dridex | 548a21178bd299e07a0b0bb0957decd17f937a37b8fe4fbc8125e360bb1f0679

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-03-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b58179d2876272ed58a6e2d6c328be3c.dll
Size

848KB
MD5

b58179d2876272ed58a6e2d6c328be3c
SHA1

2d8a3a857491b3523f93b08e0611e741925be9ac
SHA256

548a21178bd299e07a0b0bb0957decd17f937a37b8fe4fbc8125e360bb1f0679
SHA512

ea4162f81987df295e7c1a568dc98ad440b34d2d17eaffa74250513199b33d873279a6b4af2c1df8805f61afadbc20c508b4bce3b7d6fcca239e89ac4dda24cc
SSDEEP

12288:4kbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/R:4kbHkWfzZ5adwLNGeStHntqN7v

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3416-3-0x0000000003300000-0x0000000003301000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/3216-0-0x00007FFC7E9C0000-0x00007FFC7EA94000-memory.dmp	dridex_payload
behavioral2/memory/3416-20-0x0000000140000000-0x00000001400D4000-memory.dmp	dridex_payload
behavioral2/memory/3416-27-0x0000000140000000-0x00000001400D4000-memory.dmp	dridex_payload
behavioral2/memory/3416-38-0x0000000140000000-0x00000001400D4000-memory.dmp	dridex_payload
behavioral2/memory/3216-41-0x00007FFC7E9C0000-0x00007FFC7EA94000-memory.dmp	dridex_payload
behavioral2/memory/1812-48-0x00007FFC6FE90000-0x00007FFC6FF65000-memory.dmp	dridex_payload
behavioral2/memory/1812-53-0x00007FFC6FE90000-0x00007FFC6FF65000-memory.dmp	dridex_payload
behavioral2/memory/60-69-0x00007FFC6FE90000-0x00007FFC6FF65000-memory.dmp	dridex_payload
behavioral2/memory/3368-80-0x00007FFC6FE30000-0x00007FFC6FF05000-memory.dmp	dridex_payload
behavioral2/memory/3368-85-0x00007FFC6FE30000-0x00007FFC6FF05000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1812	MusNotificationUx.exe
60	wextract.exe
3368	usocoreworker.exe

Loads dropped DLL 3 IoCs

pid	Process
1812	MusNotificationUx.exe
60	wextract.exe
3368	usocoreworker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qsavrhocnbul = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\G91L9O~1\\wextract.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wextract.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3216	rundll32.exe
3216	rundll32.exe
3216	rundll32.exe
3216	rundll32.exe
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found
3416	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 2116	3416	Process not Found	99
PID 3416 wrote to memory of 2116	3416	Process not Found	99
PID 3416 wrote to memory of 1812	3416	Process not Found	100
PID 3416 wrote to memory of 1812	3416	Process not Found	100
PID 3416 wrote to memory of 2408	3416	Process not Found	101
PID 3416 wrote to memory of 2408	3416	Process not Found	101
PID 3416 wrote to memory of 60	3416	Process not Found	102
PID 3416 wrote to memory of 60	3416	Process not Found	102
PID 3416 wrote to memory of 4856	3416	Process not Found	103
PID 3416 wrote to memory of 4856	3416	Process not Found	103
PID 3416 wrote to memory of 3368	3416	Process not Found	104
PID 3416 wrote to memory of 3368	3416	Process not Found	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b58179d2876272ed58a6e2d6c328be3c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3216

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:2116

C:\Users\Admin\AppData\Local\1Lt0h\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\1Lt0h\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1812

C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
1⤵
PID:2408

C:\Users\Admin\AppData\Local\hMbzi3\wextract.exe
C:\Users\Admin\AppData\Local\hMbzi3\wextract.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:60

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:4856

C:\Users\Admin\AppData\Local\udgAo80Gf\usocoreworker.exe
C:\Users\Admin\AppData\Local\udgAo80Gf\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1Lt0h\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\1Lt0h\XmlLite.dll

Filesize
852KB

MD5
751b3a8d62c9e56a2d10fb51d360de97

SHA1
13cae12c6ac56fea3b71be9c2ef23b9f7e826491

SHA256
aa5f364def45176f0f0ca8af9c7fd29dea38e5f92083362237f3edee13c7031a

SHA512
44697e0530338159587ab0a43ea795d68e07b1924376a647eee4f3a474e48e387c2f10b9b74dae960f5f5b7df6c943b0b773463b3df1c0e6d51a5545e143dfde

Download Submit
C:\Users\Admin\AppData\Local\hMbzi3\VERSION.dll

Filesize
852KB

MD5
0fa1e3ed59d83977015efbb3b5a27b04

SHA1
d1bf71407d7f12899461fee0fe24d1dc0036bbbc

SHA256
e9da036d8eb9d1b180686ecf164c2af7cd6ab3bf5de9dc24f699928cf9b51f82

SHA512
a87b7c369cace6e5c12f2b80cbc8006443e71081ea8846367a34b7ed5b836b9d1a680a41e185c322f23599e862204a52e988e22abb2aa566d7747793485a3b0a

Download Submit
C:\Users\Admin\AppData\Local\hMbzi3\wextract.exe

Filesize
143KB

MD5
56e501e3e49cfde55eb1caabe6913e45

SHA1
ab2399cbf17dbee7b302bea49e40d4cee7caea76

SHA256
fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0

SHA512
2b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172

Download Submit
C:\Users\Admin\AppData\Local\udgAo80Gf\XmlLite.dll

Filesize
852KB

MD5
1cc81d305bd8a9b93b39e5ea73acbafb

SHA1
eae79cd890e84c9e2f56a9aae9916c5a2a0b3483

SHA256
88f1c7df4843cb0e14a4b2330475c8dd4563c14ffe3a85ec8c142f602f9591f8

SHA512
3019d103ac679a334360218e4e845962436b55557207da69d40b644bd651f6ad2b8d7306e5bddd086cd96c7a18f8017369e5f42c77db1ff742474c2284049d30

Download Submit
C:\Users\Admin\AppData\Local\udgAo80Gf\usocoreworker.exe

Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mjigr.lnk

Filesize
1KB

MD5
60a6c1f038e308c8d01c9947f9d264f6

SHA1
7cd5d03dfee32fa2d08e92b863d6869f784fc105

SHA256
2f47fd71f3693ce4dc33642d4111027f14abfe47cfb5e2bc6544c868be3e4e9d

SHA512
87813dcaf3d12f2ccf979cb6683c04cb10211273a139bea45beb6fe43c4f03e611bb633aab8dc200f219d56ae649750cefd88f5ea226d5f8bac5b3441cadd1bb

Download Submit
memory/60-69-0x00007FFC6FE90000-0x00007FFC6FF65000-memory.dmp

Filesize
852KB

Download
memory/60-65-0x00000284766B0000-0x00000284766B7000-memory.dmp

Filesize
28KB

Download
memory/1812-53-0x00007FFC6FE90000-0x00007FFC6FF65000-memory.dmp

Filesize
852KB

Download
memory/1812-49-0x000001BFF0710000-0x000001BFF0717000-memory.dmp

Filesize
28KB

Download
memory/1812-48-0x00007FFC6FE90000-0x00007FFC6FF65000-memory.dmp

Filesize
852KB

Download
memory/3216-41-0x00007FFC7E9C0000-0x00007FFC7EA94000-memory.dmp

Filesize
848KB

Download
memory/3216-0-0x00007FFC7E9C0000-0x00007FFC7EA94000-memory.dmp

Filesize
848KB

Download
memory/3216-2-0x0000022A13840000-0x0000022A13847000-memory.dmp

Filesize
28KB

Download
memory/3368-80-0x00007FFC6FE30000-0x00007FFC6FF05000-memory.dmp

Filesize
852KB

Download
memory/3368-82-0x0000014CE4A00000-0x0000014CE4A07000-memory.dmp

Filesize
28KB

Download
memory/3368-85-0x00007FFC6FE30000-0x00007FFC6FF05000-memory.dmp

Filesize
852KB

Download
memory/3416-11-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-14-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-29-0x00007FFC8D590000-0x00007FFC8D5A0000-memory.dmp

Filesize
64KB

Download
memory/3416-28-0x00007FFC8D5A0000-0x00007FFC8D5B0000-memory.dmp

Filesize
64KB

Download
memory/3416-38-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-20-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-18-0x0000000001270000-0x0000000001277000-memory.dmp

Filesize
28KB

Download
memory/3416-19-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-17-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-16-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-15-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-27-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-13-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-12-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-9-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-10-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-5-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-7-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-8-0x00007FFC8B65A000-0x00007FFC8B65B000-memory.dmp

Filesize
4KB

Download
memory/3416-6-0x0000000140000000-0x00000001400D4000-memory.dmp

Filesize
848KB

Download
memory/3416-3-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download