dridex | 18b45bd4552f4f6ada10aaef4f131e845f9e39e20312f3fe6f67f243ce241eb3

Analysis

max time kernel
4s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c620a9384a551d18ef1006fa2b89f15.dll
Size

1.6MB
MD5

4c620a9384a551d18ef1006fa2b89f15
SHA1

5fdc4e376461609c1848ae651ddaa15e53d47b7d
SHA256

18b45bd4552f4f6ada10aaef4f131e845f9e39e20312f3fe6f67f243ce241eb3
SHA512

b1c93e1d0600a4fb519a9dffc4007f1be4e44076c54d0cd1d76637d26d288f56ae975d9819286e7ccdee4655b5ade039404502a84d2fdc2f64d92a56d3677898
SSDEEP

12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1284-5-0x0000000002990000-0x0000000002991000-memory.dmp	dridex_stager_shellcode

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3012	rundll32.exe
3012	rundll32.exe
3012	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c620a9384a551d18ef1006fa2b89f15.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe
C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe
1⤵
PID:2756

C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
1⤵
PID:2880

C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe
C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe
1⤵
PID:2848

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:1672

C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe
C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe
1⤵
PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4N7SF\MAGNIFICATION.dll

Filesize
41KB

MD5
8a7d9993166f00cff86519e029730897

SHA1
6bf611baa2f73287022a07e7d683401e5dbd9408

SHA256
437ec5d754babca8d1cefe366c39c17fdedae4e6b50b9a30968868d2fdece8db

SHA512
b5560866af0e05ebca9ebfe30976adaf26c04d8ad676893801c105cd465d4b10a521d2b15a00313b2509246f454a1e279065342d602f8f284de374a41be49f7a

Download Submit
C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe

Filesize
93KB

MD5
c5c55c8e34d18d0b680bfe8a8d342553

SHA1
d31019e7e40f55453ec4283824ba6c9e4cf93629

SHA256
bb7a9d1cbd9ef3d89f9776250c37e32f2a250c1637e5c9f8360047d86da0f70e

SHA512
88a31faabf0e6e4bc6aa68a2f3c978535e85cc3909598d5e2b06f8109be972d966ff01118080c3c574ce482a5f73663faa6bdc25c7559609df9a98d003e6bde3

Download Submit
C:\Users\Admin\AppData\Local\4N7SF\wisptis.exe

Filesize
386KB

MD5
a3b2a8821e62e537ef910c305ccfa0ae

SHA1
e30999733e952a7bc26d084533a6fc97dfd93732

SHA256
9d4ad6a9f1e5b3901cc633a23bdf7d1ffc17459da89799b1db3298ff5d79c95b

SHA512
f6b7f89b5a6bb187f99efb6d03f75981d0eb4b845f3292a047a8c84ab0c033eaa0bec3da501078f751e5cf8d03a6f12c71a6db427af25c16089c9f35ca5b793d

Download Submit
C:\Users\Admin\AppData\Local\Bw70O5\VERSION.dll

Filesize
260KB

MD5
248fdee8035d899c836bbdac411a53f8

SHA1
6c3192740aad06a05ecc94d6a405eb1d3c7c365f

SHA256
09d82468230a334ad5d919a0b9bfe4fc856e1951d6f94fc748a419e37e3fd939

SHA512
a2205a7c411bc61c7ef66aa1e4e3b1300afd85fde24b74c3eed4d4a4404354abeb201479b0122d3b642f15dbeac4df14049d30bb252cc76372e58f9d28e116dd

Download Submit
C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
C:\Users\Admin\AppData\Local\Bw70O5\notepad.exe

Filesize
39KB

MD5
e7774b4f294c7fcf1ef0da7c0d2ea4c4

SHA1
f328d3226121cadf96d461d8b703ed37098979fa

SHA256
a79bfb1a19174ed413ce42932bd6b4280bfc0dc938691bf40b7f3db4417e61ef

SHA512
030c3a609eca5c914ee150a019ef84940b772f2482f73c47368c8b2bcafe3b2e4e73d8d097952ef83c96fd9f6038237b6240330bd73b244be6cd8ce3f176665f

Download Submit
C:\Users\Admin\AppData\Local\ZUZmp\WINSTA.dll

Filesize
147KB

MD5
cc9c6337458158cf95d98bf2e1d0e21f

SHA1
1aac09db106d1e5c2505fa48df8665f0157019d7

SHA256
a3213e6b73abe4062891ce5694ac53ee06906e443f90138029278675a4fa57f7

SHA512
c324796e9150957b8990ef8e5f83c77ebd704d1fb3b9b59c07b2537097b45064cb073a614c1e315aa341d830448685680f1aedfe0cf42873b7c1284b6fa1791a

Download Submit
C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe

Filesize
94KB

MD5
391c60b8f59a866152859f65d951fd1f

SHA1
3716381152e8d65e2ce0b09cb0ec4498f78b0d9f

SHA256
d19bec9ea0cefa64aee2585ecf3a9410096ef57b91841b0e2b66ca650bc8479c

SHA512
96e11dbb59ee20c516a319d9c5a1a1498687ae8fa4b9c4c637679aedb86acc599c1f432c481b8efae937e6a3e091c8f2c69d5d41f632d14f67a41cdd1830681a

Download Submit
C:\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe

Filesize
47KB

MD5
38f86aae13a9f3854a62cb5caca8f6d0

SHA1
2f387427799364cd4f49d336587b173e752e6b00

SHA256
429a7157f8aa9e856ef22bd60855d89e4ef5a50c3a29f21d6c78d0bcda8910b9

SHA512
732af99e01331d26cba1e46680944957995caf690cd544553b498b0ba93edbb07f4d2dad2ddf72231a6161dbb46dd24f2ca8ff3c156b296cbc2a96db64dde2bc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

Filesize
1KB

MD5
a38b14ffb6709e550fcf2e89deb15596

SHA1
2528df3a06570893cf0e34087675552d6b2e0011

SHA256
a8c9d5bd5f16a4019b85bf852dff20d414616fa49ce8e1873a10eb76234548aa

SHA512
1a1b02b74cf614dc5c8f55a6c04331f94d8382bbc57d3cd4b014d138741c9e6151054b33e7886b531243939ec00addfc7d0e60e0d4a3d37f5d8178cd9984bb35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\dKmCV\VERSION.dll

Filesize
86KB

MD5
ebfe97ef118835146ab472c994b70c32

SHA1
a95dd3db10e565d1593d5818ea30ca23fbd747c3

SHA256
7d04e52596975f4a0f21151a7712aa996eefe37b194caaa3745e03e2d1f904b9

SHA512
9ba331b8889234a059f81c2cac5c527d0c488b393567e89f4b1dc5f4d5aec930466a12de7613585c5038eff2a9de8f33b29bc68d9e5d72a9001861f5103ff05a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2444714103-3190537498-3629098939-1000\p7gELJ\MAGNIFICATION.dll

Filesize
41KB

MD5
d871231ed3d7a96fd8da6cc0e083f92a

SHA1
580fa967109a7ce53b81ef9a3048cfb9680e84c9

SHA256
0916b0337c51baccec3fe2d47355a878f91775742156638efeb68033954c40a2

SHA512
7b4e00ce148316cc296c493bb1dbc81083174ec46c485830d758ca8236a2d92c58ca25d5f76f40a5707be751c280d727b8850d6d2786e8b260eb2693db56aa2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\5HrhNDsM\WINSTA.dll

Filesize
35KB

MD5
a56a8e6edaf21ecf134fce832cc44292

SHA1
ffc93b9415190115a66d65ecdd7a69b3785c8834

SHA256
1f41c739775c0b45938648fc53786ed4bdba5c94fb1811de70f7125e59f09782

SHA512
f60abf044b5f6a79c6f489ee8e5f2060bd633efb22754716742045f973d1b9b54e7a416ebbdb1ab54b03534180daea355c8861208b65c1b20c175e3d67bc02cc

Download Submit
\Users\Admin\AppData\Local\4N7SF\MAGNIFICATION.dll

Filesize
94KB

MD5
b7509ac5b8748e4ce864034f9de44110

SHA1
0c48930e07dc5192a97347e33355a8416f31797a

SHA256
d8e79f93ac6a2de8a7751ea27b2184f3508888d1ba3b2c40e341ccdadb328e39

SHA512
93d2f585a5735c737873b18cd34790360f6d4ce7e4bba311e81c74640d93d47b034dd5bcd9f1f475e4612cf5a1facc70cf64d92c7937a965ad22f2d2b89ce832

Download Submit
\Users\Admin\AppData\Local\4N7SF\wisptis.exe

Filesize
33KB

MD5
7b00ad2f65389ea1c76b270bb5a7ec91

SHA1
03b2796eb42b5c881cf429353b0d620f11e09f50

SHA256
8792fb3a9d0ca0d6e3fa1a1494fc1e9746d035073eee3bdffde9be1c38f45c09

SHA512
531941566eb1578aa1ee90043e84c008c521e3805c6b6fbccbb2de0311534cf7363fc114b51f4af99a6359bb96d17d1235a63c1d2747a48f46f796f61f3f0f4e

Download Submit
\Users\Admin\AppData\Local\Bw70O5\VERSION.dll

Filesize
237KB

MD5
cab6d51f25dff658002c45025ed75040

SHA1
227e8a46d5fc10238b18bb5525d93cf0326b0124

SHA256
8b13ed0d1465efa7f81565b9c56505bea0ed3f1e39aed454aee03218e103b48c

SHA512
5ce459a1ee4a2823bb3feda2ef355709b72faf5314f88be2a034fe7df4cca03cdf9ab6f82599905be7556183deb759b6a97478bd5bab7f3c9cf9f62aa4047960

Download Submit
\Users\Admin\AppData\Local\ZUZmp\WINSTA.dll

Filesize
137KB

MD5
be41b9e0bf60f79a105ca90d00175ba3

SHA1
2bff60266cf99e6516b740706aaeef78d35eebb7

SHA256
630be0aed962864314d4c0c2accdc76bb4daaf70245d7b3a16616e4049c5dfba

SHA512
f57e479b6c80a023dd19a64afe8a33a8fd2c5335bbd1d6684c23f9d6de74b56ddef0ec100f809b5d08ce995bc0a0ea037a35a113ed28b5f78b6924410ee56c5c

Download Submit
\Users\Admin\AppData\Local\ZUZmp\rdpshell.exe

Filesize
184KB

MD5
2e0dcfbebb7fe4d7b6c430bbc48b1a67

SHA1
e9d06359ac711afeb1f8ca2cfb8faab7647a6396

SHA256
a3116e26ac07636e3c9726f58413550df83247823f6938831fd505a53bea0549

SHA512
b5d014e5c3b7a9c158a03c0f4c8b5f603b51785283d508570e6eb6ea78356bf3901926833cb46b9c3ca237bf66b310dd4334949ab5401b13bdba64d566dea660

Download Submit
memory/1084-110-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1084-115-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1284-17-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-45-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-4-0x00000000777A6000-0x00000000777A7000-memory.dmp

Filesize
4KB

Download
memory/1284-14-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-51-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-20-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-57-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-18-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-19-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-15-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-16-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-13-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-12-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-11-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-9-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-10-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-136-0x00000000777A6000-0x00000000777A7000-memory.dmp

Filesize
4KB

Download
memory/1284-8-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-5-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/1284-26-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-29-0x0000000002970000-0x0000000002977000-memory.dmp

Filesize
28KB

Download
memory/1284-34-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-36-0x0000000077A10000-0x0000000077A12000-memory.dmp

Filesize
8KB

Download
memory/1284-22-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-21-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-23-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-24-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-25-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1284-35-0x00000000778B1000-0x00000000778B2000-memory.dmp

Filesize
4KB

Download
memory/2756-68-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2756-63-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2756-64-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2848-86-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2848-91-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2848-87-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download
memory/3012-7-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3012-1-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3012-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download