dridex | a3575f530f130fc338946c0c6c4ac822007a36b4a860671383ce565cb77cbea0

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12/02/2024, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97013513eec319a4402a818111b261c0.dll
Size

1.8MB
MD5

97013513eec319a4402a818111b261c0
SHA1

fd02ea2d8ff8c99ccaf35124b49c20894e92df82
SHA256

a3575f530f130fc338946c0c6c4ac822007a36b4a860671383ce565cb77cbea0
SHA512

f6d3924530ddb3dc5e1fbb7c864dbbdc517da5610248bde8f2c8628a135d89ad87654b90bde30cc94fe1e7ad0c31ab8e2556ccc4f9e4cc0684ffe5ab2c540901
SSDEEP

12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Q:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnbQ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1304-5-0x00000000024F0000-0x00000000024F1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2544	wusa.exe
1628	DeviceDisplayObjectProvider.exe
2788	tabcal.exe

Loads dropped DLL 7 IoCs

pid	Process
1304	Process not Found
2544	wusa.exe
1304	Process not Found
1628	DeviceDisplayObjectProvider.exe
1304	Process not Found
2788	tabcal.exe
1304	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\8GUF867B\\RJHURI~1\\DEVICE~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tabcal.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceDisplayObjectProvider.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
944	rundll32.exe
944	rundll32.exe
944	rundll32.exe
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found
1304	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2504	1304	Process not Found	28
PID 1304 wrote to memory of 2504	1304	Process not Found	28
PID 1304 wrote to memory of 2504	1304	Process not Found	28
PID 1304 wrote to memory of 2544	1304	Process not Found	29
PID 1304 wrote to memory of 2544	1304	Process not Found	29
PID 1304 wrote to memory of 2544	1304	Process not Found	29
PID 1304 wrote to memory of 2160	1304	Process not Found	30
PID 1304 wrote to memory of 2160	1304	Process not Found	30
PID 1304 wrote to memory of 2160	1304	Process not Found	30
PID 1304 wrote to memory of 1628	1304	Process not Found	31
PID 1304 wrote to memory of 1628	1304	Process not Found	31
PID 1304 wrote to memory of 1628	1304	Process not Found	31
PID 1304 wrote to memory of 2732	1304	Process not Found	32
PID 1304 wrote to memory of 2732	1304	Process not Found	32
PID 1304 wrote to memory of 2732	1304	Process not Found	32
PID 1304 wrote to memory of 2788	1304	Process not Found	33
PID 1304 wrote to memory of 2788	1304	Process not Found	33
PID 1304 wrote to memory of 2788	1304	Process not Found	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97013513eec319a4402a818111b261c0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:944

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:2504

C:\Users\Admin\AppData\Local\TWiq\wusa.exe
C:\Users\Admin\AppData\Local\TWiq\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2544

C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
1⤵
PID:2160

C:\Users\Admin\AppData\Local\T8FFC\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\T8FFC\DeviceDisplayObjectProvider.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1628

C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
1⤵
PID:2732

C:\Users\Admin\AppData\Local\Rn0rSkHnb\tabcal.exe
C:\Users\Admin\AppData\Local\Rn0rSkHnb\tabcal.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Rn0rSkHnb\HID.DLL

Filesize
1.8MB

MD5
e2938e62b7dbcf611719845a0fc2dc4d

SHA1
78da3489e829cae43b9747fac323967b617249b1

SHA256
265ed6490db6fb07c20feb796e335ad4f1022904c92943ddaf67a9bbe622136d

SHA512
4510a3cdd844785ef9e34f51922fd841fbe2f868e13eadac59e906e9b066a516340884db60b81866fdd3949a64aa83600596f28efc0d49ff1a59aea50746d587

Download Submit
C:\Users\Admin\AppData\Local\T8FFC\XmlLite.dll

Filesize
1.8MB

MD5
41febbb0fc131f59b9bfa464ca466639

SHA1
85e1ca096ffa4ee82fba4f41575f99b99b92a661

SHA256
c45e5fd485c98ee98f8af91029ca70fa97a9f14e8bb3eedac00c053da81bb65f

SHA512
ad11cc80f2371447bcde839390804ecec548b6eeb2aed3a41fdaa8dea0b514f9ae995bf14a20ae55cb0df0b8d6437d29e056f62099783721866032c0a4880c82

Download Submit
C:\Users\Admin\AppData\Local\TWiq\dpx.dll

Filesize
837KB

MD5
b8df6d5e44e4c9c38414ce30a409d50b

SHA1
ca752e3cafaf3ba6b8ae1219adb1217ed8d53bbf

SHA256
5b31634ee07b7336a7ba7c92fbe9d0a6c2eb61f3340a734ae568f07163ffd6a9

SHA512
39cf79a3413f192778d3726be1f062a87a6315f4165ddb811033951859266c3f82ba17cb689934720c3a7a87a8c305933b6be5da95e8f70828e05a8b827f7237

Download Submit
C:\Users\Admin\AppData\Local\TWiq\wusa.exe

Filesize
300KB

MD5
c15b3d813f4382ade98f1892350f21c7

SHA1
a45c5abc6751bc8b9041e5e07923fa4fc1b4542b

SHA256
8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3

SHA512
6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\8GUF867B\rJHuRI3YLMn\XmlLite.dll

Filesize
1005KB

MD5
cfd44de1f4448bd6f46276a093992a62

SHA1
ff2abe05db020d757fae7da71e6c9e38707f7683

SHA256
885b2ac42930ed0e0ea0f7032c2a0da70c99c6f6cd0aac88f24830d49f657a34

SHA512
4c06929048af5c3e9b8a8eb7260d15ed3b519a7111df5e061fa1ed6da6754700091b91da4c321d6f0bd96229fba5590ab4db9a874a8fd3f23fbc94503bd52546

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

Filesize
1KB

MD5
7892a5208fd08e7ffabaae974fdd77fd

SHA1
a1f5dc11996c0e374d8d58efa1575c7a08948674

SHA256
f818dc181f21535a3d9fca8ecfe458d6cf175e7969a8dc259a023ca2f9e54ba7

SHA512
8348ae1b1f327445a6dfb6a5474f9e948fd16f336b5e8664cd386d2d6ea287eb962257bbfc455dd17d661850560286a2981b4742827733f2768a3be87c956776

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\VP\dpx.dll

Filesize
1.8MB

MD5
966766a82a65af9bba4c398eea2962e2

SHA1
67dc080ed4a5896fc581086d3aa550ba3964b6b6

SHA256
2ea9c1176af9dd5fc828198112886686a96c389ba22e414cff5c0bc04358d721

SHA512
778d2ea765adb849f21e5adebb3bdd5bc659a22c256f5eeb62261941f0f20f0fa12275c0624cc9363ebe6c9b212177c2395754864e2b97ce595a4b2fb973ac64

Download Submit
\Users\Admin\AppData\Local\Rn0rSkHnb\tabcal.exe

Filesize
77KB

MD5
98e7911befe83f76777317ce6905666d

SHA1
2780088dffe1dd1356c5dd5112a9f04afee3ee8d

SHA256
3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1

SHA512
fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

Download Submit
\Users\Admin\AppData\Local\T8FFC\DeviceDisplayObjectProvider.exe

Filesize
109KB

MD5
7e2eb3a4ae11190ef4c8a9b9a9123234

SHA1
72e98687a8d28614e2131c300403c2822856e865

SHA256
8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0

SHA512
18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

Download Submit
\Users\Admin\AppData\Local\TWiq\dpx.dll

Filesize
453KB

MD5
69effa06c433c33707b5837d51b81418

SHA1
c9988a67181b92275c3ea3e43fda1f9e7f761166

SHA256
3887dcf8cadbe43a0f29c3e5d8a03a505e8eb6ca52329327aedd0c13f271d11f

SHA512
8a77f2739be908edcecc5555b1a99a7d88429b0c40bcabbfd81a77ce8cdadd783c89909c1407f888d04b2640b7003b8a17cc8401653419578ad7124e9d0cc4c0

Download Submit
memory/944-7-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/944-1-0x0000000001D90000-0x0000000001D97000-memory.dmp

Filesize
28KB

Download
memory/944-0-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-60-0x0000000076E21000-0x0000000076E22000-memory.dmp

Filesize
4KB

Download
memory/1304-30-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-29-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-33-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-36-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-38-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-39-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-42-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-44-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-45-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-48-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-47-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-46-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-50-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-49-0x00000000024D0000-0x00000000024D7000-memory.dmp

Filesize
28KB

Download
memory/1304-43-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-41-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-63-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-64-0x0000000076F80000-0x0000000076F82000-memory.dmp

Filesize
8KB

Download
memory/1304-23-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-57-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-40-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-37-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-35-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-34-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-32-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-31-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-25-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-70-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-28-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-27-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-26-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-24-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-22-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-20-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-18-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-17-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-15-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-14-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-13-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-12-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-10-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-9-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-21-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-8-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-4-0x0000000076D16000-0x0000000076D17000-memory.dmp

Filesize
4KB

Download
memory/1304-19-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-16-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1304-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1304-142-0x0000000076D16000-0x0000000076D17000-memory.dmp

Filesize
4KB

Download
memory/1304-11-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/1628-101-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2544-84-0x0000000001F20000-0x0000000001F27000-memory.dmp

Filesize
28KB

Download
memory/2788-117-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download