dridex | 0731ec1f9527f2a2c35d1aaee97f959cb02e795821987aaff927d97daa42478d

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0731ec1f9527f2a2c35d1aaee97f959cb02e795821987aaff927d97daa42478d.dll
Size

883KB
MD5

ff389f0230936c0facf48d900e622849
SHA1

2cfcb3253c72dbe733bf9a6831f857c18e6dc7f8
SHA256

0731ec1f9527f2a2c35d1aaee97f959cb02e795821987aaff927d97daa42478d
SHA512

890b8918dc5c33ebc988bc9c6e1b850e1ef80afcbc03df47a0158b1cf072ebc09d0ee06626bd9f2ef287b17217e370150cb3e4ffc9c6b85613508d16ab5628af

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1272-54-0x0000000002A00000-0x0000000002A01000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dvdupgrd.exemsdtc.exedccw.exe

pid process

804 dvdupgrd.exe
2040 msdtc.exe
1340 dccw.exe
Loads dropped DLL 7 IoCs

Processes:

dvdupgrd.exemsdtc.exedccw.exe

pid process

1272
804 dvdupgrd.exe
1272
2040 msdtc.exe
1272
1340 dccw.exe
1272

pid	process
804	dvdupgrd.exe
2040	msdtc.exe
1340	dccw.exe

pid	process
1272
804	dvdupgrd.exe
1272
2040	msdtc.exe
1272
1340	dccw.exe
1272

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\DLA3SC~1\\msdtc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdtc.exedccw.exerundll32.exedvdupgrd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dvdupgrd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
956	rundll32.exe
956	rundll32.exe
956	rundll32.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1272

description	pid	process
Token: SeShutdownPrivilege	1272

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1272 wrote to memory of 300	1272	dvdupgrd.exe
PID 1272 wrote to memory of 300	1272	dvdupgrd.exe
PID 1272 wrote to memory of 300	1272	dvdupgrd.exe
PID 1272 wrote to memory of 804	1272	dvdupgrd.exe
PID 1272 wrote to memory of 804	1272	dvdupgrd.exe
PID 1272 wrote to memory of 804	1272	dvdupgrd.exe
PID 1272 wrote to memory of 700	1272	msdtc.exe
PID 1272 wrote to memory of 700	1272	msdtc.exe
PID 1272 wrote to memory of 700	1272	msdtc.exe
PID 1272 wrote to memory of 2040	1272	msdtc.exe
PID 1272 wrote to memory of 2040	1272	msdtc.exe
PID 1272 wrote to memory of 2040	1272	msdtc.exe
PID 1272 wrote to memory of 1308	1272	dccw.exe
PID 1272 wrote to memory of 1308	1272	dccw.exe
PID 1272 wrote to memory of 1308	1272	dccw.exe
PID 1272 wrote to memory of 1340	1272	dccw.exe
PID 1272 wrote to memory of 1340	1272	dccw.exe
PID 1272 wrote to memory of 1340	1272	dccw.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0731ec1f9527f2a2c35d1aaee97f959cb02e795821987aaff927d97daa42478d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:956

C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
1⤵
PID:300

C:\Users\Admin\AppData\Local\sv90wUB\dvdupgrd.exe
C:\Users\Admin\AppData\Local\sv90wUB\dvdupgrd.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:804

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:700

C:\Users\Admin\AppData\Local\MjyRa\msdtc.exe
C:\Users\Admin\AppData\Local\MjyRa\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2040

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:1308

C:\Users\Admin\AppData\Local\weI\dccw.exe
C:\Users\Admin\AppData\Local\weI\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MjyRa\VERSION.dll
Filesize
884KB

MD5
db36e99780c3e876b14d37f41ab00c93

SHA1
8bd95751422e113bcf54e1373b44f799917662a4

SHA256
913ea5a115335b0083fd232ca802b8d625a0df671bc81da5b10ce19b97c30b71

SHA512
0e0168877cee89019ba86cb562030c9a45938c022045ca4bf1ffbd0398c04dcd61894776e3439e48d818c952c2423d640f437847dc09416c79b7ee2e97dbc471

Download Submit
C:\Users\Admin\AppData\Local\MjyRa\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
C:\Users\Admin\AppData\Local\sv90wUB\VERSION.dll
Filesize
884KB

MD5
19f949c835da62fdc0ccb8147c59cc80

SHA1
9962e3a4983a486e4a034b57a90fde8aa32c9435

SHA256
5e0d8fed8e9f675883a36463b3666cf1d574bc464b74a63fd09192eaef4b5bf0

SHA512
809e19130764f8e796c4793840bf71a7133bf9d4c5e3efa936a5e87fbb2f236213e2061d9159412b6abb61e348ab69266eedddb126d87604ac770b0d555bd187

Download Submit
C:\Users\Admin\AppData\Local\sv90wUB\dvdupgrd.exe
Filesize
25KB

MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
C:\Users\Admin\AppData\Local\weI\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
C:\Users\Admin\AppData\Local\weI\mscms.dll
Filesize
888KB

MD5
bc30c4e7727f0e245678e7fbc144eba6

SHA1
5e83d3714d94b27b72c0f8ea02973a9d976c3202

SHA256
d09406348668d1d7c9f68fe13a8a90d159d063925dbf7cb645d602d7242b01bf

SHA512
23b91ca35dce7e91890d7fef3b22aa56896e36bb3ead199fc7977f507d67d4f700936cc29cd0a0f02d558f114a5bf3132ae3e417b0690635b248b75829f42460

Download Submit
\Users\Admin\AppData\Local\MjyRa\VERSION.dll
Filesize
884KB

MD5
db36e99780c3e876b14d37f41ab00c93

SHA1
8bd95751422e113bcf54e1373b44f799917662a4

SHA256
913ea5a115335b0083fd232ca802b8d625a0df671bc81da5b10ce19b97c30b71

SHA512
0e0168877cee89019ba86cb562030c9a45938c022045ca4bf1ffbd0398c04dcd61894776e3439e48d818c952c2423d640f437847dc09416c79b7ee2e97dbc471

Download Submit
\Users\Admin\AppData\Local\MjyRa\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
\Users\Admin\AppData\Local\sv90wUB\VERSION.dll
Filesize
884KB

MD5
19f949c835da62fdc0ccb8147c59cc80

SHA1
9962e3a4983a486e4a034b57a90fde8aa32c9435

SHA256
5e0d8fed8e9f675883a36463b3666cf1d574bc464b74a63fd09192eaef4b5bf0

SHA512
809e19130764f8e796c4793840bf71a7133bf9d4c5e3efa936a5e87fbb2f236213e2061d9159412b6abb61e348ab69266eedddb126d87604ac770b0d555bd187

Download Submit
\Users\Admin\AppData\Local\sv90wUB\dvdupgrd.exe
Filesize
25KB

MD5
75a9b4172eac01d9648c6d2133af952f

SHA1
63c7e1af762d2b584e9cc841e8b0100f2a482b81

SHA256
18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736

SHA512
5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

Download Submit
\Users\Admin\AppData\Local\weI\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\weI\mscms.dll
Filesize
888KB

MD5
bc30c4e7727f0e245678e7fbc144eba6

SHA1
5e83d3714d94b27b72c0f8ea02973a9d976c3202

SHA256
d09406348668d1d7c9f68fe13a8a90d159d063925dbf7cb645d602d7242b01bf

SHA512
23b91ca35dce7e91890d7fef3b22aa56896e36bb3ead199fc7977f507d67d4f700936cc29cd0a0f02d558f114a5bf3132ae3e417b0690635b248b75829f42460

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\vd8y93ppv\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
memory/804-69-0x0000000000000000-mapping.dmp

Download
memory/1272-62-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-63-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-58-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-59-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-61-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-56-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-57-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-55-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-64-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-65-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-67-0x00000000773C0000-0x00000000773C2000-memory.dmp

Filesize
8KB

Download
memory/1272-66-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-60-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1272-54-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1340-83-0x000007FEFBA61000-0x000007FEFBA63000-memory.dmp

Filesize
8KB

Download
memory/1340-79-0x0000000000000000-mapping.dmp

Download
memory/2040-74-0x0000000000000000-mapping.dmp

Download