dridex | 39c60c6c9f0757516684c5667be66d03e241ac56e792e570398e91781a85865e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2024, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3fa6fcc3a459eecd5f814bd57b697ae.dll
Size

1004KB
MD5

d3fa6fcc3a459eecd5f814bd57b697ae
SHA1

62d3d9e4786e08e375dd4b3129ffffa8a1094c3f
SHA256

39c60c6c9f0757516684c5667be66d03e241ac56e792e570398e91781a85865e
SHA512

f1e30751409d71eddb8a60eb6b7b51efa0d70671482a35a93a8b8d023cf76dd05eb259fc751d634e0a589b09c5a2ae5bcb8d995d5b35195bda35218c6e9ed5f3
SSDEEP

12288:d6BBWGJW6eC85Df97+yXUj7SncCxj8iHGo59S1WQSCtEdFO7YKJf6:d6BQBjlc728jo7S1bl6FbK

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3160-4-0x0000000003520000-0x0000000003521000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
4476	DisplaySwitch.exe
2552	sethc.exe
4868	SystemPropertiesComputerName.exe

Loads dropped DLL 3 IoCs

pid	Process
4476	DisplaySwitch.exe
2552	sethc.exe
4868	SystemPropertiesComputerName.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gvuuxctctfhbiie = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\U3q\\sethc.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sethc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4000	rundll32.exe
4000	rundll32.exe
4000	rundll32.exe
4000	rundll32.exe
4000	rundll32.exe
4000	rundll32.exe
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found
3160	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found
Token: SeShutdownPrivilege	3160	Process not Found
Token: SeCreatePagefilePrivilege	3160	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3160	Process not Found
3160	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3160	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 4332	3160	Process not Found	101
PID 3160 wrote to memory of 4332	3160	Process not Found	101
PID 3160 wrote to memory of 4476	3160	Process not Found	102
PID 3160 wrote to memory of 4476	3160	Process not Found	102
PID 3160 wrote to memory of 1824	3160	Process not Found	103
PID 3160 wrote to memory of 1824	3160	Process not Found	103
PID 3160 wrote to memory of 2552	3160	Process not Found	104
PID 3160 wrote to memory of 2552	3160	Process not Found	104
PID 3160 wrote to memory of 4824	3160	Process not Found	105
PID 3160 wrote to memory of 4824	3160	Process not Found	105
PID 3160 wrote to memory of 4868	3160	Process not Found	106
PID 3160 wrote to memory of 4868	3160	Process not Found	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3fa6fcc3a459eecd5f814bd57b697ae.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4000

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:4332

C:\Users\Admin\AppData\Local\N5ir\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\N5ir\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4476

C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
1⤵
PID:1824

C:\Users\Admin\AppData\Local\uumA5\sethc.exe
C:\Users\Admin\AppData\Local\uumA5\sethc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2552

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:4824

C:\Users\Admin\AppData\Local\xlDc\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\xlDc\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\N5ir\DUser.dll

Filesize
1012KB

MD5
27bd2390f04f9995e33fef5428c5fe08

SHA1
ac7afb3d620946a643b41fbb9559ab618fcdcac7

SHA256
9bc9f0f39cf20e926967fec5de9616a1a35a383a3af1cc65c822f9634c2806b7

SHA512
c715d7e781b30a3cf0a2e9348ba6f5333eb58a0ea45c33b5ca606d9a56219c8b56bef5e330e0390e3520397542d0865610a6778d902408894a3bd8ec483a4c7f

Download Submit
C:\Users\Admin\AppData\Local\N5ir\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\uumA5\UxTheme.dll

Filesize
1008KB

MD5
929af66079d66616379986e3a2966bb1

SHA1
a946a9190692aa0a8ffe95725a0aaf22cb904026

SHA256
09b59524e0fa6d379f02591885dcc4ac18011e03633bc761bf23a34756dd38cd

SHA512
5e78dab6e5ddc9de886a202aab03ba52f6403b525ca20f49e8c1b9a6f42a3438f76f23af3ce3395f9a6e62e838074944de663911300e094d56ae74d5fba04924

Download Submit
C:\Users\Admin\AppData\Local\uumA5\UxTheme.dll

Filesize
896KB

MD5
bf875fbc9fffafe69c826bb26979e79a

SHA1
a88ebb1b1cb42bf8f9fcb8faed7a485c7bc8251a

SHA256
d8f2bf1f3d67a4841bf79fea6916d87c22d07fe449ec809c7bbfd919a9e40dbf

SHA512
9c5d6e46d33ff2a9fcf6450a90d320acf94b87335dceb1517c42dd714f9f726534caa42a449b9b8f582782c933014fda9344f0f251d81661f8091c4fd916105e

Download Submit
C:\Users\Admin\AppData\Local\uumA5\sethc.exe

Filesize
104KB

MD5
8ba3a9702a3f1799431cad6a290223a6

SHA1
9c7dc9b6830297c8f759d1f46c8b36664e26c031

SHA256
615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8

SHA512
680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

Download Submit
C:\Users\Admin\AppData\Local\xlDc\SYSDM.CPL

Filesize
1008KB

MD5
33caf2f808daa7ae4b8e56f87e6e6d83

SHA1
e91bd2fd194942a7a2984dfdec777f36e252b1d9

SHA256
e045d05d54ec0efa0e683e3154c624937e71719c59ec4122e56490e1d5d4cc3e

SHA512
95099bb97e08ee9eeb568309c1fd075cfe9a08d6264b76b79dda7fdfdc0cbd4a069075069cff33c39452c2c68d147e881fa7b5d76855f5c8ac5855ecfbcdbbe0

Download Submit
C:\Users\Admin\AppData\Local\xlDc\SystemPropertiesComputerName.exe

Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vuzdvithyifjda.lnk

Filesize
1KB

MD5
9cb4d936ef55d63aeab0f2485679a736

SHA1
0987fc341359439a4416b24468705583e84455ad

SHA256
6de82c5a8ee013c79b61ac3953ae1deb76156dcd5d0fb4fe181a92dfcb39acb3

SHA512
24d5088a6839179139c1efa02c8189a98efbc52d5af257cfc9718b7bf8e35388f0fde860b863dc01830ecce4f2b9d4f25f87063974c7f1303a06e1a8e218b338

Download Submit
memory/2552-74-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2552-69-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download
memory/2552-68-0x000001B77C380000-0x000001B77C387000-memory.dmp

Filesize
28KB

Download
memory/3160-23-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-13-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-17-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-18-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-16-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-20-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-19-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-21-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-22-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-5-0x00007FF9BD77A000-0x00007FF9BD77B000-memory.dmp

Filesize
4KB

Download
memory/3160-24-0x0000000003500000-0x0000000003507000-memory.dmp

Filesize
28KB

Download
memory/3160-31-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-35-0x00007FF9BDA30000-0x00007FF9BDA40000-memory.dmp

Filesize
64KB

Download
memory/3160-41-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-4-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3160-15-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-14-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-8-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-7-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-9-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-12-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-11-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/3160-10-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/4000-44-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/4000-0-0x0000000140000000-0x00000001400FB000-memory.dmp

Filesize
1004KB

Download
memory/4000-2-0x000001771BDF0000-0x000001771BDF7000-memory.dmp

Filesize
28KB

Download
memory/4476-57-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4476-52-0x0000000140000000-0x00000001400FD000-memory.dmp

Filesize
1012KB

Download
memory/4476-51-0x0000020B79CB0000-0x0000020B79CB7000-memory.dmp

Filesize
28KB

Download
memory/4868-87-0x000001E5F5D40000-0x000001E5F5D47000-memory.dmp

Filesize
28KB

Download
memory/4868-90-0x0000000140000000-0x00000001400FC000-memory.dmp

Filesize
1008KB

Download