dridex | ab34dad9a255538b46b5c06a9d99d3324a6f204b3f09ff376378580f45f63adb

Analysis

max time kernel
4294211s
max time network
122s
platform
windows7_x64
resource
win7-20220223-en
submitted
02-03-2022 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab34dad9a255538b46b5c06a9d99d3324a6f204b3f09ff376378580f45f63adb.dll
Size

1.2MB
MD5

a121d39d7907071cb07215d25364b798
SHA1

f189ab1ab8a4083c5e37b7a06f33e271dd9c4a59
SHA256

ab34dad9a255538b46b5c06a9d99d3324a6f204b3f09ff376378580f45f63adb
SHA512

e4db45f6baa1ac14b85bc8879373f4bdbc966184ea3b5f6e457cc26781d0e1230d83727d4046750817e86853a779961cccedb2cb9a6f67ebfe374804237fbdcb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1404-59-0x0000000002620000-0x0000000002621000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

TpmInit.exeDeviceDisplayObjectProvider.exep2phost.exe

pid process

1284 TpmInit.exe
1836 DeviceDisplayObjectProvider.exe
1060 p2phost.exe
Loads dropped DLL 7 IoCs

Processes:

TpmInit.exeDeviceDisplayObjectProvider.exep2phost.exe

pid process

1404
1284 TpmInit.exe
1404
1836 DeviceDisplayObjectProvider.exe
1404
1060 p2phost.exe
1404

pid	process
1284	TpmInit.exe
1836	DeviceDisplayObjectProvider.exe
1060	p2phost.exe

pid	process
1404
1284	TpmInit.exe
1404
1836	DeviceDisplayObjectProvider.exe
1404
1060	p2phost.exe
1404

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dxvtsffzcoo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\lmS0\\DeviceDisplayObjectProvider.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DeviceDisplayObjectProvider.exep2phost.exerundll32.exeTpmInit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1204	rundll32.exe
1204	rundll32.exe
1204	rundll32.exe
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404
1404

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1404

pid	process
1404

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1404 wrote to memory of 508	1404	TpmInit.exe
PID 1404 wrote to memory of 508	1404	TpmInit.exe
PID 1404 wrote to memory of 508	1404	TpmInit.exe
PID 1404 wrote to memory of 1284	1404	TpmInit.exe
PID 1404 wrote to memory of 1284	1404	TpmInit.exe
PID 1404 wrote to memory of 1284	1404	TpmInit.exe
PID 1404 wrote to memory of 1664	1404	DeviceDisplayObjectProvider.exe
PID 1404 wrote to memory of 1664	1404	DeviceDisplayObjectProvider.exe
PID 1404 wrote to memory of 1664	1404	DeviceDisplayObjectProvider.exe
PID 1404 wrote to memory of 1836	1404	DeviceDisplayObjectProvider.exe
PID 1404 wrote to memory of 1836	1404	DeviceDisplayObjectProvider.exe
PID 1404 wrote to memory of 1836	1404	DeviceDisplayObjectProvider.exe
PID 1404 wrote to memory of 1004	1404	p2phost.exe
PID 1404 wrote to memory of 1004	1404	p2phost.exe
PID 1404 wrote to memory of 1004	1404	p2phost.exe
PID 1404 wrote to memory of 1060	1404	p2phost.exe
PID 1404 wrote to memory of 1060	1404	p2phost.exe
PID 1404 wrote to memory of 1060	1404	p2phost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab34dad9a255538b46b5c06a9d99d3324a6f204b3f09ff376378580f45f63adb.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1204

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:508

C:\Users\Admin\AppData\Local\RrSdLN\TpmInit.exe
C:\Users\Admin\AppData\Local\RrSdLN\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1284

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:1664

C:\Users\Admin\AppData\Local\gR2\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\gR2\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1836

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:1004

C:\Users\Admin\AppData\Local\BST2y8WZt\p2phost.exe
C:\Users\Admin\AppData\Local\BST2y8WZt\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1060

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\BST2y8WZt\P2PCOLLAB.dll
MD5
a6e541babcfdc3c4e7d482660be3b005

SHA1
661eb89a7776bc56ec4746557d6bfb9cbbe3ddbf

SHA256
64ee5e83a562bfe2158b643d357908116ea545b7c03f763bd97dc1b345ab789c

SHA512
1c2b8489781c6343613f60a415a891975345c33173de0728f518f46e498f3463dfbb41ce02c4cbb34d49a0524c7edc219c3853160aadf90f2b77cdedd3922f0d

Download Submit
C:\Users\Admin\AppData\Local\BST2y8WZt\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
C:\Users\Admin\AppData\Local\RrSdLN\ACTIVEDS.dll
MD5
f777c807b9abc7dee124fa2e53c3f040

SHA1
c968c6eb4703c755485d832ed9762451054dbae1

SHA256
5da53395f8917ea0d48aa9abb5db0ae8565f0298a979ad7ad5b3f7463c3b2315

SHA512
d698e5f4b8ddce958470701ef376d997ecc34c1b05c47c9eea1fc30fe5ab9e0ee0e8eb5f3ab0d47146d4d361b42c254cdf7c70cdaeb4446194e34a81a0eca546

Download Submit
C:\Users\Admin\AppData\Local\RrSdLN\TpmInit.exe
MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
C:\Users\Admin\AppData\Local\gR2\DeviceDisplayObjectProvider.exe
MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
C:\Users\Admin\AppData\Local\gR2\XmlLite.dll
MD5
755abcb54e5844e55be400619db6f816

SHA1
96313878009b0721104058795183245ec26132a3

SHA256
e4ebbe74f7b1c268e2d740771901be633bebadfbb7632f929dc7c1c2a8061c2d

SHA512
b11cf91b3af9d83a6ff52c6fe40902e29c38248c3cf46bad312f5c3fe2143d3c7540079cb10aa48d5be30597717459c8dd66c24fadd8aeecc456413c91c27411

Download Submit
\Users\Admin\AppData\Local\BST2y8WZt\P2PCOLLAB.dll
MD5
a6e541babcfdc3c4e7d482660be3b005

SHA1
661eb89a7776bc56ec4746557d6bfb9cbbe3ddbf

SHA256
64ee5e83a562bfe2158b643d357908116ea545b7c03f763bd97dc1b345ab789c

SHA512
1c2b8489781c6343613f60a415a891975345c33173de0728f518f46e498f3463dfbb41ce02c4cbb34d49a0524c7edc219c3853160aadf90f2b77cdedd3922f0d

Download Submit
\Users\Admin\AppData\Local\BST2y8WZt\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\RrSdLN\ACTIVEDS.dll
MD5
f777c807b9abc7dee124fa2e53c3f040

SHA1
c968c6eb4703c755485d832ed9762451054dbae1

SHA256
5da53395f8917ea0d48aa9abb5db0ae8565f0298a979ad7ad5b3f7463c3b2315

SHA512
d698e5f4b8ddce958470701ef376d997ecc34c1b05c47c9eea1fc30fe5ab9e0ee0e8eb5f3ab0d47146d4d361b42c254cdf7c70cdaeb4446194e34a81a0eca546

Download Submit
\Users\Admin\AppData\Local\RrSdLN\TpmInit.exe
MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\gR2\DeviceDisplayObjectProvider.exe
MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
\Users\Admin\AppData\Local\gR2\XmlLite.dll
MD5
755abcb54e5844e55be400619db6f816

SHA1
96313878009b0721104058795183245ec26132a3

SHA256
e4ebbe74f7b1c268e2d740771901be633bebadfbb7632f929dc7c1c2a8061c2d

SHA512
b11cf91b3af9d83a6ff52c6fe40902e29c38248c3cf46bad312f5c3fe2143d3c7540079cb10aa48d5be30597717459c8dd66c24fadd8aeecc456413c91c27411

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\eomsGU\p2phost.exe
MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/1060-106-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1204-56-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1204-54-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1284-87-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1284-80-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

Filesize
8KB

Download
memory/1284-83-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1404-76-0x00000000772C1000-0x00000000772C2000-memory.dmp

Filesize
4KB

Download
memory/1404-63-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1404-65-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1404-77-0x0000000077450000-0x0000000077452000-memory.dmp

Filesize
8KB

Download
memory/1404-62-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1404-75-0x0000000002220000-0x0000000002227000-memory.dmp

Filesize
28KB

Download
memory/1404-68-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1404-67-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1404-60-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1404-59-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1404-61-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1404-64-0x00000000771B6000-0x00000000771B7000-memory.dmp

Filesize
4KB

Download
memory/1404-66-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1836-96-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads