dridex | 8018d5e151a11dbaa1472e251fa5af0f73c0365e7aaef8a65a43e636c19f0278

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be2022cc704ee9381e821864f1e942e0.dll
Size

2.0MB
MD5

be2022cc704ee9381e821864f1e942e0
SHA1

0566000064f220347470864f54b0007c15eeb31e
SHA256

8018d5e151a11dbaa1472e251fa5af0f73c0365e7aaef8a65a43e636c19f0278
SHA512

66dd9eb4c6a3796339a4fd7b992ddad42f537f6a8083cdf06b478ca97dec9f4579049923b323980a692003a50f104b308b0c45559ca96e94da7afe10a845cf77
SSDEEP

12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1192-5-0x00000000024B0000-0x00000000024B1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2852	Dxpserver.exe
2424	cmstp.exe
2248	perfmon.exe

Loads dropped DLL 7 IoCs

pid	Process
1192	Process not Found
2852	Dxpserver.exe
1192	Process not Found
2424	cmstp.exe
1192	Process not Found
2248	perfmon.exe
1192	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Javhf = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\1nZ4LZ\\cmstp.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found
1192	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2488	1192	Process not Found	28
PID 1192 wrote to memory of 2488	1192	Process not Found	28
PID 1192 wrote to memory of 2488	1192	Process not Found	28
PID 1192 wrote to memory of 2852	1192	Process not Found	29
PID 1192 wrote to memory of 2852	1192	Process not Found	29
PID 1192 wrote to memory of 2852	1192	Process not Found	29
PID 1192 wrote to memory of 1280	1192	Process not Found	30
PID 1192 wrote to memory of 1280	1192	Process not Found	30
PID 1192 wrote to memory of 1280	1192	Process not Found	30
PID 1192 wrote to memory of 2424	1192	Process not Found	31
PID 1192 wrote to memory of 2424	1192	Process not Found	31
PID 1192 wrote to memory of 2424	1192	Process not Found	31
PID 1192 wrote to memory of 2116	1192	Process not Found	32
PID 1192 wrote to memory of 2116	1192	Process not Found	32
PID 1192 wrote to memory of 2116	1192	Process not Found	32
PID 1192 wrote to memory of 2248	1192	Process not Found	33
PID 1192 wrote to memory of 2248	1192	Process not Found	33
PID 1192 wrote to memory of 2248	1192	Process not Found	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be2022cc704ee9381e821864f1e942e0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:2488

C:\Users\Admin\AppData\Local\3yOo8NK\Dxpserver.exe
C:\Users\Admin\AppData\Local\3yOo8NK\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2852

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:1280

C:\Users\Admin\AppData\Local\ukZYPButU\cmstp.exe
C:\Users\Admin\AppData\Local\ukZYPButU\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2424

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:2116

C:\Users\Admin\AppData\Local\2GsR8TDo\perfmon.exe
C:\Users\Admin\AppData\Local\2GsR8TDo\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2GsR8TDo\Secur32.dll

Filesize
1.1MB

MD5
32e69e0e21847192539bbcbee0fbc0e7

SHA1
8f3544ef227bd8751e7a12f76bef0e744249391e

SHA256
f3641648bff789c0c998248bccec560224ff5d858835b10631cd6892b7f3b087

SHA512
392896dfd867a1a20988ab9f4f5eeb06b96fd73fc6df82526fabf675fc41dc24daa4a31ff51c911ef0ee630fc2079073a910dca3ebef9a917661692dea55692c

Download Submit
C:\Users\Admin\AppData\Local\2GsR8TDo\perfmon.exe

Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
C:\Users\Admin\AppData\Local\3yOo8NK\XmlLite.dll

Filesize
475KB

MD5
b8149c74b0358632ef61c05f835b54dd

SHA1
d2e5b98d8b2dcd84d5b83ffd77d1c809e45720e6

SHA256
d969ccede7daf915b4ca1219ce51e2d2599a92e1fcc2e46dd89c1e94c09697c7

SHA512
20d8bd4acae746b83a87f4e008b941a5358a27cf1d709e1592a0754ee63df78f75ff83b9fb519b605ddb79baaa4830f8cd2c3b5f60ce38de7773b680349b8766

Download Submit
C:\Users\Admin\AppData\Local\ukZYPButU\VERSION.dll

Filesize
182KB

MD5
b0e998b2deb6fba0bbae852d0081c81e

SHA1
2b7d381166229bd48a0e40779a24c5b9baefc782

SHA256
8d823405938a0660514caf1ae90ecc84e86ced68f1d2189fa285428e62f7e8e4

SHA512
a7a17e5e305165acaaad26c0b9944f4f8cdc3b4726a51bcb8c78a7a14090d0b09272a00ca71c8f2b588a54aebb3d28d57e3ea54a7b5064279d276ec0e6a2e8fd

Download Submit
C:\Users\Admin\AppData\Local\ukZYPButU\cmstp.exe

Filesize
89KB

MD5
fa5237cc43ed4f949a8e9c3ce56dd17e

SHA1
be30c1c92e61a28e4d1e7f047ba6b3df4d217120

SHA256
d8250ead85a6078f9e90963df9436de0903a1179fbbd491d4034026b6ed08dbe

SHA512
55354218d58349bd99378ef39ce92b88ff5039de27e18efec3441d528bf5b08a670d2ab89b1909adc6d2c9a05664f58bab536aa8bb9d1eed86e232fb38a7385e

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\1nZ4LZ\VERSION.dll

Filesize
2.0MB

MD5
8b6f6939cb0cab98b43daf17d7c99072

SHA1
f8c3a345994d72cb6aa44b2499e42801d98e4fa5

SHA256
94f2c71fde53a83de3c4f7fe7bfe96483634bb9b9a895d72858293771951c589

SHA512
4d3964194b8e14cb73cb8b8f82c0fd780e7ee4b743058136445ffd55506779a6856d2271356d7df24e198094b7a24580406e40f165da704d27df60868296b782

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xwtifesqpwfy.lnk

Filesize
1KB

MD5
9b1876affbd3c475b76c04c17cfc9f1b

SHA1
3fedc58cecab40c0cc3dc0fb40d7e6d3dee40947

SHA256
31e5c3211d3719f83c4c6ce08e2bc24f1958b967476d27e2edf2db1857b01821

SHA512
1d2fb1afaf1490df4c4218f13b3883ce7f07bafca21c988662561d853fff97f3ce6118359448c2cbf9e8f5a3cef11c69f0bec42754b4799c884815d154af1474

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Aa\XmlLite.dll

Filesize
2.0MB

MD5
1a44c9a0a0694e215d99bcec504abb20

SHA1
f48926e78a13236b92a1628865f9d4951b72a016

SHA256
c263976e2cb8fb351b1dc1e47bb5cf856a4a6c9d176d6fcc51d2723f640d23b4

SHA512
21d07503ef22a7c69d4a3d83116d6937c8c515285d0ba0ba4b283d76f43cdcedf41afb9d2c8bebd667a5f5283a2b4c0b5d19a79128a548b0eac40f131df063e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\24Vq\Secur32.dll

Filesize
2.0MB

MD5
ac12051cdfea11deb97f40c5dfe84612

SHA1
8c9f144f780ac1db4c655183c7083735408c628f

SHA256
2a87a9e4b0426ab4511ed5e84c6472d6ae2e5b9545f5eb8f2bf999fdbfe85390

SHA512
9b7f511931cafe377b2f08ccd86bdcd3c3a315901c61a36600e37623c1654a5e1e43b2421a9384722fc04c3c3350c5bc452538206661eeeec25ddc7471bcc01f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\24Vq\perfmon.exe

Filesize
139KB

MD5
41702bcaca4ce3a464ce5ff2247d7700

SHA1
c139abc636fbfd2f7da3e7dd0d271a67f4e122e9

SHA256
1ac3f02729f872f44e2cade5afca314659db2f04e77448cf9e0271263d924035

SHA512
7be06a106eee4de245ebcbbef41a7da6e303f0afd5da68f12ac9753587882f22927d386d22037fb6397e7dd4e7a9cc6153d5b538e2930224e11d2ec5f4e352b7

Download Submit
\Users\Admin\AppData\Local\2GsR8TDo\Secur32.dll

Filesize
795KB

MD5
57f96d5bdd6e6d4acec4e83aedbf4b23

SHA1
5060bcdbdbf392b70340d3748239292803d0b9c7

SHA256
b044ccee994aea0d4469934e9db24aa59277cdb6272b51f4d52bfe3a299e8382

SHA512
b79dcdabcec4176fadbf2b3adb7c132b0e722439cccc32edadfe900cc7ff48cc6579ec3bf2f58b77d161a34027ed3d9f8570a6eb0855a07c09bf4ceb4500b113

Download Submit
\Users\Admin\AppData\Local\3yOo8NK\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\3yOo8NK\XmlLite.dll

Filesize
522KB

MD5
93d3fe31d32ee2c83cdd3161acd4481a

SHA1
e39f2468bafcb28ddd22617387594ac7ce4a2370

SHA256
333449cab215ab62cb933f7b6f725269ffad409add83f41f763db75e36ad172e

SHA512
1cf4e8c88b67cfcec9c344a0c1382c155c55ca3f77941dde301a239c3f4a987f965d25006a711c9fc03a7cda49ffc7436b60694c8d86d2a6ed4b43f5af2b45b2

Download Submit
\Users\Admin\AppData\Local\ukZYPButU\VERSION.dll

Filesize
256KB

MD5
75703481dac01cfc7be27c8056ddca90

SHA1
ad73754c616b59edd0fd1f0a98a9e8a934c14238

SHA256
bd8d3b8a548c1467a834e8f8dbe8101aef6f21359653a174129574666f8150bf

SHA512
010fafc4cf787b18481227ea4b3e0fdecf5548c6fa3c16ed6573073b39db5fafcb297b3bbe2e19c2790983a9075594d7fc7385f4b290e3cca2a5d3032d914108

Download Submit
\Users\Admin\AppData\Local\ukZYPButU\cmstp.exe

Filesize
90KB

MD5
74c6da5522f420c394ae34b2d3d677e3

SHA1
ba135738ef1fb2f4c2c6c610be2c4e855a526668

SHA256
51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6

SHA512
bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\24Vq\perfmon.exe

Filesize
45KB

MD5
b6e8682dd27c85dd25ea0f0b5a89488b

SHA1
b61dd6f9da6f48ca44e7d24fdfd6f5ac909fba07

SHA256
7bf21cda84c9cef6b63776feaf4aefbe338309c2dcde51442d694e806b035b62

SHA512
9cc1f570f44db86b2cb0648114e7bc2b4cabe6b6ad9b82700ed3e92a971bf16da22399b930351071a5f060a9a2e2ea07dfa363223d558a9e6841b98adabafa04

Download Submit
memory/1192-28-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-59-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-21-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-22-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-24-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-23-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-25-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-27-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-36-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-35-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-34-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-33-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-32-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-31-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-30-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-29-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-4-0x0000000077086000-0x0000000077087000-memory.dmp

Filesize
4KB

Download
memory/1192-26-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-39-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-38-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-37-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-41-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-40-0x0000000002490000-0x0000000002497000-memory.dmp

Filesize
28KB

Download
memory/1192-48-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-50-0x00000000773F0000-0x00000000773F2000-memory.dmp

Filesize
8KB

Download
memory/1192-20-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-49-0x0000000077291000-0x0000000077292000-memory.dmp

Filesize
4KB

Download
memory/1192-63-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-19-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-18-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-5-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1192-135-0x0000000077086000-0x0000000077087000-memory.dmp

Filesize
4KB

Download
memory/1192-7-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-16-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-17-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-15-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-10-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-14-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-13-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-12-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-9-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1192-11-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1936-8-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1936-1-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1936-0-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/2248-111-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

Filesize
28KB

Download
memory/2424-94-0x0000000001F20000-0x0000000001F27000-memory.dmp

Filesize
28KB

Download
memory/2852-79-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2852-82-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2852-77-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download