dridex | ca8c670d287814ca4a56b220c360a7c3caa0ef396a9b29f391f21c9b29d49862

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca8c670d287814ca4a56b220c360a7c3caa0ef396a9b29f391f21c9b29d49862.dll
Size

2.0MB
MD5

c310c7db42c40895be867d7bc96f7047
SHA1

f17440cf1fd4ddce619ac0a0ce78ec05efc3b658
SHA256

ca8c670d287814ca4a56b220c360a7c3caa0ef396a9b29f391f21c9b29d49862
SHA512

268f4d01d481d5f941ecb64ef5103c0a21c3ea977abd834360dd04437d8b2d2d5287ebd2cc1f2f662d138dfeda74ea930a99a29fcb04b18f0af9351d7c201901
SSDEEP

12288:YVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:NfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1376-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Netplwiz.exeDWWIN.EXEDevicePairingWizard.exe

pid process

2872 Netplwiz.exe
2792 DWWIN.EXE
1068 DevicePairingWizard.exe
Loads dropped DLL 7 IoCs

Processes:

Netplwiz.exeDWWIN.EXEDevicePairingWizard.exe

pid process

1376
2872 Netplwiz.exe
1376
2792 DWWIN.EXE
1376
1068 DevicePairingWizard.exe
1376

pid	process
2872	Netplwiz.exe
2792	DWWIN.EXE
1068	DevicePairingWizard.exe

pid	process
1376
2872	Netplwiz.exe
1376
2792	DWWIN.EXE
1376
1068	DevicePairingWizard.exe
1376

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\SlO1BW\\DWWIN.EXE"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeNetplwiz.exeDWWIN.EXEDevicePairingWizard.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2088	rundll32.exe
2088	rundll32.exe
2088	rundll32.exe
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376
1376

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1376 wrote to memory of 2520	1376	Netplwiz.exe
PID 1376 wrote to memory of 2520	1376	Netplwiz.exe
PID 1376 wrote to memory of 2520	1376	Netplwiz.exe
PID 1376 wrote to memory of 2872	1376	Netplwiz.exe
PID 1376 wrote to memory of 2872	1376	Netplwiz.exe
PID 1376 wrote to memory of 2872	1376	Netplwiz.exe
PID 1376 wrote to memory of 2716	1376	DWWIN.EXE
PID 1376 wrote to memory of 2716	1376	DWWIN.EXE
PID 1376 wrote to memory of 2716	1376	DWWIN.EXE
PID 1376 wrote to memory of 2792	1376	DWWIN.EXE
PID 1376 wrote to memory of 2792	1376	DWWIN.EXE
PID 1376 wrote to memory of 2792	1376	DWWIN.EXE
PID 1376 wrote to memory of 2648	1376	DevicePairingWizard.exe
PID 1376 wrote to memory of 2648	1376	DevicePairingWizard.exe
PID 1376 wrote to memory of 2648	1376	DevicePairingWizard.exe
PID 1376 wrote to memory of 1068	1376	DevicePairingWizard.exe
PID 1376 wrote to memory of 1068	1376	DevicePairingWizard.exe
PID 1376 wrote to memory of 1068	1376	DevicePairingWizard.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ca8c670d287814ca4a56b220c360a7c3caa0ef396a9b29f391f21c9b29d49862.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2088

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2520

C:\Users\Admin\AppData\Local\6cMxZ\Netplwiz.exe
C:\Users\Admin\AppData\Local\6cMxZ\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2872

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:2716

C:\Users\Admin\AppData\Local\X8aZKL6\DWWIN.EXE
C:\Users\Admin\AppData\Local\X8aZKL6\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2792

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:2648

C:\Users\Admin\AppData\Local\Trz\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\Trz\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\6cMxZ\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Local\Trz\MFC42u.dll

Filesize
2.1MB

MD5
65b2c7a834f128061824bcd77c7a1435

SHA1
3ac823efdd0014f04a05baf819fad3a24ee37536

SHA256
071e4ae92c4bc9c5b5e74b322a8314e15fcb60132e36e761dcb5118680a95626

SHA512
c927b067327aa8fdb0fe08fea9fdf1b36efdbfd0e8aa92c372dc2ae3151cb5d37ab641e1da0d38e81b63f947998e6b07e6dbcf1a94c0775b32d89f5b2a436d6c

Download Submit
C:\Users\Admin\AppData\Local\X8aZKL6\wer.dll

Filesize
2.0MB

MD5
d7ed9f888bc968d07555719a270c9ae2

SHA1
8f92a78b121658fab04146427e01abe08bdf4235

SHA256
0f369930fdad14617228f6ead47a3cd08c524c565a292d171e590fdae6f982c5

SHA512
1b2ddabce15004e2b3874e2856497938c2ca0a5bc111804fe8af689b283a2dfde3ff13c0a75f62009ea5b1ee89602b4ca221302a6b1e015aecc25026e7dbef33

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

Filesize
1KB

MD5
6a502b92ae40eaf72a5650d91ad1abec

SHA1
d4ec10cfb80b8f013577e2149265b4ff26b9b4e8

SHA256
3b861af83657cf985b5eb2705bc293a519b51ccb3fb30f751437c4fc70ebe470

SHA512
9d79159ba8b202db06ea86521b85be5e6e65310af8b34c3dd8740840ca16c27283952173f0d553d75a7d9517a7d9d34dd0ff9f7030a907d3b5f11bd251fe1952

Download Submit
\Users\Admin\AppData\Local\6cMxZ\NETPLWIZ.dll

Filesize
2.0MB

MD5
bd33378efaa7f3691d2a26ef01572833

SHA1
9e6f6b915800db305582a8ea2481a8801fbba734

SHA256
bba3b4158adb7ceb391c9c48a1e480466b96468e24d148ce2790f945da936607

SHA512
1fad96eb05a266fbc03547c9f235bf6333fe31b12a436f8deedd1733f2dfd8efeffbd443c81ca8aaa1ae9a2b36777a4d4909e6ef02871f4931a763a0947325e0

Download Submit
\Users\Admin\AppData\Local\Trz\DevicePairingWizard.exe

Filesize
73KB

MD5
9728725678f32e84575e0cd2d2c58e9b

SHA1
dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c

SHA256
d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544

SHA512
a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

Download Submit
\Users\Admin\AppData\Local\X8aZKL6\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
memory/1068-125-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1376-33-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-26-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-43-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-48-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-10-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-25-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-59-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-61-0x00000000779C1000-0x00000000779C2000-memory.dmp

Filesize
4KB

Download
memory/1376-52-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-51-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-50-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-49-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-47-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-46-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-45-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-44-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-42-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-41-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-40-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-39-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-38-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-36-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-35-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-34-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-4-0x00000000777B6000-0x00000000777B7000-memory.dmp

Filesize
4KB

Download
memory/1376-32-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-30-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-29-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-28-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-37-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-24-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-23-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-21-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-20-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-19-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-18-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-16-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-62-0x0000000077B20000-0x0000000077B22000-memory.dmp

Filesize
8KB

Download
memory/1376-15-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-14-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-13-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-11-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-60-0x0000000002A80000-0x0000000002A87000-memory.dmp

Filesize
28KB

Download
memory/1376-71-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-31-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-150-0x00000000777B6000-0x00000000777B7000-memory.dmp

Filesize
4KB

Download
memory/1376-5-0x0000000002AA0000-0x0000000002AA1000-memory.dmp

Filesize
4KB

Download
memory/1376-9-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-7-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-27-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-22-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-17-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/1376-12-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/2088-8-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/2088-1-0x0000000140000000-0x0000000140208000-memory.dmp

Filesize
2.0MB

Download
memory/2088-0-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2792-107-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/2872-89-0x0000000001F20000-0x0000000001F27000-memory.dmp

Filesize
28KB

Download