dridex | 82f87ae7f82947667739ae073c48d9e810af9c638fad471918918ab78d5aea9d

Analysis

max time kernel
24s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb0650833a45e6b7611fd961af6cc8f.dll
Size

2.0MB
MD5

1fb0650833a45e6b7611fd961af6cc8f
SHA1

2d18b7d863757678c0f9f2832026352e4b94c418
SHA256

82f87ae7f82947667739ae073c48d9e810af9c638fad471918918ab78d5aea9d
SHA512

60b2b5be0a2f6e3dc7c865c94a984778b027850a87306f75721fd9c18b88fecaf37bc06516ceb43fbf5fb9e79e799e42ec6f300f13df29fe752a56e256b1778e
SSDEEP

12288:JVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1V:ofP7fWsK5z9A+WGAW+V5SB6Ct4bnbV

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3336-4-0x0000000000700000-0x0000000000701000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 2 IoCs

pid	Process
3632	MusNotificationUx.exe
3392	wermgr.exe

Loads dropped DLL 2 IoCs

pid	Process
3632	MusNotificationUx.exe
3392	wermgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\i4Rfkq\\wermgr.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wermgr.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4328	rundll32.exe
4328	rundll32.exe
4328	rundll32.exe
4328	rundll32.exe
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 2288	3336	Process not Found	89
PID 3336 wrote to memory of 2288	3336	Process not Found	89
PID 3336 wrote to memory of 3632	3336	Process not Found	90
PID 3336 wrote to memory of 3632	3336	Process not Found	90
PID 3336 wrote to memory of 2252	3336	Process not Found	91
PID 3336 wrote to memory of 2252	3336	Process not Found	91
PID 3336 wrote to memory of 3392	3336	Process not Found	92
PID 3336 wrote to memory of 3392	3336	Process not Found	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:2288

C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3632

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:2252

C:\Users\Admin\AppData\Local\vCI\wermgr.exe
C:\Users\Admin\AppData\Local\vCI\wermgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3392

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:4988

C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ef206GJD\SYSDM.CPL

Filesize
98KB

MD5
dfe51efd96de2a1db9031aad765f4dab

SHA1
582b53662a0e728b874579f1632f0f03ba7b3469

SHA256
3d24c3448460f3d396077fcaaa4bdbee3d1d177215e33db9fd43611a65aee09a

SHA512
6c0bfc29d9eca574b708f38d42ed48b03b43ed4d8eb57d5194b9e9db742264f2f10b90c444c519968656bdc381e6b34e1e4a700444b961bbdfde0f09c02daf02

Download Submit
C:\Users\Admin\AppData\Local\Ef206GJD\SYSDM.CPL

Filesize
74KB

MD5
a477ae8e0f5bb5b4f15c201812595047

SHA1
90741c4b4cb5f8754413c146366e909c3849e81a

SHA256
2e116998d458c83c8173409f31160528794568dd5a8d83226f049d73b37461dd

SHA512
3e787242ed3ea12498d9a55beac12208ba43112b41eb4295b8fb9541f084ddb448bea40552200589fd9b3f895cb3568345a2d7c0cb23b33437273764e1e45132

Download Submit
C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe

Filesize
53KB

MD5
f72dcda4b59d9873598d5ad01bf7897b

SHA1
204858b39b4e5c6a2890e66215bf657ad62267ff

SHA256
4815331bccda6bef12322595b58ee2061bffa42595597ec5e36f28322dd868ad

SHA512
8170029208136446ca40905e7a7ecca78045fa124fed2b8e7f8874258a1d0f6bfc9be72e33012cc6d076d03b5d6789249de9dbcbcc1f0bd627cdcb39d54ccb6b

Download Submit
C:\Users\Admin\AppData\Local\Ef206GJD\SystemPropertiesPerformance.exe

Filesize
33KB

MD5
bce579e5b02f2550a17a35639a67ac9c

SHA1
4e54af9dfa9a2bb5f0dafc05f450d42cc8c32a2a

SHA256
03417b3faddb6a2757865b6ffcf3fdd55bed95672eaa79ab21bc2df36115dc09

SHA512
dc142310fa864a231abcaaa6c77e0943fe88aa2696b4928aeaad069a5fec9dd7751d23812a965761419299a80463fd0c6b20bb7477f1c25524d7845142788663

Download Submit
C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe

Filesize
81KB

MD5
7a31787344fb42f3ebb6213234b9163d

SHA1
0ab871f4730494d46450deb3028c13a7135bcff5

SHA256
db6a2d66afe8583fa470ad5882a44414c9b2bf528471ad5e36fd4e9d7d1571ca

SHA512
7ca4844242c0fc20392cb556d6b0b39c243b55d6f2be569a3b7c0abc8feb9de60a7cd7c6176744299e175f3a956e6bc6671b0a2052298ab930998c96800f3fc3

Download Submit
C:\Users\Admin\AppData\Local\M0QKKqY\MusNotificationUx.exe

Filesize
32KB

MD5
3815a5801797addbeb7b5e4a4b578d6c

SHA1
1f4298e81ed85be43aaa496b059e3e4b4eafd8a6

SHA256
e1b5c5ab44701088bc0d1ac389194cad94701d645ff1080f56f94b09a3f488ff

SHA512
e56ed4c94bc544776da0b851b8d518a53c89bbd32be5a20b4b45d8438291a9feb6a6312f5c176a40ccdcd39b7b0a3397113b431d3c3ee4b85c976df70db3c400

Download Submit
C:\Users\Admin\AppData\Local\M0QKKqY\XmlLite.dll

Filesize
112KB

MD5
47e65da3d878a6a6f8a3c7ad0842d646

SHA1
5191c540a030120da4ff7d5519f216fbb50efea5

SHA256
cb67e0a7fcbab06254b1c126c6cdd19663c6fff3c799cb91488dadf37f2d3968

SHA512
18a2484491f373450fac37ba85ddad98efb14044e4c24433a8eabb0c436e41cf0765f8d5695380b2b95d067646913cf4ceaa987987e071d571ef69e9e557ac7e

Download Submit
C:\Users\Admin\AppData\Local\M0QKKqY\XmlLite.dll

Filesize
43KB

MD5
ce73339ff37518c0442db849f109546e

SHA1
2f4fd5a9a8f658e9453aeb792f6c5fdf28c69738

SHA256
bec4c0e0f0b361bb07b62c0056b607346ec50998c3e55bf39760818524e9b2c0

SHA512
ab804d0ab718ebc15fea12d870eae6dfa3bdd1b40169b1e0c9bf9da9c2e93bb2af24b5935bd239a5036a91d158389b85cc693692fcb421a4e6df21d4e3a23cf1

Download Submit
C:\Users\Admin\AppData\Local\vCI\wer.dll

Filesize
17KB

MD5
c9d071391a24c522ccc93e48c7179ee2

SHA1
57913aa826acac98a97fbdb4feecd7b4f3968b07

SHA256
4594710891b1592b89d44016c1b6564a2249f250e502508b349d5adf7d57a010

SHA512
9f36a01459df0ac376eb80e91d5bb5be6da7e4d2c0af8c56141e28b1e28a560e72eabccb001070320c079caaa0dbdd41a9b939e7a801bbdf01b3e5e5b41bea72

Download Submit
C:\Users\Admin\AppData\Local\vCI\wer.dll

Filesize
1KB

MD5
845c1424cd32a09f530d87081dcc9a1a

SHA1
7277091da04702cc7c6e74ea5fe52590759320cf

SHA256
1f40236122b6d1ebe103e78f0ceee44c9f523ac8a96eee7b5e3b033cce1707d9

SHA512
79015097bf05aa6baf6e946ff524a1770de28939bc810f819a23f73a28740debeeb20d0f84c2533ee2ff89a700914311bcb9aa82002cedfc7cd3cead76bbdc17

Download Submit
C:\Users\Admin\AppData\Local\vCI\wermgr.exe

Filesize
5KB

MD5
747dd906853c7bd607566832904cbe67

SHA1
937269abc6a01141f884d5420b1b1ba7f034c136

SHA256
04228d8e6840e924488197cc119a5d16ee83038d282f3a39c8b72f6ad2fb241e

SHA512
4ed5afd9fb52fadd7e466a02895a95e001dea1ec250ba7c8635639bb428996eb40b54830c09ff9ac3d33dc54fa616a56a1ba355e9714b985d71ac3a7f0765770

Download Submit
C:\Users\Admin\AppData\Local\vCI\wermgr.exe

Filesize
3KB

MD5
b97eadca12ccce0a2b6a0038d349b037

SHA1
8fcfa6c00068c4ba78056d5ece5755b4026b2e41

SHA256
f0256f61f6ac84ff62379b7c9e92d46a253e2c9a13648df1130f8de8890e4bc7

SHA512
72f90170d800ea8959db1a6ebf6d068399ea6f8be66769ac8c599466d2f6e2042f9e189e02cd3b2fee44108fb79425d20f0582955a57f6fe3f26f30025b98358

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

Filesize
1KB

MD5
cbf527564aa2b481dcdb43abe7a28aeb

SHA1
a8eacbf4f452376e3ceb50a364caad4349720e85

SHA256
73cd546213269a6688070b822a88a7c8063c67fe201ae7783435f646edd6b3f6

SHA512
22be767c3104f8d5c2d13c33c48d3835f1813a2658df0594fe686a0f5409c5abac4f15e2eb294ce13a6a1741aab1c0f0c35259dcb8af60496ffef95d55938c57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\4UN60eAaF\SYSDM.CPL

Filesize
307KB

MD5
43dcc32764d35f83ef58bab42e6fac86

SHA1
6acbd360149633c0e221af299ae0282cd5b77b4d

SHA256
2776387a4cc37c228e6cc08a71a56f8e5e2731b743d869fed58d22ddc095afc3

SHA512
37c916f3b87970199cda7fabf21e274675bbe0ad3a3aeb720b3a272a70122a2ba9c553295ca3c10340a17e435008f9f2ed11562b73607d00eb1612215ffcfde2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\i4Rfkq\wer.dll

Filesize
149KB

MD5
4e3a069e24e9bb86fa0a8c131bf7c680

SHA1
c9b480a935894c2f209590e7840f61b95a5ea767

SHA256
ead29818704e3bf69a74486bd3a797b33505b8cdf6cc1e59b267cdf4f3bf5517

SHA512
dcca7056c016db4b7aa6e396d75d8c253d6fab23a55bb02aa954658be70f676fee5866c97f6eb4f016370e1a224815078cb94ba97adceb4ebb5c5f2f159346fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\u6UGYkMK\XmlLite.dll

Filesize
92KB

MD5
178672f7ca742a6e4fdf2573fbd4cc21

SHA1
b87da911fef0f4768852574fd100f4fe321a18ba

SHA256
3497c900bdc9449c9b8e6c00aab0a6d1fa9cb017db3fc37e72c0da4516b67a4d

SHA512
3274470c3b8885510975018a2d940a0c2ca09ed9b4a6141b6c73cdb372124ce469818704d85a42788178f288c08a039debef70ae13662c35e1e9b9ad17cd9af5

Download Submit
memory/2816-109-0x000001710CA00000-0x000001710CA07000-memory.dmp

Filesize
28KB

Download
memory/3336-18-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-53-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-26-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-28-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-27-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-25-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-17-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-16-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-15-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-29-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-30-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-32-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-31-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-34-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-35-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-37-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-33-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-36-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-39-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-42-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-44-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-45-0x00000000006B0000-0x00000000006B7000-memory.dmp

Filesize
28KB

Download
memory/3336-43-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-41-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-40-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-38-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-4-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/3336-55-0x00007FFCC19C0000-0x00007FFCC19D0000-memory.dmp

Filesize
64KB

Download
memory/3336-24-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-64-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-66-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-6-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-8-0x00007FFCC011A000-0x00007FFCC011B000-memory.dmp

Filesize
4KB

Download
memory/3336-7-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-9-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-23-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-22-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-21-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-10-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-11-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-20-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-19-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-14-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3336-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3392-93-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/3392-92-0x0000013788260000-0x0000013788267000-memory.dmp

Filesize
28KB

Download
memory/3632-81-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3632-76-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3632-75-0x00000224CEC50000-0x00000224CEC57000-memory.dmp

Filesize
28KB

Download
memory/4328-1-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4328-52-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4328-0-0x000002792DC10000-0x000002792DC17000-memory.dmp

Filesize
28KB

Download