dridex | 7430782577e2742413e2626cbbcf65c1e5c3ef365a8c6572e89c92763ed2a2a5

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7430782577e2742413e2626cbbcf65c1e5c3ef365a8c6572e89c92763ed2a2a5.dll
Size

880KB
MD5

07f98fb6236121f89df1416e4370b71d
SHA1

72ab25f7dd2e975d052b64e4878a08d567d96dd7
SHA256

7430782577e2742413e2626cbbcf65c1e5c3ef365a8c6572e89c92763ed2a2a5
SHA512

219a4e92ac76abf7e756ef20a71338207fbe5b4a623671489b0144317861f6e74fe9b1b9fdf32c7755c170479099c9442db74863e514a751a7295b028a215e85

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-54-0x0000000002B10000-0x0000000002B11000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpshell.exep2phost.exerdpinit.exe

pid process

1612 rdpshell.exe
1868 p2phost.exe
820 rdpinit.exe
Loads dropped DLL 7 IoCs

Processes:

rdpshell.exep2phost.exerdpinit.exe

pid process

1256
1612 rdpshell.exe
1256
1868 p2phost.exe
1256
820 rdpinit.exe
1256

pid	process
1612	rdpshell.exe
1868	p2phost.exe
820	rdpinit.exe

pid	process
1256
1612	rdpshell.exe
1256
1868	p2phost.exe
1256
820	rdpinit.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\qKLTz8q\\p2phost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpshell.exep2phost.exerdpinit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerdpshell.exe

pid	process
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1612	rdpshell.exe
1612	rdpshell.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 1620	1256	rdpshell.exe
PID 1256 wrote to memory of 1620	1256	rdpshell.exe
PID 1256 wrote to memory of 1620	1256	rdpshell.exe
PID 1256 wrote to memory of 1612	1256	rdpshell.exe
PID 1256 wrote to memory of 1612	1256	rdpshell.exe
PID 1256 wrote to memory of 1612	1256	rdpshell.exe
PID 1256 wrote to memory of 1364	1256	p2phost.exe
PID 1256 wrote to memory of 1364	1256	p2phost.exe
PID 1256 wrote to memory of 1364	1256	p2phost.exe
PID 1256 wrote to memory of 1868	1256	p2phost.exe
PID 1256 wrote to memory of 1868	1256	p2phost.exe
PID 1256 wrote to memory of 1868	1256	p2phost.exe
PID 1256 wrote to memory of 1144	1256	rdpinit.exe
PID 1256 wrote to memory of 1144	1256	rdpinit.exe
PID 1256 wrote to memory of 1144	1256	rdpinit.exe
PID 1256 wrote to memory of 820	1256	rdpinit.exe
PID 1256 wrote to memory of 820	1256	rdpinit.exe
PID 1256 wrote to memory of 820	1256	rdpinit.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7430782577e2742413e2626cbbcf65c1e5c3ef365a8c6572e89c92763ed2a2a5.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:1620

C:\Users\Admin\AppData\Local\SNRtH\rdpshell.exe
C:\Users\Admin\AppData\Local\SNRtH\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:1364

C:\Users\Admin\AppData\Local\kdXe\p2phost.exe
C:\Users\Admin\AppData\Local\kdXe\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1868

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1144

C:\Users\Admin\AppData\Local\uRO\rdpinit.exe
C:\Users\Admin\AppData\Local\uRO\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:820

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SNRtH\WINSTA.dll
Filesize
885KB

MD5
df4ebebe9f5bd77b6d8c876a83ff8dc2

SHA1
a831819aee8f53a04af026d00209cc797594f373

SHA256
7f7441ac27ae932d667b2c9ae71bfe0d732f8694e0952b39e7233e7d8094f703

SHA512
85f583c7af7c7d11a22b580ae8c0478385976aa5e529a30ce322d99af8c00823ab1ad82baf03f5aa6fe716557e1095fa4aa9e6fe0db5f2a68e40bf6ff400ef1b

Download Submit
C:\Users\Admin\AppData\Local\SNRtH\rdpshell.exe
Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
C:\Users\Admin\AppData\Local\kdXe\P2PCOLLAB.dll
Filesize
883KB

MD5
d5c973fdb2283b26e300fd9799ffbec4

SHA1
c3e50fd608110d2ba790c4521cf801eaae5dae49

SHA256
84edea16db34d7b7021306c41436c525bd9a976d9bd5fca0fdb36fb00916d5c9

SHA512
e69ac5b38767bfe7b08df085cfe4f2702a95b090c9ff639005e098ba3f1e7edafad509d0c5b1b12458691c44d2ee64049f11173c088b67add7a62c2e5417ec96

Download Submit
C:\Users\Admin\AppData\Local\kdXe\p2phost.exe
Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
C:\Users\Admin\AppData\Local\uRO\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
C:\Users\Admin\AppData\Local\uRO\slc.dll
Filesize
881KB

MD5
970542dc4b8cd5b4ad3de8d91fcd0faf

SHA1
dc49cc0620ab4923bd3ba411906e60134c158c1f

SHA256
fbd9399908751d72c98e3184e50fe03aedf1f05ee634830d6ae487c6d6f3ecee

SHA512
d3398e2ffb4539ef25a4569461ee80f6fe0d37f43cb58b4a85150c0e0dd25671519defadd703bf616bd17369b6c138cccd976d04c8bc15dfec0aa79d2045da59

Download Submit
\Users\Admin\AppData\Local\SNRtH\WINSTA.dll
Filesize
885KB

MD5
df4ebebe9f5bd77b6d8c876a83ff8dc2

SHA1
a831819aee8f53a04af026d00209cc797594f373

SHA256
7f7441ac27ae932d667b2c9ae71bfe0d732f8694e0952b39e7233e7d8094f703

SHA512
85f583c7af7c7d11a22b580ae8c0478385976aa5e529a30ce322d99af8c00823ab1ad82baf03f5aa6fe716557e1095fa4aa9e6fe0db5f2a68e40bf6ff400ef1b

Download Submit
\Users\Admin\AppData\Local\SNRtH\rdpshell.exe
Filesize
292KB

MD5
a62dfcea3a58ba8fcf32f831f018fe3f

SHA1
75f7690b19866f2c2b3dd3bfdff8a1c6fa8e958b

SHA256
f8346a44f12e5b1ca6beaae5fbdf5f7f494ba204379c21d1875b03ba6da6152e

SHA512
9a3df5be95017c23ab144302d2275654e86193e2cd94957d5f72bda3cb171ec2a6da14e6631a7fd4fd053b4529f4083aa287ada57484ad0ee01a8e5b2b54c603

Download Submit
\Users\Admin\AppData\Local\kdXe\P2PCOLLAB.dll
Filesize
883KB

MD5
d5c973fdb2283b26e300fd9799ffbec4

SHA1
c3e50fd608110d2ba790c4521cf801eaae5dae49

SHA256
84edea16db34d7b7021306c41436c525bd9a976d9bd5fca0fdb36fb00916d5c9

SHA512
e69ac5b38767bfe7b08df085cfe4f2702a95b090c9ff639005e098ba3f1e7edafad509d0c5b1b12458691c44d2ee64049f11173c088b67add7a62c2e5417ec96

Download Submit
\Users\Admin\AppData\Local\kdXe\p2phost.exe
Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\uRO\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\uRO\slc.dll
Filesize
881KB

MD5
970542dc4b8cd5b4ad3de8d91fcd0faf

SHA1
dc49cc0620ab4923bd3ba411906e60134c158c1f

SHA256
fbd9399908751d72c98e3184e50fe03aedf1f05ee634830d6ae487c6d6f3ecee

SHA512
d3398e2ffb4539ef25a4569461ee80f6fe0d37f43cb58b4a85150c0e0dd25671519defadd703bf616bd17369b6c138cccd976d04c8bc15dfec0aa79d2045da59

Download Submit
\Users\Admin\AppData\Roaming\Mozilla\Extensions\tPrzpgFlFeD\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
memory/820-77-0x0000000000000000-mapping.dmp

Download
memory/1256-54-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1256-58-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-62-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-60-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-55-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-63-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-64-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-56-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-65-0x00000000776B0000-0x00000000776B2000-memory.dmp

Filesize
8KB

Download
memory/1256-59-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-61-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1256-57-0x0000000140000000-0x00000001400DF000-memory.dmp

Filesize
892KB

Download
memory/1612-67-0x0000000000000000-mapping.dmp

Download
memory/1868-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads