dridex | 07f5bfe8bd8448bed535b3e17ba4a771f8e22d79323409223904651b9c4f637c

Analysis

max time kernel
186s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07f5bfe8bd8448bed535b3e17ba4a771f8e22d79323409223904651b9c4f637c.dll
Size

882KB
MD5

f7ebaa469f359428eb4c1ae559ccb5a5
SHA1

60e9a7184c28f812116245bacf27d7105acc8572
SHA256

07f5bfe8bd8448bed535b3e17ba4a771f8e22d79323409223904651b9c4f637c
SHA512

84e919b0760df09406224fd669f448f34517170ae7f76a3013da389fccbb501a88f22b8451f83bb11f0bc22e7fc263b991c18bb9d0b86d88fd3839cd80b4c324

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1220-54-0x0000000002700000-0x0000000002701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

TpmInit.exespinstall.exemsconfig.exe

pid process

588 TpmInit.exe
1448 spinstall.exe
1460 msconfig.exe
Loads dropped DLL 7 IoCs

Processes:

TpmInit.exespinstall.exemsconfig.exe

pid process

1220
588 TpmInit.exe
1220
1448 spinstall.exe
1220
1460 msconfig.exe
1220

pid	process
588	TpmInit.exe
1448	spinstall.exe
1460	msconfig.exe

pid	process
1220
588	TpmInit.exe
1220
1448	spinstall.exe
1220
1460	msconfig.exe
1220

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\GTN3K5HSULX\\spinstall.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

spinstall.exemsconfig.exerundll32.exeTpmInit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spinstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msconfig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeTpmInit.exe

pid	process
964	rundll32.exe
964	rundll32.exe
964	rundll32.exe
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
1220
588	TpmInit.exe
588	TpmInit.exe
1220
1220
1220
1220
1220
1220
1220
1220

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1220

description	pid	process
Token: SeShutdownPrivilege	1220

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1220 wrote to memory of 1836	1220	TpmInit.exe
PID 1220 wrote to memory of 1836	1220	TpmInit.exe
PID 1220 wrote to memory of 1836	1220	TpmInit.exe
PID 1220 wrote to memory of 588	1220	TpmInit.exe
PID 1220 wrote to memory of 588	1220	TpmInit.exe
PID 1220 wrote to memory of 588	1220	TpmInit.exe
PID 1220 wrote to memory of 600	1220	spinstall.exe
PID 1220 wrote to memory of 600	1220	spinstall.exe
PID 1220 wrote to memory of 600	1220	spinstall.exe
PID 1220 wrote to memory of 1448	1220	spinstall.exe
PID 1220 wrote to memory of 1448	1220	spinstall.exe
PID 1220 wrote to memory of 1448	1220	spinstall.exe
PID 1220 wrote to memory of 1644	1220	msconfig.exe
PID 1220 wrote to memory of 1644	1220	msconfig.exe
PID 1220 wrote to memory of 1644	1220	msconfig.exe
PID 1220 wrote to memory of 1460	1220	msconfig.exe
PID 1220 wrote to memory of 1460	1220	msconfig.exe
PID 1220 wrote to memory of 1460	1220	msconfig.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07f5bfe8bd8448bed535b3e17ba4a771f8e22d79323409223904651b9c4f637c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:1836

C:\Users\Admin\AppData\Local\h0R\TpmInit.exe
C:\Users\Admin\AppData\Local\h0R\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
1⤵
PID:600

C:\Users\Admin\AppData\Local\93OHut\spinstall.exe
C:\Users\Admin\AppData\Local\93OHut\spinstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1448

C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
1⤵
PID:1644

C:\Users\Admin\AppData\Local\ab0ES\msconfig.exe
C:\Users\Admin\AppData\Local\ab0ES\msconfig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1460

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\93OHut\WTSAPI32.dll
Filesize
885KB

MD5
a2e39c4347763ebd0497d1f127b496c6

SHA1
985870e728abac3a6f1ea26f8aa6799b75aaa118

SHA256
d3fe868f09009c78d9832ea9eac9fc4760c2341d53a048aec7a5904b20ff5f4c

SHA512
55882fb6d26f1b22a4c0d5882ebcc9d0851cdb1203094ebc96c252f3655ee05eb144dd5875cd887af712dd154d0fef75fcf02a156eb3c2defc0064c7319cf499

Download Submit
C:\Users\Admin\AppData\Local\93OHut\spinstall.exe
Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
C:\Users\Admin\AppData\Local\ab0ES\VERSION.dll
Filesize
883KB

MD5
eb5ad39e1ac53941b8dd879968852055

SHA1
9f90502b7fcc201c28f67fff8c47c5a4a319bec3

SHA256
4e4c5e54bb95914cc4b54d7fec773a17e67afc003c8a897869b33ab2b4999faf

SHA512
e11042d5b05ab0cf8c5048fd105382aff12c24ac55ad38bd3b7fb6940b058009a258bd8f6bc73c1d0c03c44c28cd77910d87266f2620be52fd54a9265ae7a36b

Download Submit
C:\Users\Admin\AppData\Local\ab0ES\msconfig.exe
Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
C:\Users\Admin\AppData\Local\h0R\Secur32.dll
Filesize
886KB

MD5
387a3746e519f89eab849784c4671a21

SHA1
57b619ecbc38559f2a92ec437478896b0be77577

SHA256
d94b44be7bb7ea92b501780c6e919c6a62b1792b8bfa6606170fc1dc432fdea9

SHA512
e4bfba268abeed465cadde1a3053222c80cb875c62e82379337157369ef0b47cb31431a33cbe03ee7e4e22ca3d8b7abc7af9aace5a85d64eaac92cb81f3a5050

Download Submit
C:\Users\Admin\AppData\Local\h0R\TpmInit.exe
Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\93OHut\WTSAPI32.dll
Filesize
885KB

MD5
a2e39c4347763ebd0497d1f127b496c6

SHA1
985870e728abac3a6f1ea26f8aa6799b75aaa118

SHA256
d3fe868f09009c78d9832ea9eac9fc4760c2341d53a048aec7a5904b20ff5f4c

SHA512
55882fb6d26f1b22a4c0d5882ebcc9d0851cdb1203094ebc96c252f3655ee05eb144dd5875cd887af712dd154d0fef75fcf02a156eb3c2defc0064c7319cf499

Download Submit
\Users\Admin\AppData\Local\93OHut\spinstall.exe
Filesize
584KB

MD5
29c1d5b330b802efa1a8357373bc97fe

SHA1
90797aaa2c56fc2a667c74475996ea1841bc368f

SHA256
048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f

SHA512
66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

Download Submit
\Users\Admin\AppData\Local\ab0ES\VERSION.dll
Filesize
883KB

MD5
eb5ad39e1ac53941b8dd879968852055

SHA1
9f90502b7fcc201c28f67fff8c47c5a4a319bec3

SHA256
4e4c5e54bb95914cc4b54d7fec773a17e67afc003c8a897869b33ab2b4999faf

SHA512
e11042d5b05ab0cf8c5048fd105382aff12c24ac55ad38bd3b7fb6940b058009a258bd8f6bc73c1d0c03c44c28cd77910d87266f2620be52fd54a9265ae7a36b

Download Submit
\Users\Admin\AppData\Local\ab0ES\msconfig.exe
Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
\Users\Admin\AppData\Local\h0R\Secur32.dll
Filesize
886KB

MD5
387a3746e519f89eab849784c4671a21

SHA1
57b619ecbc38559f2a92ec437478896b0be77577

SHA256
d94b44be7bb7ea92b501780c6e919c6a62b1792b8bfa6606170fc1dc432fdea9

SHA512
e4bfba268abeed465cadde1a3053222c80cb875c62e82379337157369ef0b47cb31431a33cbe03ee7e4e22ca3d8b7abc7af9aace5a85d64eaac92cb81f3a5050

Download Submit
\Users\Admin\AppData\Local\h0R\TpmInit.exe
Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\WQAIqwjzRJK\msconfig.exe
Filesize
293KB

MD5
e19d102baf266f34592f7c742fbfa886

SHA1
c9c9c45b7e97bb7a180064d0a1962429f015686d

SHA256
f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1

SHA512
1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

Download Submit
memory/588-69-0x0000000000000000-mapping.dmp

Download
memory/588-71-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1220-62-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-60-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-54-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1220-65-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-64-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-66-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-61-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-63-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-59-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-67-0x00000000776A0000-0x00000000776A2000-memory.dmp

Filesize
8KB

Download
memory/1220-58-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-57-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-55-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1220-56-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1448-75-0x0000000000000000-mapping.dmp

Download
memory/1460-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads