dridex | 7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339

Analysis

max time kernel
150s
max time network
28s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-04-2023 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339.dll
Size

1.4MB
MD5

76a03b741a85be73b47b1a72cea1becb
SHA1

f453704ee0177d5771766870bc871e7c048a6c61
SHA256

7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339
SHA512

86c59d8d2c2111175d541dd17ecc7b1ab89eb0e5400f2db21d70346af7871d2ac3008aca9ec762bbd7508b2c8ac9122111bfc83356c1d413bf1c693fbc74ec95
SSDEEP

12288:LZgJtlQepQn+NDo7nIYegQCLDF/B9wvj/cLvVZFuw:LZK6F7n5eRmDFJivohZFV

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1196-59-0x00000000029F0000-0x00000000029F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 2 IoCs

Processes:

rdpclip.exeshrpubw.exe

pid process

1088 rdpclip.exe
1932 shrpubw.exe
Loads dropped DLL 4 IoCs

Processes:

rdpclip.exeshrpubw.exe

pid process

1196
1088 rdpclip.exe
1196
1932 shrpubw.exe

pid	process
1088	rdpclip.exe
1932	shrpubw.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exerdpclip.exeshrpubw.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpclip.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exerdpclip.exe

pid	process
1968	rundll32.exe
1968	rundll32.exe
1968	rundll32.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1088	rdpclip.exe
1088	rdpclip.exe
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1196
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1196
1196

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196
1196

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 1196 wrote to memory of 932	1196	rdpclip.exe
PID 1196 wrote to memory of 932	1196	rdpclip.exe
PID 1196 wrote to memory of 932	1196	rdpclip.exe
PID 1196 wrote to memory of 1088	1196	rdpclip.exe
PID 1196 wrote to memory of 1088	1196	rdpclip.exe
PID 1196 wrote to memory of 1088	1196	rdpclip.exe
PID 1196 wrote to memory of 1536	1196	shrpubw.exe
PID 1196 wrote to memory of 1536	1196	shrpubw.exe
PID 1196 wrote to memory of 1536	1196	shrpubw.exe
PID 1196 wrote to memory of 1932	1196	shrpubw.exe
PID 1196 wrote to memory of 1932	1196	shrpubw.exe
PID 1196 wrote to memory of 1932	1196	shrpubw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fb4c95a329b24e6ab6742747cf896ae5125599548d38388fcb887b3fb871339.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
1⤵
PID:932

C:\Users\Admin\AppData\Local\1mR4E\rdpclip.exe
C:\Users\Admin\AppData\Local\1mR4E\rdpclip.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1088

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1536

C:\Users\Admin\AppData\Local\p73INSvW\shrpubw.exe
C:\Users\Admin\AppData\Local\p73INSvW\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1mR4E\WTSAPI32.dll
Filesize
1.4MB

MD5
3010d35631a23ecb08961a37f06da256

SHA1
70ec3aa9ebec8e7d4fc395a94f1a0e2df061dde1

SHA256
79a3a4113116208ca642ad64f8b52e0b75ff62dda33a1de01b4a1c2bf853476e

SHA512
2733fb5b32fb13e033c87d79248ed54e9755020c7fc26332ad6fb1e71b51e7ecee62125c7b2f012f06fe74a422a5289825377ea08c06abf62f93cf8983af6f10

Download Submit
C:\Users\Admin\AppData\Local\1mR4E\rdpclip.exe
Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
C:\Users\Admin\AppData\Local\1mR4E\rdpclip.exe
Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
C:\Users\Admin\AppData\Local\p73INSvW\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\p73INSvW\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
C:\Users\Admin\AppData\Local\p73INSvW\srvcli.dll
Filesize
1.4MB

MD5
f35e271a433ad42f2b97e95c84b921b3

SHA1
c8b705885642139c5ee3e826932bcb403998315e

SHA256
0cb72f3c120da885291c6d48c4b5b03cc2eef34c6a3ec8737d33fd55d63767be

SHA512
c60c94acbfdbbb0fedce47aaf90384dd0f4dbb754c704fe5fba11c570c706db345657c01efffc997d1a1e0b5ed23e4df160e11b49b40e22821d8aa9166d78807

Download Submit
\Users\Admin\AppData\Local\1mR4E\WTSAPI32.dll
Filesize
1.4MB

MD5
3010d35631a23ecb08961a37f06da256

SHA1
70ec3aa9ebec8e7d4fc395a94f1a0e2df061dde1

SHA256
79a3a4113116208ca642ad64f8b52e0b75ff62dda33a1de01b4a1c2bf853476e

SHA512
2733fb5b32fb13e033c87d79248ed54e9755020c7fc26332ad6fb1e71b51e7ecee62125c7b2f012f06fe74a422a5289825377ea08c06abf62f93cf8983af6f10

Download Submit
\Users\Admin\AppData\Local\1mR4E\rdpclip.exe
Filesize
206KB

MD5
25d284eb2f12254c001afe9a82575a81

SHA1
cf131801fdd5ec92278f9e0ae62050e31c6670a5

SHA256
837e0d864c474956c0d9d4e7ae5f884007f19b7f420db9afcf0d266aefa6608b

SHA512
7b4f208fa1681a0a139577ebc974e7acfc85e3c906a674e111223783460585eb989cb6b38f215d79f89e747a0e9224d90e1aa43e091d2042edb8bac7b27b968b

Download Submit
\Users\Admin\AppData\Local\p73INSvW\shrpubw.exe
Filesize
398KB

MD5
29e6d0016611c8f948db5ea71372f76c

SHA1
01d007a01020370709cd6580717f9ace049647e8

SHA256
53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930

SHA512
300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Download Submit
\Users\Admin\AppData\Local\p73INSvW\srvcli.dll
Filesize
1.4MB

MD5
f35e271a433ad42f2b97e95c84b921b3

SHA1
c8b705885642139c5ee3e826932bcb403998315e

SHA256
0cb72f3c120da885291c6d48c4b5b03cc2eef34c6a3ec8737d33fd55d63767be

SHA512
c60c94acbfdbbb0fedce47aaf90384dd0f4dbb754c704fe5fba11c570c706db345657c01efffc997d1a1e0b5ed23e4df160e11b49b40e22821d8aa9166d78807

Download Submit
memory/1088-164-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1196-95-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-103-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-72-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-73-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-75-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-74-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-78-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-76-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-77-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-79-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-80-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-82-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-83-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-84-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-81-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-85-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-86-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-87-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-88-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-89-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-90-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-92-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-91-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-94-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-93-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-71-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-97-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-96-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-100-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-99-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-98-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-69-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-102-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-101-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-106-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-108-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-107-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-105-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-104-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-111-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-109-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-110-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-114-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-113-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-112-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-117-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-116-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-115-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-118-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-70-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-67-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-68-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-66-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-64-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-65-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-63-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-61-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/1196-141-0x0000000002980000-0x0000000002987000-memory.dmp

Filesize
28KB

Download
memory/1196-142-0x00000000774F0000-0x00000000774F2000-memory.dmp

Filesize
8KB

Download
memory/1196-59-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1932-182-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1968-54-0x000007FEF7210000-0x000007FEF736B000-memory.dmp

Filesize
1.4MB

Download
memory/1968-57-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1968-58-0x000007FEF7210000-0x000007FEF736B000-memory.dmp

Filesize
1.4MB

Download