dridex | 7589df6fc73705e680ebb569b62e9ac1517ed7f50ce4131e7fde26cdbacc9db2

Analysis

max time kernel
186s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7589df6fc73705e680ebb569b62e9ac1517ed7f50ce4131e7fde26cdbacc9db2.dll
Size

693KB
MD5

08a19101e1128428702d7dd9f509bebd
SHA1

0d69fcb18412ad3216ce0ba4d8a3fdf36510d5c7
SHA256

7589df6fc73705e680ebb569b62e9ac1517ed7f50ce4131e7fde26cdbacc9db2
SHA512

12a9fe8a62323b65a9c0a85f29fb05eaba22c557b5e7bbc246c3092ea17f5bd4be7a61596d3b597c447ac33d3dd6b649c40b462571c2e825d990ffdbd0d8cb28

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1912-54-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload
behavioral1/memory/608-82-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload
behavioral1/memory/1268-92-0x0000000140000000-0x00000001400B4000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1292-58-0x00000000021D0000-0x00000000021D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

rdpinit.exemspaint.exeunregmp2.exe

pid process

608 rdpinit.exe
1268 mspaint.exe
1472 unregmp2.exe
Loads dropped DLL 7 IoCs

Processes:

rdpinit.exemspaint.exeunregmp2.exe

pid process

1292
608 rdpinit.exe
1292
1268 mspaint.exe
1292
1472 unregmp2.exe
1292

pid	process
608	rdpinit.exe
1268	mspaint.exe
1472	unregmp2.exe

pid	process
1292
608	rdpinit.exe
1292
1268	mspaint.exe
1292
1472	unregmp2.exe
1292

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\Qade6F\\mspaint.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpinit.exemspaint.exeunregmp2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerdpinit.exemspaint.exeunregmp2.exe

pid	process
1912	rundll32.exe
1912	rundll32.exe
1912	rundll32.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
608	rdpinit.exe
608	rdpinit.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1268	mspaint.exe
1268	mspaint.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1472	unregmp2.exe
1472	unregmp2.exe
1292
1292
1292
1292
1292

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1292

description	pid	process
Token: SeShutdownPrivilege	1292

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1292 wrote to memory of 1700	1292	rdpinit.exe
PID 1292 wrote to memory of 1700	1292	rdpinit.exe
PID 1292 wrote to memory of 1700	1292	rdpinit.exe
PID 1292 wrote to memory of 608	1292	rdpinit.exe
PID 1292 wrote to memory of 608	1292	rdpinit.exe
PID 1292 wrote to memory of 608	1292	rdpinit.exe
PID 1292 wrote to memory of 1648	1292	mspaint.exe
PID 1292 wrote to memory of 1648	1292	mspaint.exe
PID 1292 wrote to memory of 1648	1292	mspaint.exe
PID 1292 wrote to memory of 1268	1292	mspaint.exe
PID 1292 wrote to memory of 1268	1292	mspaint.exe
PID 1292 wrote to memory of 1268	1292	mspaint.exe
PID 1292 wrote to memory of 1752	1292	unregmp2.exe
PID 1292 wrote to memory of 1752	1292	unregmp2.exe
PID 1292 wrote to memory of 1752	1292	unregmp2.exe
PID 1292 wrote to memory of 1472	1292	unregmp2.exe
PID 1292 wrote to memory of 1472	1292	unregmp2.exe
PID 1292 wrote to memory of 1472	1292	unregmp2.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7589df6fc73705e680ebb569b62e9ac1517ed7f50ce4131e7fde26cdbacc9db2.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1700

C:\Users\Admin\AppData\Local\qp5Uptb\rdpinit.exe
C:\Users\Admin\AppData\Local\qp5Uptb\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:1648

C:\Users\Admin\AppData\Local\kv4A6fK\mspaint.exe
C:\Users\Admin\AppData\Local\kv4A6fK\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1268

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:1752

C:\Users\Admin\AppData\Local\dfpg8\unregmp2.exe
C:\Users\Admin\AppData\Local\dfpg8\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1472

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dfpg8\slc.dll
Filesize
695KB

MD5
b35bfa28aa2ff25d3e151160bfcb5369

SHA1
ac5f132d3018aa98259dc3ea1ddb05509305c2b8

SHA256
cb89dab3026cfa1c29f2a26f571c3d1ab041ddf485abd4cb2de065d0c5275bb7

SHA512
b32ac849b3f22c1ff0c8b98fa7c7c3f30b85380eeb2524116940ea93f71bc51f53be165fb93c97a94c848ec73888ffe678de6fe8873cbc5b472bfe0bf3d8197d

Download Submit
C:\Users\Admin\AppData\Local\dfpg8\unregmp2.exe
Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
C:\Users\Admin\AppData\Local\kv4A6fK\WINMM.dll
Filesize
699KB

MD5
f7a65c44f491621d64b8749209483f6c

SHA1
bba374105f6bb0cf56e876369cc238c8121cedff

SHA256
0070f92d65fa1817a7335d614521533bf2b7018c3759ccc2212813450a9f3552

SHA512
e5d73014f9bd27934d1744433432541711b176c63c69eeda81fcae0a5497efdab16a5f0c3c71bd95b902a0cd9fe005a9ee223878c48110071525e0ef079211a3

Download Submit
C:\Users\Admin\AppData\Local\kv4A6fK\mspaint.exe
Filesize
6.4MB

MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
C:\Users\Admin\AppData\Local\qp5Uptb\WTSAPI32.dll
Filesize
696KB

MD5
1412831643187cee9926e95e3d14c1fd

SHA1
0c662f819f4803caaa5262c17fd4fa24beada925

SHA256
a1a8b0ebf30bc1e6e41438348148e2b6918cd0d806033a2699dd8ae329f7d4f3

SHA512
7f1526a648a9f0b4f062ca6051d365be296259c514ee37caec71add3630e1b7b8a42ebd421af06cdeb649cd3417de8d7d5a4e3d30d263131b3bb38ac910d7d42

Download Submit
C:\Users\Admin\AppData\Local\qp5Uptb\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\dfpg8\slc.dll
Filesize
695KB

MD5
b35bfa28aa2ff25d3e151160bfcb5369

SHA1
ac5f132d3018aa98259dc3ea1ddb05509305c2b8

SHA256
cb89dab3026cfa1c29f2a26f571c3d1ab041ddf485abd4cb2de065d0c5275bb7

SHA512
b32ac849b3f22c1ff0c8b98fa7c7c3f30b85380eeb2524116940ea93f71bc51f53be165fb93c97a94c848ec73888ffe678de6fe8873cbc5b472bfe0bf3d8197d

Download Submit
\Users\Admin\AppData\Local\dfpg8\unregmp2.exe
Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
\Users\Admin\AppData\Local\kv4A6fK\WINMM.dll
Filesize
699KB

MD5
f7a65c44f491621d64b8749209483f6c

SHA1
bba374105f6bb0cf56e876369cc238c8121cedff

SHA256
0070f92d65fa1817a7335d614521533bf2b7018c3759ccc2212813450a9f3552

SHA512
e5d73014f9bd27934d1744433432541711b176c63c69eeda81fcae0a5497efdab16a5f0c3c71bd95b902a0cd9fe005a9ee223878c48110071525e0ef079211a3

Download Submit
\Users\Admin\AppData\Local\kv4A6fK\mspaint.exe
Filesize
6.4MB

MD5
458f4590f80563eb2a0a72709bfc2bd9

SHA1
3f97dc3bd1467c710c6a8d26b97bb6cf47deb4c6

SHA256
ff923c051ae380bf30d749ebe9cf310ccab6572d84eb81b76fb1012bcbdf557f

SHA512
e34500658dbe105a704fff6988b75d13aa9931adfd585b8ce1f023c61abd573d58067ee1f43e80076729ba99c9a00c17eb8cfcfac9c3d271d76bd251ccab1681

Download Submit
\Users\Admin\AppData\Local\qp5Uptb\WTSAPI32.dll
Filesize
696KB

MD5
1412831643187cee9926e95e3d14c1fd

SHA1
0c662f819f4803caaa5262c17fd4fa24beada925

SHA256
a1a8b0ebf30bc1e6e41438348148e2b6918cd0d806033a2699dd8ae329f7d4f3

SHA512
7f1526a648a9f0b4f062ca6051d365be296259c514ee37caec71add3630e1b7b8a42ebd421af06cdeb649cd3417de8d7d5a4e3d30d263131b3bb38ac910d7d42

Download Submit
\Users\Admin\AppData\Local\qp5Uptb\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\fIo36Bf78Kd\unregmp2.exe
Filesize
316KB

MD5
64b328d52dfc8cda123093e3f6e4c37c

SHA1
f68f45b21b911906f3aa982e64504e662a92e5ab

SHA256
7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1

SHA512
e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00

Download Submit
memory/608-85-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/608-82-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/608-78-0x0000000000000000-mapping.dmp

Download
memory/1268-92-0x0000000140000000-0x00000001400B4000-memory.dmp

Filesize
720KB

Download
memory/1268-87-0x0000000000000000-mapping.dmp

Download
memory/1268-95-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/1268-89-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1292-65-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1292-75-0x00000000021B0000-0x00000000021B7000-memory.dmp

Filesize
28KB

Download
memory/1292-60-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1292-76-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1292-59-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1292-62-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1292-61-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1292-66-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1292-64-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1292-63-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1292-58-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1472-97-0x0000000000000000-mapping.dmp

Download
memory/1472-104-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1912-57-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1912-54-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads