dridex | 71294290d7f4be76b77229c3e0cc626186843b3600634463711a04b7b69a4cd1

Analysis

max time kernel
152s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71294290d7f4be76b77229c3e0cc626186843b3600634463711a04b7b69a4cd1.dll
Size

693KB
MD5

7c62918ed4a99483c0766db2fdafe75c
SHA1

2bee00c0b9ee71667da7a7ec57aac1d0cca147d0
SHA256

71294290d7f4be76b77229c3e0cc626186843b3600634463711a04b7b69a4cd1
SHA512

b76cd8d4b5a27cc6ad17ff1a17c80f2f5bc182f6594a214df7eee4ceec339ad78014fdf6afddf1f4e6be3bc78248c02344f27b0c96d86d49d86b4cd191af5cc4

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1864-54-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload
behavioral1/memory/792-83-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1228-58-0x0000000002AB0000-0x0000000002AB1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

AdapterTroubleshooter.exerdpinit.exeddodiag.exe

pid process

792 AdapterTroubleshooter.exe
1572 rdpinit.exe
816 ddodiag.exe
Loads dropped DLL 7 IoCs

Processes:

AdapterTroubleshooter.exerdpinit.exeddodiag.exe

pid process

1228
792 AdapterTroubleshooter.exe
1228
1572 rdpinit.exe
1228
816 ddodiag.exe
1228

pid	process
792	AdapterTroubleshooter.exe
1572	rdpinit.exe
816	ddodiag.exe

pid	process
1228
792	AdapterTroubleshooter.exe
1228
1572	rdpinit.exe
1228
816	ddodiag.exe
1228

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\GBZGFZ~1\\rdpinit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeAdapterTroubleshooter.exerdpinit.exeddodiag.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdapterTroubleshooter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeAdapterTroubleshooter.exerdpinit.exeddodiag.exe

pid	process
1864	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
792	AdapterTroubleshooter.exe
792	AdapterTroubleshooter.exe
1228
1228
1228
1228
1572	rdpinit.exe
1572	rdpinit.exe
1228
1228
1228
1228
1228
1228
816	ddodiag.exe
816	ddodiag.exe
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1228 wrote to memory of 780	1228	AdapterTroubleshooter.exe
PID 1228 wrote to memory of 780	1228	AdapterTroubleshooter.exe
PID 1228 wrote to memory of 780	1228	AdapterTroubleshooter.exe
PID 1228 wrote to memory of 792	1228	AdapterTroubleshooter.exe
PID 1228 wrote to memory of 792	1228	AdapterTroubleshooter.exe
PID 1228 wrote to memory of 792	1228	AdapterTroubleshooter.exe
PID 1228 wrote to memory of 852	1228	rdpinit.exe
PID 1228 wrote to memory of 852	1228	rdpinit.exe
PID 1228 wrote to memory of 852	1228	rdpinit.exe
PID 1228 wrote to memory of 1572	1228	rdpinit.exe
PID 1228 wrote to memory of 1572	1228	rdpinit.exe
PID 1228 wrote to memory of 1572	1228	rdpinit.exe
PID 1228 wrote to memory of 240	1228	ddodiag.exe
PID 1228 wrote to memory of 240	1228	ddodiag.exe
PID 1228 wrote to memory of 240	1228	ddodiag.exe
PID 1228 wrote to memory of 816	1228	ddodiag.exe
PID 1228 wrote to memory of 816	1228	ddodiag.exe
PID 1228 wrote to memory of 816	1228	ddodiag.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\71294290d7f4be76b77229c3e0cc626186843b3600634463711a04b7b69a4cd1.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1864

C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
1⤵
PID:780

C:\Users\Admin\AppData\Local\5xjJe\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\5xjJe\AdapterTroubleshooter.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:792

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:852

C:\Users\Admin\AppData\Local\ZZWNo0\rdpinit.exe
C:\Users\Admin\AppData\Local\ZZWNo0\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1572

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:240

C:\Users\Admin\AppData\Local\04SA\ddodiag.exe
C:\Users\Admin\AppData\Local\04SA\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:816

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\04SA\XmlLite.dll
Filesize
694KB

MD5
f6c07cffb7f98a30690260f29dc9bf51

SHA1
449c127d5a60f53f32ed1d553ecc3e34156d3727

SHA256
3d54397f5e230c969b4396572855f6846bade73ab8d57e6f6557336fa57562b6

SHA512
ea40cf712ed2f91e0a45893f9e0ba12b7dfb082153d045891ec2696bbbad9dee84b4d4a8eb578c54a4ee67252f63e6c3da3c3ddb7b0fb445b067c55e76f326c0

Download Submit
C:\Users\Admin\AppData\Local\04SA\ddodiag.exe
Filesize
42KB

MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
C:\Users\Admin\AppData\Local\5xjJe\AdapterTroubleshooter.exe
Filesize
39KB

MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
C:\Users\Admin\AppData\Local\5xjJe\d3d9.dll
Filesize
694KB

MD5
63c5231e2075c61c0dbc78da20102d48

SHA1
3854d352982b8894ed23494f654ee9cea92f6f9b

SHA256
a97033a22d84ec14f032fb819c73b40dcfa260924c194d3d90ea3f42bc8eaae2

SHA512
dd943f00c479c99a3f85adfd36f9a94c730aaa1e49113df7ad1f57e83c7f3ece6e308e5065fb8d8651b1c482782270ec2c675d74438cdcd0e0bf20efd1036900

Download Submit
C:\Users\Admin\AppData\Local\ZZWNo0\WTSAPI32.dll
Filesize
695KB

MD5
401bc4f40622c9004fc94fb22010a4d6

SHA1
628b86f29997e9ad4b544bea1a2217a5807e50bc

SHA256
547ed8c38b0f44381122868e184240b99a3f60f13afb89a7b68abdf6cbfdb671

SHA512
b80a5af8abf18311e7804bd7d3c2bf79029b89da2e5ac3a29534e76fda74b076dcd656870a98232d9aefa32d018be2ee3b3c0a36ed986b555f472778e1c105aa

Download Submit
C:\Users\Admin\AppData\Local\ZZWNo0\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Local\04SA\XmlLite.dll
Filesize
694KB

MD5
f6c07cffb7f98a30690260f29dc9bf51

SHA1
449c127d5a60f53f32ed1d553ecc3e34156d3727

SHA256
3d54397f5e230c969b4396572855f6846bade73ab8d57e6f6557336fa57562b6

SHA512
ea40cf712ed2f91e0a45893f9e0ba12b7dfb082153d045891ec2696bbbad9dee84b4d4a8eb578c54a4ee67252f63e6c3da3c3ddb7b0fb445b067c55e76f326c0

Download Submit
\Users\Admin\AppData\Local\04SA\ddodiag.exe
Filesize
42KB

MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
\Users\Admin\AppData\Local\5xjJe\AdapterTroubleshooter.exe
Filesize
39KB

MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
\Users\Admin\AppData\Local\5xjJe\d3d9.dll
Filesize
694KB

MD5
63c5231e2075c61c0dbc78da20102d48

SHA1
3854d352982b8894ed23494f654ee9cea92f6f9b

SHA256
a97033a22d84ec14f032fb819c73b40dcfa260924c194d3d90ea3f42bc8eaae2

SHA512
dd943f00c479c99a3f85adfd36f9a94c730aaa1e49113df7ad1f57e83c7f3ece6e308e5065fb8d8651b1c482782270ec2c675d74438cdcd0e0bf20efd1036900

Download Submit
\Users\Admin\AppData\Local\ZZWNo0\WTSAPI32.dll
Filesize
695KB

MD5
401bc4f40622c9004fc94fb22010a4d6

SHA1
628b86f29997e9ad4b544bea1a2217a5807e50bc

SHA256
547ed8c38b0f44381122868e184240b99a3f60f13afb89a7b68abdf6cbfdb671

SHA512
b80a5af8abf18311e7804bd7d3c2bf79029b89da2e5ac3a29534e76fda74b076dcd656870a98232d9aefa32d018be2ee3b3c0a36ed986b555f472778e1c105aa

Download Submit
\Users\Admin\AppData\Local\ZZWNo0\rdpinit.exe
Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
\Users\Admin\AppData\Roaming\Identities\I97wx\ddodiag.exe
Filesize
42KB

MD5
509f9513ca16ba2f2047f5227a05d1a8

SHA1
fe8d63259cb9afa17da7b7b8ede4e75081071b1a

SHA256
ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

SHA512
ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

Download Submit
memory/792-83-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/792-78-0x0000000000000000-mapping.dmp

Download
memory/792-82-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/816-96-0x0000000000000000-mapping.dmp

Download
memory/1228-60-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1228-75-0x0000000002720000-0x0000000002727000-memory.dmp

Filesize
28KB

Download
memory/1228-76-0x0000000077030000-0x0000000077032000-memory.dmp

Filesize
8KB

Download
memory/1228-66-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1228-58-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1228-59-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1228-62-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1228-63-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1228-65-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1228-64-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1228-61-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1572-94-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1572-87-0x0000000000000000-mapping.dmp

Download
memory/1864-57-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/1864-54-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads