dridex | 872d31c55af7ef65984d53b590f849b6d9d361a90b474ff4456fb1d0c5fa8f76

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll
Size

768KB
MD5

bd5cfa593ed87901f8184eaa44c0a8b8
SHA1

963a57fb83ca6361624fb057058ea4fb538015dc
SHA256

86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100
SHA512

f6235abb0503db5a7cc7a0f6d2a4682db1491127a4f5700d3f68e15535b838651e1df8a8292643e46febb678e16abe9f36f6990db57db3f58c60ceae186ae489
SSDEEP

12288:4lORVEAueQmTmQKO2nMlqVaSEwzH7YxiCyJ86azEZy1f11pNx:8ORVEVNmaDznMlqVNE27dJ8J2inNx

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3540-4-0x0000000002640000-0x0000000002641000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1540	sigverif.exe
3804	PresentationHost.exe
5100	psr.exe

Loads dropped DLL 3 IoCs

pid	Process
1540	sigverif.exe
3804	PresentationHost.exe
5100	psr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zmupasrg = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\2xINWwcUj\\PresentationHost.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3548	rundll32.exe
3548	rundll32.exe
3548	rundll32.exe
3548	rundll32.exe
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
3540	Process not Found
1540	sigverif.exe
1540	sigverif.exe
3540	Process not Found
3540	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3540	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 1968	3540	Process not Found	88
PID 3540 wrote to memory of 1968	3540	Process not Found	88
PID 3540 wrote to memory of 1540	3540	Process not Found	89
PID 3540 wrote to memory of 1540	3540	Process not Found	89
PID 3540 wrote to memory of 1176	3540	Process not Found	90
PID 3540 wrote to memory of 1176	3540	Process not Found	90
PID 3540 wrote to memory of 3804	3540	Process not Found	91
PID 3540 wrote to memory of 3804	3540	Process not Found	91
PID 3540 wrote to memory of 2388	3540	Process not Found	92
PID 3540 wrote to memory of 2388	3540	Process not Found	92
PID 3540 wrote to memory of 5100	3540	Process not Found	93
PID 3540 wrote to memory of 5100	3540	Process not Found	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\86bcfce2dd342e9a1c04cfc65731d40ed1c397a4ec47bd9f5b41771297d81100.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3548

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:1968

C:\Users\Admin\AppData\Local\gQRbmGI\sigverif.exe
C:\Users\Admin\AppData\Local\gQRbmGI\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:1176

C:\Users\Admin\AppData\Local\dkvahgvA\PresentationHost.exe
C:\Users\Admin\AppData\Local\dkvahgvA\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3804

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2388

C:\Users\Admin\AppData\Local\btkoMSOg\psr.exe
C:\Users\Admin\AppData\Local\btkoMSOg\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\btkoMSOg\XmlLite.dll

Filesize
768KB

MD5
fc7e35df2fdc6af4dbb840c4089a0e3a

SHA1
191633a031e31909e4119521e9909b026308d099

SHA256
10ec05041b289ecb3987cf93ead7eac390ded7cec2ddae16c17231b78cd18306

SHA512
ac6373651f4e7fe494904c3b8228791f6f66ab268dcd0c1454116732a4bb39429daab77451cc9a31da6199c902f41eb7ae2ae821ae3d92d8ee717f93aa759c3a

Download Submit
C:\Users\Admin\AppData\Local\btkoMSOg\psr.exe

Filesize
232KB

MD5
ad53ead5379985081b7c3f1f357e545a

SHA1
6f5aa32c1d15fbf073558fadafd046d97b60184e

SHA256
4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f

SHA512
433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

Download Submit
C:\Users\Admin\AppData\Local\dkvahgvA\PresentationHost.exe

Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\dkvahgvA\VERSION.dll

Filesize
768KB

MD5
f7bbe30cbed46177e8d7c05a5007388c

SHA1
a1b9260702ba825cc3c3facdb7391f0fccdfff79

SHA256
0c2a44ed1457b5fe0a551b0657a4d371531364bce8e30e4c116e69af224dc036

SHA512
ecb57e06b1d6b0ea70082fd4ed9cd78edea838b9c376b7b8afbab3d39bd0fb4df9f392d7d72232f581c309d8a289071ea89d062c35ec82141e7a01c6d21bd797

Download Submit
C:\Users\Admin\AppData\Local\gQRbmGI\VERSION.dll

Filesize
768KB

MD5
86d385b3a67f3de49681865011e057f0

SHA1
186aba5c5e5884b1d3dbd83edcfb6823646b8e71

SHA256
8ed2716500d67b954d8ed11d3d64d91197ae2cb888b1df96865cbf252b298f2d

SHA512
f5a0c9983ccda7450aba87c1bebcaeeb90905e15ea42adc6fd1245e1934b616a0e231c2d76b959707ddfdef94839b74072d679c46b4cf6ca529fb514353c77aa

Download Submit
C:\Users\Admin\AppData\Local\gQRbmGI\sigverif.exe

Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxqqcbifk.lnk

Filesize
1KB

MD5
5a2c3d5ff853ad62af56a05da0238559

SHA1
d7bda89ad01f84987af262bded67c5c1e3a52f9b

SHA256
cbefbd0d1537147cc1f7a9a232b88e89164e5e9e2a3e36f4c4bcda7519151aea

SHA512
7214dc018df2fbf3daf88fa70e89f5b9a235865eee8ce6f9968608b9e77d4d2708a929817d61a432fbd62ea7cfe9a567d809e8d6c190a0629789b276228b07a2

Download Submit
memory/1540-49-0x00007FFFE54C0000-0x00007FFFE5580000-memory.dmp

Filesize
768KB

Download
memory/1540-43-0x00007FFFE54C0000-0x00007FFFE5580000-memory.dmp

Filesize
768KB

Download
memory/1540-44-0x000001A499B20000-0x000001A499B27000-memory.dmp

Filesize
28KB

Download
memory/3540-10-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-12-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-14-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-16-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-22-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-23-0x00007FF803B20000-0x00007FF803B30000-memory.dmp

Filesize
64KB

Download
memory/3540-32-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-34-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-13-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-4-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/3540-5-0x00007FF80271A000-0x00007FF80271B000-memory.dmp

Filesize
4KB

Download
memory/3540-15-0x0000000000730000-0x0000000000737000-memory.dmp

Filesize
28KB

Download
memory/3540-11-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-7-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3540-8-0x0000000140000000-0x00000001400C0000-memory.dmp

Filesize
768KB

Download
memory/3548-9-0x00007FFFF5260000-0x00007FFFF5320000-memory.dmp

Filesize
768KB

Download
memory/3548-0-0x000001FBC5FA0000-0x000001FBC5FA7000-memory.dmp

Filesize
28KB

Download
memory/3548-1-0x00007FFFF5260000-0x00007FFFF5320000-memory.dmp

Filesize
768KB

Download
memory/3804-61-0x000001FD23AE0000-0x000001FD23AE7000-memory.dmp

Filesize
28KB

Download
memory/3804-60-0x00007FFFF4B00000-0x00007FFFF4BC0000-memory.dmp

Filesize
768KB

Download
memory/3804-66-0x00007FFFF4B00000-0x00007FFFF4BC0000-memory.dmp

Filesize
768KB

Download
memory/5100-78-0x000002321AE70000-0x000002321AE77000-memory.dmp

Filesize
28KB

Download
memory/5100-83-0x00007FFFF4B00000-0x00007FFFF4BC0000-memory.dmp

Filesize
768KB

Download