dridex | 56694afcab87bb68f6c478cf667ddad3dbfd6a73809d72313639591a9361a19f

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91aaac0b996f3f158a236c39a4a91850_NeikiAnalytics.dll
Size

2.1MB
MD5

91aaac0b996f3f158a236c39a4a91850
SHA1

bc49fcca5e998aa71a591d219efbb235c4028e53
SHA256

56694afcab87bb68f6c478cf667ddad3dbfd6a73809d72313639591a9361a19f
SHA512

84c035af80cd72060df1259e3d0cf720a7adde93f03526c9dcc5e98514deefd2fccccf82a6172759ab748ceefcb4ed07e74929c196dab68a62a1c8446291e6b3
SSDEEP

12288:8VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:JfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
botnet payload

Processes:

resource yara_rule

behavioral1/memory/1200-5-0x0000000002FD0000-0x0000000002FD1000-memory.dmp dridex_stager_shellcode
Executes dropped EXE 3 IoCs

Processes:

p2phost.exeiexpress.exeosk.exe

pid process

760 p2phost.exe
1248 iexpress.exe
1692 osk.exe
Loads dropped DLL 7 IoCs

Processes:

p2phost.exeiexpress.exeosk.exe

pid process

1200
760 p2phost.exe
1200
1248 iexpress.exe
1200
1692 osk.exe
1200

resource	yara_rule
behavioral1/memory/1200-5-0x0000000002FD0000-0x0000000002FD1000-memory.dmp	dridex_stager_shellcode

pid	process
760	p2phost.exe
1248	iexpress.exe
1692	osk.exe

pid	process
1200
760	p2phost.exe
1200
1248	iexpress.exe
1200
1692	osk.exe
1200

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\kh35m\\iexpress.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exep2phost.exeiexpress.exeosk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	p2phost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1600	rundll32.exe
1600	rundll32.exe
1600	rundll32.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1200 wrote to memory of 2312	1200	p2phost.exe
PID 1200 wrote to memory of 2312	1200	p2phost.exe
PID 1200 wrote to memory of 2312	1200	p2phost.exe
PID 1200 wrote to memory of 760	1200	p2phost.exe
PID 1200 wrote to memory of 760	1200	p2phost.exe
PID 1200 wrote to memory of 760	1200	p2phost.exe
PID 1200 wrote to memory of 2788	1200	iexpress.exe
PID 1200 wrote to memory of 2788	1200	iexpress.exe
PID 1200 wrote to memory of 2788	1200	iexpress.exe
PID 1200 wrote to memory of 1248	1200	iexpress.exe
PID 1200 wrote to memory of 1248	1200	iexpress.exe
PID 1200 wrote to memory of 1248	1200	iexpress.exe
PID 1200 wrote to memory of 2412	1200	osk.exe
PID 1200 wrote to memory of 2412	1200	osk.exe
PID 1200 wrote to memory of 2412	1200	osk.exe
PID 1200 wrote to memory of 1692	1200	osk.exe
PID 1200 wrote to memory of 1692	1200	osk.exe
PID 1200 wrote to memory of 1692	1200	osk.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\91aaac0b996f3f158a236c39a4a91850_NeikiAnalytics.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
1⤵
PID:2312

C:\Users\Admin\AppData\Local\zFox5dOlf\p2phost.exe
C:\Users\Admin\AppData\Local\zFox5dOlf\p2phost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:760

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:2788

C:\Users\Admin\AppData\Local\3amMj\iexpress.exe
C:\Users\Admin\AppData\Local\3amMj\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1248

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2412

C:\Users\Admin\AppData\Local\Sgklt6JS\osk.exe
C:\Users\Admin\AppData\Local\Sgklt6JS\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1692

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3amMj\VERSION.dll
Filesize
2.1MB

MD5
33bbef3bf3bcd03fdb00f1020fbe054f

SHA1
4df4c17dfbfdf9af13328493ea06294b497d7f49

SHA256
5beea1ca8c269bd47bf07d48f4f11aeb1be2f359c21e33ef29483c9f91776031

SHA512
1b46405979a96f1c379cd507fc9422f70ef15dc907e3e9f763d2a00e97a0e3dbe175efd0e95255da6b897da3e94a704c6b4c474d95d9385ea885fd6b62147372

Download Submit
C:\Users\Admin\AppData\Local\Sgklt6JS\UxTheme.dll
Filesize
2.1MB

MD5
e9c9e6d01578299029cfecfeaf679066

SHA1
ac85ddc7eeafe171c8ce15c2e512163b8ffd0e4a

SHA256
40a79c1a5137066e70119ee251be5fb8505d855febb3bd1612fb7cf42dbd59d1

SHA512
a274f1c16e8602a14a96e661cf213c4eb57d1a72367a42d8389d6cf356aedc073466ed235993687134d35552f23bfe9b5024bd7058ec8dea2218047e89e48f49

Download Submit
C:\Users\Admin\AppData\Local\zFox5dOlf\P2PCOLLAB.dll
Filesize
2.1MB

MD5
979a6797058a7272567b2bec5f3f8e78

SHA1
2087626d5b7ef8c66d2b0761fb584021868fcde8

SHA256
69141ee10629dd8304d86f769bd660ee35b712f09b81b18ab17d626dae0d2442

SHA512
ebceb73147dc5d394beb9f81a8f871f4deaee2acbe95ac9773d0a8e58a41fd8dec63b5bc4266795fbe7a6f0142c4e8fc536979249cbe3c7c082b8bed67a7ea84

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pclfpjzoauil.lnk
Filesize
947B

MD5
ed4e3636f3a72256f0d127ab36572097

SHA1
9f5dd96fd2e9d3e3d7ca8dd68b7eb6ab0df6f055

SHA256
07f2c358624fd7acc38ce7ade118d928ff9bfe0250b19908c7d5770c13d8fcbd

SHA512
bea7e7c48df1512528f865f63a7f1994383ce14ab88c42f652edad55af84ed4fb1092b88046c14ac6a4c7c81f6b7330827940c17f6e5c4fbd96e7886b83b8851

Download Submit
\Users\Admin\AppData\Local\3amMj\iexpress.exe
Filesize
163KB

MD5
46fd16f9b1924a2ea8cd5c6716cc654f

SHA1
99284bc91cf829e9602b4b95811c1d72977700b6

SHA256
9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3

SHA512
52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

Download Submit
\Users\Admin\AppData\Local\Sgklt6JS\osk.exe
Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\zFox5dOlf\p2phost.exe
Filesize
172KB

MD5
0dbd420477352b278dfdc24f4672b79c

SHA1
df446f25be33ac60371557717073249a64e04bb2

SHA256
1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345

SHA512
84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

Download Submit
memory/760-107-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1200-40-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-58-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-9-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-72-0x0000000002FB0000-0x0000000002FB7000-memory.dmp

Filesize
28KB

Download
memory/1200-18-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-44-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-64-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-35-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-63-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-62-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-61-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-60-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-59-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-34-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-57-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-56-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-55-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-33-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-52-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-51-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-50-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-49-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-48-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-47-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-45-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-43-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-42-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-41-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-46-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-38-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-37-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-36-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-73-0x0000000077791000-0x0000000077792000-memory.dmp

Filesize
4KB

Download
memory/1200-53-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-54-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-32-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-31-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-30-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-29-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-28-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-26-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-25-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-24-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-23-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-22-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-21-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-19-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-17-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-16-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-15-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-14-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-13-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-12-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-10-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-74-0x00000000778F0000-0x00000000778F2000-memory.dmp

Filesize
8KB

Download
memory/1200-39-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-27-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-20-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-7-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-8-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1200-5-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

Filesize
4KB

Download
memory/1200-4-0x0000000077586000-0x0000000077587000-memory.dmp

Filesize
4KB

Download
memory/1200-158-0x0000000077586000-0x0000000077587000-memory.dmp

Filesize
4KB

Download
memory/1600-11-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1600-0-0x0000000140000000-0x000000014020D000-memory.dmp

Filesize
2.1MB

Download
memory/1600-3-0x00000000021E0000-0x00000000021E7000-memory.dmp

Filesize
28KB

Download
memory/1692-142-0x00000000001D0000-0x00000000001D7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads