dridex | d1edb8387c2570a8d1979c748d466d5016454f7aaf4141895be6f6bdbf499bc7

Analysis

max time kernel
36s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

698d381098a0d8b9924e1e102051a85a.dll
Size

3.2MB
MD5

698d381098a0d8b9924e1e102051a85a
SHA1

2b74c2746df95710eaa40d3ba20ed754772228bb
SHA256

d1edb8387c2570a8d1979c748d466d5016454f7aaf4141895be6f6bdbf499bc7
SHA512

3d5173b9231e3f447a7eab5d326030cab4af2e81114e2ff7b026c333a88e0f708a21ad506a89b34856ee5f411485c215206d8e5524aef789998ef8b3fb63a751
SSDEEP

12288:xVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:AfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3364-4-0x0000000002360000-0x0000000002361000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1956	DWWIN.EXE
1644	msra.exe
3580	DWWIN.EXE

Loads dropped DLL 3 IoCs

pid	Process
1956	DWWIN.EXE
1644	msra.exe
3580	DWWIN.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\U7F\\msra.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found
3364	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4020	3364	Process not Found	92
PID 3364 wrote to memory of 4020	3364	Process not Found	92
PID 3364 wrote to memory of 1956	3364	Process not Found	93
PID 3364 wrote to memory of 1956	3364	Process not Found	93
PID 3364 wrote to memory of 4172	3364	Process not Found	94
PID 3364 wrote to memory of 4172	3364	Process not Found	94
PID 3364 wrote to memory of 1644	3364	Process not Found	95
PID 3364 wrote to memory of 1644	3364	Process not Found	95
PID 3364 wrote to memory of 2620	3364	Process not Found	96
PID 3364 wrote to memory of 2620	3364	Process not Found	96
PID 3364 wrote to memory of 3580	3364	Process not Found	97
PID 3364 wrote to memory of 3580	3364	Process not Found	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\698d381098a0d8b9924e1e102051a85a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:4020

C:\Users\Admin\AppData\Local\H4EX4U\DWWIN.EXE
C:\Users\Admin\AppData\Local\H4EX4U\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1956

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:4172

C:\Users\Admin\AppData\Local\aUEK1S\msra.exe
C:\Users\Admin\AppData\Local\aUEK1S\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1644

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:2620

C:\Users\Admin\AppData\Local\tOTj\DWWIN.EXE
C:\Users\Admin\AppData\Local\tOTj\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\H4EX4U\DWWIN.EXE

Filesize
1KB

MD5
dfca1974935557296028f602029a5fe5

SHA1
0d5d3e3d678fb826b0575cd05e28ff110166aa39

SHA256
3d1ab60bd7173dba5babf21a0c1e4bf4e83c41eb97edf31596c74b55966b762c

SHA512
c61aa13fbe10b3a920e55ca4915a802bb653a763b34ea9ca5006dda855d3d80ef0fc354d4cecbe4faf50acda4d2224a3752e7856bed7b3caceff3256709324af

Download Submit
C:\Users\Admin\AppData\Local\H4EX4U\DWWIN.EXE

Filesize
49KB

MD5
cdcc1c5bde577cfcc7ead7eae571b7a6

SHA1
ddaf70613aaae388175aaa850603389a02d95f0b

SHA256
9acfec686df85bd11d6e80414f5a269c1e80eee34e2f0997701a40dc11aec70d

SHA512
030fa6ba7b8f2d6cab8d16e2bf6da4cbba1239a64eb66aaeec24c234f30389e6f2ae5bd797a10a3e477f6debb292ee3e4f5db66f9e2ddda8100f368dd4a318fe

Download Submit
C:\Users\Admin\AppData\Local\H4EX4U\wer.dll

Filesize
96KB

MD5
0889160a70bbded0ce31f2e4f4855ea1

SHA1
0d4a87370f2dc62f4a5bb5540342ed778c2660f7

SHA256
46442871e8b05fa95854da3fd8182f7754a88f9d7948ea7e83be065e43e0dcd5

SHA512
02fdc72728f9429640ebcac475c31369b27d64ba25487574f876ceff7a430b44a9e90904136a68ea70c17bfd0b9ef3c68ee1412b14d21f71348ef4aa3615f199

Download Submit
C:\Users\Admin\AppData\Local\H4EX4U\wer.dll

Filesize
85KB

MD5
5f8e4c527d2b7d97290d67560c33ca42

SHA1
06150784cccc0ebb3239507ee816910091757b0f

SHA256
5186af553218a6bfe3e0ba3f5a288c3d85e1b208a7f20e4a9e483291a218d989

SHA512
d12e31243b191e08a5013a164fc87ba35b23481f9b8a3847e60da3c2c674b28f288ead9193f37032da99035af25eb666eca191a3142e5fd326c7d9cde13767d4

Download Submit
C:\Users\Admin\AppData\Local\aUEK1S\UxTheme.dll

Filesize
80KB

MD5
d035199d019fb2d4ac0516c7e8d6844c

SHA1
2eed4f8d696b9c5b87da18b6cd638ba86140604c

SHA256
e770a45dfb94ea9c09920a4e693d4bb3a279cf77064b4ebe87c09949d564c9eb

SHA512
166886be98cbb54cb0e2e03546567b174f6d32cf3981ae09bbe7f8eb223c307cc1099c14016b3dfe2e37141bbf4f1f4a11b458a43d697f235c799742ebd1ae87

Download Submit
C:\Users\Admin\AppData\Local\aUEK1S\UxTheme.dll

Filesize
76KB

MD5
be99e5e1b17b557bbc90d740e5eb14e8

SHA1
68da3e1f62d48d4eacc17f22543e819cc37a8501

SHA256
73e6a2ce1b03705a6682f63ca7c550c7526ba27caf81cc3ef320722124146e32

SHA512
82461cf281b8086b69e2cc73f22f95b2b01c51951a5103a383f7ec87cf7f405e150774c42c73efc4f5073d1ff2b4f6c5243563d5c8f84e912eabf0a52ed7ffe3

Download Submit
C:\Users\Admin\AppData\Local\aUEK1S\msra.exe

Filesize
87KB

MD5
b10eb1d37dd1028150e3c1dee70a9621

SHA1
6a162a9ff9891a2ca7b8272e6a4074eb9c65e244

SHA256
cebbe3f104e7243e37d49d409c8fe0c04cee8fb05225b159455ded18f8ae5949

SHA512
52fc03fce731a4616caadb899c2c599e9414cd39a4061ab403646fa889b78ace2215a27fa5b9ad81f6373f5c5b1f517939bceee5c922dbb02315b133ce3338ef

Download Submit
C:\Users\Admin\AppData\Local\aUEK1S\msra.exe

Filesize
89KB

MD5
f9978f082eeba8f2a2c9366a98dd7443

SHA1
d36cb4dfdd9dae0dc0a18e821043afb3b34fb783

SHA256
db1ee07b82fedae19be6dfc901783a4afa74dd57557d48d8dd1bb0f3a2e4e89d

SHA512
5893f8b92bdd2a436491bd8b47a70e60d156529861c033bd2e8cce66d2630ed43b854c8b1e2fbf425e992c9c1adbcbe3080bb2a36a1cafe0cdd840c520c9fc1c

Download Submit
C:\Users\Admin\AppData\Local\tOTj\DWWIN.EXE

Filesize
58KB

MD5
41093aa98420969498d727ebc9f06cc2

SHA1
2ed93303fad8983e842520634eb99add48c3c3b4

SHA256
515ca065c7b4ab27243698c8361aaa47d7c8cfe92ed068e2bda7d3b918ebfea8

SHA512
ecc7a58ce0acf86f0202f764e3710ee1d531d2c0edd101d632bde18896f8a2d9d79e3ddba2928363145a34efa8c5dffb4630fafe8f3595f5b1d2ad81da1bfa0f

Download Submit
C:\Users\Admin\AppData\Local\tOTj\VERSION.dll

Filesize
37KB

MD5
74fc47f86969ee9ca6a84c3205b1694a

SHA1
3aff3737b3e02e045b3a5638ca7b163523c1f111

SHA256
103364f69d2d647723bf047f657ca13f50cbbe312fb92ab9d841f1c68c5f2e13

SHA512
8463b2631a3b31d09570d58770d87c832c6fe702f0b887cb5965c999a13c0232cb37ab0c6ec4f9de39f87fbc6ab73752108157b13eb5681872ce842465a6e1a3

Download Submit
C:\Users\Admin\AppData\Local\tOTj\VERSION.dll

Filesize
87KB

MD5
4ca7a86ef2a58a5a41e1ab402ab6fd9f

SHA1
0e9a0ef3dbd85d51d64bbb8583ee07f66f65e22a

SHA256
9cf285f125b4eb35cc55d126c2bd7d1a2d7bb7440db146ce105933523d36b94a

SHA512
9d924564aa4bad3ca94c5077a6b90240e1b59dbda21a1156f60dc7c2e5380ee57193236953da10524a6987dd1aea723fd8fe6f96c14897d979fc5ecb2c60d517

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\9wsqodqwAPd\VERSION.dll

Filesize
239KB

MD5
4cafb6a77ebd89fea88754d51dfd6ce6

SHA1
bb34880fa76511509ecf79e78aa7bba0d6643388

SHA256
e32cda84ba717d64f0818f9972220fa771de5671bfa59fe9d80910fc6c6337a8

SHA512
f4547be3379f6840fa679d5ebb4c201d82d57ab2da3cbb481c4507c5ff4609f3640feef5fe916117eb0b40d316defb3e52bc85a9e6412b7b78e1e81e6f7a8303

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

Filesize
1KB

MD5
547482572a94a3d908f8c23018b7ab18

SHA1
dbd8705e177ca4977d436d8417f34ed60a5ad773

SHA256
91428ccf25c86763374717b1af5ebd43e9ed23130d4ee2360240eeb01fac4a21

SHA512
aef0ec034b7681b1a6ba734981afdca7796984bf64b8c7a0a9ec3050a7deccc9ea548d9fb725a84daa10b4ae5e80d20b4bf27ea9d0663be61f0fd9e8b649e967

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\xadgMixNDv\wer.dll

Filesize
19KB

MD5
135dba0b3bdd4bb91ba40c2a36cbc038

SHA1
f68e318634c5368c6dac3766c11ca4394479d9bf

SHA256
7066a4763e89647366871882747d4e871c88b09ba05611fceddb710a28909a1f

SHA512
6124ff242117ec507d738f31cc987fd5b5e468e88200dd8ada7f55ee19e5338907c9632cd3daca1139cc77c7288cb973288acfd2b0b51361bfc73af768ca7ebf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Proof\U7F\UxTheme.dll

Filesize
57KB

MD5
8d194f0b0e81e7094284529eaa43bbe0

SHA1
c5e6541c3632d3d8888146982bb966f9c61db966

SHA256
8bee24270e335d74cef5b1248a6fb9dc3be830320a68bc4326a8d7aaa14c3c44

SHA512
52c1119005503eda311a098bc4dfc2d38f5458937706aeb92c8eed5664792c5d745f4e63ef5978ad1d35024c041f5d56e557643965aab9c864a60c091af8fdc6

Download Submit
memory/1644-114-0x0000013C64C80000-0x0000013C64C87000-memory.dmp

Filesize
28KB

Download
memory/1956-97-0x0000022E121E0000-0x0000022E121E7000-memory.dmp

Filesize
28KB

Download
memory/2700-7-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/2700-0-0x00000179F53E0000-0x00000179F53E7000-memory.dmp

Filesize
28KB

Download
memory/2700-1-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-44-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-28-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-21-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-22-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-23-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-24-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-26-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-29-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-31-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-34-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-35-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-36-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-39-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-41-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-40-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-38-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-37-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-42-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-45-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-46-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-19-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-47-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-48-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-50-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-49-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-51-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-52-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-43-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-33-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-32-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-30-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-20-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-27-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-25-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-53-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-54-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-56-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-59-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-60-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-61-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-62-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-63-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-64-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-65-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-58-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-5-0x00007FFC8BFDA000-0x00007FFC8BFDB000-memory.dmp

Filesize
4KB

Download
memory/3364-18-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-17-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-16-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-15-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-14-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-13-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-12-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-57-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-55-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-69-0x0000000000B30000-0x0000000000B37000-memory.dmp

Filesize
28KB

Download
memory/3364-77-0x00007FFC8CBC0000-0x00007FFC8CBD0000-memory.dmp

Filesize
64KB

Download
memory/3364-4-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3364-11-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-10-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-9-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3364-8-0x0000000140000000-0x000000014033A000-memory.dmp

Filesize
3.2MB

Download
memory/3580-131-0x00000132CE770000-0x00000132CE777000-memory.dmp

Filesize
28KB

Download