dridex | 4839189e4054f17776f8d3b668a5ee8e2bcdf4439a057a3c32b481de3e3a2f0f

Analysis

max time kernel
72s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56aab8ab8148757ed3d270d8333be525.dll
Size

3.2MB
MD5

56aab8ab8148757ed3d270d8333be525
SHA1

f237bd80c955fa89473ed0c52438853ff59787e3
SHA256

4839189e4054f17776f8d3b668a5ee8e2bcdf4439a057a3c32b481de3e3a2f0f
SHA512

a16cf852e96eb14cf7f0036fab87cca980887af5072bd38f3a2cb64753a8a69b5dc14059e2d035a28b0cb9cebd3821248880b83eb9915fa96cb5f87a70c0b330
SSDEEP

12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1HX:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnbH

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3348-4-0x0000000001120000-0x0000000001121000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3960	osk.exe
4900	SystemPropertiesComputerName.exe
848	dxgiadaptercache.exe

Loads dropped DLL 4 IoCs

pid	Process
3960	osk.exe
4900	SystemPropertiesComputerName.exe
848	dxgiadaptercache.exe
848	dxgiadaptercache.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\Zwf\\SystemPropertiesComputerName.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
388	rundll32.exe
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found
3348	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 2560	3348	Process not Found	89
PID 3348 wrote to memory of 2560	3348	Process not Found	89
PID 3348 wrote to memory of 3960	3348	Process not Found	90
PID 3348 wrote to memory of 3960	3348	Process not Found	90
PID 3348 wrote to memory of 1432	3348	Process not Found	95
PID 3348 wrote to memory of 1432	3348	Process not Found	95
PID 3348 wrote to memory of 4900	3348	Process not Found	96
PID 3348 wrote to memory of 4900	3348	Process not Found	96
PID 3348 wrote to memory of 1808	3348	Process not Found	97
PID 3348 wrote to memory of 1808	3348	Process not Found	97
PID 3348 wrote to memory of 848	3348	Process not Found	99
PID 3348 wrote to memory of 848	3348	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\56aab8ab8148757ed3d270d8333be525.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2560

C:\Users\Admin\AppData\Local\rsCvb1\osk.exe
C:\Users\Admin\AppData\Local\rsCvb1\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3960

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:1432

C:\Users\Admin\AppData\Local\ij9\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\ij9\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4900

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:1808

C:\Users\Admin\AppData\Local\ztgGjNC\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\ztgGjNC\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ij9\SYSDM.CPL

Filesize
101KB

MD5
5dacef32fff8e34c82cdddf3e470b0f3

SHA1
44c25fa1502a8901e67a43bcb9127333c88f5ba5

SHA256
f9e2892e05fded00036eb6949a3b21faa072c3a311035d67e4fece16315b28f5

SHA512
fabd9b506113224ce72a64cab05c32bb19e329d497065022b46ec8ee369ab5912e43dae234058094ea421fb4926e613584a8f290045231e1c2fb7ebbc33063e6

Download Submit
C:\Users\Admin\AppData\Local\ij9\SYSDM.CPL

Filesize
58KB

MD5
cc2a4b42779d6c3e98722403a322ca50

SHA1
56158d6a42d6f109ef3eb6dfb284bfa4c4666956

SHA256
a20ce4c6f4a8f1b52d4b31daef49895df5c115e8017c3c405b964e1b8750ba37

SHA512
021e2fe24d8139d5b94666eaa0902064d58a7b9d0cfa225d6f89856335471831545a1f50d588729039bd574fd95c36ec092e6b62824ac3a7b8732f11ddbac1f5

Download Submit
C:\Users\Admin\AppData\Local\ij9\SystemPropertiesComputerName.exe

Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Local\rsCvb1\dwmapi.dll

Filesize
18KB

MD5
ea930fa381ce4ed40edf1a750f0f3ab0

SHA1
6a8f5cb46d30fdd729dbb095e526ca7aa4b00a07

SHA256
8dd46ddddbdfecde846b8b538a23f0cdc5ee9efa73ed587773707d08cbb5cf38

SHA512
61391c1964d8c1006cc66fefb339a589bcb77e107821bc298d0c366636666ed1cc0aaf9f48155a536c2aabe7ef7961367e2834d1d0c0485178fb861f50d6db40

Download Submit
C:\Users\Admin\AppData\Local\rsCvb1\dwmapi.dll

Filesize
75KB

MD5
927cc08eeecd1639efee5c21d58d082f

SHA1
a7bbbbe52e5087922140027564b612428bb518c5

SHA256
e3f6b6343faee838102ad6a7117ac23097cf72ec8f1f4a88147c52f4ea7f7222

SHA512
4192c8928c3922d294ab20f9bce1dd7849b8ed24265e7106a87614f0c4b386102a7cc3a27543e18154f48760de5d3707748e76f74f8343ec1b3020293bebe213

Download Submit
C:\Users\Admin\AppData\Local\rsCvb1\osk.exe

Filesize
33KB

MD5
69e998938069b60bfded8e019804aa12

SHA1
5e737bc5785c2fc6a48402b126eebbb0df28e3b1

SHA256
6b24088aac27835c1214e4525edba821026459d682823839e6256745520663b0

SHA512
714ed5024d19add7f98c02f26b6552c54a7285e0d609df8a3b49826dea42abbafffd7375213d3dbb590e5beaa771aa78e8ddcc5a9e3eca19c8769396c7a37137

Download Submit
C:\Users\Admin\AppData\Local\rsCvb1\osk.exe

Filesize
92KB

MD5
569c48141990626428209c214e313627

SHA1
ea2bf0464947fc5117276e90994105f13af4df0a

SHA256
9df47235ce9935eafafda14b872916d7e62e5286125bba0c29f30e97eac18cf7

SHA512
0e177d21a83d3b8890e94567c5dc8b1613dac918cff9cbbec437e6145208ac799e1371f0df535320db2be07051f1b6715a5b62ec715b50b5ff4f2861a25712e5

Download Submit
C:\Users\Admin\AppData\Local\ztgGjNC\dxgi.dll

Filesize
67KB

MD5
4f3c8cba3cfa7f314ce22eb733292c36

SHA1
758fbda8921fbcaf5a899ee612249b7dd6aada2b

SHA256
e7f408e8e444f112ddd4efda759f126b3bbefae7728d8fee8526632277c4a84a

SHA512
8b46c85f11bd80c477cb7a8ce6686598e869655bf7b96945127830d7f0407029060de1d07ca87000bb556024be2a3b3f5326593470fe025962d4b2d30f3ce723

Download Submit
C:\Users\Admin\AppData\Local\ztgGjNC\dxgi.dll

Filesize
13KB

MD5
922c3352d2693f4be4bfff879f0e6e24

SHA1
98b09a31be38a1149f97372ebc3841e6b5768242

SHA256
c616a07ebb2861cbf1a755e710faeed62ab0dbd7367dd457699c9083b50398a5

SHA512
d2791919d7c910a55de8e9e3f25269ebecf8bffa6fa7a03ea1a02f6d99eab286575c5e69d64268d67d244982454fd77efdfe9f4936e57a848015620ab606ca39

Download Submit
C:\Users\Admin\AppData\Local\ztgGjNC\dxgi.dll

Filesize
18KB

MD5
c2c3d8ecb301ed97c63c00cf678843b4

SHA1
67aef38675ba807602926ce2e3b833d8c48552c5

SHA256
b4cfd89512ec97dfedc30c924e069f554eac0bb8e65197c574224ea936ae3d0d

SHA512
d15568cf59c2aa8218327f9886639cf66677914ce2317d46803c6e6da91a99bc14ba8c8c45c3ed896d597983a446c63f3c7dd4b5210149b6e76f96cfd7a0ca14

Download Submit
C:\Users\Admin\AppData\Local\ztgGjNC\dxgiadaptercache.exe

Filesize
74KB

MD5
a936c07fd03bb0633c3ca046ad67b9ba

SHA1
046c34b38496c7e2befcfe04a68b2de109e3f1a1

SHA256
d5ee7a041bb5b07767b79aa8aac418d496e007dd532b7af9abb6997775aef338

SHA512
6e0afc6484c18bc2e73a2e684fb48028f98d055e4a7fd24281fb3081f27cd9413066bd0a63f9f81bdcb72f7e9c79b5ba1662f47fc75f56717ac3ada3b669b8cf

Download Submit
C:\Users\Admin\AppData\Local\ztgGjNC\dxgiadaptercache.exe

Filesize
59KB

MD5
7e71dc3511c68ad6d4df49dae87e2e33

SHA1
6b52f565662670ab55eb0c9d228d7cc0566548f4

SHA256
5a65db3b22a18a5a9a863bb283a55cfa8de6c4f697e7a7e5ded2fa3d67b7b4c9

SHA512
0096e924eaa2979e468e41606e666087089872cd4f9ec35ba28ed6d3bd118df0d593be947803573ed841f7e98e88c058eb87c670f4c73972a7050399f621057e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

Filesize
1KB

MD5
6f59798781b9bafbac6e797da246d5da

SHA1
351797a970943f55e88e10761581465d0f41a332

SHA256
7c62732f5e0b14cd608fa1b639407a57dfd6ed71a5223e31e10df3def22b95dc

SHA512
c6d4b73784234f7c31918c8acbeeadf4abddee08917db2af10f60b7fbe1b835558ee38564ce9dc01f2374b4e6f983a878d763511b6b898e73de3caef8ecc5912

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\Zwf\SYSDM.CPL

Filesize
7KB

MD5
1b976e1d52e05dba43c55d1d7d93b7e4

SHA1
083d1f0ea707ff05efdabe09f38c9507e085cd1f

SHA256
aca120687c04b444b714fe6a497d55e3af2ea791470ae6d05489148a7a58e198

SHA512
32893b004dcb2f79b109198bea79f3ffce971238401217fef4981662de19f9eeade7efdc22047a75dc9bd1d1b6b4eb031c23fdb94d6da0a8053c0aa4d43106c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\23hG\dwmapi.dll

Filesize
53KB

MD5
0fa9fe3cf1783a9db864f87e14fe7bf1

SHA1
a381097f9c1f18baedcd97bb6d77440554f23286

SHA256
3c5f0c7b76d308bcbd8d75eb154ee5525ff6be6eda62022144f17dfb90d1db5b

SHA512
b1f42f6fb0696188d8a4abd5f275cb28001b714198a5f4da8baac6d65f00586562e22ef2fd4fbd81f19b2c525c5378cdf7a806a1ecfb1a7ec6f94c6da0573788

Download Submit
memory/388-1-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/388-62-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/388-0-0x00000272D79F0000-0x00000272D79F7000-memory.dmp

Filesize
28KB

Download
memory/848-138-0x0000016718BB0000-0x0000016718BB7000-memory.dmp

Filesize
28KB

Download
memory/3348-61-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-37-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-35-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-36-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-38-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-40-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-41-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-42-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-45-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-48-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-46-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-51-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-53-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-54-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-57-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-59-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-58-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-60-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-56-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-55-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-52-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-50-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-30-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-63-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-65-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-64-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-49-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-47-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-44-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-43-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-39-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-33-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-34-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-32-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-31-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-29-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-27-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-25-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-23-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-21-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-20-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-17-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-16-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-14-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-13-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-11-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-8-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-75-0x00000000010E0000-0x00000000010E7000-memory.dmp

Filesize
28KB

Download
memory/3348-83-0x00007FF86F720000-0x00007FF86F730000-memory.dmp

Filesize
64KB

Download
memory/3348-28-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-4-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/3348-7-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-26-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-24-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-22-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-19-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-18-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-15-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-12-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-10-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-9-0x0000000140000000-0x000000014032C000-memory.dmp

Filesize
3.2MB

Download
memory/3348-6-0x00007FF86EFAA000-0x00007FF86EFAB000-memory.dmp

Filesize
4KB

Download
memory/3960-103-0x000001E127990000-0x000001E127997000-memory.dmp

Filesize
28KB

Download
memory/4900-120-0x0000029B2B4A0000-0x0000029B2B4A7000-memory.dmp

Filesize
28KB

Download