dridex | a8faa4ec743ad43c615766b2eade75d45186f3657f72555dd2b097b0abe2e3b5

Analysis

max time kernel
186s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8faa4ec743ad43c615766b2eade75d45186f3657f72555dd2b097b0abe2e3b5.dll
Size

999KB
MD5

ac5bf7efa1660de78283ac86e057bb7c
SHA1

4a5d68d13ad08445ec490efb7c960e2b5f78062e
SHA256

a8faa4ec743ad43c615766b2eade75d45186f3657f72555dd2b097b0abe2e3b5
SHA512

f9a3bdaac6ab9f6a20a9b0de8244c42c7287a86c18a3d03a45c3a6036322668d78752ef3d09169cfb951b6c83a11731afd74c9158b097df780491c3d13a2e45d

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-60-0x0000000002140000-0x0000000002141000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WindowsAnytimeUpgradeResults.exemsdt.exeDxpserver.exe

pid process

1484 WindowsAnytimeUpgradeResults.exe
1508 msdt.exe
1972 Dxpserver.exe
Loads dropped DLL 7 IoCs

Processes:

WindowsAnytimeUpgradeResults.exemsdt.exeDxpserver.exe

pid process

1236
1484 WindowsAnytimeUpgradeResults.exe
1236
1508 msdt.exe
1236
1972 Dxpserver.exe
1236

pid	process
1484	WindowsAnytimeUpgradeResults.exe
1508	msdt.exe
1972	Dxpserver.exe

pid	process
1236
1484	WindowsAnytimeUpgradeResults.exe
1236
1508	msdt.exe
1236
1972	Dxpserver.exe
1236

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\VBxX\\msdt.exe"

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

WindowsAnytimeUpgradeResults.exemsdt.exeDxpserver.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WindowsAnytimeUpgradeResults.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

regsvr32.exeWindowsAnytimeUpgradeResults.exe

pid	process
952	regsvr32.exe
952	regsvr32.exe
952	regsvr32.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1484	WindowsAnytimeUpgradeResults.exe
1484	WindowsAnytimeUpgradeResults.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1236

description	pid	process
Token: SeShutdownPrivilege	1236

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1236 wrote to memory of 1420	1236	WindowsAnytimeUpgradeResults.exe
PID 1236 wrote to memory of 1420	1236	WindowsAnytimeUpgradeResults.exe
PID 1236 wrote to memory of 1420	1236	WindowsAnytimeUpgradeResults.exe
PID 1236 wrote to memory of 1484	1236	WindowsAnytimeUpgradeResults.exe
PID 1236 wrote to memory of 1484	1236	WindowsAnytimeUpgradeResults.exe
PID 1236 wrote to memory of 1484	1236	WindowsAnytimeUpgradeResults.exe
PID 1236 wrote to memory of 1448	1236	msdt.exe
PID 1236 wrote to memory of 1448	1236	msdt.exe
PID 1236 wrote to memory of 1448	1236	msdt.exe
PID 1236 wrote to memory of 1508	1236	msdt.exe
PID 1236 wrote to memory of 1508	1236	msdt.exe
PID 1236 wrote to memory of 1508	1236	msdt.exe
PID 1236 wrote to memory of 1008	1236	Dxpserver.exe
PID 1236 wrote to memory of 1008	1236	Dxpserver.exe
PID 1236 wrote to memory of 1008	1236	Dxpserver.exe
PID 1236 wrote to memory of 1972	1236	Dxpserver.exe
PID 1236 wrote to memory of 1972	1236	Dxpserver.exe
PID 1236 wrote to memory of 1972	1236	Dxpserver.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a8faa4ec743ad43c615766b2eade75d45186f3657f72555dd2b097b0abe2e3b5.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
1⤵
PID:1420

C:\Users\Admin\AppData\Local\Q5i6J\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\Q5i6J\WindowsAnytimeUpgradeResults.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:1448

C:\Users\Admin\AppData\Local\1lT0Bp0\msdt.exe
C:\Users\Admin\AppData\Local\1lT0Bp0\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1508

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1008

C:\Users\Admin\AppData\Local\i5fCuiiuR\Dxpserver.exe
C:\Users\Admin\AppData\Local\i5fCuiiuR\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1lT0Bp0\Secur32.dll
Filesize
1003KB

MD5
ae69bb56de8ef99a899ebc56ac9f3e24

SHA1
935e7430cc9da2a741ae2e5b2e9e5a1693ddf566

SHA256
1cd91128ee32c52dac79faa9ba90c2e0e3788775c0740fdd829ee4139a5e6253

SHA512
1e5e0ab642f82938e66fdf6bb28bb78564fc2a8a6b788301fd3aa3d8ded45a72e30d89d5d11a094d865f419df01535b4cdf17a37bb2ea1d3e14d269207dcf424

Download Submit
C:\Users\Admin\AppData\Local\1lT0Bp0\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
C:\Users\Admin\AppData\Local\Q5i6J\UxTheme.dll
Filesize
1002KB

MD5
cdace8a06823832de361fe3e1452bd44

SHA1
a52a01a6e675058e85780cc85e37eccb256faf74

SHA256
cf9f574e2f0e59720e9e67a4e4ad767659b4849b85cbc43601c5539ab9f72a1f

SHA512
d1b11d8685b25d7159793dd02efa285185bff7cc4e068c5de46dbfc93ee64a5853394f1096370d9cce86d56e1bd20ee24c0c7802e5dbacbca3b46d3d1e8b34a3

Download Submit
C:\Users\Admin\AppData\Local\Q5i6J\WindowsAnytimeUpgradeResults.exe
Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
C:\Users\Admin\AppData\Local\i5fCuiiuR\Dxpserver.exe
Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
C:\Users\Admin\AppData\Local\i5fCuiiuR\XmlLite.dll
Filesize
1000KB

MD5
c6d34c919c9c1e117a955890b1e02f4c

SHA1
87c7a886a8e40b95ac0875eefcf986ff71a6fbde

SHA256
7263badcb49b4c9653c3c4fb7c86e8be07cccc9ea4d1c34d0b9e39a844db4559

SHA512
05c4a0d71dfc2ea8a2ed74d4993f42b4e1e27aa1bb7c52780ffb72ee0bbc7241c06a383ee5c28ee5e1b14e5a7745cee77fd83b2406fa9db582ca1dc34ca3a063

Download Submit
\Users\Admin\AppData\Local\1lT0Bp0\Secur32.dll
Filesize
1003KB

MD5
ae69bb56de8ef99a899ebc56ac9f3e24

SHA1
935e7430cc9da2a741ae2e5b2e9e5a1693ddf566

SHA256
1cd91128ee32c52dac79faa9ba90c2e0e3788775c0740fdd829ee4139a5e6253

SHA512
1e5e0ab642f82938e66fdf6bb28bb78564fc2a8a6b788301fd3aa3d8ded45a72e30d89d5d11a094d865f419df01535b4cdf17a37bb2ea1d3e14d269207dcf424

Download Submit
\Users\Admin\AppData\Local\1lT0Bp0\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\Q5i6J\UxTheme.dll
Filesize
1002KB

MD5
cdace8a06823832de361fe3e1452bd44

SHA1
a52a01a6e675058e85780cc85e37eccb256faf74

SHA256
cf9f574e2f0e59720e9e67a4e4ad767659b4849b85cbc43601c5539ab9f72a1f

SHA512
d1b11d8685b25d7159793dd02efa285185bff7cc4e068c5de46dbfc93ee64a5853394f1096370d9cce86d56e1bd20ee24c0c7802e5dbacbca3b46d3d1e8b34a3

Download Submit
\Users\Admin\AppData\Local\Q5i6J\WindowsAnytimeUpgradeResults.exe
Filesize
288KB

MD5
6f3f29905f0ec4ce22c1fd8acbf6c6de

SHA1
68bdfefe549dfa6262ad659f1578f3e87d862773

SHA256
e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b

SHA512
16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

Download Submit
\Users\Admin\AppData\Local\i5fCuiiuR\Dxpserver.exe
Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\i5fCuiiuR\XmlLite.dll
Filesize
1000KB

MD5
c6d34c919c9c1e117a955890b1e02f4c

SHA1
87c7a886a8e40b95ac0875eefcf986ff71a6fbde

SHA256
7263badcb49b4c9653c3c4fb7c86e8be07cccc9ea4d1c34d0b9e39a844db4559

SHA512
05c4a0d71dfc2ea8a2ed74d4993f42b4e1e27aa1bb7c52780ffb72ee0bbc7241c06a383ee5c28ee5e1b14e5a7745cee77fd83b2406fa9db582ca1dc34ca3a063

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Acrobat\7kznQCnYvwz\Dxpserver.exe
Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
memory/952-54-0x000007FEFBE51000-0x000007FEFBE53000-memory.dmp

Filesize
8KB

Download
memory/952-59-0x00000000003B0000-0x00000000003B7000-memory.dmp

Filesize
28KB

Download
memory/952-55-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-66-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-68-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-60-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/1236-80-0x0000000002120000-0x0000000002127000-memory.dmp

Filesize
28KB

Download
memory/1236-61-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-62-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-69-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-70-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-63-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-64-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-81-0x00000000777B0000-0x00000000777B2000-memory.dmp

Filesize
8KB

Download
memory/1236-65-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-67-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1236-71-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1484-92-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/1484-88-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1484-83-0x0000000000000000-mapping.dmp

Download
memory/1508-103-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1508-94-0x0000000000000000-mapping.dmp

Download
memory/1972-105-0x0000000000000000-mapping.dmp

Download
memory/1972-114-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads