dridex | 668f015f2009a05024a99c756f684e3f1056c9b5a49e241379934daa27f031ed

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

668f015f2009a05024a99c756f684e3f1056c9b5a49e241379934daa27f031ed.dll
Size

1003KB
MD5

218d477824d47647d4b594fba6c72d16
SHA1

e1321bb45459d5a414d8816eb354a55ac4dd7610
SHA256

668f015f2009a05024a99c756f684e3f1056c9b5a49e241379934daa27f031ed
SHA512

96674362aff08b3de475809fddf3a918d23da6ed34202975e6c268b417bacd98c097fe9455aa45443296f20e1ca16095bf47a8d36e90d53eb48fb427dfe30503

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1256-59-0x00000000029D0000-0x00000000029D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

OptionalFeatures.exeRDVGHelper.exeirftp.exe

pid process

288 OptionalFeatures.exe
1812 RDVGHelper.exe
1804 irftp.exe
Loads dropped DLL 7 IoCs

Processes:

OptionalFeatures.exeRDVGHelper.exeirftp.exe

pid process

1256
288 OptionalFeatures.exe
1256
1812 RDVGHelper.exe
1256
1804 irftp.exe
1256

pid	process
288	OptionalFeatures.exe
1812	RDVGHelper.exe
1804	irftp.exe

pid	process
1256
288	OptionalFeatures.exe
1256
1812	RDVGHelper.exe
1256
1804	irftp.exe
1256

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\fiEW\\RDVGHelper.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeOptionalFeatures.exeRDVGHelper.exeirftp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OptionalFeatures.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RDVGHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	irftp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1312	rundll32.exe
1312	rundll32.exe
1312	rundll32.exe
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256
1256

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1256 wrote to memory of 548	1256	OptionalFeatures.exe
PID 1256 wrote to memory of 548	1256	OptionalFeatures.exe
PID 1256 wrote to memory of 548	1256	OptionalFeatures.exe
PID 1256 wrote to memory of 288	1256	OptionalFeatures.exe
PID 1256 wrote to memory of 288	1256	OptionalFeatures.exe
PID 1256 wrote to memory of 288	1256	OptionalFeatures.exe
PID 1256 wrote to memory of 1640	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1640	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1640	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1812	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1812	1256	RDVGHelper.exe
PID 1256 wrote to memory of 1812	1256	RDVGHelper.exe
PID 1256 wrote to memory of 560	1256	irftp.exe
PID 1256 wrote to memory of 560	1256	irftp.exe
PID 1256 wrote to memory of 560	1256	irftp.exe
PID 1256 wrote to memory of 1804	1256	irftp.exe
PID 1256 wrote to memory of 1804	1256	irftp.exe
PID 1256 wrote to memory of 1804	1256	irftp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\668f015f2009a05024a99c756f684e3f1056c9b5a49e241379934daa27f031ed.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
1⤵
PID:548

C:\Users\Admin\AppData\Local\iDfKN3P\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\iDfKN3P\OptionalFeatures.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:288

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:1640

C:\Users\Admin\AppData\Local\V1IhJ\RDVGHelper.exe
C:\Users\Admin\AppData\Local\V1IhJ\RDVGHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1812

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:560

C:\Users\Admin\AppData\Local\hMV1hDn\irftp.exe
C:\Users\Admin\AppData\Local\hMV1hDn\irftp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1804

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\V1IhJ\RDVGHelper.exe
Filesize
93KB

MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
C:\Users\Admin\AppData\Local\V1IhJ\dwmapi.dll
Filesize
1005KB

MD5
a1546d1c01576d162e75697cb54d42b0

SHA1
17202b3a97fd2c0c76a19d5190e2fc869ec1d549

SHA256
377a867d126facf6acaae5c94b8e0f48a4cf3bb1157180d7cebeb98a75831f29

SHA512
91ccdacad4c6987028b92fa213c643df464a5ea620332ed6369751651714a083f5d11e8daf431e7469c774785a6b497cb854ea08a5a02fc8db2781cf4b0f8aea

Download Submit
C:\Users\Admin\AppData\Local\hMV1hDn\WINMM.dll
Filesize
1009KB

MD5
07f0c362f31e643825067916a3054e48

SHA1
a2f39c57aea3de0c768b2cd7630176c30a42a704

SHA256
4d5c16f6f8ac77da83c193d6bb89557d74912c4525f077b45e78af1a9cf75d81

SHA512
1155597f43ebfedfaad1b2cc9821e1a02bf306fea188697f39017f2aab8d0a6df03dbb21f7b760d35241149108feb622f000ed5897b64ed287870acb9ce90890

Download Submit
C:\Users\Admin\AppData\Local\hMV1hDn\irftp.exe
Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
C:\Users\Admin\AppData\Local\iDfKN3P\OptionalFeatures.exe
Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
C:\Users\Admin\AppData\Local\iDfKN3P\appwiz.cpl
Filesize
1004KB

MD5
5e6328edb9067f6f2b964ff542f93ed1

SHA1
98a073b0c4f7aee09b7c5559e003dc95d7a02fdc

SHA256
c53fda0d34f1c5a05c346a199ec5913395d76f8675d8c750c40d8f0426ecb60d

SHA512
4bbb323039459103564995114bb35b37eecb9a5091dab7dc6739bd178bc61468ad97200870f27e3d6608f878dfd8c03ec7938e0497a9e0602881cfe2d585906e

Download Submit
\Users\Admin\AppData\Local\V1IhJ\RDVGHelper.exe
Filesize
93KB

MD5
53fda4af81e7c4895357a50e848b7cfe

SHA1
01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f

SHA256
62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038

SHA512
dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

Download Submit
\Users\Admin\AppData\Local\V1IhJ\dwmapi.dll
Filesize
1005KB

MD5
a1546d1c01576d162e75697cb54d42b0

SHA1
17202b3a97fd2c0c76a19d5190e2fc869ec1d549

SHA256
377a867d126facf6acaae5c94b8e0f48a4cf3bb1157180d7cebeb98a75831f29

SHA512
91ccdacad4c6987028b92fa213c643df464a5ea620332ed6369751651714a083f5d11e8daf431e7469c774785a6b497cb854ea08a5a02fc8db2781cf4b0f8aea

Download Submit
\Users\Admin\AppData\Local\hMV1hDn\WINMM.dll
Filesize
1009KB

MD5
07f0c362f31e643825067916a3054e48

SHA1
a2f39c57aea3de0c768b2cd7630176c30a42a704

SHA256
4d5c16f6f8ac77da83c193d6bb89557d74912c4525f077b45e78af1a9cf75d81

SHA512
1155597f43ebfedfaad1b2cc9821e1a02bf306fea188697f39017f2aab8d0a6df03dbb21f7b760d35241149108feb622f000ed5897b64ed287870acb9ce90890

Download Submit
\Users\Admin\AppData\Local\hMV1hDn\irftp.exe
Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
\Users\Admin\AppData\Local\iDfKN3P\OptionalFeatures.exe
Filesize
95KB

MD5
eae7af6084667c8f05412ddf096167fc

SHA1
0dbe8aba001447030e48e8ad5466fd23481e6140

SHA256
01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc

SHA512
172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

Download Submit
\Users\Admin\AppData\Local\iDfKN3P\appwiz.cpl
Filesize
1004KB

MD5
5e6328edb9067f6f2b964ff542f93ed1

SHA1
98a073b0c4f7aee09b7c5559e003dc95d7a02fdc

SHA256
c53fda0d34f1c5a05c346a199ec5913395d76f8675d8c750c40d8f0426ecb60d

SHA512
4bbb323039459103564995114bb35b37eecb9a5091dab7dc6739bd178bc61468ad97200870f27e3d6608f878dfd8c03ec7938e0497a9e0602881cfe2d585906e

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Iyt6lvX\irftp.exe
Filesize
192KB

MD5
0cae1fb725c56d260bfd6feba7ae9a75

SHA1
102ac676a1de3ec3d56401f8efd518c31c8b0b80

SHA256
312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d

SHA512
db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

Download Submit
memory/288-82-0x0000000000000000-mapping.dmp

Download
memory/288-91-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/288-87-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/288-86-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1256-63-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-61-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-79-0x0000000002760000-0x0000000002767000-memory.dmp

Filesize
28KB

Download
memory/1256-80-0x00000000778F0000-0x00000000778F2000-memory.dmp

Filesize
8KB

Download
memory/1256-62-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-64-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-65-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-70-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-67-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-66-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-60-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-68-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1256-59-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1256-69-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1312-55-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1312-54-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1804-103-0x0000000000000000-mapping.dmp

Download
memory/1804-108-0x0000000140000000-0x0000000140104000-memory.dmp

Filesize
1.0MB

Download
memory/1812-101-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1812-93-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads