dridex | 991746defed60acf26bf8be7092687985943997ced5069691d44f25639894c99

Analysis

max time kernel
149s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

991746defed60acf26bf8be7092687985943997ced5069691d44f25639894c99.dll
Size

693KB
MD5

29a1b962a713d5f2c0c4758896a38591
SHA1

43b22480bccba9f0dfbde48637a6886d4a58ab15
SHA256

991746defed60acf26bf8be7092687985943997ced5069691d44f25639894c99
SHA512

6fe2e2b945ab1c2dcf0ec33fbd96041d731d126a37ebf95c18ffc9f24942479d02506b2ddee96797536c2b8131507872f0c1f164a6c4f89d48cb32bae247155c

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1980-54-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload
behavioral1/memory/1124-80-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

p2phost.exepsr.exefvenotify.exe

pid process

1124 p2phost.exe
1888 psr.exe
1536 fvenotify.exe
Loads dropped DLL 7 IoCs

Processes:

p2phost.exepsr.exefvenotify.exe

pid process

1352
1124 p2phost.exe
1352
1888 psr.exe
1352
1536 fvenotify.exe
1352

pid	process
1124	p2phost.exe
1888	psr.exe
1536	fvenotify.exe

pid	process
1352
1124	p2phost.exe
1352
1888	psr.exe
1352
1536	fvenotify.exe
1352

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lwausnzctoco = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Wy\\psr.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

p2phost.exepsr.exefvenotify.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fvenotify.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exep2phost.exepsr.exefvenotify.exe

pid	process
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1124	p2phost.exe
1124	p2phost.exe
1352
1352
1352
1352
1352
1352
1352
1352
1888	psr.exe
1888	psr.exe
1352
1352
1352
1352
1536	fvenotify.exe
1536	fvenotify.exe
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352
1352

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1352 wrote to memory of 1900	1352	p2phost.exe
PID 1352 wrote to memory of 1900	1352	p2phost.exe
PID 1352 wrote to memory of 1900	1352	p2phost.exe
PID 1352 wrote to memory of 1124	1352	p2phost.exe
PID 1352 wrote to memory of 1124	1352	p2phost.exe
PID 1352 wrote to memory of 1124	1352	p2phost.exe
PID 1352 wrote to memory of 676	1352	psr.exe
PID 1352 wrote to memory of 676	1352	psr.exe
PID 1352 wrote to memory of 676	1352	psr.exe
PID 1352 wrote to memory of 1888	1352	psr.exe
PID 1352 wrote to memory of 1888	1352	psr.exe
PID 1352 wrote to memory of 1888	1352	psr.exe
PID 1352 wrote to memory of 1832	1352	fvenotify.exe
PID 1352 wrote to memory of 1832	1352	fvenotify.exe
PID 1352 wrote to memory of 1832	1352	fvenotify.exe
PID 1352 wrote to memory of 1536	1352	fvenotify.exe
PID 1352 wrote to memory of 1536	1352	fvenotify.exe
PID 1352 wrote to memory of 1536	1352	fvenotify.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\991746defed60acf26bf8be7092687985943997ced5069691d44f25639894c99.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:1900

C:\Users\Admin\AppData\Local\Vl2plmR5Z\p2phost.exe
C:\Users\Admin\AppData\Local\Vl2plmR5Z\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:676

C:\Users\Admin\AppData\Local\Dqp8jnrFz\psr.exe
C:\Users\Admin\AppData\Local\Dqp8jnrFz\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
1⤵
PID:1832

C:\Users\Admin\AppData\Local\bntc\fvenotify.exe
C:\Users\Admin\AppData\Local\bntc\fvenotify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Dqp8jnrFz\OLEACC.dll
Filesize
695KB

MD5
8a234a0e8bc92dd21f465a18a490ca3c

SHA1
8c4449ae3d5e7f3d50762028c2e77f523082af13

SHA256
85aaa8e300620f38807cfd498559c0c8a3f66f38e4b802e71bef5cd06dfb0bc0

SHA512
9e14f4cac877740a1808592dfb6b58885343309784b53e3aca8081237fab857e393e83bb4eae02955c36c8d3152300e0dffec08fbb82f20d3d27aa1083b65c8b

Download Submit
C:\Users\Admin\AppData\Local\Dqp8jnrFz\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
C:\Users\Admin\AppData\Local\Vl2plmR5Z\P2PCOLLAB.dll
Filesize
697KB

MD5
e6348023a06d986e9c0df5739605df04

SHA1
985eeee92ad39d0ce0b166c5aba0f1ffc23cf4c9

SHA256
353347848d1b8787cf10488ec3974bc9efa3c4f7f7e26ea9f5170aae65ae39c8

SHA512
94f6737da150f03909e717f7f8317d625635c1fe08200a6cffc18303d4c04e32fc9da27ea6377505b75e1c9facb492309e398a7473744f1b579a265045119c2c

Download Submit
C:\Users\Admin\AppData\Local\Vl2plmR5Z\p2phost.exe
Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
C:\Users\Admin\AppData\Local\bntc\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
C:\Users\Admin\AppData\Local\bntc\slc.dll
Filesize
695KB

MD5
19ff58ff16c2c2ffba4a32b0051351f3

SHA1
3f2161376344e3811ea9c6340f101efd7399afe7

SHA256
6313196fbe0306835e7f3d5a905003056e0cd65032aa3748a7a6c34d54fbe730

SHA512
eb8f1065dd06517bd8fd75d4c413da899a43a14fc40c67a4af122f4d962925dc660ab46ae9288c59140bace676b6807d89b49e86018dbb82f678ae767ac44927

Download Submit
\Users\Admin\AppData\Local\Dqp8jnrFz\OLEACC.dll
Filesize
695KB

MD5
8a234a0e8bc92dd21f465a18a490ca3c

SHA1
8c4449ae3d5e7f3d50762028c2e77f523082af13

SHA256
85aaa8e300620f38807cfd498559c0c8a3f66f38e4b802e71bef5cd06dfb0bc0

SHA512
9e14f4cac877740a1808592dfb6b58885343309784b53e3aca8081237fab857e393e83bb4eae02955c36c8d3152300e0dffec08fbb82f20d3d27aa1083b65c8b

Download Submit
\Users\Admin\AppData\Local\Dqp8jnrFz\psr.exe
Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\Vl2plmR5Z\P2PCOLLAB.dll
Filesize
697KB

MD5
e6348023a06d986e9c0df5739605df04

SHA1
985eeee92ad39d0ce0b166c5aba0f1ffc23cf4c9

SHA256
353347848d1b8787cf10488ec3974bc9efa3c4f7f7e26ea9f5170aae65ae39c8

SHA512
94f6737da150f03909e717f7f8317d625635c1fe08200a6cffc18303d4c04e32fc9da27ea6377505b75e1c9facb492309e398a7473744f1b579a265045119c2c

Download Submit
\Users\Admin\AppData\Local\Vl2plmR5Z\p2phost.exe
Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
\Users\Admin\AppData\Local\bntc\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
\Users\Admin\AppData\Local\bntc\slc.dll
Filesize
695KB

MD5
19ff58ff16c2c2ffba4a32b0051351f3

SHA1
3f2161376344e3811ea9c6340f101efd7399afe7

SHA256
6313196fbe0306835e7f3d5a905003056e0cd65032aa3748a7a6c34d54fbe730

SHA512
eb8f1065dd06517bd8fd75d4c413da899a43a14fc40c67a4af122f4d962925dc660ab46ae9288c59140bace676b6807d89b49e86018dbb82f678ae767ac44927

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\oIyAn\fvenotify.exe
Filesize
117KB

MD5
e61d644998e07c02f0999388808ac109

SHA1
183130ad81ff4c7997582a484e759bf7769592d6

SHA256
15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa

SHA512
310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

Download Submit
memory/1124-80-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/1124-83-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1124-76-0x0000000000000000-mapping.dmp

Download
memory/1352-60-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1352-63-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1352-58-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1352-59-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1352-62-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1352-64-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1352-74-0x0000000002780000-0x0000000002787000-memory.dmp

Filesize
28KB

Download
memory/1352-61-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1352-65-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1536-103-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1536-95-0x0000000000000000-mapping.dmp

Download
memory/1888-89-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/1888-93-0x0000000000580000-0x0000000000587000-memory.dmp

Filesize
28KB

Download
memory/1888-85-0x0000000000000000-mapping.dmp

Download
memory/1980-54-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1980-57-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads