dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
149s
max time network
144s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral13/memory/3392-7-0x0000000000CE0000-0x0000000000CE1000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

WMPDMC.exeFXSCOVER.exedialer.exe

pid process

2620 WMPDMC.exe
3488 FXSCOVER.exe
5088 dialer.exe
Loads dropped DLL 3 IoCs

Processes:

WMPDMC.exeFXSCOVER.exedialer.exe

pid process

2620 WMPDMC.exe
3488 FXSCOVER.exe
5088 dialer.exe

pid	process
2620	WMPDMC.exe
3488	FXSCOVER.exe
5088	dialer.exe

pid	process
2620	WMPDMC.exe
3488	FXSCOVER.exe
5088	dialer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rkdrqy = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\FbZX4c3N\\FXSCOVER.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeWMPDMC.exeFXSCOVER.exedialer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FXSCOVER.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2464	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392
3392

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3392 wrote to memory of 196	3392	WMPDMC.exe
PID 3392 wrote to memory of 196	3392	WMPDMC.exe
PID 3392 wrote to memory of 2620	3392	WMPDMC.exe
PID 3392 wrote to memory of 2620	3392	WMPDMC.exe
PID 3392 wrote to memory of 4084	3392	FXSCOVER.exe
PID 3392 wrote to memory of 4084	3392	FXSCOVER.exe
PID 3392 wrote to memory of 3488	3392	FXSCOVER.exe
PID 3392 wrote to memory of 3488	3392	FXSCOVER.exe
PID 3392 wrote to memory of 1468	3392	dialer.exe
PID 3392 wrote to memory of 1468	3392	dialer.exe
PID 3392 wrote to memory of 5088	3392	dialer.exe
PID 3392 wrote to memory of 5088	3392	dialer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:196

C:\Users\Admin\AppData\Local\2CnLaz\WMPDMC.exe
C:\Users\Admin\AppData\Local\2CnLaz\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2620

C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
1⤵
PID:4084

C:\Users\Admin\AppData\Local\BvRNb\FXSCOVER.exe
C:\Users\Admin\AppData\Local\BvRNb\FXSCOVER.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3488

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
1⤵
PID:1468

C:\Users\Admin\AppData\Local\j5DC\dialer.exe
C:\Users\Admin\AppData\Local\j5DC\dialer.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2CnLaz\UxTheme.dll

Filesize
1.2MB

MD5
12be28c65ee592bdfa3a1f7b5777cf13

SHA1
9d1074200aa6c4d149efd35fbc16f94509a2c9e0

SHA256
2d22fe076b1feedb7caab017492e93014cb07fd04ca56b3151a6378580959fee

SHA512
ed598602ed71334e01f41f7d0b4665243606e2761df7d336e3858033c39a112ee0b81eb318e258a53630afe80095812f0d7e5d843922772d149adae804468fde

Download Submit
C:\Users\Admin\AppData\Local\2CnLaz\WMPDMC.exe

Filesize
1.4MB

MD5
0632f00532261c963595b8cbb5e8ebe6

SHA1
545792bc47d20f561770406b37c0e999a1d84fe1

SHA256
2d1e7220672aba2d404b6ae2e2f44b80d2fbc1ff73a4fb27b3a3b11f1b06dfbb

SHA512
6a8df7d6057d8da7fb28ad0a573f39cc990c21e138c28150661fdb74f6fd9778b3abb16bfc4d20489ce168fec7503c84397fdf6c2f1b88f8ca9c2d193fdca472

Download Submit
C:\Users\Admin\AppData\Local\BvRNb\FXSCOVER.exe

Filesize
232KB

MD5
fd8a15f70619a553acd265264c3e435d

SHA1
394f6a1db57b502eb5196d9276d1c00afc791663

SHA256
b9eec80e92a71b7405db190ac0d1fc177ba3d1f97411c43328a340d30a9d71a4

SHA512
af30027401e97a69aa57847c00c73ccafd4113e58349efd9addf5e7c3a5809f5ff35430d181844c5acd0abba947ff9acb450ff3e0383ef7c187bd9b7808a8799

Download Submit
C:\Users\Admin\AppData\Local\BvRNb\MFC42u.dll

Filesize
1.3MB

MD5
167108bed79f586ec3440d343f3ebef1

SHA1
302f3613f6b0ffd7ee065fabd21e6b03bbf0a95a

SHA256
8c149f9bc1f35620013c24d9ddd2167b5957d651e13d92509e3a7d3f5cb10cc1

SHA512
45c638488fe86aa33fb7d3744604e28bbf93cd37406cd7628b9dedbebcc67d6ab4d47db212eb9d80e3cba801ae21dd4ef9a1855237abed14747bc643929e54a4

Download Submit
C:\Users\Admin\AppData\Local\j5DC\TAPI32.dll

Filesize
1.2MB

MD5
4f648eae76417101db64aa65be59c281

SHA1
896de17e676cd16da7a7e316a26c6e68f0b90fde

SHA256
b3a35fe3dfa59ea5c98cfd22a43dbcd15300eebb264ce7649bb0e436e88e8132

SHA512
6767067d616769ee113f963a65e0e25afa5104e0b6ac48d2c2858f85626744bada4fab6dfdc3c8737fb8712fc0a4177641c0cfe467717022c3d8685e1b386d3c

Download Submit
C:\Users\Admin\AppData\Local\j5DC\dialer.exe

Filesize
36KB

MD5
e75f0a3bfcdb235c0c18d4774cdc93ef

SHA1
61051b9c38ec222dd35c3ceea706397e87d0f45a

SHA256
d4daee1f259b1071d380556ea220eec06fdfc7ad3acd18cc0509813f48e869ce

SHA512
4a7dd330e37483ecbfca9020fb7be08ee1f9e16d325358db57334aa78caff6be2e8fdbd538cc44da036f08755e269abaefa72f7cafb8ade4b1e44f36ea79d964

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ymwaoi.lnk

Filesize
1KB

MD5
5010e1571244631d75fbbc9b68c1d576

SHA1
69213767fdf20c77be700d4f8c8c186b979ce004

SHA256
2fc82465709151b99e9c3215dba44d15963b39f0652c8c544dc67a7ed9b3f71e

SHA512
cfab809402bd34a06bf4b9b99b0dfba5fb23a765a908b63f7d06ce8631c6e1bc20b85cb1787b2187f96b8a9be1b84faa4dc07c51f8399c9090d206c11a2266e0

Download Submit
memory/2464-37-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2464-0-0x0000023E83440000-0x0000023E83447000-memory.dmp

Filesize
28KB

Download
memory/2464-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2620-62-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2620-54-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2620-53-0x0000026BCEE30000-0x0000026BCEE37000-memory.dmp

Filesize
28KB

Download
memory/3392-35-0x00007FFAB03F5000-0x00007FFAB03F6000-memory.dmp

Filesize
4KB

Download
memory/3392-36-0x00007FFAB0540000-0x00007FFAB0542000-memory.dmp

Filesize
8KB

Download
memory/3392-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-45-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-17-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-18-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-31-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-32-0x00000000009C0000-0x00000000009C7000-memory.dmp

Filesize
28KB

Download
memory/3392-19-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3392-9-0x00007FFAADE63000-0x00007FFAADE64000-memory.dmp

Filesize
4KB

Download
memory/3392-7-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3392-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/3488-81-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3488-73-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/5088-92-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/5088-100-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download