dridex | c628d9de914a3bf9ae9ae4ed0f1e5c25e08a87419bdb8292e44ade1c7f09c76d

Analysis

max time kernel
130s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2023 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll
Size

768KB
MD5

bd5cfa593ed87901f8184eaa44c0a8b8
SHA1

963a57fb83ca6361624fb057058ea4fb538015dc
SHA256

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100
SHA512

f6235abb0503db5a7cc7a0f6d2a4682db1491127a4f5700d3f68e15535b838651e1df8a8292643e46febb678e16abe9f36f6990db57db3f58c60ceae186ae489
SSDEEP

12288:4lORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:8ORVEVNmaDznMlqVNE27dJ8J2inNx

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/2704-137-0x0000000000760000-0x0000000000761000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

SppExtComObj.Exeupfc.exetabcal.exe

pid process

4760 SppExtComObj.Exe
1716 upfc.exe
488 tabcal.exe
Loads dropped DLL 3 IoCs

Processes:

SppExtComObj.Exeupfc.exetabcal.exe

pid process

4760 SppExtComObj.Exe
1716 upfc.exe
488 tabcal.exe

pid	process
4760	SppExtComObj.Exe
1716	upfc.exe
488	tabcal.exe

pid	process
4760	SppExtComObj.Exe
1716	upfc.exe
488	tabcal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xjibqlu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\yljY9Etk\\upfc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SppExtComObj.Exeupfc.exetabcal.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SppExtComObj.Exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeSppExtComObj.Exe

pid	process
1332	rundll32.exe
1332	rundll32.exe
1332	rundll32.exe
1332	rundll32.exe
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
2704
4760	SppExtComObj.Exe
4760	SppExtComObj.Exe
2704
2704
2704
2704

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2704

pid	process
2704

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2704 wrote to memory of 3936	2704	SppExtComObj.Exe
PID 2704 wrote to memory of 3936	2704	SppExtComObj.Exe
PID 2704 wrote to memory of 4760	2704	SppExtComObj.Exe
PID 2704 wrote to memory of 4760	2704	SppExtComObj.Exe
PID 2704 wrote to memory of 3856	2704	upfc.exe
PID 2704 wrote to memory of 3856	2704	upfc.exe
PID 2704 wrote to memory of 1716	2704	upfc.exe
PID 2704 wrote to memory of 1716	2704	upfc.exe
PID 2704 wrote to memory of 4468	2704	tabcal.exe
PID 2704 wrote to memory of 4468	2704	tabcal.exe
PID 2704 wrote to memory of 488	2704	tabcal.exe
PID 2704 wrote to memory of 488	2704	tabcal.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
1⤵
PID:3936

C:\Users\Admin\AppData\Local\XC0x\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\XC0x\SppExtComObj.Exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
1⤵
PID:3856

C:\Users\Admin\AppData\Local\0MrPy\upfc.exe
C:\Users\Admin\AppData\Local\0MrPy\upfc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1716

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:4468

C:\Users\Admin\AppData\Local\xLrHj\tabcal.exe
C:\Users\Admin\AppData\Local\xLrHj\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0MrPy\XmlLite.dll
Filesize
768KB

MD5
d5f879685e801e3a824fe8bb95eb6f2e

SHA1
3b385bd66991c384aa75d3c972cf7e81f1a47f5a

SHA256
4b4a275c5b20c683eb1e7bd2506a0191b57d439cdccfc521617ec46fd10e9353

SHA512
5c4eb543183f09831845f9587fd2c0cda73f19836f9d16e5f19f22f4ce8fc4d6104826e0c21ab250da8c882ac70b7f488296506cfd933b1b7adf94652cbf0f63

Download Submit
C:\Users\Admin\AppData\Local\0MrPy\XmlLite.dll
Filesize
768KB

MD5
d5f879685e801e3a824fe8bb95eb6f2e

SHA1
3b385bd66991c384aa75d3c972cf7e81f1a47f5a

SHA256
4b4a275c5b20c683eb1e7bd2506a0191b57d439cdccfc521617ec46fd10e9353

SHA512
5c4eb543183f09831845f9587fd2c0cda73f19836f9d16e5f19f22f4ce8fc4d6104826e0c21ab250da8c882ac70b7f488296506cfd933b1b7adf94652cbf0f63

Download Submit
C:\Users\Admin\AppData\Local\0MrPy\upfc.exe
Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\0MrPy\upfc.exe
Filesize
118KB

MD5
299ea296575ccb9d2c1a779062535d5c

SHA1
2497169c13b0ba46a6be8a1fe493b250094079b7

SHA256
ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2

SHA512
02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

Download Submit
C:\Users\Admin\AppData\Local\XC0x\ACTIVEDS.dll
Filesize
768KB

MD5
ea3f674be659b00748cabbab89b8c831

SHA1
96b5b54b52e03dbd7efbf89f3e20c03478485921

SHA256
0602bb75247df9562be21aa789d485d4bc6da6aa6d3958bb51ba657150d2bd08

SHA512
d4d583e14c057539452be9589adf524a57e57760b8d16a4e47a7c9ec2ecec48a0af377b0c43ce3c530d418ee1b4600f0edac7fb07a34681bcd8ec8eda9115cdd

Download Submit
C:\Users\Admin\AppData\Local\XC0x\ACTIVEDS.dll
Filesize
768KB

MD5
ea3f674be659b00748cabbab89b8c831

SHA1
96b5b54b52e03dbd7efbf89f3e20c03478485921

SHA256
0602bb75247df9562be21aa789d485d4bc6da6aa6d3958bb51ba657150d2bd08

SHA512
d4d583e14c057539452be9589adf524a57e57760b8d16a4e47a7c9ec2ecec48a0af377b0c43ce3c530d418ee1b4600f0edac7fb07a34681bcd8ec8eda9115cdd

Download Submit
C:\Users\Admin\AppData\Local\XC0x\SppExtComObj.Exe
Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Local\XC0x\SppExtComObj.Exe
Filesize
559KB

MD5
728a78909aa69ca0e976e94482350700

SHA1
6508dfcbf37df25cae8ae68cf1fcd4b78084abb7

SHA256
2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c

SHA512
22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1

Download Submit
C:\Users\Admin\AppData\Local\xLrHj\HID.DLL
Filesize
768KB

MD5
e5e73267fdabab00c3af437fb0546677

SHA1
2b8a635120d5dc667eaac00c5676fb7280f38662

SHA256
49eab83dee97c8e6f14440b2729d0d1090cc4d2d3fb070760740a9bc09234d74

SHA512
0ba5e289303a7eb2617b77606de7ab9cbbb4fba3dafea572fd5f15f1e921ef9b6efd179a2ed9e95abd6823f79f0440eb571a94901aae935cd9cc7d0fcc55250a

Download Submit
C:\Users\Admin\AppData\Local\xLrHj\HID.DLL
Filesize
768KB

MD5
e5e73267fdabab00c3af437fb0546677

SHA1
2b8a635120d5dc667eaac00c5676fb7280f38662

SHA256
49eab83dee97c8e6f14440b2729d0d1090cc4d2d3fb070760740a9bc09234d74

SHA512
0ba5e289303a7eb2617b77606de7ab9cbbb4fba3dafea572fd5f15f1e921ef9b6efd179a2ed9e95abd6823f79f0440eb571a94901aae935cd9cc7d0fcc55250a

Download Submit
C:\Users\Admin\AppData\Local\xLrHj\tabcal.exe
Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Local\xLrHj\tabcal.exe
Filesize
84KB

MD5
40f4014416ff0cbf92a9509f67a69754

SHA1
1798ff7324724a32c810e2075b11c09b41e4fede

SHA256
f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c

SHA512
646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gytjzonguizwcx.lnk
Filesize
1KB

MD5
1b19922cfe860bca320e287df722b3de

SHA1
25abbfe00727a9e446fa3171e8c0d0977e8213c7

SHA256
2385d41ba413fdc431839a0d2dfde2b473cd0e52645e2b0d66d737e82019b06e

SHA512
71679180ea16ed6b0107aa86f57f04873e06ded336b6e61eaf977431333fb118598915c7784c2d6b3d2460a767901218d6821877dccc576c0a8939bf2032b8ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TAtdQ\ACTIVEDS.dll
Filesize
768KB

MD5
ea3f674be659b00748cabbab89b8c831

SHA1
96b5b54b52e03dbd7efbf89f3e20c03478485921

SHA256
0602bb75247df9562be21aa789d485d4bc6da6aa6d3958bb51ba657150d2bd08

SHA512
d4d583e14c057539452be9589adf524a57e57760b8d16a4e47a7c9ec2ecec48a0af377b0c43ce3c530d418ee1b4600f0edac7fb07a34681bcd8ec8eda9115cdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\gDdCvW\HID.DLL
Filesize
768KB

MD5
e5e73267fdabab00c3af437fb0546677

SHA1
2b8a635120d5dc667eaac00c5676fb7280f38662

SHA256
49eab83dee97c8e6f14440b2729d0d1090cc4d2d3fb070760740a9bc09234d74

SHA512
0ba5e289303a7eb2617b77606de7ab9cbbb4fba3dafea572fd5f15f1e921ef9b6efd179a2ed9e95abd6823f79f0440eb571a94901aae935cd9cc7d0fcc55250a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\yljY9Etk\XmlLite.dll
Filesize
768KB

MD5
d5f879685e801e3a824fe8bb95eb6f2e

SHA1
3b385bd66991c384aa75d3c972cf7e81f1a47f5a

SHA256
4b4a275c5b20c683eb1e7bd2506a0191b57d439cdccfc521617ec46fd10e9353

SHA512
5c4eb543183f09831845f9587fd2c0cda73f19836f9d16e5f19f22f4ce8fc4d6104826e0c21ab250da8c882ac70b7f488296506cfd933b1b7adf94652cbf0f63

Download Submit
memory/488-212-0x0000025C577D0000-0x0000025C577D7000-memory.dmp

Filesize
28KB

Download
memory/488-215-0x00007FFDEC020000-0x00007FFDEC0E0000-memory.dmp

Filesize
768KB

Download
memory/1332-133-0x00007FFDEC020000-0x00007FFDEC0E0000-memory.dmp

Filesize
768KB

Download
memory/1332-140-0x00007FFDEC020000-0x00007FFDEC0E0000-memory.dmp

Filesize
768KB

Download
memory/1332-136-0x00000273BCDB0000-0x00000273BCDB7000-memory.dmp

Filesize
28KB

Download
memory/1716-198-0x00007FFDEC020000-0x00007FFDEC0E0000-memory.dmp

Filesize
768KB

Download
memory/1716-195-0x00000293D9840000-0x00000293D9847000-memory.dmp

Filesize
28KB

Download
memory/2704-147-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-149-0x00000000006A0000-0x00000000006A7000-memory.dmp

Filesize
28KB

Download
memory/2704-164-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-137-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2704-146-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-154-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-166-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-139-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-158-0x00007FFE0A760000-0x00007FFE0A770000-memory.dmp

Filesize
64KB

Download
memory/2704-144-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-145-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-143-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-142-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/2704-141-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/4760-181-0x00007FFDEC020000-0x00007FFDEC0E0000-memory.dmp

Filesize
768KB

Download
memory/4760-178-0x000002C007CD0000-0x000002C007CD7000-memory.dmp

Filesize
28KB

Download