dridex | 42012850646049ef86749410810b29abfd3c823e9987c9e1b5ac551ed3cc4101

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-03-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll
Size

768KB
MD5

bd5cfa593ed87901f8184eaa44c0a8b8
SHA1

963a57fb83ca6361624fb057058ea4fb538015dc
SHA256

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100
SHA512

f6235abb0503db5a7cc7a0f6d2a4682db1491127a4f5700d3f68e15535b838651e1df8a8292643e46febb678e16abe9f36f6990db57db3f58c60ceae186ae489
SSDEEP

12288:4lORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:8ORVEVNmaDznMlqVNE27dJ8J2inNx

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1268-59-0x0000000002A90000-0x0000000002A91000-memory.dmp	dridex_stager_shellcode

Drops startup file 3 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuoRs
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuoRs\Secur32.dll
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iuoRs\TpmInit.exe

Executes dropped EXE 2 IoCs

Processes:

TpmInit.exetabcal.exe

pid process

1352 TpmInit.exe
2028 tabcal.exe
Loads dropped DLL 4 IoCs

Processes:

TpmInit.exetabcal.exe

pid process

1268
1352 TpmInit.exe
1268
2028 tabcal.exe

pid	process
1352	TpmInit.exe
2028	tabcal.exe

pid	process
1268
1352	TpmInit.exe
1268
2028	tabcal.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeTpmInit.exetabcal.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TpmInit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exeTpmInit.exe

pid	process
1264	rundll32.exe
1264	rundll32.exe
1264	rundll32.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1352	TpmInit.exe
1352	TpmInit.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1268

pid	process
1268

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 1268 wrote to memory of 288	1268	TpmInit.exe
PID 1268 wrote to memory of 288	1268	TpmInit.exe
PID 1268 wrote to memory of 288	1268	TpmInit.exe
PID 1268 wrote to memory of 1352	1268	TpmInit.exe
PID 1268 wrote to memory of 1352	1268	TpmInit.exe
PID 1268 wrote to memory of 1352	1268	TpmInit.exe
PID 1268 wrote to memory of 1816	1268	tabcal.exe
PID 1268 wrote to memory of 1816	1268	tabcal.exe
PID 1268 wrote to memory of 1816	1268	tabcal.exe
PID 1268 wrote to memory of 2028	1268	tabcal.exe
PID 1268 wrote to memory of 2028	1268	tabcal.exe
PID 1268 wrote to memory of 2028	1268	tabcal.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1264

C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
1⤵
PID:288

C:\Users\Admin\AppData\Local\QjEeWMTU9\TpmInit.exe
C:\Users\Admin\AppData\Local\QjEeWMTU9\TpmInit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:1816

C:\Users\Admin\AppData\Local\kf6\tabcal.exe
C:\Users\Admin\AppData\Local\kf6\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2028

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\QjEeWMTU9\Secur32.dll
Filesize
772KB

MD5
b17441e6edf97ae98f85f5f964d2ffd5

SHA1
cd63d4b627df8a7e340438df86328a08e3a9b826

SHA256
2f46aeb438703a47525cd183379efbb1fcf4bea2091355b5630f6f6d68ae0c41

SHA512
6b23345ff2e5efc22fa7ab030d5b32ef850e3cf645fe6953b008894b481c22bc7fd0080b72fe07277f11294f752507f44dab5045e18a226ae9c931da34fb9ff8

Download Submit
C:\Users\Admin\AppData\Local\QjEeWMTU9\TpmInit.exe
Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
C:\Users\Admin\AppData\Local\QjEeWMTU9\TpmInit.exe
Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
C:\Users\Admin\AppData\Local\kf6\HID.DLL
Filesize
768KB

MD5
7d27675d9d9d992564a35703733e2fef

SHA1
a891583677e494a99b9e47e20a250f79ebd5f5d6

SHA256
301b810d00906936194c79dcd4d1d9855f7fa17713bf3c02ca5ad5a1b7d63e5f

SHA512
5c78e0391ac3471bdb0fa7be3998256184bc19783c033fffe8f81d8ee506fd5f3da2399d0ea1c1e3f5f3cb8538c963ff9a855492d4d96d0fb91a2bdd5e2ab982

Download Submit
C:\Users\Admin\AppData\Local\kf6\tabcal.exe
Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
C:\Users\Admin\AppData\Local\kf6\tabcal.exe
Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\QjEeWMTU9\Secur32.dll
Filesize
772KB

MD5
b17441e6edf97ae98f85f5f964d2ffd5

SHA1
cd63d4b627df8a7e340438df86328a08e3a9b826

SHA256
2f46aeb438703a47525cd183379efbb1fcf4bea2091355b5630f6f6d68ae0c41

SHA512
6b23345ff2e5efc22fa7ab030d5b32ef850e3cf645fe6953b008894b481c22bc7fd0080b72fe07277f11294f752507f44dab5045e18a226ae9c931da34fb9ff8

Download Submit
\Users\Admin\AppData\Local\QjEeWMTU9\TpmInit.exe
Filesize
112KB

MD5
8b5eb38e08a678afa129e23129ca1e6d

SHA1
a27d30bb04f9fabdb5c92d5150661a75c5c7bc42

SHA256
4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c

SHA512
a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

Download Submit
\Users\Admin\AppData\Local\kf6\HID.DLL
Filesize
768KB

MD5
7d27675d9d9d992564a35703733e2fef

SHA1
a891583677e494a99b9e47e20a250f79ebd5f5d6

SHA256
301b810d00906936194c79dcd4d1d9855f7fa17713bf3c02ca5ad5a1b7d63e5f

SHA512
5c78e0391ac3471bdb0fa7be3998256184bc19783c033fffe8f81d8ee506fd5f3da2399d0ea1c1e3f5f3cb8538c963ff9a855492d4d96d0fb91a2bdd5e2ab982

Download Submit
\Users\Admin\AppData\Local\kf6\tabcal.exe
Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
memory/1264-54-0x000007FEF70C0000-0x000007FEF7180000-memory.dmp

Filesize
768KB

Download
memory/1264-58-0x000007FEF70C0000-0x000007FEF7180000-memory.dmp

Filesize
768KB

Download
memory/1264-57-0x0000000000380000-0x0000000000387000-memory.dmp

Filesize
28KB

Download
memory/1268-67-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-64-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-80-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-86-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-79-0x0000000077A70000-0x0000000077A72000-memory.dmp

Filesize
8KB

Download
memory/1268-75-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-69-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-68-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-59-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/1268-61-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-63-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-66-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-65-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/1268-78-0x0000000002A70000-0x0000000002A77000-memory.dmp

Filesize
28KB

Download
memory/1352-104-0x000007FEFAE50000-0x000007FEFAF11000-memory.dmp

Filesize
772KB

Download
memory/1352-101-0x00000000000E0000-0x00000000000E7000-memory.dmp

Filesize
28KB

Download
memory/1352-98-0x000007FEFAE50000-0x000007FEFAF11000-memory.dmp

Filesize
772KB

Download
memory/2028-116-0x000007FEFAE60000-0x000007FEFAF20000-memory.dmp

Filesize
768KB

Download
memory/2028-119-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2028-122-0x000007FEFAE60000-0x000007FEFAF20000-memory.dmp

Filesize
768KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads