dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
150s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-06-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral21/memory/3332-7-0x0000000000D50000-0x0000000000D51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

BdeUISrv.exeprintfilterpipelinesvc.exepwcreator.exe

pid process

912 BdeUISrv.exe
652 printfilterpipelinesvc.exe
4440 pwcreator.exe
Loads dropped DLL 5 IoCs

Processes:

BdeUISrv.exeprintfilterpipelinesvc.exepwcreator.exe

pid process

912 BdeUISrv.exe
652 printfilterpipelinesvc.exe
652 printfilterpipelinesvc.exe
652 printfilterpipelinesvc.exe
4440 pwcreator.exe

pid	process
912	BdeUISrv.exe
652	printfilterpipelinesvc.exe
4440	pwcreator.exe

pid	process
912	BdeUISrv.exe
652	printfilterpipelinesvc.exe
652	printfilterpipelinesvc.exe
652	printfilterpipelinesvc.exe
4440	pwcreator.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tfuhhiozesvy = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\0Wws6Q\\printfilterpipelinesvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeBdeUISrv.exeprintfilterpipelinesvc.exepwcreator.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pwcreator.exe

Modifies registry class 2 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4692	rundll32.exe
4692	rundll32.exe
4692	rundll32.exe
4692	rundll32.exe
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332
3332

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332
Token: SeShutdownPrivilege	3332
Token: SeCreatePagefilePrivilege	3332

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3332 wrote to memory of 708	3332	BdeUISrv.exe
PID 3332 wrote to memory of 708	3332	BdeUISrv.exe
PID 3332 wrote to memory of 912	3332	BdeUISrv.exe
PID 3332 wrote to memory of 912	3332	BdeUISrv.exe
PID 3332 wrote to memory of 224	3332	printfilterpipelinesvc.exe
PID 3332 wrote to memory of 224	3332	printfilterpipelinesvc.exe
PID 3332 wrote to memory of 652	3332	printfilterpipelinesvc.exe
PID 3332 wrote to memory of 652	3332	printfilterpipelinesvc.exe
PID 3332 wrote to memory of 3308	3332	pwcreator.exe
PID 3332 wrote to memory of 3308	3332	pwcreator.exe
PID 3332 wrote to memory of 4440	3332	pwcreator.exe
PID 3332 wrote to memory of 4440	3332	pwcreator.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4692

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:708

C:\Users\Admin\AppData\Local\u980bSE5\BdeUISrv.exe
C:\Users\Admin\AppData\Local\u980bSE5\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:912

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:224

C:\Users\Admin\AppData\Local\M9d\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\M9d\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:652

C:\Windows\system32\pwcreator.exe
C:\Windows\system32\pwcreator.exe
1⤵
PID:3308

C:\Users\Admin\AppData\Local\3fG8MPWI\pwcreator.exe
C:\Users\Admin\AppData\Local\3fG8MPWI\pwcreator.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3fG8MPWI\pwcreator.exe

Filesize
775KB

MD5
5a9ef500a0436e893542fca5e8876c9c

SHA1
bf8f802f67cf5f42ad6375b5159b4b2d8c5759a4

SHA256
a0af92d50e18376d996a3bfeb9e43cc8d2ea8385646542ea850c777850d588df

SHA512
ffda4df212242e87d399ddcd72fa99b14f0d18abcfdb6c69df65ce345e8c94f2c1fccb323252af5cb18a28abeef0b148c106631ec778a522f82b392c0547fdc8

Download Submit
C:\Users\Admin\AppData\Local\M9d\XmlLite.dll

Filesize
1.2MB

MD5
f0e87f0b1d33e68a66581664b3c429ff

SHA1
6a4ac3530949095ae4416cffe6de58204b37019f

SHA256
30e56c881dc31da731008a9f0645dcb947608008d6d204989ef0269c72fa5f4f

SHA512
c69e99e7711c053c38f6540c9f6e30f16c00bdc9f577aef50189140e85654aed40625e7b73b9288909efdacb0a457e0698ccf144f4b28b34b933a2aac55abdff

Download Submit
C:\Users\Admin\AppData\Local\M9d\printfilterpipelinesvc.exe

Filesize
812KB

MD5
3f759db69d6016c286bd25f10e4b6e0c

SHA1
e2243c1e27b9a0b68e550e1775aa75f3bafd5286

SHA256
eeb432af61d3157153cc6683ae4ffbb44b306ed0b980911be2891358048dc7c7

SHA512
67f0cf128a048139b5ceb0b6fb88498076b60d5822fe807fe1ab0d1856e74096d3625cb824a80066b6a27ae0929c44164fc6e8e56cfc18b04e25ebcd51d948ac

Download Submit
C:\Users\Admin\AppData\Local\u980bSE5\BdeUISrv.exe

Filesize
51KB

MD5
bbdabce7ba28eb67c325fa99125d56e0

SHA1
332ea58882149d629057e8a8004a48d1bb1d6180

SHA256
9c3fe14fc4ab8e385c3baae1d5a04a66c3ee645d278b182039fa45a6c99b4994

SHA512
fd3a22baac2689f8e009cb7845aa6ca7dd4a7ba4f1956758945cdd68dfc7045e4da62cf846a4a0b507d9be3753eb68b94fe375bf01dc698017b107ff26ebd93e

Download Submit
C:\Users\Admin\AppData\Local\u980bSE5\WTSAPI32.dll

Filesize
1.2MB

MD5
825fb39dda754426572db43c5ba7cef6

SHA1
baeeed076da5da30d028b3d8e8a802bc1ba65282

SHA256
3e58aab5d5fcaac173f7d096573043b3efbe087a1cee0712d3f60e85236d89b2

SHA512
ece294fee1ca35868d2c6f5251eac8d5d824e68ffd3f46774d9520a92b44f1732bf61ccc1b2861ca23fbda99d424d18bbfe70689d4809153b36d363fe3b565d7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rjiuzralirfk.lnk

Filesize
1KB

MD5
9778b6f5f85d8d9b7bea037e294c472c

SHA1
371edd4af4abbc93dcb9a9850433e274cc112454

SHA256
ebbcdae2ee4262dfcd0178f851cc87fc281e52bfb098ac8107067bba6209e80a

SHA512
5a0890ed335c7c840e226ad393ff948a94006b03dd6b20fd8de145af0c84d06c2bc7f78434be784b87948efeb8e06bd9eb26c747b5d74dd169a8453019f2756b

Download Submit
\Users\Admin\AppData\Local\3fG8MPWI\WINBRAND.dll

Filesize
1.2MB

MD5
825374260e66fcfaea485c3e7dd7b5f4

SHA1
2469822575c4dba1d75758edc938726f071d09eb

SHA256
2dff5b5fbebb7c6f105ba3fa98af1a4038026785ba25f258b377307642252add

SHA512
9a473d4d62d73776f935caa0102ea582ad8fd593c10c9bf713ed7142e7958a456b303d247f9e28f2a5458448e65848e5c5d9c57137e14de55a93087c148b39b2

Download Submit
memory/652-83-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/912-53-0x000001C757920000-0x000001C757927000-memory.dmp

Filesize
28KB

Download
memory/912-62-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/912-54-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3332-33-0x00007FF8BF2F5000-0x00007FF8BF2F6000-memory.dmp

Filesize
4KB

Download
memory/3332-32-0x0000000000D10000-0x0000000000D17000-memory.dmp

Filesize
28KB

Download
memory/3332-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-43-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-7-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3332-30-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-31-0x00007FF8BC9D3000-0x00007FF8BC9D4000-memory.dmp

Filesize
4KB

Download
memory/3332-17-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-34-0x00007FF8BF1A0000-0x00007FF8BF1B0000-memory.dmp

Filesize
64KB

Download
memory/3332-18-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3332-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4440-102-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4692-0-0x000002B708480000-0x000002B708487000-memory.dmp

Filesize
28KB

Download
memory/4692-46-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4692-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download