dridex | 18b45bd4552f4f6ada10aaef4f131e845f9e39e20312f3fe6f67f243ce241eb3

Analysis

max time kernel
0s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c620a9384a551d18ef1006fa2b89f15.dll
Size

1.6MB
MD5

4c620a9384a551d18ef1006fa2b89f15
SHA1

5fdc4e376461609c1848ae651ddaa15e53d47b7d
SHA256

18b45bd4552f4f6ada10aaef4f131e845f9e39e20312f3fe6f67f243ce241eb3
SHA512

b1c93e1d0600a4fb519a9dffc4007f1be4e44076c54d0cd1d76637d26d288f56ae975d9819286e7ccdee4655b5ade039404502a84d2fdc2f64d92a56d3677898
SSDEEP

12288:+VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:jfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3520-4-0x0000000002AC0000-0x0000000002AC1000-memory.dmp	dridex_stager_shellcode

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4980	rundll32.exe
4980	rundll32.exe
4980	rundll32.exe
4980	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c620a9384a551d18ef1006fa2b89f15.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Users\Admin\AppData\Local\4zbzZ\mfpmp.exe
C:\Users\Admin\AppData\Local\4zbzZ\mfpmp.exe
1⤵
PID:3268

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:4836

C:\Users\Admin\AppData\Local\ICwkGHu\mfpmp.exe
C:\Users\Admin\AppData\Local\ICwkGHu\mfpmp.exe
1⤵
PID:2716

C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
1⤵
PID:1000

C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe
C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe
1⤵
PID:3356

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4zbzZ\MFPlat.DLL

Filesize
19KB

MD5
70a4c926ba746a1407053ae2ea57663d

SHA1
c5c5b90671749a249415427ccdd52d83edbb8dc9

SHA256
0d1fa4e4f41c3b094e8e638f8e93b4bf47f15b336c273408672e83e3e85c2fc5

SHA512
22d47e5cdc3cd1dd08c159b95e052a198cc5929f88caffe8d4248b06967780d3144f034228fb4af28bf8632d1b5cff4119b5d61d4cfb2205d93b9e6422f465ed

Download Submit
C:\Users\Admin\AppData\Local\4zbzZ\MFPlat.DLL

Filesize
36KB

MD5
22c03ccaad67960200392a8ce7caaab7

SHA1
fd59b048f87d75d075f50e9a2b6356f7c7c197d1

SHA256
f9ec1efc59cee1285ae91452871e3d4727fcb4e74227aa3bc679d6ede73176c5

SHA512
df656ff730fad90cc00faa14218ff987e23c019bc74fa9b77d27d849d3632f1780d44819791625cbe9e292494638d3a1e04c573ef79b22e85c06cf6a0b5260da

Download Submit
C:\Users\Admin\AppData\Local\4zbzZ\mfpmp.exe

Filesize
46KB

MD5
8f8fd1988973bac0c5244431473b96a5

SHA1
ce81ea37260d7cafe27612606cf044921ad1304c

SHA256
27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e

SHA512
a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

Download Submit
C:\Users\Admin\AppData\Local\9Ucgyb\WMsgAPI.dll

Filesize
115KB

MD5
2319917cefbe898699dfc146b6ed2326

SHA1
b2aabaa20a25a85c86ab4512cc4eb742e9b81cb0

SHA256
4dd502bda4a0dd7c06bc12c797456c69ffd3620e052469d1da23449413cf1920

SHA512
8b4e77f45e8cef999445cb9430039b7ee5894b783afaddc9156b93923dcefbe6789443328ca4459642799e953f4bd596b459bd1a2efe4c910e863934edceb3ab

Download Submit
C:\Users\Admin\AppData\Local\9Ucgyb\WMsgAPI.dll

Filesize
12KB

MD5
5dae6a4439317b357cbc6e9d5b958030

SHA1
826f9d4eb25f3a75eb26d5e413c30b044a9037bf

SHA256
bc8a4d29d676bc10defb1549ed647e9ca84073f43e15fab3a30692bb012dcdaf

SHA512
0987d515e1547a231736c870a0cdf7a111799557a67cdfeeb78f81f3e97cecc613b4e2c377648a73c4037680e47260e6228a07e5544516f600feda81091fb8ec

Download Submit
C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe

Filesize
25KB

MD5
354c4b62fbdda715cd79b633b9a15b00

SHA1
4aae1f64aac0d37f7030090b47455e664364f507

SHA256
e677c012bd32a1c897a1da9925380a1821e6ccc41b224e255ca3d0bba3f99de6

SHA512
284a8b4517764e5640971fcdab1d22fbef6c0147bf84aed2c6bd2367c63945140a1bc08be73501f12eab3d51c9b85bc3688823e600ae0dcf4b6963eab4b7958d

Download Submit
C:\Users\Admin\AppData\Local\9Ucgyb\osk.exe

Filesize
12KB

MD5
9eb1a083c26b73bec85b8a4ae6e6b2a3

SHA1
3d3d30f71bf45e3ef098e4762e769d6c14e75c7d

SHA256
20510314140e163a3bf062c581ed3f3ab53b14d5ec6f6a3017d9f8e9e4e4dbee

SHA512
aa23b57b2a9449e082fcdeca419d39a79a7b0667f2e4997c15a63f308e3712cf1dc9282995c5846c9c0f331e500874ecd039fa57b7367eb91d4c351c2b73a99b

Download Submit
C:\Users\Admin\AppData\Local\ICwkGHu\MFPlat.DLL

Filesize
36KB

MD5
7c585c58ad07e6354cc6cdbafb40267a

SHA1
2e5de3d13e09e1266e5d50822d77751109d54f58

SHA256
b5b6086fa5c7790f0cfb507fae32c51441bb4f501ba372892c58e667215cc3b5

SHA512
9ba154ee0740e4b8967d9e4ed1eb3b1443b56cb195a226f978b493e0729242110cab4b56290e00daa7c3aa74ac5a73ee131c5baa47c3a9c51543e27eb9d3af57

Download Submit
C:\Users\Admin\AppData\Local\ICwkGHu\MFPlat.DLL

Filesize
69KB

MD5
b647ffdb679c99464199939629a565d0

SHA1
01da3476f5c2d9fdc8f4812659266315d3edc477

SHA256
a5138c8ab40d5c9463173805422b0c58eaf52b27a501f94c650cc82c93eb9145

SHA512
f7913d91f7f20abbc0b1c86031be87515df5805c16d6276269c553f14c59c3a1e5e9557bc701d4f9d1e004c4085822b4903f23e6d862de7523d2d6cb962295bd

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\TiYrJaX\MFPlat.DLL

Filesize
41KB

MD5
e29c3cff150b0856b01a2f299b19bd32

SHA1
b4e0ade0e77ed84f5ef0a187c9de07b9d10e00b4

SHA256
b3503b79dd527822070846b877d55211a686b1490323d1e1d2a3107706ebb1e3

SHA512
e735c973b1e228293b671ce86dcb86d87fed0bbcfc7d870fe582dc7d3251ca8196a175e070b13f0253a8fb27c893b327e6451db72c0694543e15b6e91f01c4bb

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\XUkO\WMsgAPI.dll

Filesize
11KB

MD5
ab1f86c5bc020afca8fdef3b6235923e

SHA1
1bc2470caf2a936c2e9689ba6467bc992af1ce7f

SHA256
bc13f7c3f9a3e3b496fdbaf8dc738a9b356041832708daea9ef063b37ae7836f

SHA512
0ef0548aacb5f6c86db3bd12e24a64be8aacf0b14dd77f26a43dc5c7e29cafeb30b6afec3ae8291a25f10fdf7cd40bc2c91d4ea7a992db0bd8d8af7a78bddcd3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

Filesize
1KB

MD5
1839cf42ea1a7a7e439395d5eb5e3eab

SHA1
937486555c78cd124ab2c53e2d81bd920be69969

SHA256
595e02244a116bea2f693294314a99e5487126456cc441f4e2ecd98a995d21c5

SHA512
722925d60b88fa8401d4915cab6b5390519dbc24ee17cd0c63323104a5387259fe01e45c9661313245213a5ccca50a4997db589b834fa944f8ee075b2e128a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\1GJv0w3JS\MFPlat.DLL

Filesize
32KB

MD5
fe324a36a747936ae563eb3fc93d1189

SHA1
574aff27e67204367a8b20b57a8546d1d02da23b

SHA256
777120ec04288fed58e22c5564d2c5ee002ce86b42b848b61df190518b0cd4b1

SHA512
a50fda6ce82c7973c5d87606f8655155647eedfefc1a4bea4746dbb03d00064832fddf2ef4be686b645b3e60c0a9f72cf4ffd36649b4437618a64c666a5d4a07

Download Submit
memory/2716-72-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2716-75-0x0000016772970000-0x0000016772977000-memory.dmp

Filesize
28KB

Download
memory/2716-78-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3268-95-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3268-92-0x0000016F57330000-0x0000016F57337000-memory.dmp

Filesize
28KB

Download
memory/3356-57-0x000001D968D80000-0x000001D968D87000-memory.dmp

Filesize
28KB

Download
memory/3356-55-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3356-61-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3520-20-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-15-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-35-0x00007FFE59260000-0x00007FFE59270000-memory.dmp

Filesize
64KB

Download
memory/3520-27-0x0000000000B80000-0x0000000000B87000-memory.dmp

Filesize
28KB

Download
memory/3520-44-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-34-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-26-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-24-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-23-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-22-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-21-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-9-0x00007FFE5895A000-0x00007FFE5895B000-memory.dmp

Filesize
4KB

Download
memory/3520-19-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-18-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-17-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-46-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-14-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-13-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-12-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-11-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-10-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-16-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-6-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-8-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3520-4-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

Filesize
4KB

Download
memory/3520-25-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4980-7-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4980-1-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4980-0-0x0000020227FA0000-0x0000020227FA7000-memory.dmp

Filesize
28KB

Download