dridex | e98ec64dd1a7e8a99356a9ee5c619df9d93bc0be63df2ea03e30c01d37b4da2b

Analysis

max time kernel
177s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc0aa6dcbc1cfdd09dd1e8bacb20ef16.dll
Size

1.7MB
MD5

fc0aa6dcbc1cfdd09dd1e8bacb20ef16
SHA1

8840124afefe1d0401b17f9cf49403699eec6872
SHA256

e98ec64dd1a7e8a99356a9ee5c619df9d93bc0be63df2ea03e30c01d37b4da2b
SHA512

42a0d90d28ca5d75c915a777502543fc3ef77f2edfe60cf155b91b840693007a88a60c2a3722f2663832292027ae1149d9098b0b34f3c81d914ecea35a0af911
SSDEEP

12288:rVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:qfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3428-4-0x00000000021A0000-0x00000000021A1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4440	rdpshell.exe
2512	BitLockerWizardElev.exe
1932	Magnify.exe

Loads dropped DLL 5 IoCs

pid	Process
4440	rdpshell.exe
2512	BitLockerWizardElev.exe
1932	Magnify.exe
1932	Magnify.exe
1932	Magnify.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\DH0HHs\\BitLockerWizardElev.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Magnify.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5108	rundll32.exe
5108	rundll32.exe
5108	rundll32.exe
5108	rundll32.exe
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2520	3428	Process not Found	92
PID 3428 wrote to memory of 2520	3428	Process not Found	92
PID 3428 wrote to memory of 4440	3428	Process not Found	94
PID 3428 wrote to memory of 4440	3428	Process not Found	94
PID 3428 wrote to memory of 2560	3428	Process not Found	95
PID 3428 wrote to memory of 2560	3428	Process not Found	95
PID 3428 wrote to memory of 2512	3428	Process not Found	96
PID 3428 wrote to memory of 2512	3428	Process not Found	96
PID 3428 wrote to memory of 3528	3428	Process not Found	97
PID 3428 wrote to memory of 3528	3428	Process not Found	97
PID 3428 wrote to memory of 1932	3428	Process not Found	100
PID 3428 wrote to memory of 1932	3428	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fc0aa6dcbc1cfdd09dd1e8bacb20ef16.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5108

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2520

C:\Users\Admin\AppData\Local\qVV8\rdpshell.exe
C:\Users\Admin\AppData\Local\qVV8\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4440

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:2560

C:\Users\Admin\AppData\Local\3n4\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\3n4\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2512

C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
1⤵
PID:3528

C:\Users\Admin\AppData\Local\n4UhoG0\Magnify.exe
C:\Users\Admin\AppData\Local\n4UhoG0\Magnify.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3n4\BitLockerWizardElev.exe

Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\3n4\FVEWIZ.dll

Filesize
1.7MB

MD5
ee1e9eb98597b527f36bceec1647148f

SHA1
1d748b20a639cb5a87b6a202726c48d9612dbb50

SHA256
eee027b8a20c240b64611ea48e78b285b60f9bcb0261f1ca4061a74026ea0ce8

SHA512
33eece0c572a1cc9eeff4a491930df2ecd39dea4e866154ffd6915219d37a4aa349e4057c7892f226c9c375e0049af9b919875e88787e97140ad142fdb65d903

Download Submit
C:\Users\Admin\AppData\Local\n4UhoG0\Magnify.exe

Filesize
639KB

MD5
4029890c147e3b4c6f41dfb5f9834d42

SHA1
10d08b3f6dabe8171ca2dd52e5737e3402951c75

SHA256
57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d

SHA512
dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

Download Submit
C:\Users\Admin\AppData\Local\n4UhoG0\dwmapi.dll

Filesize
619KB

MD5
5b71a21b82720c7006842c71ab606f7a

SHA1
ef360935001da2e9e4799a070e415b8a83e6fc18

SHA256
b3b22803f79bb9a80c58df9073ee1f3c95a8e6df60b448c81781eb6b85753957

SHA512
ef7c5b1732c2d226daed68caac5145009273594f46438f2769d654069fb7ba17f06c188773dae74a443da2651fa99924b7357416a87ba46c3a13a7e43a2a9a28

Download Submit
C:\Users\Admin\AppData\Local\n4UhoG0\dwmapi.dll

Filesize
776KB

MD5
8971b4075b9f316ea6030108fa7ef21f

SHA1
7c786e61d359039d1e48c9a8ed6669bd6e5a5289

SHA256
6c4996ad8856d45187239df62a2247af2c6d88586c8d6223136bcaecdcf5f043

SHA512
4209c59092f4a7d9f5a650dedabdba4482816b3036b38de710b80f563da52b8899fd36036180e47071b625956752f5aaaafb43c88b96bcfc6d201bdcf2a68800

Download Submit
C:\Users\Admin\AppData\Local\n4UhoG0\dwmapi.dll

Filesize
485KB

MD5
1e3d445c811acc3caac86a43ad6569b1

SHA1
1130d1ae34c7e5ed5590a3a40ddbf9375ae4d2e6

SHA256
df8b3c07f11fb7b90aa3db76b155120d33168b9e9e45d5c75004a840815088eb

SHA512
2490b2999f77e20868b42245d9d04d2ab2cffd1c077594340d448b8aa42b502d4d87faf8883050e2153275549f9c21d09ea815235234d11e65961f6e80abf894

Download Submit
C:\Users\Admin\AppData\Local\n4UhoG0\dwmapi.dll

Filesize
854KB

MD5
1f466ebdea280446a25dba16c4f72976

SHA1
3c88b1827727f5c930d7ac982afbd4b9f018f7ca

SHA256
16d365fcb89f9fdd2615c424633713ea16b4ab85d9ffd753afabff988817bb18

SHA512
0511832d73105925ff2be267fd86715ca4a49cd1d5049abda798ab88bcdfb349ad02ac0ea3fcdbcea92b5f473fb6545b7c3f42dacf83ed18d148aae015cdd657

Download Submit
C:\Users\Admin\AppData\Local\qVV8\WINSTA.dll

Filesize
211KB

MD5
8d7ad06e2b4867da47cc7c7bc6230f01

SHA1
9c474659789fe945f195743b07afb741598d2e20

SHA256
4b00a3fa84f73e9b10624a802f42917d1ca408b375e37aa12184c1504e5ddc36

SHA512
c47c3d0fc16edbb9c03d034fde55266b0cf4dee40fd9cbcd93588c8fdbca3c7fc21f92e0cbcf9e6c5eeacb4fe76f9b2c77fe0a86991ab66c26aaf146dccbbda9

Download Submit
C:\Users\Admin\AppData\Local\qVV8\WINSTA.dll

Filesize
275KB

MD5
1dd9b45cf5ab19c6bdb63796eb3096c6

SHA1
500cbd5f21108e44ea2ea536341f7e5a6ecfca8e

SHA256
886ac2e8d0f0fce428755bc7bb4f6100fcbb61fc48e81b3a303849411f1555a4

SHA512
70e54b513bbc6003f7662e6d08446653af12fd23098e5cbb1ed38efe72d74278a711c1d0d54f8fab6459ff114c7a1b0d6dddbeef8d78c7ff99bb7a171d1d873a

Download Submit
C:\Users\Admin\AppData\Local\qVV8\rdpshell.exe

Filesize
278KB

MD5
8e8b65c44b276a55ab8061959a4d432f

SHA1
84a0e1dcfbca3dad31a180a19afafaa9bf895b9a

SHA256
e8ad5833edf06c2e88d70a5d4de3ceeb89a2f397fb7c4156900ab601830a7ba6

SHA512
93d7e90c0f58df48684667098007105bfd64913456c251afad6ade7871a64b738db86dad68e1f81492fc9f7b5a989f1124573b6513a5d0eac827fb983585096c

Download Submit
C:\Users\Admin\AppData\Local\qVV8\rdpshell.exe

Filesize
235KB

MD5
84ce3b249c8dc5f87b57d2fc254a9864

SHA1
a2125553dd3859ebc3cefcd19ce9672d86d83a0e

SHA256
ec30885e16ed34e5141767c32c86f7b96421a643c6f25eef4dc0a67fcf84cbec

SHA512
b678c7e269c899d24666ddc8bdd8158bda4600f53fc374fa96d019c9c03be7d59fb1256fd8409f7d96e34176e3352c81055e0c62548e4723977a00269c9ddc03

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

Filesize
1KB

MD5
0fea8d7e3ae63b413084fa66ae3528ca

SHA1
88294a8d45191bca1107d2fe402418803a43e244

SHA256
879fa9d922dbdaca0dbadaf52355b93b9739eae8784dd2c83ebce3f044469ba9

SHA512
88ecca9bf65779c2c2fdb2209ba3ce7234124cc0e45c173160308b6aeacc335ea978ecfacfd950e621cfde4b3d36f57a57f7fafc2c08b2d1611da543e53a5975

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\CV1Fi22\WINSTA.dll

Filesize
1.7MB

MD5
2a103daa9cc9f1e5e4e55f861f4ac7a6

SHA1
2fa5e301ae32baacd2b5cfb1fb094ea6ab5dce57

SHA256
e503821560c4c905e982d90a299a90b464fe2c89b4b09a914f9ae0090a65b03e

SHA512
8af4458650f47aeb4d9869691e32a66cc908c0788a00618e9c85127652b93adf1b7d1786ae780c41ca5257a1e6f58d3ad7881276988ea6ca978ed771bd6b9230

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\hsrevTFoUH\dwmapi.dll

Filesize
1.7MB

MD5
6dbab8748dec9d1b0212edb70680fe92

SHA1
8e3648a63da67b19680fa2297af6dab16d9465d7

SHA256
28748076c4a4cc9d8d3836196301a534616b8e4facc485528cbb18dd2ac5026d

SHA512
3a15c3d2f0e345ace0e4a94c715f8e433da51f19f9b4391a29a16f041024bd0654fceaca2190df3373d155ff5c88802cf61839d52dc87c35af676816a8ff2eff

Download Submit
memory/1932-109-0x000002813B140000-0x000002813B147000-memory.dmp

Filesize
28KB

Download
memory/2512-96-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/2512-88-0x0000029567580000-0x0000029567587000-memory.dmp

Filesize
28KB

Download
memory/2512-89-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/3428-38-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-36-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-23-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-25-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-27-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-28-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-32-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-31-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-30-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-29-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-26-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-24-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-34-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-33-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-4-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3428-39-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-41-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-43-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-42-0x0000000000860000-0x0000000000867000-memory.dmp

Filesize
28KB

Download
memory/3428-40-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-37-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-50-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-51-0x00007FFAD83C0000-0x00007FFAD83D0000-memory.dmp

Filesize
64KB

Download
memory/3428-22-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-35-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-62-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-60-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-21-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-19-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-6-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-9-0x00007FFAD729A000-0x00007FFAD729B000-memory.dmp

Filesize
4KB

Download
memory/3428-20-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-11-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-18-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-17-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-16-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-15-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-14-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-13-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-8-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-10-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3428-12-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4440-72-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/4440-77-0x0000000140000000-0x00000001401B8000-memory.dmp

Filesize
1.7MB

Download
memory/4440-71-0x0000026324290000-0x0000026324297000-memory.dmp

Filesize
28KB

Download
memory/5108-7-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/5108-1-0x0000026A454F0000-0x0000026A454F7000-memory.dmp

Filesize
28KB

Download
memory/5108-0-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download