dridex | 7267885574387dc8769908893f2c1ba297a0e4da0798105e1301247df2d8b97a

Analysis

max time kernel
147s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7267885574387dc8769908893f2c1ba297a0e4da0798105e1301247df2d8b97a.dll
Size

1.2MB
MD5

513fc64fd591db4f601b9ce9f2da15e0
SHA1

c26e626dcf7c5328675ea73a672ff1b5d27d44a8
SHA256

7267885574387dc8769908893f2c1ba297a0e4da0798105e1301247df2d8b97a
SHA512

a120c47877119d939776c1532592a5b788b8af2185ad15a00fb466c07b916a7f46ac815cd1f2cf19f1974690d29bb812b4c664aa1a47199bc4f10788b2a6e8b1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Payload 2 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1672-54-0x0000000140000000-0x000000014013F000-memory.dmp	dridex_payload
behavioral1/memory/1680-84-0x0000000140000000-0x0000000140140000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

javaws.exeDisplaySwitch.exetaskmgr.exe

pid process

1680 javaws.exe
924 DisplaySwitch.exe
1560 taskmgr.exe
Loads dropped DLL 7 IoCs

Processes:

javaws.exeDisplaySwitch.exetaskmgr.exe

pid process

1200
1680 javaws.exe
1200
924 DisplaySwitch.exe
1200
1560 taskmgr.exe
1200

pid	process
1680	javaws.exe
924	DisplaySwitch.exe
1560	taskmgr.exe

pid	process
1200
1680	javaws.exe
1200
924	DisplaySwitch.exe
1200
1560	taskmgr.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pvcyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\kYtUug0\\DISPLA~1.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exejavaws.exeDisplaySwitch.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	javaws.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exejavaws.exeDisplaySwitch.exetaskmgr.exe

pid	process
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1680	javaws.exe
1680	javaws.exe
1200
1200
1200
1200
1200
1200
924	DisplaySwitch.exe
924	DisplaySwitch.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1560	taskmgr.exe
1560	taskmgr.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 1744	1200	javaws.exe
PID 1200 wrote to memory of 1744	1200	javaws.exe
PID 1200 wrote to memory of 1744	1200	javaws.exe
PID 1200 wrote to memory of 1680	1200	javaws.exe
PID 1200 wrote to memory of 1680	1200	javaws.exe
PID 1200 wrote to memory of 1680	1200	javaws.exe
PID 1200 wrote to memory of 1784	1200	DisplaySwitch.exe
PID 1200 wrote to memory of 1784	1200	DisplaySwitch.exe
PID 1200 wrote to memory of 1784	1200	DisplaySwitch.exe
PID 1200 wrote to memory of 924	1200	DisplaySwitch.exe
PID 1200 wrote to memory of 924	1200	DisplaySwitch.exe
PID 1200 wrote to memory of 924	1200	DisplaySwitch.exe
PID 1200 wrote to memory of 1272	1200	taskmgr.exe
PID 1200 wrote to memory of 1272	1200	taskmgr.exe
PID 1200 wrote to memory of 1272	1200	taskmgr.exe
PID 1200 wrote to memory of 1560	1200	taskmgr.exe
PID 1200 wrote to memory of 1560	1200	taskmgr.exe
PID 1200 wrote to memory of 1560	1200	taskmgr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7267885574387dc8769908893f2c1ba297a0e4da0798105e1301247df2d8b97a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1672

C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
1⤵
PID:1744

C:\Users\Admin\AppData\Local\VRVfex\javaws.exe
C:\Users\Admin\AppData\Local\VRVfex\javaws.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:1784

C:\Users\Admin\AppData\Local\lC3e0\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\lC3e0\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:924

C:\Windows\system32\taskmgr.exe
C:\Windows\system32\taskmgr.exe
1⤵
PID:1272

C:\Users\Admin\AppData\Local\oMwyM8oZ5\taskmgr.exe
C:\Users\Admin\AppData\Local\oMwyM8oZ5\taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1560

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\VRVfex\VERSION.dll
Filesize
1.2MB

MD5
577a280c0359164ba8a716ff93ed5a07

SHA1
7a0f1e8738af83420f5e2767a7dccc212a42a2f8

SHA256
67a090c6927e259c16f8c649d4f297fda1fb23c92a36728576652f5094e16a71

SHA512
fb8673c7519f0d09e4695614954d399176a3c71895516a7862d4d747f98a978d48350182d29d4adf6dd6d306fde82ce5e63367258823b9fe9e7477d694a7229a

Download Submit
C:\Users\Admin\AppData\Local\VRVfex\javaws.exe
Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
C:\Users\Admin\AppData\Local\lC3e0\DisplaySwitch.exe
Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
C:\Users\Admin\AppData\Local\lC3e0\slc.dll
Filesize
1.2MB

MD5
5c6f202005d182c574bcfbb5dd171c4a

SHA1
b69a01b08a182deba5648676571c8ea7aafb2f00

SHA256
4ccd280574a41f14469dccb612c34ebb6f8ba37ee4ee2b682a754032cd43025d

SHA512
a9d7cb1e8ba2534599af837bec9beff57130784e6d91bfc291bb986970a9eabc296cd508a8de84d913441ab54aae80dc33727066efd4dfb2df9bbf174b5caf5f

Download Submit
C:\Users\Admin\AppData\Local\oMwyM8oZ5\Secur32.dll
Filesize
1.2MB

MD5
24f4bd8a58e9b3bcc42771b8183b7bd0

SHA1
1cb2f553a28e46ba600e2ae7e5a7e60b10588529

SHA256
dc9959eaaf4e40771daf74a3ca605b9a53ef8fd3d4f75152266af9e8f7cd0d0e

SHA512
bfc1e6726f83c62bd024b8583181608d4d719369ce8525b8fdca16515bf3ee6b08222e1d8521e8dca4f40fb4bb0cfcc9e53730e39cd6e63766f87380e8d5cf1e

Download Submit
C:\Users\Admin\AppData\Local\oMwyM8oZ5\taskmgr.exe
Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
\Users\Admin\AppData\Local\VRVfex\VERSION.dll
Filesize
1.2MB

MD5
577a280c0359164ba8a716ff93ed5a07

SHA1
7a0f1e8738af83420f5e2767a7dccc212a42a2f8

SHA256
67a090c6927e259c16f8c649d4f297fda1fb23c92a36728576652f5094e16a71

SHA512
fb8673c7519f0d09e4695614954d399176a3c71895516a7862d4d747f98a978d48350182d29d4adf6dd6d306fde82ce5e63367258823b9fe9e7477d694a7229a

Download Submit
\Users\Admin\AppData\Local\VRVfex\javaws.exe
Filesize
312KB

MD5
f94bc1a70c942621c4279236df284e04

SHA1
8f46d89c7db415a7f48ccd638963028f63df4e4f

SHA256
be9f8986a6c86d9f77978105d48b59eebfec3b9732dbf19e0f3d48bf7f20120c

SHA512
60edf20ca3cae9802263446af266568d0b5e0692eddcfcfc3b2f9a39327b3184613ca994460b919d17a6edc5936b4da16d9033f5138bcfd9bc0f09d88c8dcd52

Download Submit
\Users\Admin\AppData\Local\lC3e0\DisplaySwitch.exe
Filesize
517KB

MD5
b795e6138e29a37508285fc31e92bd78

SHA1
d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a

SHA256
01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659

SHA512
8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

Download Submit
\Users\Admin\AppData\Local\lC3e0\slc.dll
Filesize
1.2MB

MD5
5c6f202005d182c574bcfbb5dd171c4a

SHA1
b69a01b08a182deba5648676571c8ea7aafb2f00

SHA256
4ccd280574a41f14469dccb612c34ebb6f8ba37ee4ee2b682a754032cd43025d

SHA512
a9d7cb1e8ba2534599af837bec9beff57130784e6d91bfc291bb986970a9eabc296cd508a8de84d913441ab54aae80dc33727066efd4dfb2df9bbf174b5caf5f

Download Submit
\Users\Admin\AppData\Local\oMwyM8oZ5\Secur32.dll
Filesize
1.2MB

MD5
24f4bd8a58e9b3bcc42771b8183b7bd0

SHA1
1cb2f553a28e46ba600e2ae7e5a7e60b10588529

SHA256
dc9959eaaf4e40771daf74a3ca605b9a53ef8fd3d4f75152266af9e8f7cd0d0e

SHA512
bfc1e6726f83c62bd024b8583181608d4d719369ce8525b8fdca16515bf3ee6b08222e1d8521e8dca4f40fb4bb0cfcc9e53730e39cd6e63766f87380e8d5cf1e

Download Submit
\Users\Admin\AppData\Local\oMwyM8oZ5\taskmgr.exe
Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\vxKvVx5Fg\taskmgr.exe
Filesize
251KB

MD5
09f7401d56f2393c6ca534ff0241a590

SHA1
e8b4d84a28e5ea17272416ec45726964fdf25883

SHA256
6766717b8afafe46b5fd66c7082ccce6b382cbea982c73cb651e35dc8187ace1

SHA512
7187a27cd32c1b295c74e36e1b6148a31d602962448b18395a44a721d17daa7271d0cd198edb2ed05ace439746517ffb1bcc11c7f682e09b025c950ea7b83192

Download Submit
memory/924-97-0x0000000001B50000-0x0000000001B57000-memory.dmp

Filesize
28KB

Download
memory/924-91-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/924-89-0x0000000000000000-mapping.dmp

Download
memory/1200-64-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-61-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-70-0x0000000001D90000-0x0000000001D97000-memory.dmp

Filesize
28KB

Download
memory/1200-69-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-58-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-59-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-67-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-68-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-66-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-65-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-60-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-63-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1200-62-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1560-99-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/1672-57-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/1680-80-0x0000000000000000-mapping.dmp

Download
memory/1680-87-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1680-84-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads