dridex | 60b290310f67adb0ae186b4b938ca466a6b55653b2519261fa425127f5500a1f

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stealers/Dridex.dll
Size

1.2MB
MD5

304109f9a5c3726818b4c3668fdb71fd
SHA1

2eb804e205d15d314e7f67d503940f69f5dc2ef8
SHA256

af26296c75ff26f7ee865df424522d75366ae3e2e80d7d9e89ef8c9398b0836d
SHA512

cf01fca33392dc40495f4c39eb1fd240b425018c7088ca9782d883bb135b5dd469a11941d0d680a69e881fa95c4147d70fe567aeba7e98ff6adfd5c0ca1a0e01
SSDEEP

24576:ZVHchfFcSTdS1ZikTqpaIJvzSqbY/0Z2ZlECMNXkTlzvmJL8:ZV8hf6STw1ZlQauvzSq01ICe6zvm

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral21/memory/1184-5-0x0000000002E50000-0x0000000002E51000-memory.dmp	dridex_stager_shellcode

Executes dropped EXE 3 IoCs

Processes:

Netplwiz.exeraserver.exeUtilman.exe

pid process

2628 Netplwiz.exe
492 raserver.exe
2364 Utilman.exe
Loads dropped DLL 7 IoCs

Processes:

Netplwiz.exeraserver.exeUtilman.exe

pid process

1184
2628 Netplwiz.exe
1184
492 raserver.exe
1184
2364 Utilman.exe
1184

pid	process
2628	Netplwiz.exe
492	raserver.exe
2364	Utilman.exe

pid	process
1184
2628	Netplwiz.exe
1184
492	raserver.exe
1184
2364	Utilman.exe
1184

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\df8tDUapIZ\\raserver.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeNetplwiz.exeraserver.exeUtilman.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2100	rundll32.exe
2100	rundll32.exe
2100	rundll32.exe
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184
1184

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1184 wrote to memory of 2868	1184	Netplwiz.exe
PID 1184 wrote to memory of 2868	1184	Netplwiz.exe
PID 1184 wrote to memory of 2868	1184	Netplwiz.exe
PID 1184 wrote to memory of 2628	1184	Netplwiz.exe
PID 1184 wrote to memory of 2628	1184	Netplwiz.exe
PID 1184 wrote to memory of 2628	1184	Netplwiz.exe
PID 1184 wrote to memory of 2768	1184	raserver.exe
PID 1184 wrote to memory of 2768	1184	raserver.exe
PID 1184 wrote to memory of 2768	1184	raserver.exe
PID 1184 wrote to memory of 492	1184	raserver.exe
PID 1184 wrote to memory of 492	1184	raserver.exe
PID 1184 wrote to memory of 492	1184	raserver.exe
PID 1184 wrote to memory of 1576	1184	Utilman.exe
PID 1184 wrote to memory of 1576	1184	Utilman.exe
PID 1184 wrote to memory of 1576	1184	Utilman.exe
PID 1184 wrote to memory of 2364	1184	Utilman.exe
PID 1184 wrote to memory of 2364	1184	Utilman.exe
PID 1184 wrote to memory of 2364	1184	Utilman.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Stealers\Dridex.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:2868

C:\Users\Admin\AppData\Local\gfvCkUn\Netplwiz.exe
C:\Users\Admin\AppData\Local\gfvCkUn\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2628

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2768

C:\Users\Admin\AppData\Local\YY8ADviL\raserver.exe
C:\Users\Admin\AppData\Local\YY8ADviL\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:492

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:1576

C:\Users\Admin\AppData\Local\cIcWHMIp\Utilman.exe
C:\Users\Admin\AppData\Local\cIcWHMIp\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\cIcWHMIp\DUI70.dll

Filesize
1.4MB

MD5
9dff1b529fd34033c28e82a43058add0

SHA1
3f6f08a887c4df609973449776dc187c7bebd248

SHA256
faee452246bfdcb19108539e406a3fd363c95d125895fbfb473a1110631ff286

SHA512
6ecafa055de63487cd9c4e327710207e4bf3c0f374129545fed0b95d66ff3cd1d690cbafbc8caf79ab31415c3500200069df68188202fa3dbd55c4edfbd91a70

Download Submit
C:\Users\Admin\AppData\Local\cIcWHMIp\Utilman.exe

Filesize
1.3MB

MD5
32c5ee55eadfc071e57851e26ac98477

SHA1
8f8d0aee344e152424143da49ce2c7badabb8f9d

SHA256
7ca90616e68bc851f14658a366d80f21ddb7a7dd8a866049e54651158784a9ea

SHA512
e0943efa81f3087c84a5909c72a436671ee8cc3cc80154901430e83ec7966aac800ad4b26f4a174a0071da617c0982ceda584686c6e2056e1a83e864aca6c975

Download Submit
C:\Users\Admin\AppData\Local\gfvCkUn\Netplwiz.exe

Filesize
26KB

MD5
e43ec3c800d4c0716613392e81fba1d9

SHA1
37de6a235e978ecf3bb0fc2c864016c5b0134348

SHA256
636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c

SHA512
176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
1KB

MD5
fde463b37ab70594cc84ed69a861f70c

SHA1
09a03122589af2d5250ed9b6e40e7b311606c595

SHA256
4816c8ccda6bd5a22e4c0c4f8aa596a67ecad28c226126716e3178c6d75f71fa

SHA512
b9d2e107d1433479412314d2b3850b661cc8f0c230574ba87101b7d86276184e5d120cbc140bdb3abe2d81a123ce835deeba86a031e9cd57962eeea2f639b777

Download Submit
\Users\Admin\AppData\Local\YY8ADviL\WTSAPI32.dll

Filesize
1.2MB

MD5
4c43c09de18610c7ff548b08ec31ef0d

SHA1
45fb84f809fd102cab3839397f0589a7bf139842

SHA256
2a0bca2756420ddc197897bd0558e232cd5cf25f4f99205fbb51e11d051d35cd

SHA512
66b1a0e269ec5e8d5a323ae1e709bb4d5a3576f46e5eba6a662df1d5f7eb7e218130f0becae627bdbaaba3f41791fd0a8ccdb60bf1c5b45b457121a9af6ef398

Download Submit
\Users\Admin\AppData\Local\YY8ADviL\raserver.exe

Filesize
123KB

MD5
cd0bc0b6b8d219808aea3ecd4e889b19

SHA1
9f8f4071ce2484008e36fdfd963378f4ebad703f

SHA256
16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c

SHA512
84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

Download Submit
\Users\Admin\AppData\Local\gfvCkUn\NETPLWIZ.dll

Filesize
1.2MB

MD5
00b51a44a0fb9369aa57858ab6ecc637

SHA1
f60bbd089ffde5977e52a2eabf11520146777d31

SHA256
d85e383d2e6f2d7d1a0cdb55ac22ae4c84db2de8080d6d90946ed91514e4cc8e

SHA512
9f4f65eec36fe4531194c2e066aa5cf0eab6f1fb0bc7685663929752a8a90094f7a1b1d3bd293a8dc007a013337aae237cb426219ba7118bd5e9bdd99087f697

Download Submit
memory/492-74-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/492-69-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/1184-26-0x0000000002E30000-0x0000000002E37000-memory.dmp

Filesize
28KB

Download
memory/1184-13-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-33-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-29-0x0000000076EE1000-0x0000000076EE2000-memory.dmp

Filesize
4KB

Download
memory/1184-25-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-16-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-34-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-10-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-9-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-8-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-7-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-4-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

Filesize
4KB

Download
memory/1184-43-0x0000000076CD6000-0x0000000076CD7000-memory.dmp

Filesize
4KB

Download
memory/1184-5-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/1184-15-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-14-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-30-0x0000000077070000-0x0000000077072000-memory.dmp

Filesize
8KB

Download
memory/1184-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/1184-12-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2100-0-0x0000000001E00000-0x0000000001E07000-memory.dmp

Filesize
28KB

Download
memory/2100-42-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2100-1-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/2364-91-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/2364-87-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/2364-86-0x0000000000290000-0x0000000000297000-memory.dmp

Filesize
28KB

Download
memory/2628-52-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2628-57-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/2628-51-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download