dridex | f82e6e8bf49c6980ca60b9747725046747e4a9bea7334177db1e91ccfcb36874

Analysis

max time kernel
14s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 07:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11ece27856133435ff8c3f2f1c4b8b02.dll
Size

3.5MB
MD5

11ece27856133435ff8c3f2f1c4b8b02
SHA1

beb6982acc8c475def5d020bbf27a683681a6c9f
SHA256

f82e6e8bf49c6980ca60b9747725046747e4a9bea7334177db1e91ccfcb36874
SHA512

ef2cdd6fda9afe492d16d3a966a16854cdf0e589e4e0314e9e3c29455150343253a72f1af56c97c51633a930f0f12f693c5f6e029e02e4487bb039c4b54f1c91
SSDEEP

12288:nVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:OfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1260-5-0x00000000025F0000-0x00000000025F1000-memory.dmp	dridex_stager_shellcode

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2044	rundll32.exe
2044	rundll32.exe
2044	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\11ece27856133435ff8c3f2f1c4b8b02.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:2904

C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe
C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe
1⤵
PID:2916

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:1824

C:\Users\Admin\AppData\Local\SI36TQJ\Netplwiz.exe
C:\Users\Admin\AppData\Local\SI36TQJ\Netplwiz.exe
1⤵
PID:1584

C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
1⤵
PID:1036

C:\Users\Admin\AppData\Local\tdqbk\irftp.exe
C:\Users\Admin\AppData\Local\tdqbk\irftp.exe
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SI36TQJ\NETPLWIZ.dll

Filesize
32KB

MD5
7137bee1dbf41d3528eaae2ff4ae4b08

SHA1
3efd39068f7fbbe25b935a99eacd58c37d84efd0

SHA256
96f07b6d109544c03da076112d2c846766f00a9e8c7a4d83b593c1105f2ac0dc

SHA512
42628f8f355fe55ba63ee7b7765f215d4c96e0b134ef7f321b58f546c6f095fa690b435f8565db70134cdfb14cdbd5ad76b8d297fe768758a1154fe33c37ef59

Download Submit
C:\Users\Admin\AppData\Local\SI36TQJ\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe

Filesize
30KB

MD5
b041a5fd0ff2ff43540ac4b529285c5f

SHA1
c5f930843a63e93ce0b5be3902a9f7549d82bbcf

SHA256
2df28e3cae406ab310b33bbf4d1feedd49f7004dd6b48370d97f559009ffa1aa

SHA512
b1f1ad2491e69b6cc6a2c57ec3235e2c3e89d7efcefc0541333c4f87ea89b4e2c645e378551aa836414091344ec549ed65ddb22e7a3d3729af5b9285df495bc1

Download Submit
C:\Users\Admin\AppData\Local\ktK15H\sdclt.exe

Filesize
71KB

MD5
039f9b8b9b7f65e356c59c242362ff06

SHA1
1fdcd7a018d14fe5c64c07b7994becf6a7db4454

SHA256
f98c2d04243c2bdbced4ee3cadc1797ca845b03f37dce4d39923928135765407

SHA512
9161f3d76222e100a9f2a29080d1a5a508057f9f9f011f89e3845313328938651acf6c45fbb7a7599bf461be8b1dad2fe5374edf41c0978f0bee9a79e7b29fac

Download Submit
C:\Users\Admin\AppData\Local\ktK15H\slc.dll

Filesize
59KB

MD5
9156227a64b3f9a4220591abd7efba90

SHA1
68e00c4214cddb4c6fc787bba2ce31aeb28c76ee

SHA256
86c274674dab331d152a27948a89ef3ae0aa98ca744119d56c708c0d468eade9

SHA512
7a3d06db09c73a6e5bdcf6c111216c2fbcc24cfe2c1ed3316e4e2769e694cc4c45f5f11dbcd17b89150ca461b29845cd3561e70a2c70b44878f2b317ad37f67d

Download Submit
C:\Users\Admin\AppData\Local\tdqbk\WINMM.dll

Filesize
21KB

MD5
fc5af0009c23ca35e6db65096e2fff08

SHA1
74b29c1e92ec4416a458393f64136906ac222c8c

SHA256
970d7fb628f4c0a5c74a146f50353740dfa9bc72ba124a41f5ce8861aec2c485

SHA512
31d12e438c363657b9fbc921c5dfa23b3b51e4e1a24c87e862c2d3ffcfce2a1cd1167cc4b850fc00e32e3acafa15e97e81a1ae758000f094eaab6ef17a668b34

Download Submit
C:\Users\Admin\AppData\Local\tdqbk\irftp.exe

Filesize
42KB

MD5
982ff572b4c4282fda399476426655b0

SHA1
b525d41c5d1eaa49995ba33132509485413cf569

SHA256
04c2f4679ba4c9c39b9bb8c36491ab6ee83daef32a0415f40891143cbf55d634

SHA512
501aaf73e0063ca1f4286c76673a04dd189f20eb8986ed93bbc72eb2781d34262d367b6253ef4fe352eb5569cb585606461d7a003b041febddeed0ba3cc7c358

Download Submit
C:\Users\Admin\AppData\Local\tdqbk\irftp.exe

Filesize
72KB

MD5
1a63380a459cc2a9745b4fc93fcb3687

SHA1
05944e732d4dc4fa269890e9ed8fa8a17a41adcc

SHA256
3e182f7d8446e9ac4b598537fd43124a03859208129d60bb4cbe1d8c65ef5556

SHA512
e65d233bd3a02ae50ca97d3b8cd87ed94da907d4adc9df8f3d758dc6f6e01d6cf5b3eeb9951636a91019e9c604140d5d08a3e0cdc34e708f7c288260df5c7bcf

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

Filesize
1KB

MD5
6f86fc10048b075d1819d19853772960

SHA1
d65cf5ad4c9b192aaf7bc27e09fd3ded576bf510

SHA256
1f93de89bcc283effef6cecd7e21acbbecb2b53479e24e18219da6a8249784ee

SHA512
61fb0ac4dec9317e6061cf9549cc718c2760bd11e1bdea84ad115d85e5596c1ad0f75ccc81133ee3d27f7e1a153632b9c9b4deb83976aaa625e9cfb7ad1605d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\7q6\NETPLWIZ.dll

Filesize
84KB

MD5
92040dce981421f568442e17ad393f91

SHA1
6c78301e55f191c634fefe8bc0c1fbb96c686984

SHA256
67c62359e61f186d7826996244b5eccd6750754910e784c9adf7223c1e1dd037

SHA512
afe94297392e7228aa162fd03f4961138783d09646e8aeada8c7a3ec9997f0ce0f7736d0474a8fcb5a053526f7bcac949b0d47ebca33ded12bf0db20ff5e94d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\7q6\Netplwiz.exe

Filesize
1KB

MD5
d0d915bcb40691cdcb45b92693060a7e

SHA1
c2c808ae86b1efa72bc925a99bf1c35c1230fcff

SHA256
6fc3792a759ead90869883dde058cbace942b02df240cbbace7bd4f2fc487832

SHA512
7e8d883c17d0f492c2d5dcbacc1b5f4062f275b0abafc0fed8c7a571cb5b5846952993173b15092fd55dcae29fd312688108c5b2f8a6dec929c287bb2b3c2959

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\hft8xF\WINMM.dll

Filesize
20KB

MD5
c5e1cd42867e7e6151077cc395b998e4

SHA1
c400e1e4b2ed9c8a9a5610c8fc6e75e78744af36

SHA256
36c405ef7f86abd9c3e5e24236ee9f43f79fd77461cd3f67d3275c6c2d47cf7a

SHA512
764cce17a1173f49b7e87de71cb05779f36730bffb411f55e4f2c501aba0b47ef397dd6fda3a78d13843c89ec6d3e6cf35a6b5cd1eef84d9105e1b19b3f0565c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\2UFxLNE\slc.dll

Filesize
28KB

MD5
132e18ef895165ae5720d2f4976ddf1d

SHA1
b528535d1bc8975919d6a8c8bdeab6bf8de98175

SHA256
66d2cadfad122267a2e55d5dd8784753a856bb525cc93ac7e50d0e5b59870ef0

SHA512
c2cb43a1d0d096556da689d103f0856165c997528664449eca0b7dab05d187a70b2f97f00bf232452ae361b4d933bb9a0cf661c84445b41c8d46668096797649

Download Submit
\Users\Admin\AppData\Local\SI36TQJ\NETPLWIZ.dll

Filesize
33KB

MD5
0265f0a543275d6a97b88d6c0a044a38

SHA1
180ff362f7ce351d79fe34ee354be816ad5f9335

SHA256
177f2a932b220dc69866ddd7365504109f743769c2833b670b291f2df1d4cd1f

SHA512
805ba4ef7a1c0c02bfed5551d6840b48748ea961c34ab71c3e9620f5b37b0a671333c2d38ec0b461ba977ffa417d745a7df251b04a4cd5fefbd2f5e7f84a7e51

Download Submit
\Users\Admin\AppData\Local\ktK15H\sdclt.exe

Filesize
15KB

MD5
1b9e0489d63aa9a25adea4a464d63f5b

SHA1
b2a4d5a4217a9ec8b6eb4f0bd6821a8e774d96e0

SHA256
e402b627ba740ce6cc5364cd0f03cf4f7d250c4d4b47d1fa46ffbf407abc0bcf

SHA512
fcc56d325e8a905fe67bcca7e987d3eb453fe797fe6bb6464135153b26a68051e06ebb4be9597defe17f4272cda79aac3a93179b521d4f4d6681620855a4905e

Download Submit
\Users\Admin\AppData\Local\ktK15H\slc.dll

Filesize
7KB

MD5
c5a487b0f680b3a05a2b29acc076839e

SHA1
0983d9a19663f93caa9e72164394a773a027b057

SHA256
10fcec64ed8718708e1a0a88a87b7d2bf7a24108e5f250d72732669d6fd9bad2

SHA512
1fff0495da1dbc12121ca7ee566394569bbaf15156cc78e30fc3e84ad8baa1d99c7c71e5f1b98bd5373f605dd382d42294183d51f09b378efcd59f6c15c9a46d

Download Submit
\Users\Admin\AppData\Local\tdqbk\WINMM.dll

Filesize
58KB

MD5
72b0b2e54ebd2c399dcd96edf3487791

SHA1
2fde92a82662b64381c53405011d41822fac5244

SHA256
bbf30bff3a60bb8f9dc298a06d39203511db59d036213de8a9b686c4d594939c

SHA512
a3bfbaf01b2b251e0b9e83dab06f6221ae37f18f71eb0af504de7e362192a77e914dde4847bf9cf60124ff39339225c591ea1c8a914960121ecee86d9107f212

Download Submit
\Users\Admin\AppData\Local\tdqbk\irftp.exe

Filesize
47KB

MD5
0b31d458054385b7a387997a12b6e82f

SHA1
7df45ac38c6cef6f7701d21681a516998f6b34f5

SHA256
ba4ab4ff646276ddbe91ef9d99f1978ae25c7b44cb146f8d98c6b66fe45ac498

SHA512
18d964adeb3a6faded74e71b202d180a100584fea603e0e58fc34cf3f0b75fcb3b1aaf88878ce102b88943eeee8957bbab35e7d7915d1670542d42713a7943ef

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\hft8xF\irftp.exe

Filesize
15KB

MD5
bd1e23d1b052e613cd146a5f282501e2

SHA1
49a79db68b6fc596d5eca31de453b0519cc97d06

SHA256
894fdc939e53ab46479075342672e061fde1d3effc80cf441175bb121dbfa968

SHA512
fca2b79f2c6e4eb7a851d51b504ed51aa4c0e625a72b2ff26e883e7c35b35eae8708a3c7dd37f33abc1a3a7a33d7109903226e059c07e14a2a79a0b4d200ece6

Download Submit
memory/1124-146-0x00000000000A0000-0x00000000000A7000-memory.dmp

Filesize
28KB

Download
memory/1260-25-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-65-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-4-0x0000000076CE6000-0x0000000076CE7000-memory.dmp

Filesize
4KB

Download
memory/1260-26-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-30-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-31-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-29-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-28-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-27-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-33-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-34-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-32-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-35-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-42-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-44-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-43-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-41-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-40-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-46-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-47-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-48-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-45-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-50-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-55-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-56-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-54-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-53-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-52-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-51-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-49-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-39-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-38-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-37-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-36-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-58-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-7-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-64-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-63-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-69-0x00000000025D0000-0x00000000025D7000-memory.dmp

Filesize
28KB

Download
memory/1260-62-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-61-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-60-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-77-0x0000000076DF1000-0x0000000076DF2000-memory.dmp

Filesize
4KB

Download
memory/1260-78-0x0000000076F50000-0x0000000076F52000-memory.dmp

Filesize
8KB

Download
memory/1260-59-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-57-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-23-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-24-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-17-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-18-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-5-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1260-19-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-20-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-22-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-12-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-21-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-16-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-174-0x0000000076CE6000-0x0000000076CE7000-memory.dmp

Filesize
4KB

Download
memory/1260-9-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-10-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-13-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-14-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-15-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1260-11-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/1584-129-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/2044-8-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/2044-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2044-1-0x0000000140000000-0x0000000140379000-memory.dmp

Filesize
3.5MB

Download
memory/2916-105-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download