dridex | 310fd238e3d99b5a9baf0c0be09026caa8c720076c2af2438ac534146506d7d3

Analysis

max time kernel
150s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

310fd238e3d99b5a9baf0c0be09026caa8c720076c2af2438ac534146506d7d3.dll
Size

689KB
MD5

dd97fd4acc0e239912f4bc617c5ed95e
SHA1

daf31e92ca109a223f1e73377cd9e5cc65e8a6bf
SHA256

310fd238e3d99b5a9baf0c0be09026caa8c720076c2af2438ac534146506d7d3
SHA512

69c8f2f00800b59125496a5801450405d54d932d9094bb05fdc22d2f3e03af2efbfc1e630eb4b2d6e309cb9efac0e33bacfcb6f1ddba289f2da28c9ff98217dc

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1868-54-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/1692-80-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

BitLockerWizardElev.exemsdt.exeraserver.exe

pid process

1692 BitLockerWizardElev.exe
1656 msdt.exe
2012 raserver.exe
Loads dropped DLL 7 IoCs

Processes:

BitLockerWizardElev.exemsdt.exeraserver.exe

pid process

1208
1692 BitLockerWizardElev.exe
1208
1656 msdt.exe
1208
2012 raserver.exe
1208

pid	process
1692	BitLockerWizardElev.exe
1656	msdt.exe
2012	raserver.exe

pid	process
1208
1692	BitLockerWizardElev.exe
1208
1656	msdt.exe
1208
2012	raserver.exe
1208

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lwausnzctoco = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\GVPlRAh\\msdt.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BitLockerWizardElev.exemsdt.exeraserver.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeBitLockerWizardElev.exemsdt.exeraserver.exe

pid	process
1868	rundll32.exe
1868	rundll32.exe
1868	rundll32.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1692	BitLockerWizardElev.exe
1692	BitLockerWizardElev.exe
1208
1208
1208
1208
1208
1208
1208
1208
1656	msdt.exe
1656	msdt.exe
1208
1208
1208
1208
1208
2012	raserver.exe
2012	raserver.exe
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208
1208

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1208 wrote to memory of 976	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 976	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 976	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 1692	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 1692	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 1692	1208	BitLockerWizardElev.exe
PID 1208 wrote to memory of 1004	1208	msdt.exe
PID 1208 wrote to memory of 1004	1208	msdt.exe
PID 1208 wrote to memory of 1004	1208	msdt.exe
PID 1208 wrote to memory of 1656	1208	msdt.exe
PID 1208 wrote to memory of 1656	1208	msdt.exe
PID 1208 wrote to memory of 1656	1208	msdt.exe
PID 1208 wrote to memory of 828	1208	raserver.exe
PID 1208 wrote to memory of 828	1208	raserver.exe
PID 1208 wrote to memory of 828	1208	raserver.exe
PID 1208 wrote to memory of 2012	1208	raserver.exe
PID 1208 wrote to memory of 2012	1208	raserver.exe
PID 1208 wrote to memory of 2012	1208	raserver.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\310fd238e3d99b5a9baf0c0be09026caa8c720076c2af2438ac534146506d7d3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:976

C:\Users\Admin\AppData\Local\t2EZ8\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\t2EZ8\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:1004

C:\Users\Admin\AppData\Local\zGBumj9L\msdt.exe
C:\Users\Admin\AppData\Local\zGBumj9L\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:828

C:\Users\Admin\AppData\Local\fxBM3Lv9\raserver.exe
C:\Users\Admin\AppData\Local\fxBM3Lv9\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\fxBM3Lv9\WTSAPI32.dll
Filesize
691KB

MD5
75fd3d496696f334a292833634d88bd7

SHA1
f88342db2363ee31a74fd3d089737e7e02995710

SHA256
076d9753820bee4585530f354978bb01f9c6a398901f352e50004ffe7567f270

SHA512
0e63b19877c263348700186bfeb2fcfd83144353a4bcaa8fe664b53596628a55d0adfaf97f73b6561bc9d1cd4ce0908806752ef05866a7debccdb8e3d551a31d

Download Submit
C:\Users\Admin\AppData\Local\fxBM3Lv9\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
C:\Users\Admin\AppData\Local\t2EZ8\BitLockerWizardElev.exe
Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
C:\Users\Admin\AppData\Local\t2EZ8\FVEWIZ.dll
Filesize
691KB

MD5
636e3eb28c8fdab2aca6ef63ca916502

SHA1
83be35af1672b3b3a48718b9bb694e4bf5656386

SHA256
ab5193e17cf43df42874b94a3b0c6b53d932f3749ad7da4e975e40cfc499f749

SHA512
eb51cb8ebe9af17c8ebdd2db15ba7b2eb3f0460cb6232f1d35f9b122406dd35ba17958a9313a34fbbbfeda60b9f35dcd72b6ba78483b7050c75665527c4b5fce

Download Submit
C:\Users\Admin\AppData\Local\zGBumj9L\Secur32.dll
Filesize
693KB

MD5
9b5576cefb97dbdd1a6f0dcbad1aa8c1

SHA1
120fa74039053cb2181969493a6b34979cac5545

SHA256
eed41a156f0012e3596e35bbe55c5c970045e0eeb4781cee135c728480243f78

SHA512
7a00c85053093eb63cc912af83f38b368bc3fd87ed43614c84dc011b7b7cfc53a862958bdf3909c068eb58bad996e5450c4bf77dd171d17f8b234a07511d6b91

Download Submit
C:\Users\Admin\AppData\Local\zGBumj9L\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Local\fxBM3Lv9\WTSAPI32.dll
Filesize
691KB

MD5
75fd3d496696f334a292833634d88bd7

SHA1
f88342db2363ee31a74fd3d089737e7e02995710

SHA256
076d9753820bee4585530f354978bb01f9c6a398901f352e50004ffe7567f270

SHA512
0e63b19877c263348700186bfeb2fcfd83144353a4bcaa8fe664b53596628a55d0adfaf97f73b6561bc9d1cd4ce0908806752ef05866a7debccdb8e3d551a31d

Download Submit
\Users\Admin\AppData\Local\fxBM3Lv9\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\t2EZ8\BitLockerWizardElev.exe
Filesize
98KB

MD5
73f13d791e36d3486743244f16875239

SHA1
ed5ec55dbc6b3bda505f0a4c699c257c90c02020

SHA256
2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8

SHA512
911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

Download Submit
\Users\Admin\AppData\Local\t2EZ8\FVEWIZ.dll
Filesize
691KB

MD5
636e3eb28c8fdab2aca6ef63ca916502

SHA1
83be35af1672b3b3a48718b9bb694e4bf5656386

SHA256
ab5193e17cf43df42874b94a3b0c6b53d932f3749ad7da4e975e40cfc499f749

SHA512
eb51cb8ebe9af17c8ebdd2db15ba7b2eb3f0460cb6232f1d35f9b122406dd35ba17958a9313a34fbbbfeda60b9f35dcd72b6ba78483b7050c75665527c4b5fce

Download Submit
\Users\Admin\AppData\Local\zGBumj9L\Secur32.dll
Filesize
693KB

MD5
9b5576cefb97dbdd1a6f0dcbad1aa8c1

SHA1
120fa74039053cb2181969493a6b34979cac5545

SHA256
eed41a156f0012e3596e35bbe55c5c970045e0eeb4781cee135c728480243f78

SHA512
7a00c85053093eb63cc912af83f38b368bc3fd87ed43614c84dc011b7b7cfc53a862958bdf3909c068eb58bad996e5450c4bf77dd171d17f8b234a07511d6b91

Download Submit
\Users\Admin\AppData\Local\zGBumj9L\msdt.exe
Filesize
1.0MB

MD5
aecb7b09566b1f83f61d5a4b44ae9c7e

SHA1
3a4a2338c6b5ac833dc87497e04fe89c5481e289

SHA256
fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5

SHA512
6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\GIpa2pKb5dR\raserver.exe
Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
memory/1208-63-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1208-64-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1208-74-0x00000000025C0000-0x00000000025C7000-memory.dmp

Filesize
28KB

Download
memory/1208-59-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1208-60-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1208-65-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1208-62-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1208-61-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1208-58-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1656-85-0x0000000000000000-mapping.dmp

Download
memory/1656-93-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1656-87-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download
memory/1692-83-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1692-80-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/1868-54-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1868-57-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/2012-95-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads