dridex | 95e951126f8b7bbc7efe78abad5a9d6db1a53675843cb48847377b8cbfbdc67f

Analysis

max time kernel
119s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c3a8e39caaba9e165b6efabcc252390N.dll
Size

1.2MB
MD5

7c3a8e39caaba9e165b6efabcc252390
SHA1

60d37686a60274736af35b4c2b925d02fe78b551
SHA256

95e951126f8b7bbc7efe78abad5a9d6db1a53675843cb48847377b8cbfbdc67f
SHA512

e08a4c05041bbc83772e31d472547ee0ddb0c246e9eaa271952d40410cc8a573b920e7d1375d6708598a3b7ca9846b152466d4451bc16a3555ea36c84679f66d
SSDEEP

12288:mZgJtlQepQn+NDo7nIgegQCLDF/B9wvj/cLvVZFuw:mZK6F7nVeRmDFJivohZFV

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3396-4-0x00000000028C0000-0x00000000028C1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 4 IoCs

pid	Process
3084	RdpSaUacHelper.exe
4004	BitLockerWizardElev.exe
628	Narrator.exe
1384	isoburn.exe

Loads dropped DLL 3 IoCs

pid	Process
3084	RdpSaUacHelper.exe
4004	BitLockerWizardElev.exe
1384	isoburn.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ygssokoticw = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-786284298-625481688-3210388970-1000\\kCUpsBgmOd\\BitLockerWizardElev.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSaUacHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizardElev.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	isoburn.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	rundll32.exe
4572	rundll32.exe
4572	rundll32.exe
4572	rundll32.exe
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3084	RdpSaUacHelper.exe
3084	RdpSaUacHelper.exe
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found
3396	Process not Found

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3328	3396	Process not Found	89
PID 3396 wrote to memory of 3328	3396	Process not Found	89
PID 3396 wrote to memory of 3084	3396	Process not Found	90
PID 3396 wrote to memory of 3084	3396	Process not Found	90
PID 3396 wrote to memory of 4332	3396	Process not Found	93
PID 3396 wrote to memory of 4332	3396	Process not Found	93
PID 3396 wrote to memory of 4004	3396	Process not Found	94
PID 3396 wrote to memory of 4004	3396	Process not Found	94
PID 3396 wrote to memory of 3884	3396	Process not Found	97
PID 3396 wrote to memory of 3884	3396	Process not Found	97
PID 3396 wrote to memory of 2840	3396	Process not Found	99
PID 3396 wrote to memory of 2840	3396	Process not Found	99
PID 3396 wrote to memory of 1384	3396	Process not Found	100
PID 3396 wrote to memory of 1384	3396	Process not Found	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c3a8e39caaba9e165b6efabcc252390N.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:3328

C:\Users\Admin\AppData\Local\mdJd59I\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\mdJd59I\RdpSaUacHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
1⤵
PID:4332

C:\Users\Admin\AppData\Local\tMhWoe1\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\tMhWoe1\BitLockerWizardElev.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4004

C:\Windows\system32\Narrator.exe
C:\Windows\system32\Narrator.exe
1⤵
PID:3884

C:\Users\Admin\AppData\Local\wy65KMgIG\Narrator.exe
C:\Users\Admin\AppData\Local\wy65KMgIG\Narrator.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
1⤵
PID:2840

C:\Users\Admin\AppData\Local\Cgty\isoburn.exe
C:\Users\Admin\AppData\Local\Cgty\isoburn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Cgty\UxTheme.dll

Filesize
1.2MB

MD5
bcbb47c3a5756a55068e46b3e4de40e6

SHA1
29f4db8d3a3e11356b51584e44d8595a5a65d56a

SHA256
19c5fa8dd870daebf4e7ecf880ce4049311319178363c06018b57877f4714a60

SHA512
a0759231719da1684d0d211f71259b32924863dba99fcae524640020b5376f2d895451c71937ef715e4165dd605f1762c90450477b1f070edeb514661c910bf4

Download Submit
C:\Users\Admin\AppData\Local\Cgty\isoburn.exe

Filesize
119KB

MD5
68078583d028a4873399ae7f25f64bad

SHA1
a3c928fe57856a10aed7fee17670627fe663e6fe

SHA256
9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567

SHA512
25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

Download Submit
C:\Users\Admin\AppData\Local\mdJd59I\RdpSaUacHelper.exe

Filesize
33KB

MD5
0d5b016ac7e7b6257c069e8bb40845de

SHA1
5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

SHA256
6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

SHA512
cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Download Submit
C:\Users\Admin\AppData\Local\mdJd59I\WINSTA.dll

Filesize
1.2MB

MD5
8a1a6754b14f6bf6225475b5557da175

SHA1
3c035daba56b47185d05810a2ac949d0fa40e29d

SHA256
3b305d2979924e4fd7967eb57555b6edeee9f9d77f5133a9591077e75b0c4625

SHA512
451221adf1f008e18f6c9e1b9c580ecb7d799ba075575b30ccdb9d48209da2f15a8be7c7d692389f9ade464d03855f456733fa4bd324ed82002944be4dbbf004

Download Submit
C:\Users\Admin\AppData\Local\tMhWoe1\BitLockerWizardElev.exe

Filesize
100KB

MD5
8ac5a3a20cf18ae2308c64fd707eeb81

SHA1
31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544

SHA256
803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5

SHA512
85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

Download Submit
C:\Users\Admin\AppData\Local\tMhWoe1\FVEWIZ.dll

Filesize
1.2MB

MD5
c463e4d1c5d11e536ac30d4792cc3250

SHA1
372bae4b0300d87c7c458153d10e25eecf1054db

SHA256
bc07e0f29727a03d80e937c4dafdb8b95cb0c432b5f4166b729a0e7f67462ff7

SHA512
04be2143af7e23bf5d6ad5ffbc2ede1113dfac0513b333e4aa1b32813130e562f36881a0531d5eaf14622d5a3875513fcdd9d4d63016c8da62ee7d215588244c

Download Submit
C:\Users\Admin\AppData\Local\wy65KMgIG\Narrator.exe

Filesize
521KB

MD5
d92defaa4d346278480d2780325d8d18

SHA1
6494d55b2e5064ffe8add579edfcd13c3e69fffe

SHA256
69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83

SHA512
b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nszgn.lnk

Filesize
1KB

MD5
b402595f32d0e6ac651b5fd32642975c

SHA1
3a7faaba216e36e3b83c12a7db378791b9d7c38d

SHA256
25f03c9ea666c763829655bdd615172d2d6c5bdcc7fabef36bb4292592b4aefd

SHA512
39b71f88828d630525db09fe342c03886365b035d07c34dd17076c96ad65a581720fb2fa0ff421351b18a3ca679abda46c7298b5ceaf9febcb6f9a7bd4fe5d5a

Download Submit
memory/1384-106-0x000001CECF080000-0x000001CECF087000-memory.dmp

Filesize
28KB

Download
memory/1384-109-0x00007FFABC340000-0x00007FFABC47F000-memory.dmp

Filesize
1.2MB

Download
memory/3084-61-0x00007FFABC340000-0x00007FFABC480000-memory.dmp

Filesize
1.2MB

Download
memory/3084-64-0x00000182F5F30000-0x00000182F5F37000-memory.dmp

Filesize
28KB

Download
memory/3084-67-0x00007FFABC340000-0x00007FFABC480000-memory.dmp

Filesize
1.2MB

Download
memory/3396-20-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-14-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-31-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-30-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-29-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-28-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-27-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-26-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-25-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-24-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-23-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-22-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-21-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-6-0x00007FFACABFA000-0x00007FFACABFB000-memory.dmp

Filesize
4KB

Download
memory/3396-19-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-18-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-17-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-4-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/3396-15-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-33-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-13-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-11-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-10-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-48-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-9-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-8-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-32-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-51-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-55-0x0000000000EA0000-0x0000000000EA7000-memory.dmp

Filesize
28KB

Download
memory/3396-56-0x00007FFACB160000-0x00007FFACB170000-memory.dmp

Filesize
64KB

Download
memory/3396-7-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-12-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/3396-39-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/4004-84-0x00007FFABC340000-0x00007FFABC47F000-memory.dmp

Filesize
1.2MB

Download
memory/4004-79-0x00007FFABC340000-0x00007FFABC47F000-memory.dmp

Filesize
1.2MB

Download
memory/4004-78-0x00000266B6EB0000-0x00000266B6EB7000-memory.dmp

Filesize
28KB

Download
memory/4572-16-0x00007FFABC340000-0x00007FFABC47E000-memory.dmp

Filesize
1.2MB

Download
memory/4572-0-0x00007FFABC340000-0x00007FFABC47E000-memory.dmp

Filesize
1.2MB

Download
memory/4572-3-0x0000025A93090000-0x0000025A93097000-memory.dmp

Filesize
28KB

Download