dridex | 3e8094c9c90760a0cfde4ee4f6009a00559e6fc776b255c58f589c3d31c4dde2

Analysis

max time kernel
187s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8094c9c90760a0cfde4ee4f6009a00559e6fc776b255c58f589c3d31c4dde2.dll
Size

687KB
MD5

2e72504c85d431114f47490953c13451
SHA1

b3d121ae4b85ea4a23d10f743bac6828f74c5b12
SHA256

3e8094c9c90760a0cfde4ee4f6009a00559e6fc776b255c58f589c3d31c4dde2
SHA512

b8d489ffcedca0f9776de3ab631ec6f9e4aa8ce3f3a554d7e53bafa85723ea1176ae6015180ff200f37dd5fef689582103e7cb5ea2f58abbc908cb5312af7b7e

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1420-54-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/1276-83-0x0000000140000000-0x00000001400E5000-memory.dmp	dridex_payload
behavioral1/memory/1620-93-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1260-58-0x00000000029A0000-0x00000000029A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dpapimig.exemsdt.execmstp.exe

pid process

1276 dpapimig.exe
1620 msdt.exe
764 cmstp.exe
Loads dropped DLL 7 IoCs

Processes:

dpapimig.exemsdt.execmstp.exe

pid process

1260
1276 dpapimig.exe
1260
1620 msdt.exe
1260
764 cmstp.exe
1260

pid	process
1276	dpapimig.exe
1620	msdt.exe
764	cmstp.exe

pid	process
1260
1276	dpapimig.exe
1260
1620	msdt.exe
1260
764	cmstp.exe
1260

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\GdZVO0fz\\msdt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedpapimig.exemsdt.execmstp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exedpapimig.exemsdt.execmstp.exe

pid	process
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1276	dpapimig.exe
1276	dpapimig.exe
1260
1260
1260
1260
1260
1260
1260
1260
1620	msdt.exe
1620	msdt.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
764	cmstp.exe
764	cmstp.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1260

description	pid	process
Token: SeShutdownPrivilege	1260

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1260 wrote to memory of 320	1260	dpapimig.exe
PID 1260 wrote to memory of 320	1260	dpapimig.exe
PID 1260 wrote to memory of 320	1260	dpapimig.exe
PID 1260 wrote to memory of 1276	1260	dpapimig.exe
PID 1260 wrote to memory of 1276	1260	dpapimig.exe
PID 1260 wrote to memory of 1276	1260	dpapimig.exe
PID 1260 wrote to memory of 1740	1260	msdt.exe
PID 1260 wrote to memory of 1740	1260	msdt.exe
PID 1260 wrote to memory of 1740	1260	msdt.exe
PID 1260 wrote to memory of 1620	1260	msdt.exe
PID 1260 wrote to memory of 1620	1260	msdt.exe
PID 1260 wrote to memory of 1620	1260	msdt.exe
PID 1260 wrote to memory of 1528	1260	cmstp.exe
PID 1260 wrote to memory of 1528	1260	cmstp.exe
PID 1260 wrote to memory of 1528	1260	cmstp.exe
PID 1260 wrote to memory of 764	1260	cmstp.exe
PID 1260 wrote to memory of 764	1260	cmstp.exe
PID 1260 wrote to memory of 764	1260	cmstp.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3e8094c9c90760a0cfde4ee4f6009a00559e6fc776b255c58f589c3d31c4dde2.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:320

C:\Users\Admin\AppData\Local\49DIQs\dpapimig.exe
C:\Users\Admin\AppData\Local\49DIQs\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1276

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:1740

C:\Users\Admin\AppData\Local\iDaomz\msdt.exe
C:\Users\Admin\AppData\Local\iDaomz\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1528

C:\Users\Admin\AppData\Local\yIRqQrP\cmstp.exe
C:\Users\Admin\AppData\Local\yIRqQrP\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\49DIQs\DUI70.dll
Filesize
894KB

MD5
c850df9b614d4e212914482cab4c8425

SHA1
7b2bcdcd02ca4c1fc232dbb908942595356d03fc

SHA256
5814818c485252a9be91029f90d493c576d019c4cad8a8067bbf95348eaed0c2

SHA512
835cd08e92c66ea350fa9c201d71e73e627f3798afca605707bd323b37cdffbd188d6906b1e93f97ffcba5b326543d956e2c0af05b0a5cdaf817b30555b957ff

Download Submit
C:\Users\Admin\AppData\Local\49DIQs\dpapimig.exe
Filesize
73KB

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
C:\Users\Admin\AppData\Local\iDaomz\UxTheme.dll
Filesize
690KB

MD5
302c1ac8f3760ea1632d67c98e13d4f1

SHA1
3de509dc2d7a7faaffad9abbc5033b2d1646e9df

SHA256
77c91f5c71c3d6e48f409cfeb85a07bce3e8190848f8d0f72ea0bc5b80b966df

SHA512
38a3f8a1b5899e03279277163b60546aac6744a7c0b304b956690361a693c257820ccda0a6255b36ca6e814131c662b0a1b3a864cbac9276511c5465f1c18647

Download Submit
C:\Users\Admin\AppData\Local\iDaomz\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
C:\Users\Admin\AppData\Local\yIRqQrP\VERSION.dll
Filesize
688KB

MD5
4019421b7bbe215babce8d88b4b35573

SHA1
8a02d36111efe3fc903b2da55dc032219739117d

SHA256
e91192c16ca4085532a2ba18b7600e3409aa60d3dc451339b0bfdb341a707a4f

SHA512
492e090049cabfd7125dea9bec38a394a93db2180d70a25c0139e7b917b766ca9ec490f202b6ce5fb3a7df2d12f9d51f64a531be10b6e8ee0dbc5cff62305d3e

Download Submit
C:\Users\Admin\AppData\Local\yIRqQrP\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Local\49DIQs\DUI70.dll
Filesize
894KB

MD5
c850df9b614d4e212914482cab4c8425

SHA1
7b2bcdcd02ca4c1fc232dbb908942595356d03fc

SHA256
5814818c485252a9be91029f90d493c576d019c4cad8a8067bbf95348eaed0c2

SHA512
835cd08e92c66ea350fa9c201d71e73e627f3798afca605707bd323b37cdffbd188d6906b1e93f97ffcba5b326543d956e2c0af05b0a5cdaf817b30555b957ff

Download Submit
\Users\Admin\AppData\Local\49DIQs\dpapimig.exe
Filesize
73KB

MD5
0e8b8abea4e23ddc9a70614f3f651303

SHA1
6d332ba4e7a78039f75b211845514ab35ab467b2

SHA256
66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1

SHA512
4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

Download Submit
\Users\Admin\AppData\Local\iDaomz\UxTheme.dll
Filesize
690KB

MD5
302c1ac8f3760ea1632d67c98e13d4f1

SHA1
3de509dc2d7a7faaffad9abbc5033b2d1646e9df

SHA256
77c91f5c71c3d6e48f409cfeb85a07bce3e8190848f8d0f72ea0bc5b80b966df

SHA512
38a3f8a1b5899e03279277163b60546aac6744a7c0b304b956690361a693c257820ccda0a6255b36ca6e814131c662b0a1b3a864cbac9276511c5465f1c18647

Download Submit
\Users\Admin\AppData\Local\iDaomz\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\yIRqQrP\VERSION.dll
Filesize
688KB

MD5
4019421b7bbe215babce8d88b4b35573

SHA1
8a02d36111efe3fc903b2da55dc032219739117d

SHA256
e91192c16ca4085532a2ba18b7600e3409aa60d3dc451339b0bfdb341a707a4f

SHA512
492e090049cabfd7125dea9bec38a394a93db2180d70a25c0139e7b917b766ca9ec490f202b6ce5fb3a7df2d12f9d51f64a531be10b6e8ee0dbc5cff62305d3e

Download Submit
\Users\Admin\AppData\Local\yIRqQrP\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\FE\cmstp.exe
Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
memory/764-98-0x0000000000000000-mapping.dmp

Download
memory/764-105-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1260-65-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-63-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-58-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1260-76-0x0000000077100000-0x0000000077102000-memory.dmp

Filesize
8KB

Download
memory/1260-59-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-60-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-61-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-75-0x0000000002980000-0x0000000002987000-memory.dmp

Filesize
28KB

Download
memory/1260-66-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-64-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1260-62-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1276-80-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1276-86-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1276-83-0x0000000140000000-0x00000001400E5000-memory.dmp

Filesize
916KB

Download
memory/1276-78-0x0000000000000000-mapping.dmp

Download
memory/1420-54-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1420-57-0x0000000001B50000-0x0000000001B57000-memory.dmp

Filesize
28KB

Download
memory/1620-93-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1620-96-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/1620-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads