dridex | f9be8ead8c0c0eea86e3b21724ca839e0d04bf09396be2d03785fbae593f771d

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9be8ead8c0c0eea86e3b21724ca839e0d04bf09396be2d03785fbae593f771d.dll
Size

1.3MB
MD5

81b54c092f50db01c43d91d689878cb6
SHA1

73994ee609cbf2d69e6aa97f01f0ee415182e622
SHA256

f9be8ead8c0c0eea86e3b21724ca839e0d04bf09396be2d03785fbae593f771d
SHA512

7b690f470d6ac288463649c040edd462b658e4c0e7de3c6e23bf97196389a1effabd01558fad3afbb23a8060d0302952ad5e7e34eda5e1ed229eee2d19319808
SSDEEP

12288:sZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:sZK6F7nVeRmDFJivohZFV

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/2900-4-0x0000000007770000-0x0000000007771000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

pid	Process
1352	rdpshell.exe
5116	Utilman.exe
1864	msinfo32.exe

Loads dropped DLL 3 IoCs

pid	Process
1352	rdpshell.exe
5116	Utilman.exe
1864	msinfo32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ghghuf = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\SMARTA~1\\1033\\UFWAYY~1\\Utilman.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4160	rundll32.exe
4160	rundll32.exe
4160	rundll32.exe
4160	rundll32.exe
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
1352	rdpshell.exe
1352	rdpshell.exe
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found
2900	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2900	Process not Found
Token: SeCreatePagefilePrivilege	2900	Process not Found
Token: SeShutdownPrivilege	2900	Process not Found
Token: SeCreatePagefilePrivilege	2900	Process not Found
Token: SeShutdownPrivilege	2900	Process not Found
Token: SeCreatePagefilePrivilege	2900	Process not Found
Token: SeShutdownPrivilege	2900	Process not Found
Token: SeCreatePagefilePrivilege	2900	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2900	Process not Found
2900	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2260	2900	Process not Found	88
PID 2900 wrote to memory of 2260	2900	Process not Found	88
PID 2900 wrote to memory of 1352	2900	Process not Found	89
PID 2900 wrote to memory of 1352	2900	Process not Found	89
PID 2900 wrote to memory of 4844	2900	Process not Found	90
PID 2900 wrote to memory of 4844	2900	Process not Found	90
PID 2900 wrote to memory of 5116	2900	Process not Found	93
PID 2900 wrote to memory of 5116	2900	Process not Found	93
PID 2900 wrote to memory of 4480	2900	Process not Found	97
PID 2900 wrote to memory of 4480	2900	Process not Found	97
PID 2900 wrote to memory of 1864	2900	Process not Found	98
PID 2900 wrote to memory of 1864	2900	Process not Found	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f9be8ead8c0c0eea86e3b21724ca839e0d04bf09396be2d03785fbae593f771d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4160

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2260

C:\Users\Admin\AppData\Local\mE2HR\rdpshell.exe
C:\Users\Admin\AppData\Local\mE2HR\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:4844

C:\Users\Admin\AppData\Local\RsVf6Rl\Utilman.exe
C:\Users\Admin\AppData\Local\RsVf6Rl\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5116

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:4480

C:\Users\Admin\AppData\Local\OdjBO65\msinfo32.exe
C:\Users\Admin\AppData\Local\OdjBO65\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\OdjBO65\MFC42u.dll

Filesize
1.3MB

MD5
36c6b62d08d122c782dfc4031ca3c080

SHA1
bd445ff69fbf9b86900256a17de14c8afec8a344

SHA256
0e2a1905d0c11236ad88591f8f7562a847595f5ebf90e7639d74bb82fb3761f8

SHA512
ad62c66f2d1052fb4b530163cb17c5e3fc1626eed84e3b0a7d91474ce7d6244e6ba1b1b816364fa25d182838d59d00c0df037e26f6a8ac0cdbcc586ad32f1ae8

Download Submit
C:\Users\Admin\AppData\Local\OdjBO65\msinfo32.exe

Filesize
376KB

MD5
0aed91da63713bf9f881b03a604a1c9d

SHA1
b1b2d292cb1a4c13dc243b5eab13afb316a28b9a

SHA256
5cf1604d2473661266e08fc0e4e144ea98f99b7584c43585eb2b01551130fd14

SHA512
04bca9b321d702122b6e72c2ad15b7cd98924e5dfc3b8dd0e907ea28fd7826d3f72b98c67242b6698594df648d3c2b6b0952bb52a2363b687bbe44a66e830c03

Download Submit
C:\Users\Admin\AppData\Local\RsVf6Rl\OLEACC.dll

Filesize
1.3MB

MD5
382e0097e13bcfc6fb5b2b4e89555809

SHA1
032f6125d321c6cb608000b2e5e28f3ba2a5bb89

SHA256
e15ce1bf8c5c191f0814515e659bca1b993c124999f6dc73afd5ec39d668437d

SHA512
4feb248e0d8926f80ac58ace106dfe3c5ac0292ae6d7fdee1c371faafb9087d536ea6aaef0e1a940e4d7a1884ce16a637e65afc6c970c0cce0d1c57a73eafe35

Download Submit
C:\Users\Admin\AppData\Local\RsVf6Rl\Utilman.exe

Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Local\mE2HR\dwmapi.dll

Filesize
1.3MB

MD5
68351643adb3a8e95a877050f391756b

SHA1
56fc2384030a3a7c124749d5cd6e4bad42f66fca

SHA256
758e389349124b47afa2984aafcc0f47ffb0d5fb3e592ceee1b2592523410942

SHA512
c59bb549cbb94b4edeab558098ca4b36fcaa39e690cd6c425dfc62ca22627b4f4e8c6f7ef0aaec8918b9b4d96a23fb2d8ded5ad531a4d464c2777cb7fb6c8b20

Download Submit
C:\Users\Admin\AppData\Local\mE2HR\rdpshell.exe

Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cbdmaotw.lnk

Filesize
1KB

MD5
02d89bc1a841ff614ba52aeb3c6fe92c

SHA1
902ad6d66de68cf89dad014ab7267bb20461e169

SHA256
6bff3100b1e7429b5b6f1bee747ce113a06c7a2b0d0c638f9266eb82a71e21ff

SHA512
03caf4ccfb73ee836efac77c9087c6d517a1b4b75b80b81bcb6d6a7233d62b21f1f503f00d451bbc4c3bf411969c12db7fc908f292d68ef62a856ad1798024be

Download Submit
memory/1352-61-0x0000021967490000-0x0000021967497000-memory.dmp

Filesize
28KB

Download
memory/1352-58-0x00007FF91C9C0000-0x00007FF91CB10000-memory.dmp

Filesize
1.3MB

Download
memory/1352-64-0x00007FF91C9C0000-0x00007FF91CB10000-memory.dmp

Filesize
1.3MB

Download
memory/1864-93-0x000002B6E3BB0000-0x000002B6E3BB7000-memory.dmp

Filesize
28KB

Download
memory/1864-92-0x00007FF91CEE0000-0x00007FF91D036000-memory.dmp

Filesize
1.3MB

Download
memory/1864-98-0x00007FF91CEE0000-0x00007FF91D036000-memory.dmp

Filesize
1.3MB

Download
memory/2900-16-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-9-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-29-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-28-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-26-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-25-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-24-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-22-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-21-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-19-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-17-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-4-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/2900-18-0x00007FF929C6A000-0x00007FF929C6B000-memory.dmp

Filesize
4KB

Download
memory/2900-15-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-13-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-12-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-11-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-6-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-7-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-23-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-20-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-14-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-10-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-8-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-36-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-45-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-47-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-27-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2900-53-0x0000000002B60000-0x0000000002B67000-memory.dmp

Filesize
28KB

Download
memory/2900-52-0x00007FF92B740000-0x00007FF92B750000-memory.dmp

Filesize
64KB

Download
memory/4160-33-0x00007FF91C9C0000-0x00007FF91CB0F000-memory.dmp

Filesize
1.3MB

Download
memory/4160-0-0x0000025CABCF0000-0x0000025CABCF7000-memory.dmp

Filesize
28KB

Download
memory/4160-1-0x00007FF91C9C0000-0x00007FF91CB0F000-memory.dmp

Filesize
1.3MB

Download
memory/5116-81-0x00007FF90C270000-0x00007FF90C3C0000-memory.dmp

Filesize
1.3MB

Download
memory/5116-75-0x00007FF90C270000-0x00007FF90C3C0000-memory.dmp

Filesize
1.3MB

Download
memory/5116-77-0x0000019CEF4D0000-0x0000019CEF4D7000-memory.dmp

Filesize
28KB

Download