dridex | 7680c695e0b6d5727a579ec97176868aa3f58f4fc0a9433aaa6d999e18749818

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbfd27dde404d77469120bed9bbce202.dll
Size

3.7MB
MD5

cbfd27dde404d77469120bed9bbce202
SHA1

ad3f6b2db5b62b5d60cd897afc61cddd309c601e
SHA256

7680c695e0b6d5727a579ec97176868aa3f58f4fc0a9433aaa6d999e18749818
SHA512

fbbda697f62273f9964c124d2e24b6d3ba90c28c7053cadf403590860f129bdc9555b679f18cb74c662e2efbf686f22dded317a8f9ab8e5d37126a773e0b877e
SSDEEP

12288:KVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1OSuQ2:XfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1392-5-0x0000000002700000-0x0000000002701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1948	osk.exe
1936	raserver.exe
2312	Dxpserver.exe

Loads dropped DLL 7 IoCs

pid	Process
1392	Process not Found
1948	osk.exe
1392	Process not Found
1936	raserver.exe
1392	Process not Found
2312	Dxpserver.exe
1392	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\W2PX52CE\\Vm\\raserver.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Dxpserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2076	rundll32.exe
2076	rundll32.exe
2076	rundll32.exe
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 2356	1392	Process not Found	28
PID 1392 wrote to memory of 2356	1392	Process not Found	28
PID 1392 wrote to memory of 2356	1392	Process not Found	28
PID 1392 wrote to memory of 1948	1392	Process not Found	29
PID 1392 wrote to memory of 1948	1392	Process not Found	29
PID 1392 wrote to memory of 1948	1392	Process not Found	29
PID 1392 wrote to memory of 2308	1392	Process not Found	30
PID 1392 wrote to memory of 2308	1392	Process not Found	30
PID 1392 wrote to memory of 2308	1392	Process not Found	30
PID 1392 wrote to memory of 1936	1392	Process not Found	31
PID 1392 wrote to memory of 1936	1392	Process not Found	31
PID 1392 wrote to memory of 1936	1392	Process not Found	31
PID 1392 wrote to memory of 1080	1392	Process not Found	32
PID 1392 wrote to memory of 1080	1392	Process not Found	32
PID 1392 wrote to memory of 1080	1392	Process not Found	32
PID 1392 wrote to memory of 2312	1392	Process not Found	33
PID 1392 wrote to memory of 2312	1392	Process not Found	33
PID 1392 wrote to memory of 2312	1392	Process not Found	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cbfd27dde404d77469120bed9bbce202.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2356

C:\Users\Admin\AppData\Local\slKo1\osk.exe
C:\Users\Admin\AppData\Local\slKo1\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1948

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2308

C:\Users\Admin\AppData\Local\7ix\raserver.exe
C:\Users\Admin\AppData\Local\7ix\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1936

C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
1⤵
PID:1080

C:\Users\Admin\AppData\Local\V1en\Dxpserver.exe
C:\Users\Admin\AppData\Local\V1en\Dxpserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7ix\WTSAPI32.dll

Filesize
3.6MB

MD5
7c741a8d59caac78b2e6c82a8a4522ee

SHA1
cc65c89e987e5ea12f94455032ca376d89035673

SHA256
03f6b0c2ba44736e5cf1b9cbff300a10aefb21a086638209b2ef5115cdcddb6e

SHA512
65cc2cbe7845dcf27e9e4eb1ca932a9ef2dc8d2e0bb5d90a4a5d3adb98e39cbe6996a1b381a4f1fcbe66c3ed969a0eee09d4bc53c848ab13a722b137f34eda3f

Download Submit
C:\Users\Admin\AppData\Local\7ix\raserver.exe

Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
C:\Users\Admin\AppData\Local\V1en\Dxpserver.exe

Filesize
64KB

MD5
afa448d4f32a100d79a92b810a186134

SHA1
0730f11792b08dac0c51b3a3bab6e82159754f3b

SHA256
1520fe771206411abee2ba69a307ef7020e0aa8a0f69540e39c995a010fc3bd9

SHA512
6369ca19fc6ad2c0052547bf4771f38067c60f1bdca95ea16580466a0eada0b6e4c8b2f00e72bd4fd506770a52a380e54bef1dcc1c875dcc9f51a6509bb6edbd

Download Submit
C:\Users\Admin\AppData\Local\V1en\dwmapi.dll

Filesize
64KB

MD5
95f6942757d03300dee7e5901b0497fe

SHA1
5b30c6f76e965880e8f794423653914960d7af43

SHA256
2551b3ff8d7fff9a0f6b016264283fde40147e13e476bc52c85c6b837d7b25b6

SHA512
d2258544d0496192660897c3746b29dcd697dc75a419503746ff2175e1b9b55e7d3fab006522af4df9176200b975ee0d47effe5f3e0b1d4eb7829552fbd11120

Download Submit
C:\Users\Admin\AppData\Local\slKo1\OLEACC.dll

Filesize
968KB

MD5
e03751055fb720e3383af6110e9beaf5

SHA1
644e84f5442c010adb5d953b7d435639cb8de226

SHA256
09c3cc4d3d0a62ece59a5c2833ffa3698cfc983ec365691c1e542fe4ee479592

SHA512
bdc653e6337fac425f838fe63c3aae50295491fbea9f282a79808ed3d6616cffac460933367f244c16d83f32243f1bd58674dc1f499ebeea3c3cd32822ee8f26

Download Submit
C:\Users\Admin\AppData\Local\slKo1\osk.exe

Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dgsmy.lnk

Filesize
976B

MD5
afbc32a549015b7a251a2228fd0f2b58

SHA1
5d851b7436c8254125f7e8ff42fdfdca273d521c

SHA256
de4654542d3cb6d91094d0f29138d62a8591e615f0709f836cfd148e49881664

SHA512
2229807fc2da83e736f5a320da96e278880e102446c469b7bda7fe7f277e2a9c181b8617732d5d8847e237ff6660a5f02bcbec582729d2047ac00b5cdda18d9a

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\pvtov\OLEACC.dll

Filesize
3.7MB

MD5
73ed39ce4b3acc701b066463434e1044

SHA1
4deb6c23e4424405076fd023b07a98f96c7f3e60

SHA256
f1bcc6db84ad15322d868ee469eaa3cd5758ca27c5bad8011297ea487c4171e2

SHA512
3e54489023954b99781dab670b6ec842d14ed9231c434290dbce48f9f3913f57ec0a83519365c052cdc0126ac0a945a2afd4ee5251280e4bc91c299fcbd25865

Download Submit
C:\Users\Admin\AppData\Roaming\Macromedia\pvtov\osk.exe

Filesize
154KB

MD5
7f4254cc8264d2c75a2966cecda77b23

SHA1
2753a074e88b5acb9cbaf1d2b989b323eacd1961

SHA256
cc5111211390022b709650008979403a6c8360df958358cec66084ffc08fc502

SHA512
5382256097c1d2c464abf338128ce7da27862bf17510adf9bf7d5b3d04426a70aaa9197ec48419a6699e0e02effafbf04f23e0ddcf63cb1a983c5847916239fb

Download Submit
\Users\Admin\AppData\Local\7ix\WTSAPI32.dll

Filesize
3.7MB

MD5
774fbf51a76fac8204b7a1c2089b7c14

SHA1
7bdd9460948aba6c57f958e1ddb9490b8c4f660e

SHA256
9a4d76982944d9c2e8b8c0bf597e7a3b4f01579a5ef6f7ce1eb895b0f2f44b53

SHA512
7ac4d3fc840cccd87d70e0f08f173aa6a138818ae1a21dadfd442f289151537ad4bfa7d21eebec3852e60bd6422a25fb8cf636033332d246f8cb04cc1241c0db

Download Submit
\Users\Admin\AppData\Local\V1en\Dxpserver.exe

Filesize
259KB

MD5
4d38389fb92e43c77a524fd96dbafd21

SHA1
08014e52f6894cad4f1d1e6fc1a703732e9acd19

SHA256
070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73

SHA512
02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

Download Submit
\Users\Admin\AppData\Local\V1en\dwmapi.dll

Filesize
3.7MB

MD5
71e901588246a9fd4b2edd7fd8a3b787

SHA1
9b72acc1702912ddfeabb21e7eee60bdf8c69812

SHA256
3d89ffb4733b0f70577b470d3a0ceddba0781e9a95bc3537d2f64c2caa02ff11

SHA512
2289cffc1cc50c29f330de6175ff2a41f92ef078e964ed2ba687582aa6bd57c32cbb6bbe2a4c5e99e5dadfea92e2cc2d746f3f3f25dd17ad59b48e204bd5db3c

Download Submit
\Users\Admin\AppData\Local\slKo1\OLEACC.dll

Filesize
979KB

MD5
39ff0fd5c62ddf79b73a6804921d7d5f

SHA1
f29cb7ea7d3b7292d02e71abdeec0e8fe5c2f0a5

SHA256
3045dba7f5f4f9ba29b58e7ee18d408ea9f24d65553400b2bc148c7998c9c18d

SHA512
f6bc476d2da15a0cb2c83f76c264df64f34cdeb1dc33d8a39c2a3c57d631b5b0a0af03e5321fce4e7c13019b4cd4140ba6783c028511d75522e6f3598df2aa7a

Download Submit
\Users\Admin\AppData\Local\slKo1\osk.exe

Filesize
568KB

MD5
99906cc5dfe5fbfa52b9c5b1694357d3

SHA1
9100736a1c95ac2a81b69d8499fa809f71cf2c83

SHA256
bbea08a668c99df40026f7e9b1acac033ecaec6e3f7cea10078e8a3df2d064ea

SHA512
6fcd9ff3d66f1f8820ea260609630b911cc069c1e688de3b00104cf1cde16e357c6de7edac756d8cac15e56933fd9db82b722c2db0320b65c528451e73456f41

Download Submit
memory/1392-46-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-55-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-15-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-11-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-24-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-27-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-28-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-25-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-29-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-26-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-31-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-32-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-33-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-34-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-30-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-35-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-37-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-36-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-38-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-41-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-42-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-43-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-39-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-44-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-40-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-45-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-4-0x0000000077306000-0x0000000077307000-memory.dmp

Filesize
4KB

Download
memory/1392-47-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-48-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-49-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-50-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-51-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-52-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-53-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-54-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-19-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-56-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-57-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-58-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-59-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-60-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-61-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-62-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-63-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-64-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-65-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-73-0x00000000026D0000-0x00000000026D7000-memory.dmp

Filesize
28KB

Download
memory/1392-81-0x0000000077511000-0x0000000077512000-memory.dmp

Filesize
4KB

Download
memory/1392-82-0x0000000077670000-0x0000000077672000-memory.dmp

Filesize
8KB

Download
memory/1392-23-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-22-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-21-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-20-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-5-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1392-18-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-17-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-16-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-13-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-7-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-14-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-12-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-10-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-9-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/1392-165-0x0000000077306000-0x0000000077307000-memory.dmp

Filesize
4KB

Download
memory/1936-126-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/1948-109-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/2076-0-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2076-1-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download
memory/2076-8-0x0000000140000000-0x00000001403B8000-memory.dmp

Filesize
3.7MB

Download