dridex | 972a7c7225ddd802c9c9cb9922b2093d96bba57e3138ef918e94884858976caf

Analysis

max time kernel
3s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad.dll
Size

1.4MB
MD5

1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad
SHA1

242695be2fdd86026c48618af478f9686fcbad55
SHA256

972a7c7225ddd802c9c9cb9922b2093d96bba57e3138ef918e94884858976caf
SHA512

7a6244df30e43c56e99dc8f8917a4c9e8d614f012ad6d0366626d0a5fadffae149325ba9e3dc0d899042ff672f21fd72461ee16b61bea145927cdb4b55154415
SSDEEP

12288:6VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1N1:nfP7fWsK5z9A+WGAW+V5SB6Ct4bnbN1

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1260-5-0x00000000025D0000-0x00000000025D1000-memory.dmp	dridex_stager_shellcode

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1660	rundll32.exe
1660	rundll32.exe
1660	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d9ae0ed5c0c8c5ffd0c9a0e02fa8bad.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1660

C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
1⤵
PID:2044

C:\Users\Admin\AppData\Local\KBkSYkkw\RDVGHelper.exe
C:\Users\Admin\AppData\Local\KBkSYkkw\RDVGHelper.exe
1⤵
PID:2548

C:\Users\Admin\AppData\Local\w0yxS\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\w0yxS\SystemPropertiesRemote.exe
1⤵
PID:1676

C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
1⤵
PID:2948

C:\Users\Admin\AppData\Local\2RMK\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\2RMK\ComputerDefaults.exe
1⤵
PID:2680

C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2RMK\ComputerDefaults.exe

Filesize
36KB

MD5
86bd981f55341273753ac42ea200a81e

SHA1
14fe410efc9aeb0a905b984ac27719ff0dd10ea7

SHA256
40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3

SHA512
49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

Download Submit
C:\Users\Admin\AppData\Local\2RMK\ComputerDefaults.exe

Filesize
33KB

MD5
931db3a018be09b76d9c6b5cd4b32dc6

SHA1
8b62905ab656d97f09f4e247b8b0906373c6a97f

SHA256
7f7cb28aa0ee88537c94fb3085196e68d420fd0c1dc82bef69a7f512bb8ad2ae

SHA512
469f4e9d5fe20d07e5848041a75b3b1d3e524c17d0a952bf450e49e3774fc4664ab1ae141e1822205625fb3fad57ef5c1853d632ca46aeeba321589287d6902e

Download Submit
C:\Users\Admin\AppData\Local\2RMK\appwiz.cpl

Filesize
31KB

MD5
91041a757bba42c5d496342c64360e85

SHA1
45c9b036cdd3165228038514619e2723cc595735

SHA256
e8de3fda3f895e4ec2022a56373afe28504eb2267ebaf1c26c18ce7dbd44b8e1

SHA512
701c5ba05ecf913db8ab3f9541e09b561170ea14ac794cbb3adca7af0c44d328030f16f7f7366827b52ad1c6023ab89e5342080707d523f1a8051a9ab460675c

Download Submit
C:\Users\Admin\AppData\Local\KBkSYkkw\RDVGHelper.exe

Filesize
25KB

MD5
5cd579bc9e79310253a538c013a2d5fb

SHA1
5022fcc9bcd44767a965a6b805e4ec388c569441

SHA256
b4bc7cad65bacb19fb90140c7f29cdef71bbd84540e403c73afee918a3aad18a

SHA512
203e716a65498ec89e5afc700c4a46dc99f88cafa39d21a6242dc469afb38607ceab48e9ea4fc8e0dd40c8a66039f617872f41aadfe0cdcffe710f3dcafd40cf

Download Submit
C:\Users\Admin\AppData\Local\KBkSYkkw\dwmapi.dll

Filesize
20KB

MD5
a1a45f5a7f011ad4435514d2e061b2b5

SHA1
b3748f9994510e084fb8001402fdfab1d248603a

SHA256
637a82a7f4591b7e69bcc55e27656152fad2301f5a876eb5e56c618b1f7e0ed5

SHA512
de41e50030dd0e3cc985369d6885f082e0dcb91a14961a7e8320beec97ed07a9790bc0d14aeca5d6a68154fbe2fb31aa0d0f859e5e67b737512d856393067881

Download Submit
C:\Users\Admin\AppData\Local\w0yxS\SYSDM.CPL

Filesize
45KB

MD5
efffe409ddfb1cc1e9389fbb12b16c1c

SHA1
68e07283bccefd7c62264e8a20f2cb0ae3641f1b

SHA256
9ca0ff84b5958096656052db4717c0cb6340543f4a7a649a1d5d5dabb9302dbd

SHA512
36b619face2e4d5f534a46973df81860b10c797e821855b1e94d22591ccb173bb6f8d26aac8233bfb9d0f1973d4845ec4d4d64b1549c152c121d0cc25d91f2cd

Download Submit
C:\Users\Admin\AppData\Local\w0yxS\SystemPropertiesRemote.exe

Filesize
6KB

MD5
b6c2c0a1663cdf3d0461824292a3847b

SHA1
6ea2cbc03bf6838d196cb84ae461e20cd44cf81a

SHA256
c1a18bbfb579b4989d6cc89e3657a224c2dcecff5574af939396afed379cb59d

SHA512
4693dd7db3cca09a6307dbd2319155277d1693226101f26d8c645d46f840fd9564a1a41f2dea546ca0b750f896bb5cf303cc7e89ef9aeffc9d93740ecc80bafd

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

Filesize
1KB

MD5
58b42ebc5e10ca5cbb844e992a422040

SHA1
bbe8448eb8e9a640eefe6b5f559498bd12e5bc42

SHA256
9ffa804048737d58891452041fb880099c77e9730ad49236dd72d2ac366fa8ce

SHA512
b8d9679193c2c2e8323c43291b24f1c500f19a5810b38bd074e79258e5df71f5dd793afc9290856d67924a66b78db6758dc1a33e4665fff28b23f9f70ebe406e

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\OiGftr3\RDVGHelper.exe

Filesize
9KB

MD5
63206cbd0750c633eb51f2a865415cfb

SHA1
c902d749cac86ad15f03a669487e1b0cc48737b3

SHA256
663670dd29dead93ee3a911dfdd8cc50f8c298a336451a2d13ba0419987d4713

SHA512
95d2827910b4abf742b2a5589a5618026280744431df9473b1cac205c8b4d43b11d3178f195a68c7b624e5219e84dab44362015d5db8883450c308801d44985c

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\OiGftr3\dwmapi.dll

Filesize
11KB

MD5
6f86eb7fed6c7214e02120bad2b1b348

SHA1
bb069e40ba6513d95a4f4b4c05d2635899f76a20

SHA256
e033aa94690921f102506508c50483bc9e579edeaa6f1d4ea70761bf2b0501aa

SHA512
922a1f5f0a7d704ad0978a7d9e44aad500cadc0c1423ebeef9e30da2e8b2792ffd394673fdbc25594e1c6eeb788f730c2866d146609a1b43c180bab965c2eb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\KNGVw1\appwiz.cpl

Filesize
1KB

MD5
24deded2cea054f803b96a77d31a078b

SHA1
8e345cb0594d107c188c8aa07f1749b4ea9b38b2

SHA256
c7b03b23faa2361bb97c7c217b3d0e8c2e5a8fafba0cd737c7d2c53c9422f3e2

SHA512
1ab7796762740df5f3af401fe19bbbe856771d5d26b657f9b384bc3f7a2ebc350545088e00c061164a0a155b5faaf0d339426ac987b0329e17d44efe499ad5ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Zkrs3Oj\SYSDM.CPL

Filesize
37KB

MD5
bd9e2c25aa403d4dbb6e6b27536a88f3

SHA1
f55e8e120289e198aa02a6a8ac4f7c0d93510e38

SHA256
12df9dd5c48152b19d9f78a36c9ca04951df29ddc6d9b169ac9b5a29ccdc1af2

SHA512
8debfbba1ba919e262c75f3f9e3f22d00293c401cc24fe607d25cfdc619335ea8e39b99f4dd9b6de7a17125d7f2e5acb33e622a0267c3e16d73cc9001a740bed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Zkrs3Oj\SystemPropertiesRemote.exe

Filesize
28KB

MD5
1b20259566998712cb90de1318eb39b0

SHA1
f6b2fc9a20228cee32b4318a61d5a236e406ab90

SHA256
8023f14adc67f6995023247aec943cc07e71b134370023d8c3fbbea2dda2dd70

SHA512
0f89958b74b31bebe88937ceb479792c2deab27b4f013eead1c9f70ac287b0fedcc78d4a9aefb95d3877ef822f4cbc5217b26962676132a42798b92be3c0324b

Download Submit
\Users\Admin\AppData\Local\2RMK\ComputerDefaults.exe

Filesize
11KB

MD5
92c6308b792b3094434d5c4d5274ead7

SHA1
20a17a963680a61647bae3024f8916ac46a458cb

SHA256
de884af8f28f55b2ae4343937e6f01aff2d56eebc2de321d7f1eebab472871ad

SHA512
15ed01a8de92ffc8ebbb4126b185be3de818cf33db9339fb2f358173ea105acd15c4c661b16e1633b755981558dbad6da98b6e29988154e76589dee2fb55b75e

Download Submit
\Users\Admin\AppData\Local\2RMK\appwiz.cpl

Filesize
20KB

MD5
73fc30bc92cdef317782c611318321d4

SHA1
5e04335abff192b98d8dec2199a43bc4da0ee1ed

SHA256
3aa11d59249587436a8ba5ec3c4ea8c8c03d418388c549f67bfd2fb5331ab299

SHA512
3564acf9cbccc65e3c763aaf73b0dc94bb6786386a7c3a928d9d3f13691902b876bff7b1cf0328dc09de7e365409b733bf40fe9c7dc6b7bbab9607ab9df635f4

Download Submit
\Users\Admin\AppData\Local\KBkSYkkw\RDVGHelper.exe

Filesize
35KB

MD5
6cc064101ac1d6a2f0e84368cc486343

SHA1
e976c9204ba92d53347c8add052273e405b53127

SHA256
76a4a0bcef17df20063f8a523ebcf02ec1a166f14461d671abf1b143a9ac09be

SHA512
fe9975dcafa1e179dc359223d03a6adf0138d57afd0017477810745bed3f63da4df981882e34a78fa2e51667934952f5c0197b74f809f7e2fdd2bbe406c5289c

Download Submit
\Users\Admin\AppData\Local\KBkSYkkw\dwmapi.dll

Filesize
45KB

MD5
e4a65b758320c1cd2e1f3b99f30c5cb7

SHA1
81f4a0810ed713008021adab75008e543b14d666

SHA256
4bf85983e3d144247e1caf1b168ee65837a8abf6ca1239d077d4cc2863879ad5

SHA512
620d1664fb5dc83490c489ca598e91f9920e75a1af2977c15a17f2e6a5d4988b038f6b0af915f32043c41f9a3ae3e77792a3ffd82a9fb71896c18eebe528e960

Download Submit
memory/1260-22-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-14-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-36-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-34-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-33-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-32-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-31-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-30-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-29-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-28-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-27-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-26-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-25-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-24-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-4-0x0000000076C36000-0x0000000076C37000-memory.dmp

Filesize
4KB

Download
memory/1260-21-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-20-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-19-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-18-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-65-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-17-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-16-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-15-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-61-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-13-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-132-0x0000000076C36000-0x0000000076C37000-memory.dmp

Filesize
4KB

Download
memory/1260-23-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-35-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-43-0x00000000025B0000-0x00000000025B7000-memory.dmp

Filesize
28KB

Download
memory/1260-12-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-11-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-10-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-9-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-46-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

Filesize
8KB

Download
memory/1260-7-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1260-44-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1260-45-0x0000000076D41000-0x0000000076D42000-memory.dmp

Filesize
4KB

Download
memory/1260-55-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1660-8-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1660-0-0x0000000140000000-0x000000014016B000-memory.dmp

Filesize
1.4MB

Download
memory/1660-1-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download
memory/1676-95-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/1676-90-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2548-74-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/2548-78-0x0000000140000000-0x000000014016C000-memory.dmp

Filesize
1.4MB

Download
memory/2548-73-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/2680-109-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download