dridex | 8d5eff954d4007b82f25726e186a63c143a7ff8d08a5ef97b126af4b1b59e420

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d5eff954d4007b82f25726e186a63c143a7ff8d08a5ef97b126af4b1b59e420.dll
Size

1000KB
MD5

d7a528bb13724df58aaa94592ae77705
SHA1

645926db80190683e6da70f5c1ef23064de9e112
SHA256

8d5eff954d4007b82f25726e186a63c143a7ff8d08a5ef97b126af4b1b59e420
SHA512

4bff9527c37b785d468bb0162ce1904d340f87ef1ad713f055380f39e9af338efc539238939bc68bfe09cd0f678bed0caf26d3640abdadcc12390fa257d77abc

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1384-59-0x0000000002170000-0x0000000002171000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

dccw.exedwm.exerrinstaller.exe

pid process

320 dccw.exe
340 dwm.exe
2016 rrinstaller.exe
Loads dropped DLL 7 IoCs

Processes:

dccw.exedwm.exerrinstaller.exe

pid process

1384
320 dccw.exe
1384
340 dwm.exe
1384
2016 rrinstaller.exe
1384

pid	process
320	dccw.exe
340	dwm.exe
2016	rrinstaller.exe

pid	process
1384
320	dccw.exe
1384
340	dwm.exe
1384
2016	rrinstaller.exe
1384

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gcehmtlftxqmyqm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\CBSIMT~1\\dwm.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedccw.exedwm.exerrinstaller.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dccw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exedccw.exe

pid	process
776	rundll32.exe
776	rundll32.exe
776	rundll32.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
320	dccw.exe
320	dccw.exe
1384
1384
1384
1384
1384
1384
1384
1384

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1384 wrote to memory of 528	1384	dccw.exe
PID 1384 wrote to memory of 528	1384	dccw.exe
PID 1384 wrote to memory of 528	1384	dccw.exe
PID 1384 wrote to memory of 320	1384	dccw.exe
PID 1384 wrote to memory of 320	1384	dccw.exe
PID 1384 wrote to memory of 320	1384	dccw.exe
PID 1384 wrote to memory of 540	1384	dwm.exe
PID 1384 wrote to memory of 540	1384	dwm.exe
PID 1384 wrote to memory of 540	1384	dwm.exe
PID 1384 wrote to memory of 340	1384	dwm.exe
PID 1384 wrote to memory of 340	1384	dwm.exe
PID 1384 wrote to memory of 340	1384	dwm.exe
PID 1384 wrote to memory of 880	1384	rrinstaller.exe
PID 1384 wrote to memory of 880	1384	rrinstaller.exe
PID 1384 wrote to memory of 880	1384	rrinstaller.exe
PID 1384 wrote to memory of 2016	1384	rrinstaller.exe
PID 1384 wrote to memory of 2016	1384	rrinstaller.exe
PID 1384 wrote to memory of 2016	1384	rrinstaller.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d5eff954d4007b82f25726e186a63c143a7ff8d08a5ef97b126af4b1b59e420.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:776

C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
1⤵
PID:528

C:\Users\Admin\AppData\Local\2c2RJ7Qa\dccw.exe
C:\Users\Admin\AppData\Local\2c2RJ7Qa\dccw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:540

C:\Users\Admin\AppData\Local\ZRaK1\dwm.exe
C:\Users\Admin\AppData\Local\ZRaK1\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:340

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:880

C:\Users\Admin\AppData\Local\0GJ6PC3J\rrinstaller.exe
C:\Users\Admin\AppData\Local\0GJ6PC3J\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0GJ6PC3J\MFPlat.DLL
Filesize
1006KB

MD5
2b2e2a65f2b2a1ea6f080e237fdd7c66

SHA1
a8513f0d5f4d2b16912b080af385fb3c6ac1a625

SHA256
4ad543212324fe3a8767ef89fcebf3377b880f0ee1c44a6e77273f047d52e3bd

SHA512
18b720061307538b19c517ce78392a4e37ee5b6c1cf2d547b0ecb96d87b54444fbd43aec55fba45abcacdebaeee9437c3c45907e5881410a614b3f453904b3c4

Download Submit
C:\Users\Admin\AppData\Local\0GJ6PC3J\rrinstaller.exe
Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
C:\Users\Admin\AppData\Local\2c2RJ7Qa\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
C:\Users\Admin\AppData\Local\2c2RJ7Qa\dxva2.dll
Filesize
1002KB

MD5
cde4e0088159dc3aeaee8b86c1d24638

SHA1
708909d42d5206f3b211a26179a3c33a949695d0

SHA256
9b6b4eda79107ffc5414535a774e8bd8eeb57c8f7d24352f94ec431638c4d2d3

SHA512
4a1ac7d8562e7f4a6f371917683aaebc8f39a0269c3f5f50d24abcded3d469f66b8f615af3e21756731177db2eb74978e5f21a7374bdc6b8372d3d0479d03599

Download Submit
C:\Users\Admin\AppData\Local\ZRaK1\UxTheme.dll
Filesize
1003KB

MD5
a269235b1dff2f8898866d71850a8101

SHA1
ba9ba3c0424043af5f85eb4371cdbd7185d85751

SHA256
77ac60c132d80cd38df1029f8fd77a41f12db66a9844c628a3b08bf92ee82aa5

SHA512
cc5bf6f68029cd84d4a34bbf52adc2704c22b286239284d4dcf92f4bd9124c6c243b66ed6fe73f07c4ef0f4bebd6d60c2e35af17ad492d8f09b291ddd6fcf60f

Download Submit
C:\Users\Admin\AppData\Local\ZRaK1\dwm.exe
Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
C:\Users\Admin\AppData\Local\ZRaK1\dwm.exe
Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Local\0GJ6PC3J\MFPlat.DLL
Filesize
1006KB

MD5
2b2e2a65f2b2a1ea6f080e237fdd7c66

SHA1
a8513f0d5f4d2b16912b080af385fb3c6ac1a625

SHA256
4ad543212324fe3a8767ef89fcebf3377b880f0ee1c44a6e77273f047d52e3bd

SHA512
18b720061307538b19c517ce78392a4e37ee5b6c1cf2d547b0ecb96d87b54444fbd43aec55fba45abcacdebaeee9437c3c45907e5881410a614b3f453904b3c4

Download Submit
\Users\Admin\AppData\Local\0GJ6PC3J\rrinstaller.exe
Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
\Users\Admin\AppData\Local\2c2RJ7Qa\dccw.exe
Filesize
861KB

MD5
a46cee731351eb4146db8e8a63a5c520

SHA1
8ea441e4a77642e12987ac842b36034230edd731

SHA256
283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5

SHA512
3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

Download Submit
\Users\Admin\AppData\Local\2c2RJ7Qa\dxva2.dll
Filesize
1002KB

MD5
cde4e0088159dc3aeaee8b86c1d24638

SHA1
708909d42d5206f3b211a26179a3c33a949695d0

SHA256
9b6b4eda79107ffc5414535a774e8bd8eeb57c8f7d24352f94ec431638c4d2d3

SHA512
4a1ac7d8562e7f4a6f371917683aaebc8f39a0269c3f5f50d24abcded3d469f66b8f615af3e21756731177db2eb74978e5f21a7374bdc6b8372d3d0479d03599

Download Submit
\Users\Admin\AppData\Local\ZRaK1\UxTheme.dll
Filesize
1003KB

MD5
a269235b1dff2f8898866d71850a8101

SHA1
ba9ba3c0424043af5f85eb4371cdbd7185d85751

SHA256
77ac60c132d80cd38df1029f8fd77a41f12db66a9844c628a3b08bf92ee82aa5

SHA512
cc5bf6f68029cd84d4a34bbf52adc2704c22b286239284d4dcf92f4bd9124c6c243b66ed6fe73f07c4ef0f4bebd6d60c2e35af17ad492d8f09b291ddd6fcf60f

Download Submit
\Users\Admin\AppData\Local\ZRaK1\dwm.exe
Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\UQASBYVA\ZIAg1zAvMU\rrinstaller.exe
Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
memory/320-86-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/320-91-0x0000000000170000-0x0000000000177000-memory.dmp

Filesize
28KB

Download
memory/320-87-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/320-82-0x0000000000000000-mapping.dmp

Download
memory/340-103-0x0000000001990000-0x0000000001997000-memory.dmp

Filesize
28KB

Download
memory/340-93-0x0000000000000000-mapping.dmp

Download
memory/776-58-0x0000000001CA0000-0x0000000001CA7000-memory.dmp

Filesize
28KB

Download
memory/776-54-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-69-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-61-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-79-0x0000000002150000-0x0000000002157000-memory.dmp

Filesize
28KB

Download
memory/1384-63-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-67-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-64-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-68-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-65-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-62-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-80-0x0000000077400000-0x0000000077402000-memory.dmp

Filesize
8KB

Download
memory/1384-70-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-60-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/1384-59-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/1384-66-0x0000000140000000-0x0000000140101000-memory.dmp

Filesize
1.0MB

Download
memory/2016-109-0x0000000140000000-0x0000000140103000-memory.dmp

Filesize
1.0MB

Download
memory/2016-113-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2016-105-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads