dridex | 75c4e5ea34c5b7bce8151ef2a04337e6c6657acec991fff8b3a6a9f23e216903

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2024, 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75c4e5ea34c5b7bce8151ef2a04337e6c6657acec991fff8b3a6a9f23e216903.dll
Size

800KB
MD5

5df0b4b0381cc82c174e4175011a5904
SHA1

767c88a86cacfa66aa8f8715225adc9156624bf8
SHA256

75c4e5ea34c5b7bce8151ef2a04337e6c6657acec991fff8b3a6a9f23e216903
SHA512

e679183963c66596592670ee8c210a068c8aca15bfb8e2607c066a6da8b4c455f5ec885a2b36c17e4e2d858cf175aa13eea797884692bd686b599ac6005396c4
SSDEEP

12288:hBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:j/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3444-3-0x0000000001490000-0x0000000001491000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1336-0-0x00007FFAE4BD0000-0x00007FFAE4C98000-memory.dmp	dridex_payload
behavioral2/memory/3444-29-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/3444-49-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/3444-38-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/1336-52-0x00007FFAE4BD0000-0x00007FFAE4C98000-memory.dmp	dridex_payload
behavioral2/memory/3776-60-0x00007FFAD59E0000-0x00007FFAD5AA9000-memory.dmp	dridex_payload
behavioral2/memory/3776-64-0x00007FFAD59E0000-0x00007FFAD5AA9000-memory.dmp	dridex_payload
behavioral2/memory/804-76-0x00007FFAD59E0000-0x00007FFAD5AAF000-memory.dmp	dridex_payload
behavioral2/memory/804-79-0x00007FFAD59E0000-0x00007FFAD5AAF000-memory.dmp	dridex_payload
behavioral2/memory/4904-88-0x00007FFAD59A0000-0x00007FFAD5AAE000-memory.dmp	dridex_payload
behavioral2/memory/4904-92-0x00007FFAD59A0000-0x00007FFAD5AAE000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3776	rdpinit.exe
804	mspaint.exe
4904	bdechangepin.exe

Loads dropped DLL 3 IoCs

pid	Process
3776	rdpinit.exe
804	mspaint.exe
4904	bdechangepin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Punckpak = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\Deployment\\HftHM1al\\mspaint.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdechangepin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1336	regsvr32.exe
1336	regsvr32.exe
1336	regsvr32.exe
1336	regsvr32.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3444	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2540	3444	Process not Found	96
PID 3444 wrote to memory of 2540	3444	Process not Found	96
PID 3444 wrote to memory of 3776	3444	Process not Found	97
PID 3444 wrote to memory of 3776	3444	Process not Found	97
PID 3444 wrote to memory of 4320	3444	Process not Found	98
PID 3444 wrote to memory of 4320	3444	Process not Found	98
PID 3444 wrote to memory of 804	3444	Process not Found	99
PID 3444 wrote to memory of 804	3444	Process not Found	99
PID 3444 wrote to memory of 2604	3444	Process not Found	100
PID 3444 wrote to memory of 2604	3444	Process not Found	100
PID 3444 wrote to memory of 4904	3444	Process not Found	101
PID 3444 wrote to memory of 4904	3444	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\75c4e5ea34c5b7bce8151ef2a04337e6c6657acec991fff8b3a6a9f23e216903.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:2540

C:\Users\Admin\AppData\Local\LY8n\rdpinit.exe
C:\Users\Admin\AppData\Local\LY8n\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3776

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:4320

C:\Users\Admin\AppData\Local\B9Bzpkhj\mspaint.exe
C:\Users\Admin\AppData\Local\B9Bzpkhj\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:804

C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
1⤵
PID:2604

C:\Users\Admin\AppData\Local\lClq1xGL\bdechangepin.exe
C:\Users\Admin\AppData\Local\lClq1xGL\bdechangepin.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\B9Bzpkhj\MFC42u.dll

Filesize
828KB

MD5
eff03e10688be76ff28d868f485f448d

SHA1
ef63c007bccc0bd9b017c84fb202c4e90ec63752

SHA256
3a35825260b13a2c046084110cfd00bd4adaedc2196dbc07c9051147f23e2c20

SHA512
1954f1bcecbd068e6b41ce1492a0f9109e24893c8027227d7a047d1add0f79c91f7cf46220a9e7b9cf11eacd1625536d1ba814ec5627a82c955b4bfc98c1c4e8

Download Submit
C:\Users\Admin\AppData\Local\B9Bzpkhj\mspaint.exe

Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\LY8n\WTSAPI32.dll

Filesize
804KB

MD5
f4ae931d7f00095754cb5875d6a0cab6

SHA1
857556bf6330c86bdc674ca4348d77d35421300b

SHA256
2a3fb3184e0737ea7f636297b5fcb8e46e9b48a7a3ad49c8d017833e252c311f

SHA512
59952dd317ce0a37917ef05401f0859ad10f2f75ab38df2e0ff84554b71587c211a02522580b13b09b5afd4c55ff9d98c428eec0e5656ba788ce213968846b4c

Download Submit
C:\Users\Admin\AppData\Local\LY8n\rdpinit.exe

Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\lClq1xGL\DUI70.dll

Filesize
1.1MB

MD5
6cba2b8041157683cd9e4010356d77f7

SHA1
36a99273ead08e7d4b68e8e487e783ed9b1d1ab3

SHA256
404f65fe8a5c9d579f743aec49f4046bfdbd0861a38605d1abf15ea98f5fdeb0

SHA512
8d479798e2112b34546f457ccfb57eb1c1006a8815266f1a7ca46a3ceecc9356e593a12de850e8310260379f95e059fca8dedaafd87e69de6532319d05e611ab

Download Submit
C:\Users\Admin\AppData\Local\lClq1xGL\bdechangepin.exe

Filesize
373KB

MD5
601a28eb2d845d729ddd7330cbae6fd6

SHA1
5cf9f6f9135c903d42a7756c638333db8621e642

SHA256
4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

SHA512
1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Reuom.lnk

Filesize
1KB

MD5
a7d01e35c4fa52a5491290f0d8d2148c

SHA1
16c0191fcc6ed92fc4a57f5e39c467dc9295d4f6

SHA256
7a6d3eadcdd85446d73fcff3dee4c8164be1f10735bd2b4462a3d8337c58b260

SHA512
add315a0c23bd647c7eb55fcc07e942a390b0c37e219d027e4d42855533bf027252751f1ffe0e3fb2d13833d0678844bcc73dfc300292c66e6db75e959a6d17b

Download Submit
memory/804-79-0x00007FFAD59E0000-0x00007FFAD5AAF000-memory.dmp

Filesize
828KB

Download
memory/804-76-0x00007FFAD59E0000-0x00007FFAD5AAF000-memory.dmp

Filesize
828KB

Download
memory/804-78-0x000001C891E20000-0x000001C891E27000-memory.dmp

Filesize
28KB

Download
memory/1336-52-0x00007FFAE4BD0000-0x00007FFAE4C98000-memory.dmp

Filesize
800KB

Download
memory/1336-2-0x0000000002200000-0x0000000002207000-memory.dmp

Filesize
28KB

Download
memory/1336-0-0x00007FFAE4BD0000-0x00007FFAE4C98000-memory.dmp

Filesize
800KB

Download
memory/3444-27-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-10-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-24-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-23-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-22-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-21-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-20-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-18-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-17-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-16-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-15-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-14-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-13-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-12-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-9-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-8-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-7-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-6-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-28-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-25-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-5-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-26-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-36-0x00007FFAF2F1A000-0x00007FFAF2F1B000-memory.dmp

Filesize
4KB

Download
memory/3444-38-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-3-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/3444-11-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-19-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-39-0x00007FFAF33E0000-0x00007FFAF33F0000-memory.dmp

Filesize
64KB

Download
memory/3444-49-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3444-40-0x00007FFAF33D0000-0x00007FFAF33E0000-memory.dmp

Filesize
64KB

Download
memory/3444-37-0x0000000001240000-0x0000000001247000-memory.dmp

Filesize
28KB

Download
memory/3444-29-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3776-64-0x00007FFAD59E0000-0x00007FFAD5AA9000-memory.dmp

Filesize
804KB

Download
memory/3776-60-0x00007FFAD59E0000-0x00007FFAD5AA9000-memory.dmp

Filesize
804KB

Download
memory/3776-59-0x0000024BD2740000-0x0000024BD2747000-memory.dmp

Filesize
28KB

Download
memory/4904-88-0x00007FFAD59A0000-0x00007FFAD5AAE000-memory.dmp

Filesize
1.1MB

Download
memory/4904-92-0x00007FFAD59A0000-0x00007FFAD5AAE000-memory.dmp

Filesize
1.1MB

Download