dridex | b9f324fa5539974cf6acbda3ad6e9c25d4fe48780b2ab7b1c48e6db7fca035b5

Analysis

max time kernel
150s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 14:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b4a954bb396e620a9b3179cd6f035911.dll
Size

2.0MB
MD5

b4a954bb396e620a9b3179cd6f035911
SHA1

e26ba090e476482a2ba2c8233f54a5e096f2a86a
SHA256

b9f324fa5539974cf6acbda3ad6e9c25d4fe48780b2ab7b1c48e6db7fca035b5
SHA512

ae95bca09f9b90d2a28e8de9a092592670b9cfc3322104fb3b0a8655c58d99699610c3cd4b3221e5422cafd48375a6b4e546602db5a50edd5ef83b3bcd951674
SSDEEP

12288:sVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Tw:ZfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3596-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
968	unregmp2.exe
4948	DeviceEnroller.exe
4284	CameraSettingsUIHost.exe

Loads dropped DLL 3 IoCs

pid	Process
968	unregmp2.exe
4948	DeviceEnroller.exe
4284	CameraSettingsUIHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\vNqS\\DeviceEnroller.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unregmp2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DeviceEnroller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	regsvr32.exe
2332	regsvr32.exe
2332	regsvr32.exe
2332	regsvr32.exe
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found
3596	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3596	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 3104	3596	Process not Found	92
PID 3596 wrote to memory of 3104	3596	Process not Found	92
PID 3596 wrote to memory of 968	3596	Process not Found	91
PID 3596 wrote to memory of 968	3596	Process not Found	91
PID 3596 wrote to memory of 1240	3596	Process not Found	94
PID 3596 wrote to memory of 1240	3596	Process not Found	94
PID 3596 wrote to memory of 4948	3596	Process not Found	93
PID 3596 wrote to memory of 4948	3596	Process not Found	93
PID 3596 wrote to memory of 740	3596	Process not Found	95
PID 3596 wrote to memory of 740	3596	Process not Found	95
PID 3596 wrote to memory of 4284	3596	Process not Found	98
PID 3596 wrote to memory of 4284	3596	Process not Found	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b4a954bb396e620a9b3179cd6f035911.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332

C:\Users\Admin\AppData\Local\KgjY\unregmp2.exe
C:\Users\Admin\AppData\Local\KgjY\unregmp2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:968

C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
1⤵
PID:3104

C:\Users\Admin\AppData\Local\j30\DeviceEnroller.exe
C:\Users\Admin\AppData\Local\j30\DeviceEnroller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4948

C:\Windows\system32\DeviceEnroller.exe
C:\Windows\system32\DeviceEnroller.exe
1⤵
PID:1240

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:740

C:\Users\Admin\AppData\Local\VXMONf\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\VXMONf\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\KgjY\VERSION.dll

Filesize
130KB

MD5
0c24f11fb3fa0a3c7be467d4a71ebcf7

SHA1
2f4511a221bd8ae7ed7b5852434eb845e2dff658

SHA256
6e28e26300558b1049880b31655125fbeed8ec4286cefd851999da22671ca1b7

SHA512
9f49ebb6d92201b43e88bfd8e6ce9aa030098d906e49f55a1257fa1309907e52d5840eb411b9d0d91521873a55ee9c2cd02cfcf7e0e03274676b688e527e40e8

Download Submit
C:\Users\Admin\AppData\Local\KgjY\VERSION.dll

Filesize
138KB

MD5
a042b02fd33f36b9a50aa47493c8daf4

SHA1
27b9b952c52dd91fbd993c664891147948e03662

SHA256
0478b3faae46064d919427ea5db24b9af3948b15b9c3fcfdb34cab4bc12ed974

SHA512
ee3d5bd6c9436be2c492beab3964b955f141c40b18125dbc3f2e15c5c335faee31890726a110b5821802ef559ed8a44b815bd1d3e63978c8c4b1c20ee49eb02b

Download Submit
C:\Users\Admin\AppData\Local\KgjY\unregmp2.exe

Filesize
249KB

MD5
814e5b571d1e4d5ca73c47f5cfa015ee

SHA1
0234203c1413ed94eaed5a946442631b5bd41b03

SHA256
999918ee8d03930118e637caeb143fdbbc94b22d3585e5c00d757b888a3d0550

SHA512
2e8d6edea8849dabd7fca3fad13271658937b28ea041ca1811f0d4f1373f7e1c6fffdec58fd7c44426132ac5bbd8b92753f19849ca243a9d75f68c6113c2c31a

Download Submit
C:\Users\Admin\AppData\Local\KgjY\unregmp2.exe

Filesize
69KB

MD5
b9b03932df4b117ffe83743ad699aed5

SHA1
df73462a743d2151e598fd326cf59c05a39e3d3a

SHA256
6ea1a05295dd3651d8018c425ab4fe305808ea629ddb6802db11e60dc99024b1

SHA512
f9a76ffb8da3b881b534caaa959584ddb1f50126352d16e6e0c294ce897390d743fc216d539414fda7775438c6ec398b6e95e4d840f3bd497db546b78b98fbff

Download Submit
C:\Users\Admin\AppData\Local\VXMONf\CameraSettingsUIHost.exe

Filesize
14KB

MD5
9cdc06046a6da4b8fdcb6ce9e5395f2e

SHA1
3109fee5703bd499cc27b2a808114f29d73b307f

SHA256
f0639ff36819d76716068d708da11c0e7f6f5093126105a5ff4aea1955614ead

SHA512
6823d17dcc16575db3aa9a4143d898f0dd2a4304ed67ab44bc26fbc39044a4df411c686590ade5dc0e40d4a031732550d2d81f6d896be9dfc94eabc66a90d525

Download Submit
C:\Users\Admin\AppData\Local\VXMONf\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\VXMONf\DUI70.dll

Filesize
28KB

MD5
ba843f89555335aaaa9561d37b3b029c

SHA1
445a9cf849cd06ee481be9885e6f411a570bdf56

SHA256
2a697407903708dba3515befb7dee410fa33fee9c7b12b0bc0e5ddd733e1b4dd

SHA512
016ac9a14d4898638e89ddbf329dd7dfd260652ed91e1c56a999021191d08db9f885d96047641d67f651267d7eac6a86e7800534aa8bc5a0001ce0e3847b89a1

Download Submit
C:\Users\Admin\AppData\Local\VXMONf\DUI70.dll

Filesize
24KB

MD5
750dd5bee81b1444c1a743e92db22ae5

SHA1
1dc33952425968b327a0ffefb0f0cb4a3b313190

SHA256
20284168974892c5191f8015aa3834655ef8041ae0bfc629fc02a80d57c6cc2b

SHA512
be69a3239874f69a7213fd512cad0b2af5299836ecc71be06596a3c0b05de70fd787536eab4633e658e90234bb9fd15b26cf29afe9d4833ce76807d22abd679d

Download Submit
C:\Users\Admin\AppData\Local\j30\DeviceEnroller.exe

Filesize
52KB

MD5
2f470bea6477544c4bacf75bd668ba02

SHA1
8b543cc5e6d3ca04954bcf6753abc0d879787a5f

SHA256
1a0d88a0d9061944b7cb3b7a7bf920d18b44e8a0de70a3f74d422ceb995f370b

SHA512
46545e27e551777c094b040784e691858686c77c9525f53d003df3003ce87f5c58cbd8a4f4c0faee24fd71fea311cbe72edfbda06bbe866c261207cb869e6c83

Download Submit
C:\Users\Admin\AppData\Local\j30\DeviceEnroller.exe

Filesize
156KB

MD5
763487debc3575cf5ccdf7eea9d102f7

SHA1
4c756f71b3eaef686f57f14bb985aa6aeed22c3b

SHA256
52f6b5cca65f5fbbbd81cb31deab28b39ff179fa607e1effa058a0bec9eef4de

SHA512
e81acaa1604dac621b0240b16b1dcc90e3adc5d941f240575569798ac683f93576bdc50d5150ab673d45ce2e831c42d33c8c7841c43fb3615b15cb123f3b35c2

Download Submit
C:\Users\Admin\AppData\Local\j30\XmlLite.dll

Filesize
93KB

MD5
be812d5d1166e4cebac1b7fa8ff5a2b7

SHA1
7a9630526e2153856c97f33b1b3002dcfdb20a18

SHA256
42e89ff152249d9ca131476ef4278f68f780bd843267ec6179b4b7679234b1cf

SHA512
46b79e050a7d4616029a32ed330a8678daef0e1096ff37d7850792dfb53c42a59c482211cf18044cc639b055e7d205828db563590c5a7a1d806eb3523c441ca4

Download Submit
C:\Users\Admin\AppData\Local\j30\XmlLite.dll

Filesize
77KB

MD5
e26950e4725bc34df433022aa578ae8a

SHA1
e7075ad921c52139f6c809f315a07f342b5cd4da

SHA256
f619ef01af7fd52930f0263f46d6d88e7dc139f33761b4f1ec274475d1443347

SHA512
109e2e2572ab424deff964f04428bb2be1b99f6c08fbdb5dd292bdc0d10dabef6980803e6418f2e78144c36c7dcc86996e9becac8e46accb9158dc5d61c507b4

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\vNqS\XmlLite.dll

Filesize
2.0MB

MD5
61f86b4d3a9626b4ce41af28b767616a

SHA1
50e16de12e7e746748ea1d3c9992d4553dd4d1da

SHA256
1a7fba1df1c078c7ecd1aef75262657f3573d477945a750960abf9253dc2bb69

SHA512
8b84717a40220804c4370cfb2cd6765416e6151271382541295863cdae92c3e188770870def33521c37331953461120bf3f447de00e6b59b0f37878ebf918ed2

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\7o\DUI70.dll

Filesize
2.3MB

MD5
75c8df0a168502c57bcbf556c062394d

SHA1
b5b2e002d7f520132d7549f4a4a4c41890396f8e

SHA256
444d7509ecd4120746f69b513cb40fb7aa417251d0afb6428b0d901c5b96cb87

SHA512
4f60d45b4242fa32df1bd7d3a6f1eba508706f3bb524bfe30c31090927250bdc1d59553d6008c064612f231c8f67e3cdadfd1c96762d23cdae5ca9d550a953ef

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

Filesize
1KB

MD5
4e1738383608d1b5aeb84eb99e1ab0cf

SHA1
c4c2d21c2e687121642ab79c8bc32b7611f22f04

SHA256
be52a8ac3d5b7d2d95e128e36eb36cb1be96f4c0301b9984c11c1499482d9e2c

SHA512
59863e4baf7c847c911c3f49910f766d9aa1cf54afe1df06e5fa3dc45c2b30b56ed3bcd059c9d3110033328a0acfa10ea583d0ac802ab5b27f1b23f541768085

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\81UgQqVlKGc\VERSION.dll

Filesize
2.0MB

MD5
ea5a9b438e7b4eb35d3af2dd8c2a828f

SHA1
cff3787490165d3625a6d952c2f51ea5ee505b84

SHA256
d0dc340f7ed217dc1cbfc822c7ff86f716cfbb2ade18846b0fd3f8ce49424b75

SHA512
5388ce17aa79e26cb5a96428c54cbf072ab96deace9749507fb4885cba480f0ac1fb3dac06efa9d0e51df809c016905d5fb093e3d12e48b0af76264516f095e8

Download Submit
memory/968-71-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/968-65-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/968-66-0x0000018E9F930000-0x0000018E9F937000-memory.dmp

Filesize
28KB

Download
memory/2332-0-0x0000000000A10000-0x0000000000A17000-memory.dmp

Filesize
28KB

Download
memory/2332-7-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/2332-1-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-28-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-38-0x0000000000E30000-0x0000000000E37000-memory.dmp

Filesize
28KB

Download
memory/3596-54-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-45-0x00007FF8E3BE0000-0x00007FF8E3BF0000-memory.dmp

Filesize
64KB

Download
memory/3596-31-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-30-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-27-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-26-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-25-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-23-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-56-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-22-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-21-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-20-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-19-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-15-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-14-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-32-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-34-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-35-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-36-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-44-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-33-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-29-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-24-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-16-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-4-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/3596-6-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-17-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-18-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-12-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-9-0x00007FF8E1D4A000-0x00007FF8E1D4B000-memory.dmp

Filesize
4KB

Download
memory/3596-8-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-10-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-13-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/3596-11-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/4284-100-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4284-105-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4284-99-0x000002BF5A350000-0x000002BF5A357000-memory.dmp

Filesize
28KB

Download
memory/4948-88-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4948-84-0x000001F605810000-0x000001F605817000-memory.dmp

Filesize
28KB

Download