dridex | a114e0e03c47c4454ae6ba29cd7c4f75fab7c570f8c68b606b1d3e5c3e126f15

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a114e0e03c47c4454ae6ba29cd7c4f75fab7c570f8c68b606b1d3e5c3e126f15.dll
Size

792KB
MD5

f0c81fc68f26ad2a4feddcef90a4c72a
SHA1

bee31aa6f4f439691ec630bff371492deb96db01
SHA256

a114e0e03c47c4454ae6ba29cd7c4f75fab7c570f8c68b606b1d3e5c3e126f15
SHA512

430bb5329eafaf4c414df4637d319b08fcccb43a2015d8888b96d140620b0716dac145283e57e62753cfe1ce9e4210a33bdf77d27664edff3df2821da608ff6f
SSDEEP

12288:EBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:g/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3500-3-0x00000000049A0000-0x00000000049A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/5048-0-0x00007FF972490000-0x00007FF972556000-memory.dmp	dridex_payload
behavioral2/memory/3500-28-0x0000000140000000-0x00000001400C6000-memory.dmp	dridex_payload
behavioral2/memory/3500-36-0x0000000140000000-0x00000001400C6000-memory.dmp	dridex_payload
behavioral2/memory/3500-47-0x0000000140000000-0x00000001400C6000-memory.dmp	dridex_payload
behavioral2/memory/5048-50-0x00007FF972490000-0x00007FF972556000-memory.dmp	dridex_payload
behavioral2/memory/2588-58-0x00007FF962F30000-0x00007FF962FF7000-memory.dmp	dridex_payload
behavioral2/memory/2588-62-0x00007FF962F30000-0x00007FF962FF7000-memory.dmp	dridex_payload
behavioral2/memory/2940-82-0x00007FF9639E0000-0x00007FF963AA7000-memory.dmp	dridex_payload
behavioral2/memory/2940-86-0x00007FF9639E0000-0x00007FF963AA7000-memory.dmp	dridex_payload
behavioral2/memory/2468-98-0x00007FF9639A0000-0x00007FF963AAC000-memory.dmp	dridex_payload
behavioral2/memory/2468-102-0x00007FF9639A0000-0x00007FF963AAC000-memory.dmp	dridex_payload

Executes dropped EXE 4 IoCs

pid	Process
2588	CustomShellHost.exe
4836	Narrator.exe
2940	cmstp.exe
2468	bdechangepin.exe

Loads dropped DLL 3 IoCs

pid	Process
2588	CustomShellHost.exe
2940	cmstp.exe
2468	bdechangepin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vdtkrnjrcdvlvc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\rlT475t\\cmstp.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CustomShellHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmstp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5048	rundll32.exe
5048	rundll32.exe
5048	rundll32.exe
5048	rundll32.exe
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found
3500	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found
Token: SeShutdownPrivilege	3500	Process not Found
Token: SeCreatePagefilePrivilege	3500	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3500	Process not Found
3500	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3500	Process not Found

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 3024	3500	Process not Found	94
PID 3500 wrote to memory of 3024	3500	Process not Found	94
PID 3500 wrote to memory of 2588	3500	Process not Found	95
PID 3500 wrote to memory of 2588	3500	Process not Found	95
PID 3500 wrote to memory of 1272	3500	Process not Found	96
PID 3500 wrote to memory of 1272	3500	Process not Found	96
PID 3500 wrote to memory of 864	3500	Process not Found	98
PID 3500 wrote to memory of 864	3500	Process not Found	98
PID 3500 wrote to memory of 2940	3500	Process not Found	99
PID 3500 wrote to memory of 2940	3500	Process not Found	99
PID 3500 wrote to memory of 1000	3500	Process not Found	100
PID 3500 wrote to memory of 1000	3500	Process not Found	100
PID 3500 wrote to memory of 2468	3500	Process not Found	101
PID 3500 wrote to memory of 2468	3500	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a114e0e03c47c4454ae6ba29cd7c4f75fab7c570f8c68b606b1d3e5c3e126f15.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\system32\CustomShellHost.exe
C:\Windows\system32\CustomShellHost.exe
1⤵
PID:3024

C:\Users\Admin\AppData\Local\kQJ\CustomShellHost.exe
C:\Users\Admin\AppData\Local\kQJ\CustomShellHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2588

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:1272

C:\Users\Admin\AppData\Local\PLAp\Narrator.exe
C:\Users\Admin\AppData\Local\PLAp\Narrator.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
1⤵
PID:864

C:\Users\Admin\AppData\Local\UZFyqSD\cmstp.exe
C:\Users\Admin\AppData\Local\UZFyqSD\cmstp.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2940

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:1000

C:\Users\Admin\AppData\Local\llmfoQ\bdechangepin.exe
C:\Users\Admin\AppData\Local\llmfoQ\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\PLAp\Narrator.exe

Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Local\UZFyqSD\VERSION.dll

Filesize
796KB

MD5
45218e5a35a045f5ac0835f7f650a9a6

SHA1
824eec20f7e6bcccb6a3d280cf6067ab3b436695

SHA256
138ff83f9eba2ba6b83eb7dcec1ca734b87897fdbf4920b853782e3fbf0c921c

SHA512
284c2da93b7fca02b38ade73c291b39bf2363d06513b92fea57743f91b6acc5ad69d2f3d8190becb602be5556929a4a5524e028dc22fabc974e15efb3e7c2c06

Download Submit
C:\Users\Admin\AppData\Local\UZFyqSD\cmstp.exe

Filesize
96KB

MD5
4cc43fe4d397ff79fa69f397e016df52

SHA1
8fd6cf81ad40c9b123cd75611860a8b95c72869c

SHA256
f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c

SHA512
851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

Download Submit
C:\Users\Admin\AppData\Local\kQJ\CustomShellHost.exe

Filesize
835KB

MD5
70400e78b71bc8efdd063570428ae531

SHA1
cd86ecd008914fdd0389ac2dc00fe92d87746096

SHA256
91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289

SHA512
53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

Download Submit
C:\Users\Admin\AppData\Local\kQJ\WTSAPI32.dll

Filesize
796KB

MD5
e84ee9f878ca7dbebd83989a9cf89db3

SHA1
c4ce360619fc378ecfc3fdf47fb3bf479a849ab7

SHA256
20e8e6a3be3fb7e8a48cf7913063ffcd294ddbfece0dfeae992b0f0ab1dfb419

SHA512
5709cb7783e2ccc57c1291f76a2332f1e9371e08bc0ae1e0994adb41d548c097997937b7a70b3e8f62e154b9180a2375a5950974c3dcf15eb79161deeac1d5e9

Download Submit
C:\Users\Admin\AppData\Local\llmfoQ\DUI70.dll

Filesize
1.0MB

MD5
c5fb93e3cea408e5bc74f32b5377d5ba

SHA1
e21bbb5db2e6d4972448864a9e9df2b9f758b1f6

SHA256
eada10276f0026d1f42b5e52ab0203c0a9407b1f9ebf740e022f595cbe6abe5d

SHA512
61e11a3268d0b1b55e131547f7cf0a1a9fc7bb3e9fa8f4f2a48b819d95c8aeadfea21c7f837aa505cba62cf2a1fa793d9f5739d0c053b943ac58adb8e09dd844

Download Submit
C:\Users\Admin\AppData\Local\llmfoQ\bdechangepin.exe

Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Txagdzatgusg.lnk

Filesize
1KB

MD5
0d78f79d4ccdf5edbc55ab6933af475c

SHA1
d000a6430fea1d116f01c3f89e50611ab2f2ffdb

SHA256
4dd2742f79438e7bf581fb9625942b9c5563e0282985a6e46d24394872e29cec

SHA512
ff14f3481a9573f3b41f23b39ce675d4e3ee8afa1422b2122125b5ee778f143a8f7ec4425c3e9bbddf7d07b7033c7dec4b34320fc7980735a22bb83e7361d3b1

Download Submit
memory/2468-98-0x00007FF9639A0000-0x00007FF963AAC000-memory.dmp

Filesize
1.0MB

Download
memory/2468-97-0x0000029B5DEE0000-0x0000029B5DEE7000-memory.dmp

Filesize
28KB

Download
memory/2468-102-0x00007FF9639A0000-0x00007FF963AAC000-memory.dmp

Filesize
1.0MB

Download
memory/2588-62-0x00007FF962F30000-0x00007FF962FF7000-memory.dmp

Filesize
796KB

Download
memory/2588-57-0x000001A590D40000-0x000001A590D47000-memory.dmp

Filesize
28KB

Download
memory/2588-58-0x00007FF962F30000-0x00007FF962FF7000-memory.dmp

Filesize
796KB

Download
memory/2940-81-0x000001BA5FE50000-0x000001BA5FE57000-memory.dmp

Filesize
28KB

Download
memory/2940-82-0x00007FF9639E0000-0x00007FF963AA7000-memory.dmp

Filesize
796KB

Download
memory/2940-86-0x00007FF9639E0000-0x00007FF963AA7000-memory.dmp

Filesize
796KB

Download
memory/3500-25-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-37-0x00007FF980FA0000-0x00007FF980FB0000-memory.dmp

Filesize
64KB

Download
memory/3500-27-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-26-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-23-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-24-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-22-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-21-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-19-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-20-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-18-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-17-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-16-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-15-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-14-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-4-0x00007FF97F22A000-0x00007FF97F22B000-memory.dmp

Filesize
4KB

Download
memory/3500-36-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-47-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-38-0x00007FF980F90000-0x00007FF980FA0000-memory.dmp

Filesize
64KB

Download
memory/3500-28-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-30-0x0000000004980000-0x0000000004987000-memory.dmp

Filesize
28KB

Download
memory/3500-3-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3500-12-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-13-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-11-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-10-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-9-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-8-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-7-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3500-6-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5048-0-0x00007FF972490000-0x00007FF972556000-memory.dmp

Filesize
792KB

Download
memory/5048-50-0x00007FF972490000-0x00007FF972556000-memory.dmp

Filesize
792KB

Download
memory/5048-1-0x0000023FE6F50000-0x0000023FE6F57000-memory.dmp

Filesize
28KB

Download