Analysis Report Dridex.exe

Overview

General Information

Sample Name: Dridex.exe
Analysis ID: 393200
MD5: 6e5654da58c03df6808466f0197207ed
SHA1: 594f33ad9d7f85625a88c24903243ba9788fba86
SHA256: e30b76f9454a5fd3d11b5792ff93e56c52bf5dfba6ab375c3b96e17af562f5fc
Tags: DridexProcessHollowingRunPE

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Contains functionality to detect virtual machines
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Program does not show much activity (idle)
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Dridex.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: Dridex.exe Virustotal: Detection: 88%
Source: Dridex.exe Metadefender: Detection: 86%
Source: Dridex.exe ReversingLabs: Detection: 100%
Machine Learning detection for sample
Source: Dridex.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.Dridex.exe.400000.1.unpack Avira: Label: TR/Taranis.403
Source: 1.0.Dridex.exe.400000.0.unpack Avira: Label: TR/Taranis.403
Source: 1.2.Dridex.exe.990000.4.unpack Avira: Label: TR/Taranis.403
Source: 3.0.Dridex.exe.400000.0.unpack Avira: Label: TR/Taranis.403
Source: 1.1.Dridex.exe.400000.0.unpack Avira: Label: TR/Taranis.403
Source: 1.2.Dridex.exe.26f0000.7.unpack Avira: Label: TR/Taranis.403

Compliance:

Uses 32bit PE files
Source: Dridex.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess, 1_2_00401160
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_1_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,GetTimeZoneInformation,ExitProcess, 1_1_00401160

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49713 -> 94.73.155.12:2448
Source: global traffic TCP traffic: 192.168.2.3:49723 -> 103.252.100.44:4493
Source: global traffic TCP traffic: 192.168.2.3:49726 -> 89.108.71.148:8843
Source: global traffic TCP traffic: 192.168.2.3:49729 -> 221.132.35.56:8843
Source: unknown TCP traffic detected without corresponding DNS query: 94.73.155.12
Source: unknown TCP traffic detected without corresponding DNS query: 103.252.100.44
Source: unknown TCP traffic detected without corresponding DNS query: 89.108.71.148
Source: unknown TCP traffic detected without corresponding DNS query: 221.132.35.56

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_00980018 LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc, 1_2_00980018
Detected potential crypto function
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_0040AC50 3_2_0040AC50
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_00412888 3_2_00412888
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_0040BB48 3_2_0040BB48
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_0041434E 3_2_0041434E
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_00407B1D 3_2_00407B1D
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_00413F88 3_2_00413F88
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_0040AC50 3_1_0040AC50
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_00412888 3_1_00412888
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_0040BB48 3_1_0040BB48
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_0041434E 3_1_0041434E
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_00407B1D 3_1_00407B1D
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_00413F88 3_1_00413F88
Sample file is different than original file name gathered from version info
Source: Dridex.exe, 00000001.00000002.210644885.0000000000930000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameMFC42.DLL.MUIR vs Dridex.exe
Source: Dridex.exe, 00000001.00000002.213138111.00000000026F0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemation.exe vs Dridex.exe
Source: Dridex.exe, 00000001.00000002.210674389.0000000000960000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Dridex.exe
Source: Dridex.exe, 00000003.00000002.603461689.0000000003E10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Dridex.exe
Source: Dridex.exe Binary or memory string: OriginalFilenamemation.exe vs Dridex.exe
Uses 32bit PE files
Source: Dridex.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.evad.winEXE@3/0@0/4
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_00980018 LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc, 1_2_00980018
Source: C:\Users\user\Desktop\Dridex.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Dridex.exe Virustotal: Detection: 88%
Source: Dridex.exe Metadefender: Detection: 86%
Source: Dridex.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\Dridex.exe File read: C:\Users\user\Desktop\Dridex.exe
Source: unknown Process created: C:\Users\user\Desktop\Dridex.exe 'C:\Users\user\Desktop\Dridex.exe'
Source: C:\Users\user\Desktop\Dridex.exe Process created: C:\Users\user\Desktop\Dridex.exe C:\Users\user\Desktop\Dridex.exe
Source: C:\Users\user\Desktop\Dridex.exe Process created: C:\Users\user\Desktop\Dridex.exe C:\Users\user\Desktop\Dridex.exe
Source: Dridex.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Dridex.exe Unpacked PE file: 3.2.Dridex.exe.400000.0.unpack .text:R;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.data1:W;.reloc:R;
PE file contains an invalid checksum
Source: Dridex.exe Static PE information: real checksum: 0x22e32 should be: 0x2b73e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_004025C0 push eax; ret 1_2_004025EE
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_009840C0 push eax; ret 1_2_009840EE
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_1_004025C0 push eax; ret 1_1_004025EE
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_00410075 push 4D8A84E3h; retf 3_2_0041007A
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_0041009D push 4D8A84E3h; retf 3_2_004100A2
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_0041017B push cs; iretd 3_2_0041017E
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_004105D4 pushfd ; ret 3_2_004105E5
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_004105AF pushfd ; ret 3_2_004105BD
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_004101B6 push cs; retf 3_2_004101BE
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_00414EDC push edi; ret 3_2_00414EE2
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_00410075 push 4D8A84E3h; retf 3_1_0041007A
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_0041009D push 4D8A84E3h; retf 3_1_004100A2
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_0041017B push cs; iretd 3_1_0041017E
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_004105D4 pushfd ; ret 3_1_004105E5
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_004105AF pushfd ; ret 3_1_004105BD
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_004101B6 push cs; retf 3_1_004101BE
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_00414EDC push edi; ret 3_1_00414EE2

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_00401C40 IsIconic,#470,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#755,#2379, 1_2_00401C40
Source: C:\Users\user\Desktop\Dridex.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect virtual machines
Source: C:\Users\user\Desktop\Dridex.exe Code function: VBoxService.exe VBoxService.exe VBoxService.exe VBoxService.exe vmtoolsd.exe vmtoolsd.exe 1_2_00980018
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Users\user\Desktop\Dridex.exe File opened: C:\myapp.exe
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 344000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 290000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 278000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -128000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -131000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -163000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -344000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -148000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -124000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -147000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -290000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -358000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -159000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -174000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -278000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -169000s >= -30000s
Source: C:\Users\user\Desktop\Dridex.exe TID: 1736 Thread sleep time: -156000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Dridex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess, 1_2_00401160
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_1_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,GetTimeZoneInformation,ExitProcess, 1_1_00401160
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 128000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 131000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 163000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 344000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 148000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 124000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 147000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 290000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 179000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 159000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 174000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 278000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 169000
Source: C:\Users\user\Desktop\Dridex.exe Thread delayed: delay time: 156000
Source: Dridex.exe Binary or memory string: VBoxService.exe
Source: Dridex.exe Binary or memory string: vmtoolsd.exe
Source: C:\Users\user\Desktop\Dridex.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_00983BD4 push dword ptr fs:[00000030h] 1_2_00983BD4
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_2_0040E874 mov eax, dword ptr fs:[00000030h] 3_2_0040E874
Source: C:\Users\user\Desktop\Dridex.exe Code function: 3_1_0040E874 mov eax, dword ptr fs:[00000030h] 3_1_0040E874
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_00980018 LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc, 1_2_00980018
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\Dridex.exe Memory written: C:\Users\user\Desktop\Dridex.exe base: 400000 value starts with: 4D5A
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\Desktop\Dridex.exe Code function: LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc, explorer.exe.\ 1_2_00980018
Source: C:\Users\user\Desktop\Dridex.exe Code function: LoadLibraryA,CreateProcessW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,NtUnmapViewOfSection,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,CreateFileW,TerminateProcess,CreateFileW,CreateFileW,CreateFileW,CreateFileW,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,CreateFileA,CreateFileA,CreateFileW,CreateFileW,CreateFileW,VirtualAlloc,ReadFile,FindCloseChangeNotification,VirtualAlloc, explorer.exe.\ 1_2_00980018
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Dridex.exe Process created: C:\Users\user\Desktop\Dridex.exe C:\Users\user\Desktop\Dridex.exe
Source: Dridex.exe, 00000003.00000002.601260180.00000000022A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Dridex.exe, 00000003.00000002.601260180.00000000022A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Dridex.exe, 00000003.00000002.601260180.00000000022A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Dridex.exe, 00000003.00000002.601260180.00000000022A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Dridex.exe Code function: MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess, 1_2_00401160
Source: C:\Users\user\Desktop\Dridex.exe Code function: MapViewOfFile,GetLocaleInfoW,FindFirstFileA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,GetTimeZoneInformation,ExitProcess, 1_1_00401160
Queries the installation date of Windows
Source: C:\Users\user\Desktop\Dridex.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\Dridex.exe Code function: 1_2_00401160 MapViewOfFile,GetLocaleInfoW,FindFirstFileA,MessageBoxIndirectA,RegDeleteKeyW,GetCharABCWidthsFloatA,FindNextFileW,EnableWindow,GetTimeZoneInformation,ExitProcess, 1_2_00401160
Source: C:\Users\user\Desktop\Dridex.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 393200, Sample: Dridex.exe, Start date: 20/04/2021, Architecture: WINDOWS, Score: 84
Start -> Dridex.exe (Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample)
Dridex.exe -> Dridex.exe (Detected unpacking (changes PE section rights); Tries to detect sandboxes / dynamic malware analysis system (file name check); Contains functionality to detect virtual machines; 2 other signatures)
Second Dridex.exe process -> 221.132.35.56:8843 (VNPT-AS-VN VNPT Corp VN, Viet Nam); 103.252.100.44:4493, 49723, 49742 (IDNIC-DRUPADI-AS-ID PT Drupadi Prima ID, Indonesia); 2 other IPs or domains

Contacted Public IPs

IP              Domain   Country             ASN    ASN Name                             Malicious
103.252.100.44  unknown  Indonesia           59147  IDNIC-DRUPADI-AS-IDPTDrupadiPrimaID  false
89.108.71.148   unknown  Russian Federation  43146  AGAVA3RU                             false
221.132.35.56   unknown  Viet Nam            45899  VNPT-AS-VNVNPTCorpVN                 false
94.73.155.12    unknown  Turkey              34619  CIZGITR                              false