dridex | c3a616358453e48019c7270c1c24c4788acbdbbd17eb1e8882da6670df99b096

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3a616358453e48019c7270c1c24c4788acbdbbd17eb1e8882da6670df99b096.dll
Size

796KB
MD5

7c7ea66ba01a57d19668adafa7292f47
SHA1

987fc00ec5d2ec61ecf03b0181f6da93f74a6ab3
SHA256

c3a616358453e48019c7270c1c24c4788acbdbbd17eb1e8882da6670df99b096
SHA512

68e36af98094c40bf065d80594f1b70b225c42063af6e56532341f0ed0e45c7ef78166b3730c98765880d86b1b704094409aaed05845d7907b21a4d5864a2d00
SSDEEP

12288:yBim9Tnts08FbKuPcA8NAc1l/XkGaZKoRQIpRX2/0Ak2ng/Zi66wNdufAdN:e/nts0Q9K/0ooRQIxAk2wi0N/

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3404-3-0x0000000002F80000-0x0000000002F81000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4596-0-0x00007FFF4A680000-0x00007FFF4A747000-memory.dmp	dridex_payload
behavioral2/memory/3404-28-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral2/memory/3404-48-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral2/memory/3404-37-0x0000000140000000-0x00000001400C7000-memory.dmp	dridex_payload
behavioral2/memory/4596-51-0x00007FFF4A680000-0x00007FFF4A747000-memory.dmp	dridex_payload
behavioral2/memory/1296-58-0x00007FFF3A730000-0x00007FFF3A7F8000-memory.dmp	dridex_payload
behavioral2/memory/1296-63-0x00007FFF3A730000-0x00007FFF3A7F8000-memory.dmp	dridex_payload
behavioral2/memory/2484-74-0x00007FFF3A920000-0x00007FFF3A9E8000-memory.dmp	dridex_payload
behavioral2/memory/2484-79-0x00007FFF3A920000-0x00007FFF3A9E8000-memory.dmp	dridex_payload
behavioral2/memory/404-94-0x00007FFF3A920000-0x00007FFF3A9E8000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1296	osk.exe
2484	EhStorAuthn.exe
404	quickassist.exe

Loads dropped DLL 3 IoCs

pid	Process
1296	osk.exe
2484	EhStorAuthn.exe
404	quickassist.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Punckpak = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\WsEmKrnsM\\EhStorAuthn.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	quickassist.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4596	rundll32.exe
4596	rundll32.exe
4596	rundll32.exe
4596	rundll32.exe
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found
3404	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3404	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4812	3404	Process not Found	94
PID 3404 wrote to memory of 4812	3404	Process not Found	94
PID 3404 wrote to memory of 1296	3404	Process not Found	95
PID 3404 wrote to memory of 1296	3404	Process not Found	95
PID 3404 wrote to memory of 1468	3404	Process not Found	96
PID 3404 wrote to memory of 1468	3404	Process not Found	96
PID 3404 wrote to memory of 2484	3404	Process not Found	97
PID 3404 wrote to memory of 2484	3404	Process not Found	97
PID 3404 wrote to memory of 1724	3404	Process not Found	98
PID 3404 wrote to memory of 1724	3404	Process not Found	98
PID 3404 wrote to memory of 404	3404	Process not Found	99
PID 3404 wrote to memory of 404	3404	Process not Found	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c3a616358453e48019c7270c1c24c4788acbdbbd17eb1e8882da6670df99b096.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4596

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:4812

C:\Users\Admin\AppData\Local\JoeXZmXaz\osk.exe
C:\Users\Admin\AppData\Local\JoeXZmXaz\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1296

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:1468

C:\Users\Admin\AppData\Local\X1C\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\X1C\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2484

C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
1⤵
PID:1724

C:\Users\Admin\AppData\Local\JlvEjn\quickassist.exe
C:\Users\Admin\AppData\Local\JlvEjn\quickassist.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JlvEjn\UxTheme.dll

Filesize
800KB

MD5
5ad824ab5aed9decf6ec63db6b0aafca

SHA1
8646738830b1c16baeee4050b7bcad6dc1cf64df

SHA256
53f96609ef57034b04b8d10c1517f85c617ebf4ba85858650b2a870d6eff7758

SHA512
288014b34eb247c01d74d5239390c53b940f206ec5a557850c267630ed60b5ec39ac14fa056249a16ab53d5ba362e6fa44d99c1c9a455727dd7750cd0dddaf76

Download Submit
C:\Users\Admin\AppData\Local\JlvEjn\quickassist.exe

Filesize
665KB

MD5
d1216f9b9a64fd943539cc2b0ddfa439

SHA1
6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c

SHA256
c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

SHA512
c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

Download Submit
C:\Users\Admin\AppData\Local\JoeXZmXaz\WMsgAPI.dll

Filesize
800KB

MD5
8bdf244691e608f6aa7746da9d76b8e3

SHA1
287f3d5d818ece015daccad033140b9a58672a74

SHA256
63fb4dd1c59dd09a29e4878d1fa9e7e18e40dfba1b05a8fc789c83c93333b7a2

SHA512
d36d90f2e2d47d47f13465574f19caa436484f5a46a2c8ad74ab3f57c30d665a5201e9d53ea7222e192d5c20ab349a38038809294c3a70544f16692adf2595ab

Download Submit
C:\Users\Admin\AppData\Local\JoeXZmXaz\osk.exe

Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Local\X1C\EhStorAuthn.exe

Filesize
128KB

MD5
d45618e58303edb4268a6cca5ec99ecc

SHA1
1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513

SHA256
d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c

SHA512
5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

Download Submit
C:\Users\Admin\AppData\Local\X1C\UxTheme.dll

Filesize
800KB

MD5
9cd0f5e5b9a8f18854b4a538c53d7ad7

SHA1
9d112c5af64a9ae36b93242682f068d6107ae3b7

SHA256
43fd94368a660534871285e8b0a5a573984ed28ad61f93d86418e0f89f138f79

SHA512
2e4bd2a55a80290b6f6178d2d4b142e44e44f7c8475e8872adc4cd8dbc977cec63f8caeeab866932e58ac52505a10588d2ab0a50197aae95d085c35b5c0fadb3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Reuom.lnk

Filesize
1KB

MD5
b9f731fb04d6eb2da25f81fd6b57b5db

SHA1
62913b8f30e1179bf1c4ffe8690371027c2beff5

SHA256
4c995c960b9bdcd73be75a88ba63d04576be450f254096825d0b49a9c269f9e5

SHA512
5635f99ef9db36ca16174ed7c2e4b5a99aa4a039f2a80aa3cbb701783e097671d08c424a26148618816ae797ad8697b971530361ae320a65a7e25cfeef00740a

Download Submit
memory/404-94-0x00007FFF3A920000-0x00007FFF3A9E8000-memory.dmp

Filesize
800KB

Download
memory/1296-63-0x00007FFF3A730000-0x00007FFF3A7F8000-memory.dmp

Filesize
800KB

Download
memory/1296-60-0x00000239F5D10000-0x00000239F5D17000-memory.dmp

Filesize
28KB

Download
memory/1296-58-0x00007FFF3A730000-0x00007FFF3A7F8000-memory.dmp

Filesize
800KB

Download
memory/2484-79-0x00007FFF3A920000-0x00007FFF3A9E8000-memory.dmp

Filesize
800KB

Download
memory/2484-74-0x00007FFF3A920000-0x00007FFF3A9E8000-memory.dmp

Filesize
800KB

Download
memory/2484-76-0x00000218F6290000-0x00000218F6297000-memory.dmp

Filesize
28KB

Download
memory/3404-27-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-6-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-21-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-20-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-19-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-18-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-17-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-16-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-15-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-14-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-13-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-12-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-11-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-10-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-9-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-8-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-7-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-22-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-5-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-3-0x0000000002F80000-0x0000000002F81000-memory.dmp

Filesize
4KB

Download
memory/3404-24-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-25-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-23-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-37-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-48-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-38-0x00007FFF59200000-0x00007FFF59210000-memory.dmp

Filesize
64KB

Download
memory/3404-39-0x00007FFF591F0000-0x00007FFF59200000-memory.dmp

Filesize
64KB

Download
memory/3404-35-0x00007FFF5751A000-0x00007FFF5751B000-memory.dmp

Filesize
4KB

Download
memory/3404-36-0x00000000014C0000-0x00000000014C7000-memory.dmp

Filesize
28KB

Download
memory/3404-28-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/3404-26-0x0000000140000000-0x00000001400C7000-memory.dmp

Filesize
796KB

Download
memory/4596-0-0x00007FFF4A680000-0x00007FFF4A747000-memory.dmp

Filesize
796KB

Download
memory/4596-51-0x00007FFF4A680000-0x00007FFF4A747000-memory.dmp

Filesize
796KB

Download
memory/4596-2-0x00000246E73D0000-0x00000246E73D7000-memory.dmp

Filesize
28KB

Download