dridex | 7c5e216954042551a62e65b75b021e27d4d86a814dd36003caef2925e7bfc4a3

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd3c39a72d024833abfc4ffa2c7b6200.dll
Size

1.7MB
MD5

fd3c39a72d024833abfc4ffa2c7b6200
SHA1

1667b1adb7b2ec5bddbe58321a67200b5335249b
SHA256

7c5e216954042551a62e65b75b021e27d4d86a814dd36003caef2925e7bfc4a3
SHA512

0ee543473cee8f69397174cf32191e696d9e6050996459ee7782ca94e135a7ce263d36cc284fe49b9eac8b5ea57e3ba7fa8317cdc01fcacdc568871543430986
SSDEEP

12288:7VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:afP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1348-5-0x00000000025C0000-0x00000000025C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2136	Dxpserver.exe
752	rdrleakdiag.exe
2876	perfmon.exe

Loads dropped DLL 7 IoCs

pid	Process
1348	Process not Found
2136	Dxpserver.exe
1348	Process not Found
752	rdrleakdiag.exe
1348	Process not Found
2876	perfmon.exe
1348	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\C2VX\\rdrleakdiag.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	rundll32.exe
1700	rundll32.exe
1700	rundll32.exe
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found
1348	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 3024	1348	Process not Found	28
PID 1348 wrote to memory of 3024	1348	Process not Found	28
PID 1348 wrote to memory of 3024	1348	Process not Found	28
PID 1348 wrote to memory of 2136	1348	Process not Found	29
PID 1348 wrote to memory of 2136	1348	Process not Found	29
PID 1348 wrote to memory of 2136	1348	Process not Found	29
PID 1348 wrote to memory of 1608	1348	Process not Found	30
PID 1348 wrote to memory of 1608	1348	Process not Found	30
PID 1348 wrote to memory of 1608	1348	Process not Found	30
PID 1348 wrote to memory of 752	1348	Process not Found	31
PID 1348 wrote to memory of 752	1348	Process not Found	31
PID 1348 wrote to memory of 752	1348	Process not Found	31
PID 1348 wrote to memory of 1748	1348	Process not Found	32
PID 1348 wrote to memory of 1748	1348	Process not Found	32
PID 1348 wrote to memory of 1748	1348	Process not Found	32
PID 1348 wrote to memory of 2876	1348	Process not Found	33
PID 1348 wrote to memory of 2876	1348	Process not Found	33
PID 1348 wrote to memory of 2876	1348	Process not Found	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd3c39a72d024833abfc4ffa2c7b6200.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:3024

C:\Users\Admin\AppData\Local\TVKMx\Dxpserver.exe
C:\Users\Admin\AppData\Local\TVKMx\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2136

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:1608

C:\Users\Admin\AppData\Local\uxvPwL\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\uxvPwL\rdrleakdiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:752

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:1748

C:\Users\Admin\AppData\Local\m8X9\perfmon.exe
C:\Users\Admin\AppData\Local\m8X9\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TVKMx\XmlLite.dll

Filesize
1.7MB

MD5
effeaf9634af5fb705876ac6c555c065

SHA1
ea1119419dc29fe0f6196f4e6a98da1517f3a520

SHA256
247c78bb9a9602fa33f3c7f7a0a5d60de9224523afcba569d1f41fa02cb2a12c

SHA512
3f880f7570c5afeafbdef06254b6a9550bc88baadd762823890ba5f521650b99aac7b6578f89fdfae1d67e71904c4fa3611267f4209710c3436a7d357bc6bef6

Download Submit
C:\Users\Admin\AppData\Local\m8X9\Secur32.dll

Filesize
1.7MB

MD5
e5eaf976938ee824e6680565d4e5c59e

SHA1
9f9b3910daab097e04bbe17225e41fd993575f1a

SHA256
ac4379904636dc08ce304902b4b816d12a6da1b7836728218077bb0c9dd037cd

SHA512
543d6092199226fb8c14d4cb00b129edec60d2802c01324d95684b137f1aee3c47895b61e1084dd6d922823ba06a596a82acc652c871382082c84066fa24e549

Download Submit
C:\Users\Admin\AppData\Local\m8X9\perfmon.exe

Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
C:\Users\Admin\AppData\Local\uxvPwL\VERSION.dll

Filesize
1.7MB

MD5
4666002e3d81468ded4ef524df2dcab6

SHA1
76af20d44f886e01fabcc0a03934d5c21107b6c3

SHA256
5c55bb9a84745c54591427ebc86bd8363692fe13d22f3ef250a7a76ba1766f23

SHA512
55d6021ff4ab875b84fc1d777749a6a94fa17c136929c6c118190cd5beb597fa375ef71e435df98e26e49bd1421785c0d4195027ed67e0123e7db2b1585e8581

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

Filesize
1KB

MD5
0d526736e4caeaca616f0d57a6241af9

SHA1
bd5d7adf152cf7ca6598dbf0309e8eb364357051

SHA256
9ab6e78eb3070e16dab85b7a10c7c25a1f2c738d46632d10317c4d52d370e5c7

SHA512
4b10ce3477f2e4edb1893a3d662a55910a5fe32d08ad459418e32cc3eddd6cc08bc6bdfc7b220faa95c0cbf1cec68a3f801b06ac47d82e15f544029405f06168

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\g3Z82OGEu9\Secur32.dll

Filesize
557KB

MD5
68cdd0bbe7f21226a34ba537247274b8

SHA1
a3f7b0bcc054a5293a598c5acdaf6e30ad4951a4

SHA256
4952a017226da95737c209f0aad643da4f5fa79253791a5ee92b72949388a93b

SHA512
e0b50c369c6b61c07c2c8a8bd93445c4c3b4d5f26932fba2c38ec5aeb06e25e0e5df3548301826841c89f907c626ef5ae186908d478e0693e5a0dfafecd48295

Download Submit
\Users\Admin\AppData\Local\TVKMx\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\uxvPwL\rdrleakdiag.exe

Filesize
39KB

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
memory/752-101-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/1348-36-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-42-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-17-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-18-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-19-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-20-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-22-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-21-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-23-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-24-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-25-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-26-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-27-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-28-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-29-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-31-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-30-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-33-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-32-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-34-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-35-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-4-0x0000000076C26000-0x0000000076C27000-memory.dmp

Filesize
4KB

Download
memory/1348-37-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-38-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-40-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-39-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-41-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-16-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-43-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-44-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-45-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-46-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-47-0x0000000002590000-0x0000000002597000-memory.dmp

Filesize
28KB

Download
memory/1348-54-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-55-0x0000000076E31000-0x0000000076E32000-memory.dmp

Filesize
4KB

Download
memory/1348-56-0x0000000076F90000-0x0000000076F92000-memory.dmp

Filesize
8KB

Download
memory/1348-65-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-71-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-14-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-15-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-5-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1348-7-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-141-0x0000000076C26000-0x0000000076C27000-memory.dmp

Filesize
4KB

Download
memory/1348-9-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-10-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-13-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-12-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1348-11-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1700-8-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/1700-1-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/1700-0-0x0000000140000000-0x00000001401BA000-memory.dmp

Filesize
1.7MB

Download
memory/2136-84-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/2136-83-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2876-119-0x0000000001B60000-0x0000000001B67000-memory.dmp

Filesize
28KB

Download