dridex | 9303d54f40b9c7f56d95a0aa39078f0878cab85d0b63e6f4b727749253013d8d

Analysis

max time kernel
4294211s
max time network
125s
platform
windows7_x64
resource
win7-20220311-en
submitted
23-03-2022 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9303d54f40b9c7f56d95a0aa39078f0878cab85d0b63e6f4b727749253013d8d.dll
Size

1.3MB
MD5

26c6fe63e7b7ddbbe73a97520ea5d93c
SHA1

8787e8c20838eea270f4a1e11cf0da706ff610ad
SHA256

9303d54f40b9c7f56d95a0aa39078f0878cab85d0b63e6f4b727749253013d8d
SHA512

bd70c8df00cc74e83978cd958e53ca53d8b7a4908c6d673c33c090c7c76eee10a3264c70594d7380ab3ee811fff28511dde98314c9f58d9f42caa468294fe1d8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1216-59-0x0000000002650000-0x0000000002651000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SoundRecorder.exePresentationSettings.exedpnsvr.exe

pid process

1008 SoundRecorder.exe
1164 PresentationSettings.exe
1764 dpnsvr.exe
Loads dropped DLL 7 IoCs

Processes:

SoundRecorder.exePresentationSettings.exedpnsvr.exe

pid process

1216
1008 SoundRecorder.exe
1216
1164 PresentationSettings.exe
1216
1764 dpnsvr.exe
1216

pid	process
1008	SoundRecorder.exe
1164	PresentationSettings.exe
1764	dpnsvr.exe

pid	process
1216
1008	SoundRecorder.exe
1216
1164	PresentationSettings.exe
1216
1764	dpnsvr.exe
1216

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hurnvozqoa = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2199625441-3471261906-229485034-1000\\1tRVQPT1Cn\\PresentationSettings.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeSoundRecorder.exePresentationSettings.exedpnsvr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SoundRecorder.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationSettings.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSoundRecorder.exePresentationSettings.exe

pid	process
2012	rundll32.exe
2012	rundll32.exe
2012	rundll32.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1008	SoundRecorder.exe
1008	SoundRecorder.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1164	PresentationSettings.exe
1164	PresentationSettings.exe
1216
1216
1216
1216

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1216

pid	process
1216

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1216 wrote to memory of 1684	1216	SoundRecorder.exe
PID 1216 wrote to memory of 1684	1216	SoundRecorder.exe
PID 1216 wrote to memory of 1684	1216	SoundRecorder.exe
PID 1216 wrote to memory of 1008	1216	SoundRecorder.exe
PID 1216 wrote to memory of 1008	1216	SoundRecorder.exe
PID 1216 wrote to memory of 1008	1216	SoundRecorder.exe
PID 1216 wrote to memory of 1432	1216	PresentationSettings.exe
PID 1216 wrote to memory of 1432	1216	PresentationSettings.exe
PID 1216 wrote to memory of 1432	1216	PresentationSettings.exe
PID 1216 wrote to memory of 1164	1216	PresentationSettings.exe
PID 1216 wrote to memory of 1164	1216	PresentationSettings.exe
PID 1216 wrote to memory of 1164	1216	PresentationSettings.exe
PID 1216 wrote to memory of 1752	1216	dpnsvr.exe
PID 1216 wrote to memory of 1752	1216	dpnsvr.exe
PID 1216 wrote to memory of 1752	1216	dpnsvr.exe
PID 1216 wrote to memory of 1764	1216	dpnsvr.exe
PID 1216 wrote to memory of 1764	1216	dpnsvr.exe
PID 1216 wrote to memory of 1764	1216	dpnsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9303d54f40b9c7f56d95a0aa39078f0878cab85d0b63e6f4b727749253013d8d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
1⤵
PID:1684

C:\Users\Admin\AppData\Local\FMldmtI\SoundRecorder.exe
C:\Users\Admin\AppData\Local\FMldmtI\SoundRecorder.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1008

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:1432

C:\Users\Admin\AppData\Local\5YrDrgs4\PresentationSettings.exe
C:\Users\Admin\AppData\Local\5YrDrgs4\PresentationSettings.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:1752

C:\Users\Admin\AppData\Local\i1T\dpnsvr.exe
C:\Users\Admin\AppData\Local\i1T\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5YrDrgs4\PresentationSettings.exe
MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
C:\Users\Admin\AppData\Local\5YrDrgs4\Secur32.dll
MD5
898e3f2d608ddd102b33ebbda9766f57

SHA1
330275b9fc58ce6694b1e318b67729b78fdf05c5

SHA256
c67ee7edb4f19c06b65c0dd1fa303525363b3f095b4d779b6514528a0fe817a4

SHA512
24088d2880ec743f2a463b1b8d7052bfd31e1f2fcf01f6b5fc24f696c6fae0dd11bc0c9127febd4034e463e2c683985e3866e604a7f72bfddc06f39a0137d6c2

Download Submit
C:\Users\Admin\AppData\Local\FMldmtI\SoundRecorder.exe
MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
C:\Users\Admin\AppData\Local\FMldmtI\UxTheme.dll
MD5
2a2668e2e049ed17d60e14cee579202d

SHA1
dff8afad69fa49ec87abd962c704c3176924b267

SHA256
33c8991554d1baee007ad1efee26fb9851a02e07f1e2bb8cc5b092d4b086f2bf

SHA512
e18ae0e6a87459557897ceceee0445a5e2ea6e58884f0b9ed7d3ecc383ccf73c9841dfe8346f09fe485aff9348f9b3a9a2890a0439985225d92a93bf7a3bb336

Download Submit
C:\Users\Admin\AppData\Local\i1T\WINMM.dll
MD5
90cc8e8b4e37dea12e82e26f833aeeb0

SHA1
c45afaf89817f8c0e00ef38bcb0f9c00dc788496

SHA256
822d56c0b8043d7348a3d4ae181865c95179adbe160d95828004682222876b1b

SHA512
a328a7b6b7ca2cac7e6f84dc0f81310e6b012616796733bc7349ea8b8cb4c2791a9aec2d8e1b2455c781474425e34eaf47a6e90586d03d4a526a0dade5ccf989

Download Submit
C:\Users\Admin\AppData\Local\i1T\dpnsvr.exe
MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
\Users\Admin\AppData\Local\5YrDrgs4\PresentationSettings.exe
MD5
a6f8d318f6041334889481b472000081

SHA1
b8cf08ec17b30c8811f2514246fcdff62731dd58

SHA256
208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258

SHA512
60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

Download Submit
\Users\Admin\AppData\Local\5YrDrgs4\Secur32.dll
MD5
898e3f2d608ddd102b33ebbda9766f57

SHA1
330275b9fc58ce6694b1e318b67729b78fdf05c5

SHA256
c67ee7edb4f19c06b65c0dd1fa303525363b3f095b4d779b6514528a0fe817a4

SHA512
24088d2880ec743f2a463b1b8d7052bfd31e1f2fcf01f6b5fc24f696c6fae0dd11bc0c9127febd4034e463e2c683985e3866e604a7f72bfddc06f39a0137d6c2

Download Submit
\Users\Admin\AppData\Local\FMldmtI\SoundRecorder.exe
MD5
47f0f526ad4982806c54b845b3289de1

SHA1
8420ea488a2e187fe1b7fcfb53040d10d5497236

SHA256
e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b

SHA512
4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

Download Submit
\Users\Admin\AppData\Local\FMldmtI\UxTheme.dll
MD5
2a2668e2e049ed17d60e14cee579202d

SHA1
dff8afad69fa49ec87abd962c704c3176924b267

SHA256
33c8991554d1baee007ad1efee26fb9851a02e07f1e2bb8cc5b092d4b086f2bf

SHA512
e18ae0e6a87459557897ceceee0445a5e2ea6e58884f0b9ed7d3ecc383ccf73c9841dfe8346f09fe485aff9348f9b3a9a2890a0439985225d92a93bf7a3bb336

Download Submit
\Users\Admin\AppData\Local\i1T\WINMM.dll
MD5
90cc8e8b4e37dea12e82e26f833aeeb0

SHA1
c45afaf89817f8c0e00ef38bcb0f9c00dc788496

SHA256
822d56c0b8043d7348a3d4ae181865c95179adbe160d95828004682222876b1b

SHA512
a328a7b6b7ca2cac7e6f84dc0f81310e6b012616796733bc7349ea8b8cb4c2791a9aec2d8e1b2455c781474425e34eaf47a6e90586d03d4a526a0dade5ccf989

Download Submit
\Users\Admin\AppData\Local\i1T\dpnsvr.exe
MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Crypto\Hg\dpnsvr.exe
MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
memory/1008-135-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/1008-126-0x0000000000000000-mapping.dmp

Download
memory/1164-137-0x0000000000000000-mapping.dmp

Download
memory/1164-146-0x0000000000230000-0x0000000000237000-memory.dmp

Filesize
28KB

Download
memory/1216-82-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-102-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-70-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-69-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-68-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-92-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-93-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-91-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-90-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-89-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-88-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-87-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-86-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-85-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-99-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-100-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-98-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-97-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-96-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-95-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-94-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-84-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-83-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-72-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-81-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-80-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-79-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-78-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-106-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-107-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-105-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-104-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-103-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-71-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-101-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-108-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-114-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-113-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-112-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-111-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-110-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-109-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-115-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-116-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-73-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-74-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-75-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-76-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-77-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-60-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-61-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-62-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-63-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-64-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-117-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-124-0x0000000077040000-0x0000000077042000-memory.dmp

Filesize
8KB

Download
memory/1216-123-0x00000000021E0000-0x00000000021E7000-memory.dmp

Filesize
28KB

Download
memory/1216-59-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1216-65-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-66-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1216-67-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1764-156-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1764-148-0x0000000000000000-mapping.dmp

Download
memory/2012-54-0x000007FEF5D40000-0x000007FEF5E8A000-memory.dmp

Filesize
1.3MB

Download
memory/2012-58-0x00000000001B0000-0x00000000001B7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads