dridex | 73caa28a71480350c140f8cb71bf182687bf83c0d481692b2b3bf03aa5fbcfc9

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73caa28a71480350c140f8cb71bf182687bf83c0d481692b2b3bf03aa5fbcfc9.dll
Size

889KB
MD5

1460c61535d4ed50db9b869de9730df8
SHA1

fe13819850c1539cbd2cbefe62f5ad72f9b03fb5
SHA256

73caa28a71480350c140f8cb71bf182687bf83c0d481692b2b3bf03aa5fbcfc9
SHA512

ce3cbaad3e075cdfcbf0889d82f6a2d8fe8947fa00e09cc58b4bd77a85dbbace5564ea3ad33026dc1b482bf3b17f1194a8988b2c33513dc957550a3e713d5d10

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1264-54-0x00000000026A0000-0x00000000026A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

tabcal.exeDeviceDisplayObjectProvider.exerecdisc.exe

pid process

1780 tabcal.exe
304 DeviceDisplayObjectProvider.exe
1804 recdisc.exe
Loads dropped DLL 7 IoCs

Processes:

tabcal.exeDeviceDisplayObjectProvider.exerecdisc.exe

pid process

1264
1780 tabcal.exe
1264
304 DeviceDisplayObjectProvider.exe
1264
1804 recdisc.exe
1264

pid	process
1780	tabcal.exe
304	DeviceDisplayObjectProvider.exe
1804	recdisc.exe

pid	process
1264
1780	tabcal.exe
1264
304	DeviceDisplayObjectProvider.exe
1264
1804	recdisc.exe
1264

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\9Sc\\DEVICE~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exetabcal.exeDeviceDisplayObjectProvider.exerecdisc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exetabcal.exe

pid	process
1904	rundll32.exe
1904	rundll32.exe
1904	rundll32.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1780	tabcal.exe
1780	tabcal.exe
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264
1264

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1264

description	pid	process
Token: SeShutdownPrivilege	1264

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1264 wrote to memory of 1284	1264	tabcal.exe
PID 1264 wrote to memory of 1284	1264	tabcal.exe
PID 1264 wrote to memory of 1284	1264	tabcal.exe
PID 1264 wrote to memory of 1780	1264	tabcal.exe
PID 1264 wrote to memory of 1780	1264	tabcal.exe
PID 1264 wrote to memory of 1780	1264	tabcal.exe
PID 1264 wrote to memory of 1796	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1796	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1796	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 304	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 304	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 304	1264	DeviceDisplayObjectProvider.exe
PID 1264 wrote to memory of 1080	1264	recdisc.exe
PID 1264 wrote to memory of 1080	1264	recdisc.exe
PID 1264 wrote to memory of 1080	1264	recdisc.exe
PID 1264 wrote to memory of 1804	1264	recdisc.exe
PID 1264 wrote to memory of 1804	1264	recdisc.exe
PID 1264 wrote to memory of 1804	1264	recdisc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\73caa28a71480350c140f8cb71bf182687bf83c0d481692b2b3bf03aa5fbcfc9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1904

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Wkup\tabcal.exe
C:\Users\Admin\AppData\Local\Wkup\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:1796

C:\Users\Admin\AppData\Local\RiSaYwh\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\RiSaYwh\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:304

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:1080

C:\Users\Admin\AppData\Local\GaGlcj\recdisc.exe
C:\Users\Admin\AppData\Local\GaGlcj\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1804

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GaGlcj\ReAgent.dll
Filesize
890KB

MD5
a709241d961235324de73b427e7188a4

SHA1
1cda58d7af092f433f7811226ec67edd0939f2b9

SHA256
5aeb51eece2d02afd444cf792377ff0cc65994c16b5c6d36559666ec02762f7b

SHA512
6a2fd6399590e9bae1fd74b346ce154b29326f5678a945a458fa9f8907e6630a9069982ad4774ac37bda2374d76d62523ff8513b1856708eb6bff663c2040fdb

Download Submit
C:\Users\Admin\AppData\Local\GaGlcj\recdisc.exe
Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
C:\Users\Admin\AppData\Local\RiSaYwh\DeviceDisplayObjectProvider.exe
Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
C:\Users\Admin\AppData\Local\RiSaYwh\XmlLite.dll
Filesize
890KB

MD5
0ef7a0d6bf360eecf617b7ea0a909edb

SHA1
75a6aeff69db8609bf726e171dc157563ea2d528

SHA256
b585154109c8bf839aba9bf96fbd8ba92905e696faa998a29ae323c1461ab4b2

SHA512
ab079699cff0010d403a9592dbc12b50124544016f87d4cba670fc09459c6780a63c345b47bf97f11d85257cef0fb8bc22c7b96965d493a94d9c9d3b34cf6ba1

Download Submit
C:\Users\Admin\AppData\Local\Wkup\HID.DLL
Filesize
891KB

MD5
6f3347913fcc2d4f15dc0759b6ab0198

SHA1
31f8ffc93a1001880582d6bf6197f2f5fcf55687

SHA256
095cb616cf0714b54f530edb18a5b96c9640e27186c50c5e47cce079b4f0ef38

SHA512
b672ffc04c591ddc8f5116bd4b94eb72ecfd886e452d0e79783b6a1e4c2364df36774b226c7e1e60418c6e1f05fd2a828acb0d7e819cc1b7d9a5fda7bfd59f23

Download Submit
C:\Users\Admin\AppData\Local\Wkup\tabcal.exe
Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\GaGlcj\ReAgent.dll
Filesize
890KB

MD5
a709241d961235324de73b427e7188a4

SHA1
1cda58d7af092f433f7811226ec67edd0939f2b9

SHA256
5aeb51eece2d02afd444cf792377ff0cc65994c16b5c6d36559666ec02762f7b

SHA512
6a2fd6399590e9bae1fd74b346ce154b29326f5678a945a458fa9f8907e6630a9069982ad4774ac37bda2374d76d62523ff8513b1856708eb6bff663c2040fdb

Download Submit
\Users\Admin\AppData\Local\GaGlcj\recdisc.exe
Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
\Users\Admin\AppData\Local\RiSaYwh\DeviceDisplayObjectProvider.exe
Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
\Users\Admin\AppData\Local\RiSaYwh\XmlLite.dll
Filesize
890KB

MD5
0ef7a0d6bf360eecf617b7ea0a909edb

SHA1
75a6aeff69db8609bf726e171dc157563ea2d528

SHA256
b585154109c8bf839aba9bf96fbd8ba92905e696faa998a29ae323c1461ab4b2

SHA512
ab079699cff0010d403a9592dbc12b50124544016f87d4cba670fc09459c6780a63c345b47bf97f11d85257cef0fb8bc22c7b96965d493a94d9c9d3b34cf6ba1

Download Submit
\Users\Admin\AppData\Local\Wkup\HID.DLL
Filesize
891KB

MD5
6f3347913fcc2d4f15dc0759b6ab0198

SHA1
31f8ffc93a1001880582d6bf6197f2f5fcf55687

SHA256
095cb616cf0714b54f530edb18a5b96c9640e27186c50c5e47cce079b4f0ef38

SHA512
b672ffc04c591ddc8f5116bd4b94eb72ecfd886e452d0e79783b6a1e4c2364df36774b226c7e1e60418c6e1f05fd2a828acb0d7e819cc1b7d9a5fda7bfd59f23

Download Submit
\Users\Admin\AppData\Local\Wkup\tabcal.exe
Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\krBhg74l9G\recdisc.exe
Filesize
232KB

MD5
f3b306179f1840c0813dc6771b018358

SHA1
dec7ce3c13f7a684cb52ae6007c99cf03afef005

SHA256
dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

SHA512
9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

Download Submit
memory/304-74-0x0000000000000000-mapping.dmp

Download
memory/1264-62-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-64-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-67-0x0000000077030000-0x0000000077032000-memory.dmp

Filesize
8KB

Download
memory/1264-55-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-57-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-58-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-59-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-60-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-54-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1264-56-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-61-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-65-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-66-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1264-63-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1780-69-0x0000000000000000-mapping.dmp

Download
memory/1804-81-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1804-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads