dridex | a3575f530f130fc338946c0c6c4ac822007a36b4a860671383ce565cb77cbea0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/02/2024, 11:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97013513eec319a4402a818111b261c0.dll
Size

1.8MB
MD5

97013513eec319a4402a818111b261c0
SHA1

fd02ea2d8ff8c99ccaf35124b49c20894e92df82
SHA256

a3575f530f130fc338946c0c6c4ac822007a36b4a860671383ce565cb77cbea0
SHA512

f6d3924530ddb3dc5e1fbb7c864dbbdc517da5610248bde8f2c8628a135d89ad87654b90bde30cc94fe1e7ad0c31ab8e2556ccc4f9e4cc0684ffe5ab2c540901
SSDEEP

12288:BVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1Q:wfP7fWsK5z9A+WGAW+V5SB6Ct4bnbQ

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3440-4-0x0000000002830000-0x0000000002831000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3380	Taskmgr.exe
2000	msra.exe
3784	wbengine.exe

Loads dropped DLL 3 IoCs

pid	Process
3380	Taskmgr.exe
2000	msra.exe
3784	wbengine.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\5fFT\\msra.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	rundll32.exe
2108	rundll32.exe
2108	rundll32.exe
2108	rundll32.exe
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found
3440	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 1264	3440	Process not Found	84
PID 3440 wrote to memory of 1264	3440	Process not Found	84
PID 3440 wrote to memory of 3380	3440	Process not Found	85
PID 3440 wrote to memory of 3380	3440	Process not Found	85
PID 3440 wrote to memory of 1880	3440	Process not Found	86
PID 3440 wrote to memory of 1880	3440	Process not Found	86
PID 3440 wrote to memory of 2000	3440	Process not Found	87
PID 3440 wrote to memory of 2000	3440	Process not Found	87
PID 3440 wrote to memory of 3424	3440	Process not Found	88
PID 3440 wrote to memory of 3424	3440	Process not Found	88
PID 3440 wrote to memory of 3784	3440	Process not Found	91
PID 3440 wrote to memory of 3784	3440	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\97013513eec319a4402a818111b261c0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
1⤵
PID:1264

C:\Users\Admin\AppData\Local\GeYjwkZH\Taskmgr.exe
C:\Users\Admin\AppData\Local\GeYjwkZH\Taskmgr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3380

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:1880

C:\Users\Admin\AppData\Local\ouVG\msra.exe
C:\Users\Admin\AppData\Local\ouVG\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2000

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:3424

C:\Users\Admin\AppData\Local\0WAJz\wbengine.exe
C:\Users\Admin\AppData\Local\0WAJz\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0WAJz\wbengine.exe

Filesize
240KB

MD5
39205c6175bc9a14816ee1b7e3f04c42

SHA1
b1d3694f6f5f137b2e84f555d8e7ed63f40f2d32

SHA256
346ed692879ed6f17a5db626078d177b2b17525f87ea0fede5449c31f5d0f5b3

SHA512
cc700aad925f109a5e639fcda14b44fb242c3f91547d9d05f1ee45e604c3b50887addc0260aa6f89f7116c00dfff87f46b00d461632efb98feee4e53d4fb676a

Download Submit
C:\Users\Admin\AppData\Local\0WAJz\wbengine.exe

Filesize
116KB

MD5
7a9ec9d60aa03647fd6536a975b611fb

SHA1
c157ad4fac371a4f76c5452181b78af8f1edf94d

SHA256
10c47c4be2d0bfb7ce9df984a78f8a71528f7cc7534a4205e5f8d129fdf4691e

SHA512
23a21f41b78797fec598923fe57da9ddb31a6538a6356a9a3907a1bebb447418d39db7f780ecc2436488a7048330cc507321dac82887faf7cef4d68e8725c717

Download Submit
C:\Users\Admin\AppData\Local\0WAJz\wer.dll

Filesize
57KB

MD5
ca1a509b27dd793e4934cf4bc90bacf9

SHA1
3d2cdc14c17227892dfb59246844e2db12e83730

SHA256
7c371fccbcf2ab97ddb891c980d5c4d086310f6858b42eb95be152bf2ab670d4

SHA512
7f1da1f9ea16cdcf867d92503b2cc20254285375a7dde51660957afa601e7020ebdfc4139191bb090699f27596df7a9f97f9450292fec1be07900a381b710ba9

Download Submit
C:\Users\Admin\AppData\Local\0WAJz\wer.dll

Filesize
250KB

MD5
3a28f78e636b94fedeccb1ca81c5f936

SHA1
c197808436328190c08ae4d8378ad0f5ad523bb9

SHA256
73414f9cf597fcd380f763636be0afac48fffb8a8d4d341ff7e8fdac9c1dbb5a

SHA512
2ae91de76bdd0940c94cfdfe73fb94de9b87d2d422c55d89f046a912ed71d3f606721e8256a47a1865a5add8b3d83a4916dafac71393d75ada7958b394ff62f7

Download Submit
C:\Users\Admin\AppData\Local\GeYjwkZH\Taskmgr.exe

Filesize
75KB

MD5
216466f2f56342838e66395659694ba6

SHA1
f6d52a7891ea2b8c042dcda43c79ea958a3f8e76

SHA256
d1fbfbfa0b1000e2e95f84250e1f5e3d3e49060b68c07ce90b712cc414fc840f

SHA512
8726b1530dc1fe14ebcb18d2991c2e09b29251ade1a5851bf422d5568c153013bd2785a5c4aa75b66231fe74db09d66a73d5130792483a213c58a089612a9786

Download Submit
C:\Users\Admin\AppData\Local\GeYjwkZH\credui.dll

Filesize
1KB

MD5
31afe11191e851f9d75918d5f8ef335f

SHA1
dc78d55ca0afda490cc39fd5aeb29856f6f85846

SHA256
993960875f1c7cebd0dea23ec79451f59087bd3eb09048eb9d7e0725cfe70515

SHA512
0ed8ba4e25b49876ce6c1b2f838f054aca50014097dec4ed92f01c1607817d0bfdc0b22d84355c7f2939031988f7a94b681d55b71dc1fb5274980877024642fa

Download Submit
C:\Users\Admin\AppData\Local\GeYjwkZH\credui.dll

Filesize
30KB

MD5
09eb7df31cd63705142ff7dfe4b65fb5

SHA1
25168614d53476e881bd67eaefa22abb9fe1fae7

SHA256
6a3120759fb4c7966d2e702c1c16a5dff1b2e059cf0551219030c5ca1b4976bf

SHA512
ee6294889afb06b5700e4ea77bf0b8b76f51a87ae247815ac8710ae20e24c58a9055db959c32f3ef5a385c8b6aa4f2d5da17d760fbd391927d8b277aec0bbc1e

Download Submit
C:\Users\Admin\AppData\Local\ouVG\NDFAPI.DLL

Filesize
108KB

MD5
821f7458e51ffe52010865110c5d685a

SHA1
b4d62f0f61ebe0af24be7fb9c40ca5fa9893a21a

SHA256
8e3a071983da0f39cd3831994dedad3ce6ad7ef3ce88e084583c3e1023d8990a

SHA512
8146634db3e7d25c70186baf9866063f5c26e7a9b5a653ffd46399e5c467340949e7a80351c82314362f25c3bb707ef71b59a11085708b3ad165e7e72816de30

Download Submit
C:\Users\Admin\AppData\Local\ouVG\NDFAPI.DLL

Filesize
188KB

MD5
c8fbed9c48954f14b323f32689d7cf09

SHA1
d8b7ef45ac65af40b772825c928102c4b03abdba

SHA256
d32fc338858d711f55c8d7f20bbacafa38bed49307092200e8f36ee63ba05b6a

SHA512
419e959e33ab38e286d46ed571f3c77011ae093f3975d219a48f86b066c7c8ad7b9755fab95ea30d7d09d85a51326e90201b3e9b185d3fa79a8d42f426be31d4

Download Submit
C:\Users\Admin\AppData\Local\ouVG\msra.exe

Filesize
90KB

MD5
d7876792188d450174eca72c8707eea9

SHA1
25f452900e365a6033064e12313912f09ca97227

SHA256
8d2316f931e7e862a1690db132beee524152f0611a1a9af98830218698f93a56

SHA512
70765adffa730684d6990527a7409c5b43973f3a50baa4722f2620aecb3aaa818ce4c6530f1207b25e2c7927010d09f2bf36304cdf0ea4870e8fd624f9c61842

Download Submit
C:\Users\Admin\AppData\Local\ouVG\msra.exe

Filesize
364KB

MD5
2ffa6651a1c2cc600d22c5794f468831

SHA1
7d1b2f39bc42cf15080743a3456c8f621896d49b

SHA256
badd9b546b5ec1b59248d9fcc850b7db550f0c0b155ba77a0abd98e204a3279a

SHA512
20df27c1f61168f87a5ff951c88e202961d48e71c34e9adf7642a26a8df3c329edb712fae821da1051adc21de0c60fcf7888089c502ced0d5e07547a47cf4011

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

Filesize
1KB

MD5
ee3944e20d3dbfe1ff9f51ca7bc1de75

SHA1
c11bea26ff3b62e6d4f6a5f60cd257204b7200fe

SHA256
084dd1db9f9b090fb5ef6e050997aa7571433942993a9d7f65298112c849e60e

SHA512
89af29d14193d217dc7d285e65673c9af53bb356c9dacebec18d5c81c6b4f21ffa71424a2eb6ec1d026a5893a9a60baaa45c037e54981d004ad09ca147584348

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\5fFT\NDFAPI.DLL

Filesize
1.8MB

MD5
8f3bbb2f08529dd65620302d3fa2f227

SHA1
ce0d378b0ac19d3e26e8da9ba75a6856e0c23d6c

SHA256
7a1edd5a8ace23d712fa8e741d6368582661498a24da83c03820b895dd2b6cf9

SHA512
666f7171d20a6627c812e90b90028c5ccf671b8c04fff9e6391ab6c471f7925b33d95a2d1d4cc7dbb6b5c50140810a013d0c0b0c6629ef2f3d99e220b37dacd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\B7\wer.dll

Filesize
1.8MB

MD5
7e114cfc9a3ac734d76b51d58ed9baca

SHA1
d5cd5714b761b6ead45874bb0ddb86b8fb2401c5

SHA256
4b565c0193fdb52abe1deb6280c9ed0eabf8ec693178305379f3ebcdc463e259

SHA512
f4005cca33d6571652a6cc1a2d2e57753c6eb353a591e459ec5095209e3ce7c8d8dbb9e5fb2615c305150334ab67dd49f4ac87e807706564aca8fb52d8a6eb8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\qhEVz\credui.dll

Filesize
1.8MB

MD5
28285d5ea093344e0fe24abd176977e4

SHA1
7c335410fc547ab821ebfc2575a73543b9506ade

SHA256
a59ab69e683495022da399de0f3231211d5c4a804527a9835a1ba5c5898b7f00

SHA512
7113725f88dc9c6ceab8a0e1d536c7e7fe45d1dd44f4d8d8694e588055c30eeb00efa5207184fc6629ac907f245de01d17d0838a14468c8fd482d256de32c8d2

Download Submit
memory/2000-96-0x0000020346B50000-0x0000020346B57000-memory.dmp

Filesize
28KB

Download
memory/2108-7-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/2108-1-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/2108-0-0x000001CE3AB00000-0x000001CE3AB07000-memory.dmp

Filesize
28KB

Download
memory/3380-79-0x0000000140000000-0x00000001401C5000-memory.dmp

Filesize
1.8MB

Download
memory/3380-84-0x0000000140000000-0x00000001401C5000-memory.dmp

Filesize
1.8MB

Download
memory/3380-78-0x0000024057BE0000-0x0000024057BE7000-memory.dmp

Filesize
28KB

Download
memory/3440-22-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-57-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-27-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-30-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-31-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-29-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-33-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-34-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-36-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-37-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-38-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-39-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-40-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-35-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-32-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-41-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-42-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-43-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-45-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-44-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-46-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-47-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-50-0x0000000000D80000-0x0000000000D87000-memory.dmp

Filesize
28KB

Download
memory/3440-49-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-48-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-28-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-58-0x00007FFE6E000000-0x00007FFE6E010000-memory.dmp

Filesize
64KB

Download
memory/3440-67-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-69-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-26-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-16-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-25-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-24-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-23-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-19-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-20-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-21-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-18-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-17-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-15-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-14-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-13-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-4-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/3440-12-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-11-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-9-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-10-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-6-0x0000000140000000-0x00000001401C4000-memory.dmp

Filesize
1.8MB

Download
memory/3440-8-0x00007FFE6DC2A000-0x00007FFE6DC2B000-memory.dmp

Filesize
4KB

Download
memory/3784-112-0x0000026861EF0000-0x0000026861EF7000-memory.dmp

Filesize
28KB

Download