dridex | 8cdb94adc9b5bafd4c4098348f8b287ccbf9259ad9d5c1d72d4313d00aeeeb00

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa3f916282e7191e443b2c11431b159a.dll
Size

2.1MB
MD5

aa3f916282e7191e443b2c11431b159a
SHA1

96abbb8c4808d8176b3f9cd15bf97a2f030f3380
SHA256

8cdb94adc9b5bafd4c4098348f8b287ccbf9259ad9d5c1d72d4313d00aeeeb00
SHA512

18141cc27bc29b6f4c5795ab8e5e0475dedbba5307d1e25cde1ff2e7146040787ff9140a18467b874ff1005695d7ca33d7b0f3869395a3bac1b70ef49443b32a
SSDEEP

12288:fVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1dx94:WfP7fWsK5z9A+WGAW+V5SB6Ct4bnbdn

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3472-4-0x0000000002D60000-0x0000000002D61000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4108	msra.exe
1780	ie4ushowIE.exe
4492	WMPDMC.exe

Loads dropped DLL 3 IoCs

pid	Process
4108	msra.exe
1780	ie4ushowIE.exe
4492	WMPDMC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vdtkrnjrcdvlvc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\Xaq0\\ie4ushowIE.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4524	regsvr32.exe
4524	regsvr32.exe
4524	regsvr32.exe
4524	regsvr32.exe
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found
3472	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3472	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 2336	3472	Process not Found	93
PID 3472 wrote to memory of 2336	3472	Process not Found	93
PID 3472 wrote to memory of 4108	3472	Process not Found	94
PID 3472 wrote to memory of 4108	3472	Process not Found	94
PID 3472 wrote to memory of 1792	3472	Process not Found	95
PID 3472 wrote to memory of 1792	3472	Process not Found	95
PID 3472 wrote to memory of 1780	3472	Process not Found	96
PID 3472 wrote to memory of 1780	3472	Process not Found	96
PID 3472 wrote to memory of 612	3472	Process not Found	97
PID 3472 wrote to memory of 612	3472	Process not Found	97
PID 3472 wrote to memory of 4492	3472	Process not Found	98
PID 3472 wrote to memory of 4492	3472	Process not Found	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aa3f916282e7191e443b2c11431b159a.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4524

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:2336

C:\Users\Admin\AppData\Local\UJIkif7qQ\msra.exe
C:\Users\Admin\AppData\Local\UJIkif7qQ\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4108

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:1792

C:\Users\Admin\AppData\Local\Itr3n6WnC\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\Itr3n6WnC\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1780

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:612

C:\Users\Admin\AppData\Local\PpN8GnKdS\WMPDMC.exe
C:\Users\Admin\AppData\Local\PpN8GnKdS\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Itr3n6WnC\VERSION.dll

Filesize
2.1MB

MD5
996bb461bd56820899867dde466b4d9e

SHA1
f4a2082b97f0601ec785fa4f1693d737c9048774

SHA256
61bb82dea9e7f5e1dc978b53fa8b9a8147698875ed76ff281e56f819c3086510

SHA512
46d34892a04047dbe7fc8cf95287419135df1f6e7f5c21c54c849a90637f544a27d01ccad5057449695ef74a831911cd219546a3f81ef10610944e24e9c35d65

Download Submit
C:\Users\Admin\AppData\Local\Itr3n6WnC\ie4ushowIE.exe

Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\PpN8GnKdS\UxTheme.dll

Filesize
2.1MB

MD5
a9d17dcddfbfed029f8785448bfe784f

SHA1
15dc3956bc3236131e046c27f1b06c255be5d724

SHA256
2d0a66b19f683c3036fcc7c2bb07d176ca5334ad4c0c1c440d85707b7824f6d4

SHA512
d65dc9dc9e01992821e82471e8c10c46dc56d0d8c91f54930bd7fcef73307708949c216ba99c87b49940267709df8cf70c08a930262c471cbb525200d5e1639a

Download Submit
C:\Users\Admin\AppData\Local\PpN8GnKdS\WMPDMC.exe

Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\UJIkif7qQ\NDFAPI.DLL

Filesize
2.1MB

MD5
4f7dccfeabd59fce758dc678496b7650

SHA1
d451732079d19b76252b2891a423ac308d9f4011

SHA256
d165625389fa3d43a62ab596feacea8d578aa6c5f150304f6eaa86bcda4c08c3

SHA512
051d3c785ae809174e729f48097bf583772d540b435e4aedb847c9e0e8c519309c15f6dc32e43747c6b27a0322406fb3358fe615df7091b5e9be8c7d930b7819

Download Submit
C:\Users\Admin\AppData\Local\UJIkif7qQ\msra.exe

Filesize
579KB

MD5
dcda3b7b8eb0bfbccb54b4d6a6844ad6

SHA1
316a2925e451f739f45e31bc233a95f91bf775fa

SHA256
011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

SHA512
18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Txagdzatgusg.lnk

Filesize
1003B

MD5
7d0da97116ed32a0732921d151f77cda

SHA1
977f3915b9575a9572be28aca41b56d865d4bb32

SHA256
c4fec46f0b744c0a551a82261bc529d7a4fe7e39815439aaea957fa5ef03e2aa

SHA512
c2c094937eac04855a4d8769c4fb90ef530406c480bd81e393c2941fb90a8eecf8066eca57473af4bf745dab2b401222f18424842a3c6fdf38eedaa355035a8d

Download Submit
memory/1780-101-0x0000024942300000-0x0000024942307000-memory.dmp

Filesize
28KB

Download
memory/3472-37-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-42-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-16-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-17-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-13-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-18-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-19-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-20-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-21-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-22-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-23-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-24-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-26-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-27-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-28-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-29-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-30-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-25-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-31-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-32-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-33-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-34-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-35-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-36-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-12-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-38-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-39-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-40-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-41-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-15-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-43-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-44-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-46-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-45-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-47-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-48-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-51-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-53-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-54-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-55-0x0000000000E00000-0x0000000000E07000-memory.dmp

Filesize
28KB

Download
memory/3472-52-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-50-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-49-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-62-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-72-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-66-0x00007FFB60E40000-0x00007FFB60E50000-memory.dmp

Filesize
64KB

Download
memory/3472-14-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-74-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-4-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/3472-10-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-9-0x00007FFB5EEFA000-0x00007FFB5EEFB000-memory.dmp

Filesize
4KB

Download
memory/3472-11-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-6-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/3472-8-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4108-84-0x0000021182AD0000-0x0000021182AD7000-memory.dmp

Filesize
28KB

Download
memory/4492-120-0x0000022C8BDC0000-0x0000022C8BDC7000-memory.dmp

Filesize
28KB

Download
memory/4524-0-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download
memory/4524-1-0x0000000000CA0000-0x0000000000CA7000-memory.dmp

Filesize
28KB

Download
memory/4524-7-0x0000000140000000-0x000000014021B000-memory.dmp

Filesize
2.1MB

Download