dridex | 57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009

Analysis

max time kernel
4294211s
max time network
124s
platform
windows7_x64
resource
win7-20220311-en
submitted
23-03-2022 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009.dll
Size

1.3MB
MD5

518cc4a9888e76bc1a916fd67a08a075
SHA1

148d6f12f12a0cae195f36f4319839f6687b7144
SHA256

57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009
SHA512

b14a3bcbfa68e5cf71ccfdd68ff5da696ca1e44073dbf6cd4d15dfab2a9ff29f56855c828ae7ac0dc346dfab93679f7d1ae52cb24ccc2976e6d4ba1fb5f6221e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1272-59-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wextract.exeddodiag.execmstp.exe

pid process

1076 wextract.exe
1196 ddodiag.exe
1120 cmstp.exe
Loads dropped DLL 7 IoCs

Processes:

wextract.exeddodiag.execmstp.exe

pid process

1272
1076 wextract.exe
1272
1196 ddodiag.exe
1272
1120 cmstp.exe
1272

pid	process
1076	wextract.exe
1196	ddodiag.exe
1120	cmstp.exe

pid	process
1272
1076	wextract.exe
1272
1196	ddodiag.exe
1272
1120	cmstp.exe
1272

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hurnvozqoa = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\6ZHN3J~1\\ddodiag.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewextract.exeddodiag.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewextract.exeddodiag.exe

pid	process
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1076	wextract.exe
1076	wextract.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1196	ddodiag.exe
1196	ddodiag.exe
1272
1272
1272
1272

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1272

pid	process
1272

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1272 wrote to memory of 1668	1272	wextract.exe
PID 1272 wrote to memory of 1668	1272	wextract.exe
PID 1272 wrote to memory of 1668	1272	wextract.exe
PID 1272 wrote to memory of 1076	1272	wextract.exe
PID 1272 wrote to memory of 1076	1272	wextract.exe
PID 1272 wrote to memory of 1076	1272	wextract.exe
PID 1272 wrote to memory of 1684	1272	ddodiag.exe
PID 1272 wrote to memory of 1684	1272	ddodiag.exe
PID 1272 wrote to memory of 1684	1272	ddodiag.exe
PID 1272 wrote to memory of 1196	1272	ddodiag.exe
PID 1272 wrote to memory of 1196	1272	ddodiag.exe
PID 1272 wrote to memory of 1196	1272	ddodiag.exe
PID 1272 wrote to memory of 1756	1272	cmstp.exe
PID 1272 wrote to memory of 1756	1272	cmstp.exe
PID 1272 wrote to memory of 1756	1272	cmstp.exe
PID 1272 wrote to memory of 1120	1272	cmstp.exe
PID 1272 wrote to memory of 1120	1272	cmstp.exe
PID 1272 wrote to memory of 1120	1272	cmstp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\57b0d95f62fc7999dd21b6a0aef4087ad855ccb2d28b99463ee6c88ddf037009.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:1668

C:\Users\Admin\AppData\Local\JgMOaN\wextract.exe
C:\Users\Admin\AppData\Local\JgMOaN\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\09W\ddodiag.exe
C:\Users\Admin\AppData\Local\09W\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1756

C:\Users\Admin\AppData\Local\cVypG8\cmstp.exe
C:\Users\Admin\AppData\Local\cVypG8\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1120

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\09W\XmlLite.dll
MD5
364eb8af2b086e474816537e63768e31

SHA1
ede3db2f90859784beb82a681dfabef39a84b69f

SHA256
576c0ef825964514c1234bf8da734b5fe0ecfa6cf0c6ae4458f6c13d5dd69cd5

SHA512
de5c20193d0afc4439422fcdf684511bb3645063d37af435ed73dd19d346011be7f6357e81760bc673ddf7ac4bc8853040c24d13cfbd64fdac7a15c6e97a77e8

Download Submit
C:\Users\Admin\AppData\Local\09W\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
C:\Users\Admin\AppData\Local\JgMOaN\VERSION.dll
MD5
33484ef867dd1b5394941643fd045c7d

SHA1
0e167358ba1b7d0e034e3b908cd6fa90568eb55f

SHA256
173a9e02bbdfb540ee8be69206912ac77202e7fd7035d5860ce03f4cb52a0f88

SHA512
3cb9aa566ed23a29b633b28c7e240662d5f641145298cf61e4251a4739b59ebf302d14c2d8a326f416ab48f698a75327dfb7071cf3be80949e5ce55a24a5bc85

Download Submit
C:\Users\Admin\AppData\Local\JgMOaN\wextract.exe
MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
C:\Users\Admin\AppData\Local\cVypG8\VERSION.dll
MD5
ffa6b975894d92d5f56e92617b1e9105

SHA1
b271501f545ae75ae1e235e18c37831dfce3c891

SHA256
a2e9916b0b99088d7886575eab6a3705ef31bd45e2e3940e2b7e7f7435348021

SHA512
e9dfdb0aedd8c6bfbb5e405a6b994b9ca112dd978458efdd9d85b7ab7780172d6b1c51dd10f1ed154954fa1d39d5ef966fa75b4ff3d11268f595c61924d4dfab

Download Submit
C:\Users\Admin\AppData\Local\cVypG8\cmstp.exe
MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\09W\XmlLite.dll
MD5
364eb8af2b086e474816537e63768e31

SHA1
ede3db2f90859784beb82a681dfabef39a84b69f

SHA256
576c0ef825964514c1234bf8da734b5fe0ecfa6cf0c6ae4458f6c13d5dd69cd5

SHA512
de5c20193d0afc4439422fcdf684511bb3645063d37af435ed73dd19d346011be7f6357e81760bc673ddf7ac4bc8853040c24d13cfbd64fdac7a15c6e97a77e8

Download Submit
\Users\Admin\AppData\Local\09W\ddodiag.exe
MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\JgMOaN\VERSION.dll
MD5
33484ef867dd1b5394941643fd045c7d

SHA1
0e167358ba1b7d0e034e3b908cd6fa90568eb55f

SHA256
173a9e02bbdfb540ee8be69206912ac77202e7fd7035d5860ce03f4cb52a0f88

SHA512
3cb9aa566ed23a29b633b28c7e240662d5f641145298cf61e4251a4739b59ebf302d14c2d8a326f416ab48f698a75327dfb7071cf3be80949e5ce55a24a5bc85

Download Submit
\Users\Admin\AppData\Local\JgMOaN\wextract.exe
MD5
1ea6500c25a80e8bdb65099c509af993

SHA1
6a090ef561feb4ae1c6794de5b19c5e893c4aafc

SHA256
99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2

SHA512
b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

Download Submit
\Users\Admin\AppData\Local\cVypG8\VERSION.dll
MD5
ffa6b975894d92d5f56e92617b1e9105

SHA1
b271501f545ae75ae1e235e18c37831dfce3c891

SHA256
a2e9916b0b99088d7886575eab6a3705ef31bd45e2e3940e2b7e7f7435348021

SHA512
e9dfdb0aedd8c6bfbb5e405a6b994b9ca112dd978458efdd9d85b7ab7780172d6b1c51dd10f1ed154954fa1d39d5ef966fa75b4ff3d11268f595c61924d4dfab

Download Submit
\Users\Admin\AppData\Local\cVypG8\cmstp.exe
MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\lfmKX29isC\cmstp.exe
MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
memory/1076-126-0x0000000000000000-mapping.dmp

Download
memory/1076-135-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/1120-155-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1120-147-0x0000000000000000-mapping.dmp

Download
memory/1196-137-0x0000000000000000-mapping.dmp

Download
memory/1196-145-0x0000000000260000-0x0000000000267000-memory.dmp

Filesize
28KB

Download
memory/1272-60-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-109-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-71-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-81-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-82-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-65-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-84-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-83-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-66-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-86-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-88-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-87-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-89-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-90-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-85-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-92-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-91-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-94-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-95-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-96-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-93-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-79-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-97-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-98-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-100-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-99-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-101-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-103-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-104-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-105-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-108-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-80-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-110-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-107-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-111-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-106-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-112-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-115-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-114-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-116-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-113-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-117-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-78-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-77-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-76-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-73-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-75-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-74-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-72-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-70-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-69-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-67-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-68-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-62-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-64-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-63-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-61-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-59-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1272-102-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-123-0x00000000025A0000-0x00000000025A7000-memory.dmp

Filesize
28KB

Download
memory/1272-124-0x0000000077760000-0x0000000077762000-memory.dmp

Filesize
8KB

Download
memory/1932-54-0x000007FEF6540000-0x000007FEF668A000-memory.dmp

Filesize
1.3MB

Download
memory/1932-56-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads