dridex | 71ad14dfe6f748dcf5b72c9b6ce19ea03d33e5cd2a0cb649020b3e187d568eec

Analysis

max time kernel
150s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71ad14dfe6f748dcf5b72c9b6ce19ea03d33e5cd2a0cb649020b3e187d568eec.dll
Size

881KB
MD5

46fe98c098555a5781788c232d294163
SHA1

f6c334c3afadb2110e4520b840fc799faa0f21f8
SHA256

71ad14dfe6f748dcf5b72c9b6ce19ea03d33e5cd2a0cb649020b3e187d568eec
SHA512

4e3e24275361bf43dd79ddc1a92170d0357f10f6d448cf8f76054fddbe9eb20fa289eb2b39c092af8fc94759fed757863723be0cb3cc12cec3e00424db315a99

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1208-54-0x0000000002950000-0x0000000002951000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

sigverif.exeOptionalFeatures.exetcmsetup.exe

pid process

2008 sigverif.exe
1312 OptionalFeatures.exe
272 tcmsetup.exe
Loads dropped DLL 7 IoCs

Processes:

sigverif.exeOptionalFeatures.exetcmsetup.exe

pid process

1208
2008 sigverif.exe
1208
1312 OptionalFeatures.exe
1208
272 tcmsetup.exe
1208

pid	process
2008	sigverif.exe
1312	OptionalFeatures.exe
272	tcmsetup.exe

pid	process
1208
2008	sigverif.exe
1208
1312	OptionalFeatures.exe
1208
272	tcmsetup.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\9PRPOR~1\\OPTION~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesigverif.exeOptionalFeatures.exetcmsetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tcmsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesigverif.exe

pid	process
552	rundll32.exe
552	rundll32.exe
552	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
2008	sigverif.exe
2008	sigverif.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 952	1208	sigverif.exe
PID 1208 wrote to memory of 952	1208	sigverif.exe
PID 1208 wrote to memory of 952	1208	sigverif.exe
PID 1208 wrote to memory of 2008	1208	sigverif.exe
PID 1208 wrote to memory of 2008	1208	sigverif.exe
PID 1208 wrote to memory of 2008	1208	sigverif.exe
PID 1208 wrote to memory of 468	1208	OptionalFeatures.exe
PID 1208 wrote to memory of 468	1208	OptionalFeatures.exe
PID 1208 wrote to memory of 468	1208	OptionalFeatures.exe
PID 1208 wrote to memory of 1312	1208	OptionalFeatures.exe
PID 1208 wrote to memory of 1312	1208	OptionalFeatures.exe
PID 1208 wrote to memory of 1312	1208	OptionalFeatures.exe
PID 1208 wrote to memory of 988	1208	tcmsetup.exe
PID 1208 wrote to memory of 988	1208	tcmsetup.exe
PID 1208 wrote to memory of 988	1208	tcmsetup.exe
PID 1208 wrote to memory of 272	1208	tcmsetup.exe
PID 1208 wrote to memory of 272	1208	tcmsetup.exe
PID 1208 wrote to memory of 272	1208	tcmsetup.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71ad14dfe6f748dcf5b72c9b6ce19ea03d33e5cd2a0cb649020b3e187d568eec.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:552

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:952

C:\Users\Admin\AppData\Local\fYvGSL0CD\sigverif.exe
C:\Users\Admin\AppData\Local\fYvGSL0CD\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:468

C:\Users\Admin\AppData\Local\6NcC4s\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\6NcC4s\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1312

C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
1⤵
PID:988

C:\Users\Admin\AppData\Local\xbEVU1xq\tcmsetup.exe
C:\Users\Admin\AppData\Local\xbEVU1xq\tcmsetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:272

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6NcC4s\OptionalFeatures.exe
Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
C:\Users\Admin\AppData\Local\6NcC4s\appwiz.cpl
Filesize
881KB

MD5
113df2bc2c7250536dd69e7165b6295d

SHA1
136f68f6b6e5407fa8bdbd42c320eca1daa1fa9a

SHA256
a5a4f3c20cb55193234f31393fbd9f5888a6f916acf1b0099875daffd2f40557

SHA512
2fae5dcfe2677237b2889851127f55b96aa22ac55020d5acf214afaf95ee348972f1e50e820f5c7e62f902ca4bd9fa8c7a540b30b1c70a6f1b16d3c5a3cb00bf

Download Submit
C:\Users\Admin\AppData\Local\fYvGSL0CD\VERSION.dll
Filesize
881KB

MD5
bb6498fa7a082c1b9a9a0ce1b2c7fe72

SHA1
944cc26abc3de927744f5c7d6a8908a530448d6d

SHA256
8d7c22795a3494fe97454d48cb9ddaea2f7715f52998818ee318332a6cd2ec6a

SHA512
625bcddcd9c0d71e30acf384a0010a4b955004720837033995025bfb744296d3c95bfb54168c98a3db70207132ed43e20a177792c066d43d445ba7f0c5005ed0

Download Submit
C:\Users\Admin\AppData\Local\fYvGSL0CD\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
C:\Users\Admin\AppData\Local\xbEVU1xq\TAPI32.dll
Filesize
889KB

MD5
a954128100b2703189ea33d1c11e938d

SHA1
e9e3460dce97a052ff1a1cdf5d03d2614db34964

SHA256
252f9de598106fc2be3e85e05dfba2412db2daffc0c4165134e5a02f60c1e067

SHA512
ab9d9cf6ad3c569649cce2de40b68d31364799cb04a1cbedd93390e752807b7f1999175d5bd72effcf194f6045e0586f1490b00a981f3dae9ea0b74e088938e6

Download Submit
C:\Users\Admin\AppData\Local\xbEVU1xq\tcmsetup.exe
Filesize
15KB

MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Local\6NcC4s\OptionalFeatures.exe
Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\6NcC4s\appwiz.cpl
Filesize
881KB

MD5
113df2bc2c7250536dd69e7165b6295d

SHA1
136f68f6b6e5407fa8bdbd42c320eca1daa1fa9a

SHA256
a5a4f3c20cb55193234f31393fbd9f5888a6f916acf1b0099875daffd2f40557

SHA512
2fae5dcfe2677237b2889851127f55b96aa22ac55020d5acf214afaf95ee348972f1e50e820f5c7e62f902ca4bd9fa8c7a540b30b1c70a6f1b16d3c5a3cb00bf

Download Submit
\Users\Admin\AppData\Local\fYvGSL0CD\VERSION.dll
Filesize
881KB

MD5
bb6498fa7a082c1b9a9a0ce1b2c7fe72

SHA1
944cc26abc3de927744f5c7d6a8908a530448d6d

SHA256
8d7c22795a3494fe97454d48cb9ddaea2f7715f52998818ee318332a6cd2ec6a

SHA512
625bcddcd9c0d71e30acf384a0010a4b955004720837033995025bfb744296d3c95bfb54168c98a3db70207132ed43e20a177792c066d43d445ba7f0c5005ed0

Download Submit
\Users\Admin\AppData\Local\fYvGSL0CD\sigverif.exe
Filesize
73KB

MD5
e8e95ae5534553fc055051cee99a7f55

SHA1
4e0f668849fd546edd083d5981ed685d02a68df4

SHA256
9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

SHA512
5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

Download Submit
\Users\Admin\AppData\Local\xbEVU1xq\TAPI32.dll
Filesize
889KB

MD5
a954128100b2703189ea33d1c11e938d

SHA1
e9e3460dce97a052ff1a1cdf5d03d2614db34964

SHA256
252f9de598106fc2be3e85e05dfba2412db2daffc0c4165134e5a02f60c1e067

SHA512
ab9d9cf6ad3c569649cce2de40b68d31364799cb04a1cbedd93390e752807b7f1999175d5bd72effcf194f6045e0586f1490b00a981f3dae9ea0b74e088938e6

Download Submit
\Users\Admin\AppData\Local\xbEVU1xq\tcmsetup.exe
Filesize
15KB

MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\xWXv418GQH\tcmsetup.exe
Filesize
15KB

MD5
0b08315da0da7f9f472fbab510bfe7b8

SHA1
33ba48fd980216becc532466a5ff8476bec0b31c

SHA256
e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7

SHA512
c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

Download Submit
memory/272-78-0x0000000000000000-mapping.dmp

Download
memory/1208-54-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/1208-55-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-58-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-57-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-61-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-59-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-56-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-65-0x0000000077110000-0x0000000077112000-memory.dmp

Filesize
8KB

Download
memory/1208-62-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-60-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-64-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1208-63-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1312-73-0x0000000000000000-mapping.dmp

Download
memory/2008-67-0x0000000000000000-mapping.dmp

Download
memory/2008-69-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads