dridex | a0a7108d7f34ff577b4a8db39b03563800dc3700d33e2f9829c057b93bde7aa6

Analysis

max time kernel
152s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0a7108d7f34ff577b4a8db39b03563800dc3700d33e2f9829c057b93bde7aa6.dll
Size

1.2MB
MD5

928e03c371cf2e36675fe8aaf3651b8f
SHA1

60a06ac1dee727b35f783c8da28426100d4ba527
SHA256

a0a7108d7f34ff577b4a8db39b03563800dc3700d33e2f9829c057b93bde7aa6
SHA512

24511d0641f02a0a762c47831d4bd64ca2e65a4573afeba8facb463d88275dc2d858e10b2e633260a0d623ce81d3d16ad79bca6b4cbc17409e2fc1a26d625d99

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/4648-130-0x0000000140000000-0x0000000140140000-memory.dmp	dridex_payload
behavioral2/memory/4940-163-0x0000000140000000-0x0000000140141000-memory.dmp	dridex_payload

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2480-134-0x00000000006D0000-0x00000000006D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

ddodiag.exeDisplaySwitch.exeApplicationFrameHost.exe

pid process

4940 ddodiag.exe
2312 DisplaySwitch.exe
892 ApplicationFrameHost.exe
Loads dropped DLL 3 IoCs

Processes:

ddodiag.exeDisplaySwitch.exeApplicationFrameHost.exe

pid process

4940 ddodiag.exe
2312 DisplaySwitch.exe
892 ApplicationFrameHost.exe

pid	process
4940	ddodiag.exe
2312	DisplaySwitch.exe
892	ApplicationFrameHost.exe

pid	process
4940	ddodiag.exe
2312	DisplaySwitch.exe
892	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wurgjldbctt = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Lv\\DisplaySwitch.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ApplicationFrameHost.exerundll32.exeddodiag.exeDisplaySwitch.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
4648	rundll32.exe
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480
2480

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2480

pid	process
2480

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2480 wrote to memory of 4612	2480	ddodiag.exe
PID 2480 wrote to memory of 4612	2480	ddodiag.exe
PID 2480 wrote to memory of 4940	2480	ddodiag.exe
PID 2480 wrote to memory of 4940	2480	ddodiag.exe
PID 2480 wrote to memory of 4984	2480	DisplaySwitch.exe
PID 2480 wrote to memory of 4984	2480	DisplaySwitch.exe
PID 2480 wrote to memory of 2312	2480	DisplaySwitch.exe
PID 2480 wrote to memory of 2312	2480	DisplaySwitch.exe
PID 2480 wrote to memory of 2624	2480	ApplicationFrameHost.exe
PID 2480 wrote to memory of 2624	2480	ApplicationFrameHost.exe
PID 2480 wrote to memory of 892	2480	ApplicationFrameHost.exe
PID 2480 wrote to memory of 892	2480	ApplicationFrameHost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0a7108d7f34ff577b4a8db39b03563800dc3700d33e2f9829c057b93bde7aa6.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:4612

C:\Users\Admin\AppData\Local\VkRobpclu\ddodiag.exe
C:\Users\Admin\AppData\Local\VkRobpclu\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4940

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:4984

C:\Users\Admin\AppData\Local\oVoABqFd\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\oVoABqFd\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2312

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:2624

C:\Users\Admin\AppData\Local\rQl\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\rQl\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\VkRobpclu\XmlLite.dll
Filesize
1.2MB

MD5
681851afcca8c3b89c654aa23af8dae6

SHA1
ea88c88e003b03b9172c50d6b25b9f0e97bccee8

SHA256
bab5e7aa9af9bee570d6583ced4bdf5eaade513680992b8da77d9718eaed35a4

SHA512
35c4d1d05b348d7075b7e0ce7402ad6d0c96e5aeeec93dcbccba6be8470c34fbb1656bcd9e0f01d4742a8b1fdbf11b13491cd84a2817748a1cb1db3910dd48e3

Download Submit
C:\Users\Admin\AppData\Local\VkRobpclu\XmlLite.dll
Filesize
1.2MB

MD5
681851afcca8c3b89c654aa23af8dae6

SHA1
ea88c88e003b03b9172c50d6b25b9f0e97bccee8

SHA256
bab5e7aa9af9bee570d6583ced4bdf5eaade513680992b8da77d9718eaed35a4

SHA512
35c4d1d05b348d7075b7e0ce7402ad6d0c96e5aeeec93dcbccba6be8470c34fbb1656bcd9e0f01d4742a8b1fdbf11b13491cd84a2817748a1cb1db3910dd48e3

Download Submit
C:\Users\Admin\AppData\Local\VkRobpclu\ddodiag.exe
Filesize
39KB

MD5
85feee634a6aee90f0108e26d3d9bc1f

SHA1
a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

SHA256
99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

SHA512
b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Download Submit
C:\Users\Admin\AppData\Local\oVoABqFd\DisplaySwitch.exe
Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\oVoABqFd\UxTheme.dll
Filesize
1.2MB

MD5
12f98a886a05917de918b014956d57a3

SHA1
5d666445e45912781880094e260d8df296bc1c03

SHA256
fbf0163d1ed0d5964a5c89f935766e5cef4b17c0b3353669ec606a8befece343

SHA512
088c4823f40ddffad694fc213d91a068f3882b7c1d4b2aeafe6c82f3b39151a944b5beea88a1649151c452732a06b80a3a1885f154c0517abfbd9e20ae1a8fd6

Download Submit
C:\Users\Admin\AppData\Local\oVoABqFd\UxTheme.dll
Filesize
1.2MB

MD5
12f98a886a05917de918b014956d57a3

SHA1
5d666445e45912781880094e260d8df296bc1c03

SHA256
fbf0163d1ed0d5964a5c89f935766e5cef4b17c0b3353669ec606a8befece343

SHA512
088c4823f40ddffad694fc213d91a068f3882b7c1d4b2aeafe6c82f3b39151a944b5beea88a1649151c452732a06b80a3a1885f154c0517abfbd9e20ae1a8fd6

Download Submit
C:\Users\Admin\AppData\Local\rQl\ApplicationFrameHost.exe
Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\rQl\dxgi.dll
Filesize
1.2MB

MD5
71644e4e2291e35fbb629650e0dd7f14

SHA1
0dd063db2fa9737c28c3f046df887e00d850482e

SHA256
5035a17350731803611951f957398e3cdf982e98fb0143f04146d0b8f6ae786d

SHA512
d6faf558e0875afe4a723dbb0920df3f495549d3f026577a56c81d8c7ca8c520031af226ec26bfdc8bade45dc57fc6e2af0fa643741adb5860c7becc332d9a6e

Download Submit
C:\Users\Admin\AppData\Local\rQl\dxgi.dll
Filesize
1.2MB

MD5
71644e4e2291e35fbb629650e0dd7f14

SHA1
0dd063db2fa9737c28c3f046df887e00d850482e

SHA256
5035a17350731803611951f957398e3cdf982e98fb0143f04146d0b8f6ae786d

SHA512
d6faf558e0875afe4a723dbb0920df3f495549d3f026577a56c81d8c7ca8c520031af226ec26bfdc8bade45dc57fc6e2af0fa643741adb5860c7becc332d9a6e

Download Submit
memory/892-175-0x0000000000000000-mapping.dmp

Download
memory/892-182-0x0000023A7BB30000-0x0000023A7BB37000-memory.dmp

Filesize
28KB

Download
memory/2312-172-0x0000015BEDA70000-0x0000015BEDA77000-memory.dmp

Filesize
28KB

Download
memory/2312-167-0x0000000000000000-mapping.dmp

Download
memory/2480-156-0x00007FFD6ACCC000-0x00007FFD6ACCD000-memory.dmp

Filesize
4KB

Download
memory/2480-143-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-155-0x00007FFD6ACFC000-0x00007FFD6ACFD000-memory.dmp

Filesize
4KB

Download
memory/2480-137-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-157-0x00000000006C0000-0x00000000006C7000-memory.dmp

Filesize
28KB

Download
memory/2480-158-0x00007FFD6AC10000-0x00007FFD6AC20000-memory.dmp

Filesize
64KB

Download
memory/2480-146-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-145-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-144-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-136-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-135-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-134-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2480-142-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-141-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-140-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-139-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2480-138-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4648-133-0x000002C00EEB0000-0x000002C00EEB7000-memory.dmp

Filesize
28KB

Download
memory/4648-130-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4940-159-0x0000000000000000-mapping.dmp

Download
memory/4940-166-0x0000018CD52E0000-0x0000018CD52E7000-memory.dmp

Filesize
28KB

Download
memory/4940-163-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download