dridex | 0a0ba528af098638e931933949dffb3feed060ddec12f389bb83521f0d3ce43b

Analysis

max time kernel
186s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 16:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f239af16619d76415b158d573873e3b2.dll
Size

1.7MB
MD5

f239af16619d76415b158d573873e3b2
SHA1

4b6f35e1cbb45fb8ab2a770d3d72f651bf5396be
SHA256

0a0ba528af098638e931933949dffb3feed060ddec12f389bb83521f0d3ce43b
SHA512

4f322e1b8d4dee07f689b0d645325474e1f7eabcaf3731f2d29c11345d901985fb651f0c579196929b160b33da6d303aa95db4dba8a405a37bc738b8c5f1c491
SSDEEP

12288:5VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:4fP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3468-4-0x00000000008D0000-0x00000000008D1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
2180	bdeunlock.exe
2124	recdisc.exe
5104	SysResetErr.exe

Loads dropped DLL 3 IoCs

pid	Process
2180	bdeunlock.exe
2124	recdisc.exe
5104	SysResetErr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\TSM8AB~1\\recdisc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	recdisc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 2340	3468	Process not Found	93
PID 3468 wrote to memory of 2340	3468	Process not Found	93
PID 3468 wrote to memory of 2180	3468	Process not Found	92
PID 3468 wrote to memory of 2180	3468	Process not Found	92
PID 3468 wrote to memory of 2388	3468	Process not Found	94
PID 3468 wrote to memory of 2388	3468	Process not Found	94
PID 3468 wrote to memory of 2124	3468	Process not Found	96
PID 3468 wrote to memory of 2124	3468	Process not Found	96
PID 3468 wrote to memory of 5064	3468	Process not Found	95
PID 3468 wrote to memory of 5064	3468	Process not Found	95
PID 3468 wrote to memory of 5104	3468	Process not Found	97
PID 3468 wrote to memory of 5104	3468	Process not Found	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f239af16619d76415b158d573873e3b2.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Users\Admin\AppData\Local\RNA9\bdeunlock.exe
C:\Users\Admin\AppData\Local\RNA9\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2180

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:2340

C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
1⤵
PID:2388

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:5064

C:\Users\Admin\AppData\Local\zIAQOzX6\recdisc.exe
C:\Users\Admin\AppData\Local\zIAQOzX6\recdisc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2124

C:\Users\Admin\AppData\Local\OxrItI\SysResetErr.exe
C:\Users\Admin\AppData\Local\OxrItI\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OxrItI\DUI70.dll

Filesize
75KB

MD5
ead720982565335f699d46c76b23c1e0

SHA1
c5145b751a31bd549937a833355721fe917d94e4

SHA256
5a0842a7ecada60ce1629fe0d85f3590d5140c4584c6d884344979857790f3c0

SHA512
52808a6dab0314731427706358439056ae618b67de89b34ae4c1ad39ece0d21932184fa475c4b6b7991ece07f4eea29c8b7d99dbc54963353560a80b215adc04

Download Submit
C:\Users\Admin\AppData\Local\OxrItI\DUI70.dll

Filesize
116KB

MD5
df68887dceb8a4ef0f5383a03ccf2425

SHA1
1cf2efe70d11892d402d8b8d73186d0db7ea1107

SHA256
02568a921daa77d2a5360c8f41513e081581dcaca779b546d95ed5660d721f6a

SHA512
6fc8a538b5df3785bac27e642956d8415553ae90b85eaa2dc8ddfc3a8ad1416b38fd92ccce74f253142108eb9fe4b5dc9d92f496aa8c05a1c62c11bb25b95fb2

Download Submit
C:\Users\Admin\AppData\Local\OxrItI\SysResetErr.exe

Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Local\RNA9\DUser.dll

Filesize
176KB

MD5
1eb7992af08b6d3a747d53e48c38a57c

SHA1
801ddfd1fdd9a31d8af8be7e4aaa7e4322333a19

SHA256
0a92e5528e230af42302d1972e67c78455671cadbad8c5ca4249f5214127eee2

SHA512
844c9deb99569e104a81f2d3646667ed41ed4a649abf170343a015abd487534b94e380c7b9bd265fdb242a78039ed6ca2669ae083d59fbfa6e8271acc3add917

Download Submit
C:\Users\Admin\AppData\Local\RNA9\DUser.dll

Filesize
147KB

MD5
2ea38e8ecd1ff6f3e247731ac1a0d687

SHA1
5a7f6b51d95ccec201f17a823eb79e65331625b8

SHA256
7d65287f34e2decae3f4aa0ea52b118c5903ecf44b07e87f8089180bad94f4fb

SHA512
56bff3b770ba1b641c5d9cc7ab3b7ac51274aeb44e70eecd4fea6d3026ec0866752d9c3e9550e673b6bd8bbd08039a89c5935c4d7211bfaee57ac029f4f25209

Download Submit
C:\Users\Admin\AppData\Local\RNA9\bdeunlock.exe

Filesize
91KB

MD5
df2602352af424a0a17d20624fc0010c

SHA1
0183176758f55da48ef85bc203f0cc0c25b6d35c

SHA256
cfad8cb3f1f164001b8d307655f002e4cd5cb2e2cce1541a99bd4e25c6319012

SHA512
086f8ab5303ef944d27dca710cbc8f3c20e6aa226f32169b78951776574159acb286902ce95b661b8c410792d8e6a765e480433b89b3107d91237bb247b8b98e

Download Submit
C:\Users\Admin\AppData\Local\RNA9\bdeunlock.exe

Filesize
176KB

MD5
06231930aafc20018ac93a89d714c8b4

SHA1
f63710447d5e4d26d1a220207ea275a9490db897

SHA256
7b3a5cf207547260b58254d14fa62bdcbc09ab7150f850f11d3a50c74ed989b3

SHA512
7fe1134f87a40bbcccbb918760d019ad98a419fdc4319ea35686525983ead46207efdacaffe2a324061a25c169830072adade89f2f7d934f676cf5f67249371d

Download Submit
C:\Users\Admin\AppData\Local\zIAQOzX6\ReAgent.dll

Filesize
40KB

MD5
f11d2fa90f8d9f03cd6a663d4ed236fb

SHA1
92932b28e991300cd80690136abc0b7a70b66a3a

SHA256
ea3720183b7d22204121021ea8981d293b8f480862e02466f871376d583b5a67

SHA512
bb74b2fca0982dfaad230b47ddd380c0c455a00e1f5181d291c4706e14e28275b77e0c79392a04ffa53ee3acfa014b9aa3996726a25359d15351f2a0257a468a

Download Submit
C:\Users\Admin\AppData\Local\zIAQOzX6\ReAgent.dll

Filesize
131KB

MD5
f9da5e920b84bffe485aca8443afe2c7

SHA1
088e7d093fbcb8ddaeebc80a418e1a8873624e0b

SHA256
8ed47731678c2d0c07f44ea051e3923985e430373382baaaf8e31bad2fe5251b

SHA512
6849847a89a4238c6ed0c2aa22cb78cecd55f588c5c4e857071082236ee0bd8e9cdd79b2ad7ad08020af2b38c6a7def92a90d95115009869b372440c4c9a646b

Download Submit
C:\Users\Admin\AppData\Local\zIAQOzX6\recdisc.exe

Filesize
92KB

MD5
cd798bbdfee5263605a0835d082ef101

SHA1
fdbf07a47603f8e06ee7920adbbbc5faec188d61

SHA256
9f15e909009b6789154a89c8fbd933bc3880221c75ed28825865be3b15aa3c8d

SHA512
d15bb8664717ded319b00312e30a4aec89eab7df07c2a0ddc46269001cc83dc41153e24763c12a683b109b261b1b6af47bbcabbbd30abb3d3c11439dcf6de9ac

Download Submit
C:\Users\Admin\AppData\Local\zIAQOzX6\recdisc.exe

Filesize
110KB

MD5
44b7c030d1d0b8aa881c0516ba4b0fd8

SHA1
0bfe74e0bf7202233c217f5801f942d62a9e3a5c

SHA256
bc4baa596f3d7204af7371eb7378c8c728ecf01cb08e49e9885b73988a528c11

SHA512
20186697aa0f7081092516f593b449d68a2dbcb0faa5506998a33870e1417d9a54e862bdeaea44ca8d4a10d23179f40968ce9e486f1b32a44a862393a9752237

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

Filesize
1KB

MD5
a83eec1d078a16d0dc0b47e24a72db46

SHA1
849bb8c7b2746f5bcba4eb73f4173f9e4cb6b6b9

SHA256
f4fcb1e44bf93c23c42bac8936b5eb7b78e4ce653fdffd7175116f8a8e25b090

SHA512
dc19a7930ce96e21dcbd5683ff4254bae81b0e253a09d83f32803190c39a9bd10362656d6e277000a865d291a62eea56f012d3a01192c5c26ae9b3cfd63a858a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\bI5\DUser.dll

Filesize
1.2MB

MD5
452fa0bed71320510d248382f83dc108

SHA1
e64fc255e3f50ab999b16c6c3102bd870e6b1fb6

SHA256
55fb99031e2218f9e396b42f2bc87814f917c1baf199448cba18bd3b7e1f3183

SHA512
879e61c8da1cf6cbf3c4fa97151e49f6b2bd77dfcc94bce08d1c5b48c49c58eb6a4f45511a98880fc578df7dff762fe5b4c8c90c39a41c62cd6362e6a5dc2407

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\TsM8AbsQZ\ReAgent.dll

Filesize
1.7MB

MD5
9d21ab4a379d7416b9ae0a7cbcb7cded

SHA1
3bb71b3bc02d694ea8efeb5fcc2f832f39a4d3bd

SHA256
4e484fdb329dd95529fa671ae759912283d7f4c4f5e2a752d829abdbc83e4e67

SHA512
61a998ac3b00a7f3b9c2ffee594b2e950e96f303186ac73b686919a90776d3360806540b30045d444747e6b4d884adb74e9dd812204939f1cd538d0bbf6fa020

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\TsM8AbsQZ\SF1\DUI70.dll

Filesize
2.0MB

MD5
7ccf67b30e057ea6a7289144d0487a25

SHA1
2e9dd7c3719f522afc96c8d833acd367207a86d2

SHA256
dfc773f9043a76d83042bf849ea6bdb63fe96f56fae9b4bb51041dbe421eb791

SHA512
a182c7d69cecdb302a5ed25a3b22e112f687f62e592c5a7749673505cdb19de3cfb471751029cf5dfef91807caf04e5cd5125cf2ee209bcc796ad66dc469820c

Download Submit
memory/2124-77-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2124-83-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/2124-78-0x000001E54BDE0000-0x000001E54BDE7000-memory.dmp

Filesize
28KB

Download
memory/2180-66-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/2180-60-0x0000000140000000-0x00000001401B2000-memory.dmp

Filesize
1.7MB

Download
memory/2180-61-0x000001DFB6240000-0x000001DFB6247000-memory.dmp

Filesize
28KB

Download
memory/2376-0-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2376-7-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/2376-1-0x0000018C885D0000-0x0000018C885D7000-memory.dmp

Filesize
28KB

Download
memory/3468-23-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-18-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-31-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-28-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-39-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-27-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-26-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-40-0x00007FFBC6520000-0x00007FFBC6530000-memory.dmp

Filesize
64KB

Download
memory/3468-49-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-51-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-29-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-30-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-25-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-12-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-14-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-16-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-17-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-32-0x00000000008A0000-0x00000000008A7000-memory.dmp

Filesize
28KB

Download
memory/3468-19-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-24-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-21-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-22-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-20-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-15-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-13-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-11-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-4-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3468-9-0x00007FFBC49EA000-0x00007FFBC49EB000-memory.dmp

Filesize
4KB

Download
memory/3468-10-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-6-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3468-8-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/5104-94-0x000001116CFA0000-0x000001116CFA7000-memory.dmp

Filesize
28KB

Download
memory/5104-100-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download
memory/5104-95-0x0000000140000000-0x00000001401F6000-memory.dmp

Filesize
2.0MB

Download