dridex | 10ecb5242bcd516a33c3fcbfd6f7c9b6237e4e9786e0e0c3923475621eb1e833

Analysis

max time kernel
168s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10ecb5242bcd516a33c3fcbfd6f7c9b6237e4e9786e0e0c3923475621eb1e833.dll
Size

884KB
MD5

8127fafd69a7f4a1d9822e0a12d378a4
SHA1

a29bf5dd2b66d78e5561c9a994617b1c1ea38103
SHA256

10ecb5242bcd516a33c3fcbfd6f7c9b6237e4e9786e0e0c3923475621eb1e833
SHA512

5791c73c9f367e52d541bd05b58e4c930603173f3813724e29fcd26d0a94a2feb8749cc519c25cc43d0ee91b6ebe3d30f19ebb84e4289b35a132af912173c8a3

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1292-54-0x00000000021D0000-0x00000000021D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

AdapterTroubleshooter.exerekeywiz.exedpnsvr.exe

pid process

1684 AdapterTroubleshooter.exe
1220 rekeywiz.exe
1944 dpnsvr.exe
Loads dropped DLL 7 IoCs

Processes:

AdapterTroubleshooter.exerekeywiz.exedpnsvr.exe

pid process

1292
1684 AdapterTroubleshooter.exe
1292
1220 rekeywiz.exe
1292
1944 dpnsvr.exe
1292

pid	process
1684	AdapterTroubleshooter.exe
1220	rekeywiz.exe
1944	dpnsvr.exe

pid	process
1292
1684	AdapterTroubleshooter.exe
1292
1220	rekeywiz.exe
1292
1944	dpnsvr.exe
1292

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evgmngveltmlhb = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\FZx5TL03\\rekeywiz.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeAdapterTroubleshooter.exerekeywiz.exedpnsvr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdapterTroubleshooter.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeAdapterTroubleshooter.exe

pid	process
1972	rundll32.exe
1972	rundll32.exe
1972	rundll32.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292
1684	AdapterTroubleshooter.exe
1684	AdapterTroubleshooter.exe
1292
1292
1292
1292
1292
1292
1292
1292
1292
1292

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1292 wrote to memory of 1284	1292	AdapterTroubleshooter.exe
PID 1292 wrote to memory of 1284	1292	AdapterTroubleshooter.exe
PID 1292 wrote to memory of 1284	1292	AdapterTroubleshooter.exe
PID 1292 wrote to memory of 1684	1292	AdapterTroubleshooter.exe
PID 1292 wrote to memory of 1684	1292	AdapterTroubleshooter.exe
PID 1292 wrote to memory of 1684	1292	AdapterTroubleshooter.exe
PID 1292 wrote to memory of 608	1292	rekeywiz.exe
PID 1292 wrote to memory of 608	1292	rekeywiz.exe
PID 1292 wrote to memory of 608	1292	rekeywiz.exe
PID 1292 wrote to memory of 1220	1292	rekeywiz.exe
PID 1292 wrote to memory of 1220	1292	rekeywiz.exe
PID 1292 wrote to memory of 1220	1292	rekeywiz.exe
PID 1292 wrote to memory of 2020	1292	dpnsvr.exe
PID 1292 wrote to memory of 2020	1292	dpnsvr.exe
PID 1292 wrote to memory of 2020	1292	dpnsvr.exe
PID 1292 wrote to memory of 1944	1292	dpnsvr.exe
PID 1292 wrote to memory of 1944	1292	dpnsvr.exe
PID 1292 wrote to memory of 1944	1292	dpnsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10ecb5242bcd516a33c3fcbfd6f7c9b6237e4e9786e0e0c3923475621eb1e833.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
1⤵
PID:1284

C:\Users\Admin\AppData\Local\MB4MOvPVE\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\MB4MOvPVE\AdapterTroubleshooter.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\a2uvIK2er\rekeywiz.exe
C:\Users\Admin\AppData\Local\a2uvIK2er\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1220

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:2020

C:\Users\Admin\AppData\Local\5n7k\dpnsvr.exe
C:\Users\Admin\AppData\Local\5n7k\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1944

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5n7k\WINMM.dll
Filesize
890KB

MD5
480b52b4479f54bb8d4b2cd6cb204a18

SHA1
8b514ea644b6872961240cd5b223ae8b95a8b3cd

SHA256
83414085bdccdbee3f1bea74742fdbe60a28c0f5a2217ef79535bf8a85610784

SHA512
95f08f8605d98ade27868e02ce6dc1b6136e7484162a0a3a892b48e407579facdd3b899578e678c59827497299a05d32eb9a5cffb16867e158c7c31bc27c068a

Download Submit
C:\Users\Admin\AppData\Local\5n7k\dpnsvr.exe
Filesize
33KB

MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
C:\Users\Admin\AppData\Local\MB4MOvPVE\AdapterTroubleshooter.exe
Filesize
39KB

MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
C:\Users\Admin\AppData\Local\MB4MOvPVE\d3d9.dll
Filesize
885KB

MD5
c6005132279cd7de0e225bcee37863e6

SHA1
cc5030f14ba585c12cba9b1a9942833967724218

SHA256
c3784afee6249310eddad08e53ec0968040481884e6726dec881e5dcb08078c7

SHA512
d6d723d8241459e702c2cc1355f86cc4c1c3cab008736d06dfbdac9438bbf656f6c205da51e0c73380056d9b10a8cf33c41452a153ac642602a70158bb573c3b

Download Submit
C:\Users\Admin\AppData\Local\a2uvIK2er\rekeywiz.exe
Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
C:\Users\Admin\AppData\Local\a2uvIK2er\slc.dll
Filesize
886KB

MD5
1e9671ec71ff24a588342be36ccd656d

SHA1
308ba64eefd5f9387aea6ffd50d8bfa2e6a6f1e5

SHA256
036a801f0baeb96831c20848e65d3354d95f9a168d6c0c7658775c4d29eaa41e

SHA512
1eed57ee3fa227b4baa9514e8efbc6a046c107c94d31bb007d2375dc2cd52f3671c659b3b634d90900bbea0181e60a5ed87486bf427aee76c7d2fae6edd4cba6

Download Submit
\Users\Admin\AppData\Local\5n7k\WINMM.dll
Filesize
890KB

MD5
480b52b4479f54bb8d4b2cd6cb204a18

SHA1
8b514ea644b6872961240cd5b223ae8b95a8b3cd

SHA256
83414085bdccdbee3f1bea74742fdbe60a28c0f5a2217ef79535bf8a85610784

SHA512
95f08f8605d98ade27868e02ce6dc1b6136e7484162a0a3a892b48e407579facdd3b899578e678c59827497299a05d32eb9a5cffb16867e158c7c31bc27c068a

Download Submit
\Users\Admin\AppData\Local\5n7k\dpnsvr.exe
Filesize
33KB

MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
\Users\Admin\AppData\Local\MB4MOvPVE\AdapterTroubleshooter.exe
Filesize
39KB

MD5
d4170c9ff5b2f85b0ce0246033d26919

SHA1
a76118e8775e16237cf00f2fb79718be0dc84db1

SHA256
d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da

SHA512
9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

Download Submit
\Users\Admin\AppData\Local\MB4MOvPVE\d3d9.dll
Filesize
885KB

MD5
c6005132279cd7de0e225bcee37863e6

SHA1
cc5030f14ba585c12cba9b1a9942833967724218

SHA256
c3784afee6249310eddad08e53ec0968040481884e6726dec881e5dcb08078c7

SHA512
d6d723d8241459e702c2cc1355f86cc4c1c3cab008736d06dfbdac9438bbf656f6c205da51e0c73380056d9b10a8cf33c41452a153ac642602a70158bb573c3b

Download Submit
\Users\Admin\AppData\Local\a2uvIK2er\rekeywiz.exe
Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
\Users\Admin\AppData\Local\a2uvIK2er\slc.dll
Filesize
886KB

MD5
1e9671ec71ff24a588342be36ccd656d

SHA1
308ba64eefd5f9387aea6ffd50d8bfa2e6a6f1e5

SHA256
036a801f0baeb96831c20848e65d3354d95f9a168d6c0c7658775c4d29eaa41e

SHA512
1eed57ee3fa227b4baa9514e8efbc6a046c107c94d31bb007d2375dc2cd52f3671c659b3b634d90900bbea0181e60a5ed87486bf427aee76c7d2fae6edd4cba6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NWRUay\dpnsvr.exe
Filesize
33KB

MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
memory/1220-74-0x0000000000000000-mapping.dmp

Download
memory/1220-76-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1292-64-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-54-0x00000000021D0000-0x00000000021D1000-memory.dmp

Filesize
4KB

Download
memory/1292-60-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-63-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-66-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-67-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/1292-61-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-55-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-62-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-65-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-59-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-56-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-58-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1292-57-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/1684-69-0x0000000000000000-mapping.dmp

Download
memory/1944-80-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads