dridex | 1f10d52854a4e7eb1eb2045e481d7c4a4fa84c9f3bf698de800f055f7bfd04a9

Analysis

max time kernel
147s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
17-04-2022 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f10d52854a4e7eb1eb2045e481d7c4a4fa84c9f3bf698de800f055f7bfd04a9.dll
Size

687KB
MD5

2dec966f89ae3919024a4515677f9ebc
SHA1

a0b4f328df803150f21a74e513020f2134f81a9e
SHA256

1f10d52854a4e7eb1eb2045e481d7c4a4fa84c9f3bf698de800f055f7bfd04a9
SHA512

a74825d7baadb04927367be6f2ad3bd4efb60b791ccb8eea5447dc665f1c93565b1d01d6de552a977ce8e0e5482d16801b4f6a4bfc76661c28f318982d9adae1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 3 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/864-54-0x0000000140000000-0x00000001400B1000-memory.dmp	dridex_payload
behavioral1/memory/584-83-0x0000000140000000-0x00000001400B2000-memory.dmp	dridex_payload
behavioral1/memory/696-103-0x0000000140000000-0x00000001400B3000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1376-58-0x00000000026E0000-0x00000000026E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

wscript.exelpksetup.execalc.exe

pid process

584 wscript.exe
1460 lpksetup.exe
696 calc.exe
Loads dropped DLL 8 IoCs

Processes:

wscript.exelpksetup.execalc.exe

pid process

1376
1376
584 wscript.exe
1376
1460 lpksetup.exe
1376
696 calc.exe
1376

pid	process
584	wscript.exe
1460	lpksetup.exe
696	calc.exe

pid	process
1376
1376
584	wscript.exe
1376
1460	lpksetup.exe
1376
696	calc.exe
1376

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Km\\lpksetup.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exewscript.exelpksetup.execalc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wscript.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lpksetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	calc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exewscript.exelpksetup.execalc.exe

pid	process
864	rundll32.exe
864	rundll32.exe
864	rundll32.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
584	wscript.exe
584	wscript.exe
1376
1376
1376
1376
1376
1460	lpksetup.exe
1460	lpksetup.exe
1376
1376
1376
1376
1376
1376
1376
1376
696	calc.exe
696	calc.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1376 wrote to memory of 1956	1376	wscript.exe
PID 1376 wrote to memory of 1956	1376	wscript.exe
PID 1376 wrote to memory of 1956	1376	wscript.exe
PID 1376 wrote to memory of 584	1376	wscript.exe
PID 1376 wrote to memory of 584	1376	wscript.exe
PID 1376 wrote to memory of 584	1376	wscript.exe
PID 1376 wrote to memory of 1800	1376	lpksetup.exe
PID 1376 wrote to memory of 1800	1376	lpksetup.exe
PID 1376 wrote to memory of 1800	1376	lpksetup.exe
PID 1376 wrote to memory of 1460	1376	lpksetup.exe
PID 1376 wrote to memory of 1460	1376	lpksetup.exe
PID 1376 wrote to memory of 1460	1376	lpksetup.exe
PID 1376 wrote to memory of 1644	1376	calc.exe
PID 1376 wrote to memory of 1644	1376	calc.exe
PID 1376 wrote to memory of 1644	1376	calc.exe
PID 1376 wrote to memory of 696	1376	calc.exe
PID 1376 wrote to memory of 696	1376	calc.exe
PID 1376 wrote to memory of 696	1376	calc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f10d52854a4e7eb1eb2045e481d7c4a4fa84c9f3bf698de800f055f7bfd04a9.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
1⤵
PID:1956

C:\Users\Admin\AppData\Local\szpdr\wscript.exe
C:\Users\Admin\AppData\Local\szpdr\wscript.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:584

C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
1⤵
PID:1800

C:\Users\Admin\AppData\Local\wuo9OG3Uy\lpksetup.exe
C:\Users\Admin\AppData\Local\wuo9OG3Uy\lpksetup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1460

C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
1⤵
PID:1644

C:\Users\Admin\AppData\Local\dOJ4X\calc.exe
C:\Users\Admin\AppData\Local\dOJ4X\calc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\dOJ4X\WINMM.dll
Filesize
693KB

MD5
423413ab5e6821d67574db2d017c2267

SHA1
7234cd83c10ab5cba0b61779ac8b302d24d15925

SHA256
7b5cf3f1a79cee374b26f0b29eaeeb0a271b27a80f5d886e133983f770feffd1

SHA512
355db1b060d49ef05ac52c4b4f6aac440c90fd587004e76b426af807fe08a0f0d993b5a7f461bb5af8e101ee52d9425f5b5f029266d76e3124ae26b3c0cf8950

Download Submit
C:\Users\Admin\AppData\Local\dOJ4X\calc.exe
Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
C:\Users\Admin\AppData\Local\szpdr\VERSION.dll
Filesize
688KB

MD5
c1b7eec93166179b8e2ead5f5b9fff80

SHA1
895ba485e6700792477f96591be892b6dffc65e5

SHA256
6b47f37c426555a0e79acf8cad9597e6bc062aae88d37ba8a5d2e9e7f8a7209f

SHA512
0fe2d062861c54b994ae9d1671db0d19c520987f5eca985b39d773b8f9cc4484161a68efe9102fdcc10e1c7940f229665694fb6e83b4e3d2085e18dfb81aa343

Download Submit
C:\Users\Admin\AppData\Local\szpdr\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
C:\Users\Admin\AppData\Local\wuo9OG3Uy\dpx.dll
Filesize
688KB

MD5
a171b0b8774fa682878dc5ff731941f0

SHA1
cc1948dc75841983aa781968f7fab6d0b7d2370f

SHA256
a379eec3f60372e49a212623f003052b449625006b5cd05224de401f1e4b1ce7

SHA512
b028f0bc0572f80d136045ad316e8ec60e19a20487d2043b5101c73ae988c5eebb82afe67cd4a358c771250534d7c4c59bb7de09c6c80f66c2865f892921ce07

Download Submit
C:\Users\Admin\AppData\Local\wuo9OG3Uy\lpksetup.exe
Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Local\dOJ4X\WINMM.dll
Filesize
693KB

MD5
423413ab5e6821d67574db2d017c2267

SHA1
7234cd83c10ab5cba0b61779ac8b302d24d15925

SHA256
7b5cf3f1a79cee374b26f0b29eaeeb0a271b27a80f5d886e133983f770feffd1

SHA512
355db1b060d49ef05ac52c4b4f6aac440c90fd587004e76b426af807fe08a0f0d993b5a7f461bb5af8e101ee52d9425f5b5f029266d76e3124ae26b3c0cf8950

Download Submit
\Users\Admin\AppData\Local\dOJ4X\calc.exe
Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
\Users\Admin\AppData\Local\szpdr\VERSION.dll
Filesize
688KB

MD5
c1b7eec93166179b8e2ead5f5b9fff80

SHA1
895ba485e6700792477f96591be892b6dffc65e5

SHA256
6b47f37c426555a0e79acf8cad9597e6bc062aae88d37ba8a5d2e9e7f8a7209f

SHA512
0fe2d062861c54b994ae9d1671db0d19c520987f5eca985b39d773b8f9cc4484161a68efe9102fdcc10e1c7940f229665694fb6e83b4e3d2085e18dfb81aa343

Download Submit
\Users\Admin\AppData\Local\szpdr\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\szpdr\wscript.exe
Filesize
165KB

MD5
8886e0697b0a93c521f99099ef643450

SHA1
851bd390bf559e702b8323062dbeb251d9f2f6f7

SHA256
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f

SHA512
fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

Download Submit
\Users\Admin\AppData\Local\wuo9OG3Uy\dpx.dll
Filesize
688KB

MD5
a171b0b8774fa682878dc5ff731941f0

SHA1
cc1948dc75841983aa781968f7fab6d0b7d2370f

SHA256
a379eec3f60372e49a212623f003052b449625006b5cd05224de401f1e4b1ce7

SHA512
b028f0bc0572f80d136045ad316e8ec60e19a20487d2043b5101c73ae988c5eebb82afe67cd4a358c771250534d7c4c59bb7de09c6c80f66c2865f892921ce07

Download Submit
\Users\Admin\AppData\Local\wuo9OG3Uy\lpksetup.exe
Filesize
638KB

MD5
50d28f3f8b7c17056520c80a29efe17c

SHA1
1b1e62be0a0bdc9aec2e91842c35381297d8f01e

SHA256
71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f

SHA512
92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

Download Submit
\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\bjQ\calc.exe
Filesize
897KB

MD5
10e4a1d2132ccb5c6759f038cdb6f3c9

SHA1
42d36eeb2140441b48287b7cd30b38105986d68f

SHA256
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

SHA512
9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

Download Submit
memory/584-79-0x0000000000000000-mapping.dmp

Download
memory/584-83-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/584-86-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/696-98-0x0000000000000000-mapping.dmp

Download
memory/696-103-0x0000000140000000-0x00000001400B3000-memory.dmp

Filesize
716KB

Download
memory/696-106-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/864-54-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/864-57-0x00000000001A0000-0x00000000001A7000-memory.dmp

Filesize
28KB

Download
memory/1376-65-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1376-62-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1376-76-0x0000000077070000-0x0000000077072000-memory.dmp

Filesize
8KB

Download
memory/1376-72-0x00000000026C0000-0x00000000026C7000-memory.dmp

Filesize
28KB

Download
memory/1376-58-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1376-59-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1376-66-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1376-63-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1376-64-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1376-61-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1376-60-0x0000000140000000-0x00000001400B1000-memory.dmp

Filesize
708KB

Download
memory/1460-88-0x0000000000000000-mapping.dmp

Download
memory/1460-96-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/1460-90-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads