dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
104s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral11/memory/3460-4-0x00000000032E0000-0x00000000032E1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

msdt.exeSystemSettingsRemoveDevice.exewbengine.exe

pid process

1712 msdt.exe
2628 SystemSettingsRemoveDevice.exe
3732 wbengine.exe
Loads dropped DLL 3 IoCs

Processes:

msdt.exeSystemSettingsRemoveDevice.exewbengine.exe

pid process

1712 msdt.exe
2628 SystemSettingsRemoveDevice.exe
3732 wbengine.exe

pid	process
1712	msdt.exe
2628	SystemSettingsRemoveDevice.exe
3732	wbengine.exe

pid	process
1712	msdt.exe
2628	SystemSettingsRemoveDevice.exe
3732	wbengine.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\5TxwZ\\SystemSettingsRemoveDevice.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SystemSettingsRemoveDevice.exewbengine.exerundll32.exemsdt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wbengine.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msdt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
1936	rundll32.exe
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460
3460

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3460 wrote to memory of 888	3460	msdt.exe
PID 3460 wrote to memory of 888	3460	msdt.exe
PID 3460 wrote to memory of 1712	3460	msdt.exe
PID 3460 wrote to memory of 1712	3460	msdt.exe
PID 3460 wrote to memory of 1672	3460	SystemSettingsRemoveDevice.exe
PID 3460 wrote to memory of 1672	3460	SystemSettingsRemoveDevice.exe
PID 3460 wrote to memory of 2628	3460	SystemSettingsRemoveDevice.exe
PID 3460 wrote to memory of 2628	3460	SystemSettingsRemoveDevice.exe
PID 3460 wrote to memory of 4476	3460	wbengine.exe
PID 3460 wrote to memory of 4476	3460	wbengine.exe
PID 3460 wrote to memory of 3732	3460	wbengine.exe
PID 3460 wrote to memory of 3732	3460	wbengine.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
1⤵
PID:888

C:\Users\Admin\AppData\Local\Y27\msdt.exe
C:\Users\Admin\AppData\Local\Y27\msdt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1712

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:1672

C:\Users\Admin\AppData\Local\Pdb\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\Pdb\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2628

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:4476

C:\Users\Admin\AppData\Local\fZYaYPA74\wbengine.exe
C:\Users\Admin\AppData\Local\fZYaYPA74\wbengine.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Pdb\DUI70.dll

Filesize
1.5MB

MD5
93479063b445cf633378e83b8d6226c9

SHA1
8152f982ab38e4f941a836fcd351f48e5c771769

SHA256
a0daf2069afe24b03f74a02695284d89d8f1d9cb33909467eee561d4cb7c709d

SHA512
5c876fc5045e46c52851b4c0251f6b97d6f995f444f679220a25be117d7a58ef83abf9379ccc0e1f3ccf315577ab84eec970107f8dda63136b4e7669079c1811

Download Submit
C:\Users\Admin\AppData\Local\Pdb\SystemSettingsRemoveDevice.exe

Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\Y27\DUI70.dll

Filesize
1.5MB

MD5
3b89c4e5e0216deb8f1d638f5e610111

SHA1
c1f9b5ceced10e44a5631531df21da27b966ab0e

SHA256
9405935b3136d0e0769fed93bf3539935e5c985a32e3beab7f89ff85992b6640

SHA512
99f593b1effa744f23d57b45e7af4d4daff1249661ba8393f886826a7dd06fb79c77ed29e0d8d93426d31f685d3e31189747b55082b77ee5940a440a9bc218c8

Download Submit
C:\Users\Admin\AppData\Local\Y27\msdt.exe

Filesize
421KB

MD5
992c3f0cc8180f2f51156671e027ae75

SHA1
942ec8c2ccfcacd75a1cd86cbe8873aee5115e29

SHA256
6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f

SHA512
1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

Download Submit
C:\Users\Admin\AppData\Local\fZYaYPA74\XmlLite.dll

Filesize
1.2MB

MD5
c2ab43433ab3a27fc55e657e53236cd0

SHA1
daccd0b92fff8c2d995ca48923e8226b223cdc87

SHA256
f9adc0a1521a7db27201830bcca7c7f37f66d06203cedcf656e539e77bf3b206

SHA512
3e73d3b919ba067c6e318a181febf3815309743104bcbffa6063d7ed07a5c169920af4a8f403ea95544cdaee194ee65f95ef43fb96357a46af69bc2bfaec7b20

Download Submit
C:\Users\Admin\AppData\Local\fZYaYPA74\wbengine.exe

Filesize
1.5MB

MD5
17270a354a66590953c4aac1cf54e507

SHA1
715babcc8e46b02ac498f4f06df7937904d9798d

SHA256
9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4

SHA512
6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rkjap.lnk

Filesize
1KB

MD5
4715df8c55fca059262d2039fc53ea51

SHA1
9023e60c867ec3a253550a0b1839acb8c16c545d

SHA256
1aeb4c061d053dbbab222e471a58e441727033d790e781cc708784208c3642c2

SHA512
d672d1c8c7e8952b4cf97bb44b63ae07d7a787f4251267cdd076bbbcd307581c1c515516d5c9f9981100fb539379516dc5a1dd087396b3b6fb7bad8ef9f222d3

Download Submit
memory/1712-46-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1712-52-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1712-49-0x0000027442760000-0x0000027442767000-memory.dmp

Filesize
28KB

Download
memory/1936-3-0x0000026F7B9B0000-0x0000026F7B9B7000-memory.dmp

Filesize
28KB

Download
memory/1936-39-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1936-0-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2628-66-0x000002615EAB0000-0x000002615EAB7000-memory.dmp

Filesize
28KB

Download
memory/2628-69-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3460-24-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-36-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-6-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-28-0x00007FFB4077A000-0x00007FFB4077B000-memory.dmp

Filesize
4KB

Download
memory/3460-29-0x0000000001260000-0x0000000001267000-memory.dmp

Filesize
28KB

Download
memory/3460-30-0x00007FFB40B50000-0x00007FFB40B60000-memory.dmp

Filesize
64KB

Download
memory/3460-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3460-4-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3732-85-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3732-80-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download