dridex | 8018d5e151a11dbaa1472e251fa5af0f73c0365e7aaef8a65a43e636c19f0278

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

be2022cc704ee9381e821864f1e942e0.dll
Size

2.0MB
MD5

be2022cc704ee9381e821864f1e942e0
SHA1

0566000064f220347470864f54b0007c15eeb31e
SHA256

8018d5e151a11dbaa1472e251fa5af0f73c0365e7aaef8a65a43e636c19f0278
SHA512

66dd9eb4c6a3796339a4fd7b992ddad42f537f6a8083cdf06b478ca97dec9f4579049923b323980a692003a50f104b308b0c45559ca96e94da7afe10a845cf77
SSDEEP

12288:2VI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:rfP7fWsK5z9A+WGAW+V5SB6Ct4bnb

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3360-5-0x0000000002CA0000-0x0000000002CA1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
3392	sessionmsg.exe
4592	SystemPropertiesProtection.exe
4624	rdpinit.exe

Loads dropped DLL 3 IoCs

pid	Process
3392	sessionmsg.exe
4592	SystemPropertiesProtection.exe
4624	rdpinit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Domyyfn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\cfBUYc1rF\\SystemPropertiesProtection.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
1764	rundll32.exe
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found
3360	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 388	3360	Process not Found	94
PID 3360 wrote to memory of 388	3360	Process not Found	94
PID 3360 wrote to memory of 3392	3360	Process not Found	95
PID 3360 wrote to memory of 3392	3360	Process not Found	95
PID 3360 wrote to memory of 1312	3360	Process not Found	96
PID 3360 wrote to memory of 1312	3360	Process not Found	96
PID 3360 wrote to memory of 4592	3360	Process not Found	97
PID 3360 wrote to memory of 4592	3360	Process not Found	97
PID 3360 wrote to memory of 2064	3360	Process not Found	101
PID 3360 wrote to memory of 2064	3360	Process not Found	101
PID 3360 wrote to memory of 4624	3360	Process not Found	102
PID 3360 wrote to memory of 4624	3360	Process not Found	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\be2022cc704ee9381e821864f1e942e0.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:388

C:\Users\Admin\AppData\Local\dhjuVI\sessionmsg.exe
C:\Users\Admin\AppData\Local\dhjuVI\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3392

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:1312

C:\Users\Admin\AppData\Local\ZvDeG4W\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\ZvDeG4W\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4592

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2064

C:\Users\Admin\AppData\Local\ICXL\rdpinit.exe
C:\Users\Admin\AppData\Local\ICXL\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ICXL\WTSAPI32.dll

Filesize
91KB

MD5
23d61646440390cef0f9dd2b22f633ae

SHA1
c7a419f92859177cef79dbf3b16bb162843de310

SHA256
f0eb2417cbe5ab6c4c48cbda328a810fd1a57983e19fda4b2449c6132f86e4f5

SHA512
15d68097b953e42764d3576453da311b75c6cf6fe0185d90e3ec59478ad4a348007655ace52500683c625e87be88a17492ae1872cc769108e8c97d466b0dba91

Download Submit
C:\Users\Admin\AppData\Local\ICXL\WTSAPI32.dll

Filesize
1.5MB

MD5
d5a9003aa71c37e8c65d6b30a0783c00

SHA1
c94d9ac379d284a36625ac2c7d4c98db447d27f5

SHA256
9849a51b7f788afb852dffad57bd0f211cb6bb0dba32b8bc442e8eb5f1c05508

SHA512
6501c75fc2481e1c5b7ea8a5b6554fd008fa414eb3e8a924576faf65e17bb283a4b7190f41b02bab25d0ddf9ffb6cddeb403b3d31b5886749fcc4fefc145ee71

Download Submit
C:\Users\Admin\AppData\Local\ICXL\rdpinit.exe

Filesize
139KB

MD5
1a1158130775a435ff1bbbc3a607edc7

SHA1
a43a6773b7a02919aa3bfd25c28f0612c58c55e5

SHA256
ebd96d1d77e75ce33e081ef5f598baa8c4577143fe903c7dbc6e4d81ab562baf

SHA512
38fde7cd19402b9a957fbe52d4a2291e3f91118c0b40aec001a591697938a7e4d6c5bb8e49f99ce35c2048b81681dc8de60973344c458d10f3a336b270c43f1e

Download Submit
C:\Users\Admin\AppData\Local\ICXL\rdpinit.exe

Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\ZvDeG4W\SYSDM.CPL

Filesize
680KB

MD5
762f956c360d2806ee59ef706f4410fd

SHA1
87fc7bb8b3f2fe1bb05a9f67e76cf20bb4391793

SHA256
bc72b634d35a1c85411282a743f6d9f0ed37ba3d4ec6e5072f77af53d58f3b09

SHA512
7d02445ae4f486451379a45dfaa4610b5eeadd27ecaae15c162a324810c8e285e37f20f7877bb2a5e0c5761a6ba728aa6445a1ec6f96fffd61d189bd43ff85b5

Download Submit
C:\Users\Admin\AppData\Local\ZvDeG4W\SYSDM.CPL

Filesize
452KB

MD5
eaea8c52aea6b0887ae6bbba6302c791

SHA1
db1eb8f672411895da4119d71c901fef6d5b7871

SHA256
4935945af1c41f6180e99b3a6459a4bc9094689d3ce7a64c0f05260d5650e5d1

SHA512
1131bf101fa82e19b1af5a0a92bdedf99552cd11d46089ed918a6e09dedec9083ed6bfa6fd5fac7733f6ed5fc1acd94ecc4dfdfb4b19a41a820c1ba67f66efd7

Download Submit
C:\Users\Admin\AppData\Local\ZvDeG4W\SystemPropertiesProtection.exe

Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
C:\Users\Admin\AppData\Local\dhjuVI\DUser.dll

Filesize
580KB

MD5
c5846ba21bbed26c3979423cd9f305d0

SHA1
12c5b06ed9d1c8698de5da28df5a873e57e24b7c

SHA256
9046e802f591f4b4be2520b9658217f6a0db9f21c65229cc5eedf3e7fa97cd78

SHA512
0f52e229b9c7dd2805489e5f2d229be032295fd4cb8c0778cdc86807a0f7a70106685c2af61c9e40bf7d5c1b763fb055b5c4555c5503d43d21e3ef4df29dced3

Download Submit
C:\Users\Admin\AppData\Local\dhjuVI\DUser.dll

Filesize
618KB

MD5
ad48cf98aadc557a41c08397c83a7fcd

SHA1
b4213c3f7ce352aa2905c0ef0fdb5d44c7ff9783

SHA256
6dc89a92089dc929325a2416c6bb8d24f3c0159319fe9b6fdc8a46631d8cdd71

SHA512
2aeb10627f9761c36648f5efa9331793b5585cc008848e5a3bf1b43df26477552d1f7f7ed76b0e82dbddb1523d8810ec496f788a15681509df54d4523aa849b1

Download Submit
C:\Users\Admin\AppData\Local\dhjuVI\sessionmsg.exe

Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\xUv\DUser.dll

Filesize
2.0MB

MD5
fc29c4bd0390d4d3513ce3a32e6a457b

SHA1
2bc65f1cdb078c20f3f233636610cc8c2b6ca037

SHA256
69f4ab5b567da348aa6650349f5ad0eb3dc1635493679dac0e9a95f35914515e

SHA512
dce28a871a3a892faffc097e14b43b64f473ffd0fbae68deb7b327ded24898346dd4dd1c50fdf6f58d3a1f6af33d302b02f12cb314691e3cfa108d8b92288168

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qoupr.lnk

Filesize
1KB

MD5
88e0228b5753bd977bc228c172c55c13

SHA1
ec30eb9b7faabce2209c70717806477b44ad384c

SHA256
8ba68bde7dabefc1fd94f4071aa6155a503b651c914c941f9e1ad44e9e9f2b41

SHA512
9ed07d4e41b8ac46456f1270a75f4fe7b1646d2f280152c943cb592827244cb82071777a2eb53a1dbb3ddc5bbfff919359ca10fcecc6276df8a90b6f3a517a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\cfBUYc1rF\SYSDM.CPL

Filesize
2.0MB

MD5
f09ad434e92b043b4893355517d4aa8a

SHA1
4b3f86408ce71884e44f980aabd5a2e853b43646

SHA256
be797b5f248f18b45f5c2b95adf1f28490421d882a13e4fe56b73fa99ffe96e8

SHA512
0e829c1945bcd2489bf22240c683006e876f6aa620f968ec48c072aeddd2c91636bdbe3164448136d01a78f2ec326e9519b8ad9d92ea4b2303488c4d8fd6461c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\q85kH\WTSAPI32.dll

Filesize
2.0MB

MD5
dbd0b3faf81312dfc57d5cbc434c7dc2

SHA1
7521ec8b3a8af8b596c0d4a12fc102263c5ea9b4

SHA256
60d7fcff92767ba6f61a3386b7761bbead0e57448c0d07eec2f1542dc680d545

SHA512
891ab4faa414db14ea081695cbcd0a6395de24fb108a3c59e73813bc93b46bdd84e852ce2f9efece52ec4bf98160e45b3051dcb2173ea47419151889ced174a5

Download Submit
memory/1764-9-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1764-4-0x000002A6E48A0000-0x000002A6E48A7000-memory.dmp

Filesize
28KB

Download
memory/1764-0-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/1764-1-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-20-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-61-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-22-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-24-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-25-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-26-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-28-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-27-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-29-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-30-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-32-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-34-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-31-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-33-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-36-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-35-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-37-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-38-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-39-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-40-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-41-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-43-0x0000000000B90000-0x0000000000B97000-memory.dmp

Filesize
28KB

Download
memory/3360-49-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-50-0x00007FFCED860000-0x00007FFCED870000-memory.dmp

Filesize
64KB

Download
memory/3360-59-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-23-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-21-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-19-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-6-0x00007FFCEB91A000-0x00007FFCEB91B000-memory.dmp

Filesize
4KB

Download
memory/3360-5-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/3360-8-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-10-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-18-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-17-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-11-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-12-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-13-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-14-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-16-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3360-15-0x0000000140000000-0x00000001401FA000-memory.dmp

Filesize
2.0MB

Download
memory/3392-77-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3392-70-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3392-72-0x000001816DA00000-0x000001816DA07000-memory.dmp

Filesize
28KB

Download
memory/3392-71-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4592-89-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/4592-95-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/4592-91-0x0000022D30FD0000-0x0000022D30FD7000-memory.dmp

Filesize
28KB

Download
memory/4592-88-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/4624-109-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download
memory/4624-110-0x0000025831810000-0x0000025831817000-memory.dmp

Filesize
28KB

Download
memory/4624-115-0x0000000140000000-0x00000001401FB000-memory.dmp

Filesize
2.0MB

Download