dridex | db9c18d05fd830f2f9e7cc0b5011f44a80277b3e298cee715587e8607542b49c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17-07-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db9c18d05fd830f2f9e7cc0b5011f44a80277b3e298cee715587e8607542b49c.dll
Size

800KB
MD5

844f37f59e5af38fca800fb75c94a4b9
SHA1

8505caf8264a9a1cdd9a6f6cba608ef01e38a2d9
SHA256

db9c18d05fd830f2f9e7cc0b5011f44a80277b3e298cee715587e8607542b49c
SHA512

7c3130224a823be7271e9489497c979bae68836c3779f0028325a245ff2138ef21870c4d84fb1d7f8943a1bc1f497a2d63d95aeb8bb6a6893ad00fc4d4f55b7d
SSDEEP

12288:hBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:j/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3468-3-0x0000000002A50000-0x0000000002A51000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/952-1-0x00007FFC653D0000-0x00007FFC65498000-memory.dmp	dridex_payload
behavioral2/memory/3468-30-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/3468-49-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/3468-38-0x0000000140000000-0x00000001400C8000-memory.dmp	dridex_payload
behavioral2/memory/952-52-0x00007FFC653D0000-0x00007FFC65498000-memory.dmp	dridex_payload
behavioral2/memory/3368-59-0x00007FFC556A0000-0x00007FFC5576F000-memory.dmp	dridex_payload
behavioral2/memory/3368-64-0x00007FFC556A0000-0x00007FFC5576F000-memory.dmp	dridex_payload
behavioral2/memory/3920-75-0x00007FFC556A0000-0x00007FFC55769000-memory.dmp	dridex_payload
behavioral2/memory/3920-80-0x00007FFC556A0000-0x00007FFC55769000-memory.dmp	dridex_payload
behavioral2/memory/2284-91-0x00007FFC55660000-0x00007FFC5576E000-memory.dmp	dridex_payload
behavioral2/memory/2284-95-0x00007FFC55660000-0x00007FFC5576E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3368	eudcedit.exe
3920	msra.exe
2284	CameraSettingsUIHost.exe

Loads dropped DLL 3 IoCs

pid	Process
3368	eudcedit.exe
3920	msra.exe
2284	CameraSettingsUIHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jdvukccvumb = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\in\\msra.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msra.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
952	rundll32.exe
952	rundll32.exe
952	rundll32.exe
952	rundll32.exe
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3468	Process not Found
3468	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 4076	3468	Process not Found	93
PID 3468 wrote to memory of 4076	3468	Process not Found	93
PID 3468 wrote to memory of 3368	3468	Process not Found	94
PID 3468 wrote to memory of 3368	3468	Process not Found	94
PID 3468 wrote to memory of 4892	3468	Process not Found	96
PID 3468 wrote to memory of 4892	3468	Process not Found	96
PID 3468 wrote to memory of 3920	3468	Process not Found	97
PID 3468 wrote to memory of 3920	3468	Process not Found	97
PID 3468 wrote to memory of 5108	3468	Process not Found	98
PID 3468 wrote to memory of 5108	3468	Process not Found	98
PID 3468 wrote to memory of 2284	3468	Process not Found	99
PID 3468 wrote to memory of 2284	3468	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\db9c18d05fd830f2f9e7cc0b5011f44a80277b3e298cee715587e8607542b49c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:4076

C:\Users\Admin\AppData\Local\tn5hoAx9\eudcedit.exe
C:\Users\Admin\AppData\Local\tn5hoAx9\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3368

C:\Windows\system32\msra.exe
C:\Windows\system32\msra.exe
1⤵
PID:4892

C:\Users\Admin\AppData\Local\IrXwPnBLy\msra.exe
C:\Users\Admin\AppData\Local\IrXwPnBLy\msra.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3920

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:5108

C:\Users\Admin\AppData\Local\KkonnwMWp\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\KkonnwMWp\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IrXwPnBLy\UxTheme.dll

Filesize
804KB

MD5
e4cf72607890fd63a9930a95813340ef

SHA1
5a2808e2162f22a4b2d3cf674cd4247bbd85886f

SHA256
8dadd487ae3774ea5b37601106862a04364e80e19fe114e6209d176c6425af96

SHA512
2965b149d94477cc8a92ddaa54ddca9b3be18810540e21a829701df26e849bd48c2b7693370e135a190726cfa3ce3ac09c4c2725e60818084d32546eaaf04025

Download Submit
C:\Users\Admin\AppData\Local\IrXwPnBLy\msra.exe

Filesize
579KB

MD5
dcda3b7b8eb0bfbccb54b4d6a6844ad6

SHA1
316a2925e451f739f45e31bc233a95f91bf775fa

SHA256
011e1decd6683afe5f1e397fe9697f2cf592ae21766a7629e234682f721658ae

SHA512
18e8c99f8b86375627aba0d2b10cf4db24ee5ac61a3d6a73d382a83ec63217c7e455570d4fa7dcdbb188dcc73988689661f8cab2337ae8c615fa6bc9a08f71f5

Download Submit
C:\Users\Admin\AppData\Local\KkonnwMWp\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\KkonnwMWp\DUI70.dll

Filesize
1.1MB

MD5
3660cbd919b5a43136d16548b63d26eb

SHA1
eccb205871d994919a1c493d5dab494ee2cc56e9

SHA256
b224631b0420fe65eeecfbd161189a4de6f2d6dcf9be3470c2c80332363f25bf

SHA512
5c0a2053081f6f629d202be2a884dbb8fe122198f8efa0e14d021a7ee529c432ce500d962d1a244b3464369f260ccde7c010f8e37ba4e769d6f806de4cff5e80

Download Submit
C:\Users\Admin\AppData\Local\tn5hoAx9\MFC42u.dll

Filesize
828KB

MD5
61f2ba6f90d30971d6b4fe4013576390

SHA1
90a6ca593c47b84d31025a38dc48eb744132082e

SHA256
b23574e0f5b911b4dee61f2f74d2416078f13597948433ddc807350c49c1bada

SHA512
94b8af5b39ad63e24200d251bc342ae8cb0680d42a652ea5372b6bf4da5cb241693c5d00bb4ba91352323ae024dbf5342cff89d7ccbfdb97132510fd71a79da5

Download Submit
C:\Users\Admin\AppData\Local\tn5hoAx9\eudcedit.exe

Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Igacdkfje.lnk

Filesize
1KB

MD5
e1ddb307a33f98d3c896bb8ccf3172b7

SHA1
1572cc73653cb550e2d7aba6e5eee4ae5d13e63a

SHA256
f5f296a522cc6d9bd8c2c58c7953fcf9c8f0644c6b410d484e2338a0124cc73b

SHA512
61c45f00b00a85c2b777cca8f76538cac2ebb973087a970e3a51bb3ba89c0c3b447c5c8fa209427ed02309bbf4269f309eea9433458f780520a1a76a22453ceb

Download Submit
memory/952-1-0x00007FFC653D0000-0x00007FFC65498000-memory.dmp

Filesize
800KB

Download
memory/952-2-0x000001F814370000-0x000001F814377000-memory.dmp

Filesize
28KB

Download
memory/952-52-0x00007FFC653D0000-0x00007FFC65498000-memory.dmp

Filesize
800KB

Download
memory/2284-95-0x00007FFC55660000-0x00007FFC5576E000-memory.dmp

Filesize
1.1MB

Download
memory/2284-91-0x00007FFC55660000-0x00007FFC5576E000-memory.dmp

Filesize
1.1MB

Download
memory/3368-61-0x000001EE336A0000-0x000001EE336A7000-memory.dmp

Filesize
28KB

Download
memory/3368-59-0x00007FFC556A0000-0x00007FFC5576F000-memory.dmp

Filesize
828KB

Download
memory/3368-64-0x00007FFC556A0000-0x00007FFC5576F000-memory.dmp

Filesize
828KB

Download
memory/3468-29-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-18-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-23-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-21-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-20-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-19-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-17-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-16-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-15-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-14-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-13-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-12-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-11-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-10-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-9-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-8-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-7-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-24-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-6-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-25-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-26-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-27-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-38-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-39-0x00007FFC739E0000-0x00007FFC739F0000-memory.dmp

Filesize
64KB

Download
memory/3468-49-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-40-0x00007FFC739D0000-0x00007FFC739E0000-memory.dmp

Filesize
64KB

Download
memory/3468-37-0x0000000002A00000-0x0000000002A07000-memory.dmp

Filesize
28KB

Download
memory/3468-5-0x00007FFC737EA000-0x00007FFC737EB000-memory.dmp

Filesize
4KB

Download
memory/3468-3-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/3468-22-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-30-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3468-28-0x0000000140000000-0x00000001400C8000-memory.dmp

Filesize
800KB

Download
memory/3920-80-0x00007FFC556A0000-0x00007FFC55769000-memory.dmp

Filesize
804KB

Download
memory/3920-77-0x000001F9E8C80000-0x000001F9E8C87000-memory.dmp

Filesize
28KB

Download
memory/3920-75-0x00007FFC556A0000-0x00007FFC55769000-memory.dmp

Filesize
804KB

Download