dridex | cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6

Analysis

max time kernel
4294215s
max time network
129s
platform
windows7_x64
resource
win7-20220310-en
submitted
23-03-2022 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6.dll
Size

1.3MB
MD5

288c35481252c1212cbb764c490c2ad8
SHA1

9c48ba2239b5ae5675d0eb6b92cf0a37884403fd
SHA256

cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6
SHA512

8a3b343ad8819f09f94868b19ab6f94a6fdf852f3c5183a371cd323a57af0b7fb9d5249516044e8f59721e6220ecd43338b6990c56cb0006840842cb923be112

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-59-0x0000000002B80000-0x0000000002B81000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dpnsvr.exeSystemPropertiesProtection.exewermgr.exe

pid process

340 dpnsvr.exe
1192 SystemPropertiesProtection.exe
1612 wermgr.exe
Loads dropped DLL 7 IoCs

Processes:

dpnsvr.exeSystemPropertiesProtection.exewermgr.exe

pid process

1196
340 dpnsvr.exe
1196
1192 SystemPropertiesProtection.exe
1196
1612 wermgr.exe
1196

pid	process
340	dpnsvr.exe
1192	SystemPropertiesProtection.exe
1612	wermgr.exe

pid	process
1196
340	dpnsvr.exe
1196
1192	SystemPropertiesProtection.exe
1196
1612	wermgr.exe
1196

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eaylklfntbynuq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\FSJHSW~1\\SYSTEM~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedpnsvr.exeSystemPropertiesProtection.exewermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wermgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exedpnsvr.exe

pid	process
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
340	dpnsvr.exe
340	dpnsvr.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1196

pid	process
1196

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 1744	1196	dpnsvr.exe
PID 1196 wrote to memory of 1744	1196	dpnsvr.exe
PID 1196 wrote to memory of 1744	1196	dpnsvr.exe
PID 1196 wrote to memory of 340	1196	dpnsvr.exe
PID 1196 wrote to memory of 340	1196	dpnsvr.exe
PID 1196 wrote to memory of 340	1196	dpnsvr.exe
PID 1196 wrote to memory of 1548	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1548	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1548	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1192	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1192	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1192	1196	SystemPropertiesProtection.exe
PID 1196 wrote to memory of 1588	1196	wermgr.exe
PID 1196 wrote to memory of 1588	1196	wermgr.exe
PID 1196 wrote to memory of 1588	1196	wermgr.exe
PID 1196 wrote to memory of 1612	1196	wermgr.exe
PID 1196 wrote to memory of 1612	1196	wermgr.exe
PID 1196 wrote to memory of 1612	1196	wermgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cb793c295b0bcd3baec5546b7176cdfdf10b0a9291d958c72eb85551825d22d6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:1744

C:\Users\Admin\AppData\Local\Mze\dpnsvr.exe
C:\Users\Admin\AppData\Local\Mze\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:340

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:1548

C:\Users\Admin\AppData\Local\d4GCMD\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\d4GCMD\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1192

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:1588

C:\Users\Admin\AppData\Local\Phhakj\wermgr.exe
C:\Users\Admin\AppData\Local\Phhakj\wermgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1612

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mze\WINMM.dll
MD5
4e3a6183965a9ed2f3dff8bd68f2a1e9

SHA1
ae0f7b118baa2dfb015544ad7a66140711644b65

SHA256
460b838a10278648d20c27a88451101ddbc57d2a6d96c06ca47d27bf72bb99a3

SHA512
804d7c85a312695e7bee4fbe5bd736ddd1840c5df64d42c90609f1f946b600a8b4dde5e3adbd60b5bac73c2d13595cdb2ada4d6727f0c54cb405ab84376dad5a

Download Submit
C:\Users\Admin\AppData\Local\Mze\dpnsvr.exe
MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
C:\Users\Admin\AppData\Local\Phhakj\wer.dll
MD5
e3f16f9c3fd5c77d84a41972478f2044

SHA1
990a14caea0c489ef07be9ad9d8942f9ecae842a

SHA256
f467ee08dec67358e783c10012d4d83f6e39d5217f46d1850b194f5add57f07b

SHA512
fcf140099028864f6c37c7ba5d5c70fff97480c430865fa9ca37ab3d20f8e7695ef0aca59c5349a231fddfca9c5a322d3aeb673c0dbd96bf637b8d8251b8a29b

Download Submit
C:\Users\Admin\AppData\Local\Phhakj\wermgr.exe
MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
C:\Users\Admin\AppData\Local\d4GCMD\SYSDM.CPL
MD5
4783f5aed980527e046114c9d1fbea6a

SHA1
9cf89a3058dc3c0935648e48ae8f16b11043acad

SHA256
5f47b6b1417109d6d4ffd3e53a8ebd07beb9a0522538c0fa0d96e60172dd9fcf

SHA512
de9b40c9a0be1841b8604b7490043ad26ffbfac8cfbae663afb9defb3e9c44615784f8ca715f25b47cc3cf3322d37c4ba5c89bb62932c798c1cec9b29f535658

Download Submit
C:\Users\Admin\AppData\Local\d4GCMD\SystemPropertiesProtection.exe
MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Local\Mze\WINMM.dll
MD5
4e3a6183965a9ed2f3dff8bd68f2a1e9

SHA1
ae0f7b118baa2dfb015544ad7a66140711644b65

SHA256
460b838a10278648d20c27a88451101ddbc57d2a6d96c06ca47d27bf72bb99a3

SHA512
804d7c85a312695e7bee4fbe5bd736ddd1840c5df64d42c90609f1f946b600a8b4dde5e3adbd60b5bac73c2d13595cdb2ada4d6727f0c54cb405ab84376dad5a

Download Submit
\Users\Admin\AppData\Local\Mze\dpnsvr.exe
MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
\Users\Admin\AppData\Local\Phhakj\wer.dll
MD5
e3f16f9c3fd5c77d84a41972478f2044

SHA1
990a14caea0c489ef07be9ad9d8942f9ecae842a

SHA256
f467ee08dec67358e783c10012d4d83f6e39d5217f46d1850b194f5add57f07b

SHA512
fcf140099028864f6c37c7ba5d5c70fff97480c430865fa9ca37ab3d20f8e7695ef0aca59c5349a231fddfca9c5a322d3aeb673c0dbd96bf637b8d8251b8a29b

Download Submit
\Users\Admin\AppData\Local\Phhakj\wermgr.exe
MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
\Users\Admin\AppData\Local\d4GCMD\SYSDM.CPL
MD5
4783f5aed980527e046114c9d1fbea6a

SHA1
9cf89a3058dc3c0935648e48ae8f16b11043acad

SHA256
5f47b6b1417109d6d4ffd3e53a8ebd07beb9a0522538c0fa0d96e60172dd9fcf

SHA512
de9b40c9a0be1841b8604b7490043ad26ffbfac8cfbae663afb9defb3e9c44615784f8ca715f25b47cc3cf3322d37c4ba5c89bb62932c798c1cec9b29f535658

Download Submit
\Users\Admin\AppData\Local\d4GCMD\SystemPropertiesProtection.exe
MD5
05138d8f952d3fff1362f7c50158bc38

SHA1
780bc59fcddf06a7494d09771b8340acffdcc720

SHA256
753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd

SHA512
27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\7Q\wermgr.exe
MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
memory/340-137-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/340-129-0x0000000000000000-mapping.dmp

Download
memory/1192-147-0x0000000000020000-0x0000000000027000-memory.dmp

Filesize
28KB

Download
memory/1192-139-0x0000000000000000-mapping.dmp

Download
memory/1196-96-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-106-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-75-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-76-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-77-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-78-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-79-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-80-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-81-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-82-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-83-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-84-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-85-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-86-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-87-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-88-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-89-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-90-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-91-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-92-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-93-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-94-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-95-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-73-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-97-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-98-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-99-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-100-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-101-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-102-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-103-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-104-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-105-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-74-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-107-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-108-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-109-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-110-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-111-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-112-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-113-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-114-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-115-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-116-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-117-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-72-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-71-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-70-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-69-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-68-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-67-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-60-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-61-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-62-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-63-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-118-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-122-0x0000000002B60000-0x0000000002B67000-memory.dmp

Filesize
28KB

Download
memory/1196-127-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

Filesize
8KB

Download
memory/1196-59-0x0000000002B80000-0x0000000002B81000-memory.dmp

Filesize
4KB

Download
memory/1196-64-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-65-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1196-66-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1612-149-0x0000000000000000-mapping.dmp

Download
memory/1684-54-0x000007FEF6360000-0x000007FEF64AE000-memory.dmp

Filesize
1.3MB

Download
memory/1684-58-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads