dridex | d95eec365ca1737b4a967ec123f3d2fc0115c92672aa08a8f7b153dd05d6569b

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d95eec365ca1737b4a967ec123f3d2fc0115c92672aa08a8f7b153dd05d6569b.dll
Size

689KB
MD5

b1cdb53b8ab59c27a81d06855ba5b6bd
SHA1

1725f3f1f6a59e2349846136291da89e568d0286
SHA256

d95eec365ca1737b4a967ec123f3d2fc0115c92672aa08a8f7b153dd05d6569b
SHA512

31b62bfac64df1f534e44466d896bd80c46fed15f4ea7c0db6d65a6727ffb21d9ab47ee573d8878cbb8c11fe173aefa12261b502bf6279dc653348b27f39be8a

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/972-54-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/680-83-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1260-58-0x0000000002990000-0x0000000002991000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

psr.exemsdtc.exeDeviceDisplayObjectProvider.exe

pid process

680 psr.exe
1044 msdtc.exe
560 DeviceDisplayObjectProvider.exe
Loads dropped DLL 7 IoCs

Processes:

psr.exemsdtc.exeDeviceDisplayObjectProvider.exe

pid process

1260
680 psr.exe
1260
1044 msdtc.exe
1260
560 DeviceDisplayObjectProvider.exe
1260

pid	process
680	psr.exe
1044	msdtc.exe
560	DeviceDisplayObjectProvider.exe

pid	process
1260
680	psr.exe
1260
1044	msdtc.exe
1260
560	DeviceDisplayObjectProvider.exe
1260

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\iVbnf\\msdtc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msdtc.exeDeviceDisplayObjectProvider.exerundll32.exepsr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdtc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exepsr.exemsdtc.exe

pid	process
972	rundll32.exe
972	rundll32.exe
972	rundll32.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
680	psr.exe
680	psr.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1044	msdtc.exe
1044	msdtc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1260

description	pid	process
Token: SeShutdownPrivilege	1260

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1260 wrote to memory of 784	1260	psr.exe
PID 1260 wrote to memory of 784	1260	psr.exe
PID 1260 wrote to memory of 784	1260	psr.exe
PID 1260 wrote to memory of 680	1260	psr.exe
PID 1260 wrote to memory of 680	1260	psr.exe
PID 1260 wrote to memory of 680	1260	psr.exe
PID 1260 wrote to memory of 848	1260	msdtc.exe
PID 1260 wrote to memory of 848	1260	msdtc.exe
PID 1260 wrote to memory of 848	1260	msdtc.exe
PID 1260 wrote to memory of 1044	1260	msdtc.exe
PID 1260 wrote to memory of 1044	1260	msdtc.exe
PID 1260 wrote to memory of 1044	1260	msdtc.exe
PID 1260 wrote to memory of 1640	1260	DeviceDisplayObjectProvider.exe
PID 1260 wrote to memory of 1640	1260	DeviceDisplayObjectProvider.exe
PID 1260 wrote to memory of 1640	1260	DeviceDisplayObjectProvider.exe
PID 1260 wrote to memory of 560	1260	DeviceDisplayObjectProvider.exe
PID 1260 wrote to memory of 560	1260	DeviceDisplayObjectProvider.exe
PID 1260 wrote to memory of 560	1260	DeviceDisplayObjectProvider.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d95eec365ca1737b4a967ec123f3d2fc0115c92672aa08a8f7b153dd05d6569b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:784

C:\Users\Admin\AppData\Local\ZZgCv\psr.exe
C:\Users\Admin\AppData\Local\ZZgCv\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
1⤵
PID:848

C:\Users\Admin\AppData\Local\T6X5W4t\msdtc.exe
C:\Users\Admin\AppData\Local\T6X5W4t\msdtc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:1640

C:\Users\Admin\AppData\Local\yTg3SYS\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\yTg3SYS\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\T6X5W4t\VERSION.dll
Filesize
690KB

MD5
b0a89d5e71522ee6d4c2dbc09f98fe79

SHA1
dfc8007d44efcb24524d3bba31feba19474604f4

SHA256
8ddcc0092996a498ff22ca5617a607950a99b8758ced448c66cd8477ccf45c68

SHA512
ed545a19ea5b7ce289dff287154a8a135b0787a1f990d014787970b1a26eb4209f504b8bf7896696fc13c0c391d36e817fce49d0b466e1c1685030d327ba6e8c

Download Submit
C:\Users\Admin\AppData\Local\T6X5W4t\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
C:\Users\Admin\AppData\Local\ZZgCv\VERSION.dll
Filesize
690KB

MD5
5b764114333430cf2c5bfdee8474d0f3

SHA1
4e59df2ac893478aabc413d4065dd84c661c743d

SHA256
9c0c1864cb020a62046e70a9622bb0eac54b9561068c4fc8c0b71182e98cf956

SHA512
ac39013cd3c10b4b3e2698fbfc9405d777ba16ff90dc56556b5bcee95f26e1e193e17916cc8cb12da29e5468227d885c0196d0830b0089dc38f69b0d77d261a7

Download Submit
C:\Users\Admin\AppData\Local\ZZgCv\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
C:\Users\Admin\AppData\Local\yTg3SYS\DeviceDisplayObjectProvider.exe
Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
C:\Users\Admin\AppData\Local\yTg3SYS\XmlLite.dll
Filesize
690KB

MD5
613172cff3b5bc749bc3d32e49c9808f

SHA1
6c82b6536413506f56005b51490f8c9c5e162e96

SHA256
007007af6dc0b721d6ca35533fcac94fd81af911777079b244d73dcef3b7a612

SHA512
eb1dfe4e1f21fda7edfde490b618c2677bf6a11f4994169ad981b09528d5eed2faafbc2a083e3dac3eeaa1d8c948e51419fa457b6f0dbc0f7a2dff2dc2ed45aa

Download Submit
\Users\Admin\AppData\Local\T6X5W4t\VERSION.dll
Filesize
690KB

MD5
b0a89d5e71522ee6d4c2dbc09f98fe79

SHA1
dfc8007d44efcb24524d3bba31feba19474604f4

SHA256
8ddcc0092996a498ff22ca5617a607950a99b8758ced448c66cd8477ccf45c68

SHA512
ed545a19ea5b7ce289dff287154a8a135b0787a1f990d014787970b1a26eb4209f504b8bf7896696fc13c0c391d36e817fce49d0b466e1c1685030d327ba6e8c

Download Submit
\Users\Admin\AppData\Local\T6X5W4t\msdtc.exe
Filesize
138KB

MD5
de0ece52236cfa3ed2dbfc03f28253a8

SHA1
84bbd2495c1809fcd19b535d41114e4fb101466c

SHA256
2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3

SHA512
69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

Download Submit
\Users\Admin\AppData\Local\ZZgCv\VERSION.dll
Filesize
690KB

MD5
5b764114333430cf2c5bfdee8474d0f3

SHA1
4e59df2ac893478aabc413d4065dd84c661c743d

SHA256
9c0c1864cb020a62046e70a9622bb0eac54b9561068c4fc8c0b71182e98cf956

SHA512
ac39013cd3c10b4b3e2698fbfc9405d777ba16ff90dc56556b5bcee95f26e1e193e17916cc8cb12da29e5468227d885c0196d0830b0089dc38f69b0d77d261a7

Download Submit
\Users\Admin\AppData\Local\ZZgCv\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\yTg3SYS\DeviceDisplayObjectProvider.exe
Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
\Users\Admin\AppData\Local\yTg3SYS\XmlLite.dll
Filesize
690KB

MD5
613172cff3b5bc749bc3d32e49c9808f

SHA1
6c82b6536413506f56005b51490f8c9c5e162e96

SHA256
007007af6dc0b721d6ca35533fcac94fd81af911777079b244d73dcef3b7a612

SHA512
eb1dfe4e1f21fda7edfde490b618c2677bf6a11f4994169ad981b09528d5eed2faafbc2a083e3dac3eeaa1d8c948e51419fa457b6f0dbc0f7a2dff2dc2ed45aa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\AxlsaqbMe\DeviceDisplayObjectProvider.exe
Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
memory/560-97-0x0000000000000000-mapping.dmp

Download
memory/560-104-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/680-80-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/680-78-0x0000000000000000-mapping.dmp

Download
memory/680-83-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/680-86-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/972-54-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/972-57-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1044-88-0x0000000000000000-mapping.dmp

Download
memory/1044-95-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1260-59-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-60-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-61-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-76-0x0000000077700000-0x0000000077702000-memory.dmp

Filesize
8KB

Download
memory/1260-62-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-63-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-64-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-65-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-66-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-58-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1260-75-0x0000000002940000-0x0000000002947000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads