

Download Submit
C:\Users\Admin\AppData\Local\UczCQyVfv\Secur32.dll
MD5
f24bd3a7596dd2d2de84ee1c9d23e126

SHA1
32b46e9647fd1c4deee1655d147cac0708ea2c33

SHA256
b6328d9448237b2734bc8d6c7f8d84c90772e328069b427d6b00040d0e008e80

SHA512
aeb5d51954dc18d4b519ada0bd28885cf8b3fc0938afd20bad279d33e7329ff540a9c446f8d650b752e9dc666cdd793ca0b69b887bc2fc785ef86bfe97f0428d

Download Submit
C:\Users\Admin\AppData\Local\UczCQyVfv\msdt.exe
MD5
992c3f0cc8180f2f51156671e027ae75

SHA1
942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

SHA256
6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

SHA512
1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

Download Submit
C:\Users\Admin\AppData\Local\YyuJKbj\dwm.exe
MD5
5c27608411832c5b39ba04e33d53536c

SHA1
f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

SHA256
0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

SHA512
1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

Download Submit
C:\Users\Admin\AppData\Local\YyuJKbj\dwm.exe
MD5
5c27608411832c5b39ba04e33d53536c

SHA1
f92f8b7439ce1de4c297046ed1d3ff9f20bc97af

SHA256
0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565

SHA512
1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

Download Submit
C:\Users\Admin\AppData\Local\YyuJKbj\dxgi.dll
MD5
41b9fe459818495869c1433405d421d1

SHA1
9a0ff367c39f4c0eddc897267effd7d56b146b3f

SHA256
48cc3b2e1cd1bbb9969ea710f0b9bed9cf9b88b61b5d9cc723be5918d1f54270

SHA512
c4deba4ef3e41f244849806ebf2c6a965c77006b2a44730595112737efb0ca1fdfe5bbf1628b6a278190bcfbd57eef911e263f9a74660e2dbfea1d05f42be894

Download Submit
C:\Users\Admin\AppData\Local\YyuJKbj\dxgi.dll
MD5
41b9fe459818495869c1433405d421d1

SHA1
9a0ff367c39f4c0eddc897267effd7d56b146b3f

SHA256
48cc3b2e1cd1bbb9969ea710f0b9bed9cf9b88b61b5d9cc723be5918d1f54270

SHA512
c4deba4ef3e41f244849806ebf2c6a965c77006b2a44730595112737efb0ca1fdfe5bbf1628b6a278190bcfbd57eef911e263f9a74660e2dbfea1d05f42be894

Download Submit
memory/516-136-0x000002360A400000-0x000002360A407000-memory.dmp

Filesize
28KB

Download
memory/516-130-0x00007FFB368D0000-0x00007FFB369D4000-memory.dmp

Filesize
1.0MB

Download
memory/724-232-0x000002396AF80000-0x000002396AF87000-memory.dmp

Filesize
28KB

Download
memory/1900-221-0x0000017954C20000-0x0000017954C27000-memory.dmp

Filesize
28KB

Download
memory/2436-168-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-173-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-146-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-147-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-148-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-149-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-150-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-151-0x00007FFB53DAA000-0x00007FFB53DAB000-memory.dmp

Filesize
4KB

Download
memory/2436-152-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-153-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-154-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-155-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-156-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-157-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-160-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-161-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-162-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-163-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-164-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-165-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-166-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-167-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-144-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-159-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-158-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-169-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-170-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-171-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-172-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-145-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-174-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-175-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-176-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-177-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-179-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-178-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-180-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-181-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-182-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-183-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-184-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-185-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-186-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-187-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-188-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-189-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-190-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-191-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-196-0x00007FFB54A8C000-0x00007FFB54A8D000-memory.dmp

Filesize
4KB

Download
memory/2436-197-0x00000000006C0000-0x00000000006C7000-memory.dmp

Filesize
28KB

Download
memory/2436-198-0x00007FFB549E0000-0x00007FFB549F0000-memory.dmp

Filesize
64KB

Download
memory/2436-137-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2436-143-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-142-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-141-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-140-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-139-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/2436-138-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/3040-203-0x00007FFB354B0000-0x00007FFB355B5000-memory.dmp

Filesize
1.0MB

Download
memory/3040-210-0x000001840D020000-0x000001840D027000-memory.dmp

Filesize
28KB

Download