dridex | c993b31ce40179bd8997e6a298875c02744cc7d07225dad945a88d7ac755515f

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c993b31ce40179bd8997e6a298875c02744cc7d07225dad945a88d7ac755515f.dll
Size

940KB
MD5

eac9db11159f94acffc10b94097debea
SHA1

c2b90ec31a8ba440f14131e5598cecdc65db300a
SHA256

c993b31ce40179bd8997e6a298875c02744cc7d07225dad945a88d7ac755515f
SHA512

4c33638e34a9dcd5f05dab7f212c3dd8c0f293f5f61eb582420171712b27474fa043f1649a6e35c07f1c32afeb981027d14c6fae1361d788c29bb5144e109911
SSDEEP

12288:H0YTYL6Mqi7W8xto9OpWswk1GNup1XhBmsUqOZEYUANgBomHGe0zcPTP3E:H0CYZWgtWkEuHXhBmLHeuWBomaiP

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3428-3-0x00000000073C0000-0x00000000073C1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2376-0-0x00007FFF5AAB0000-0x00007FFF5AB9B000-memory.dmp	dridex_payload
behavioral2/memory/3428-16-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3428-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3428-25-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/2376-39-0x00007FFF5AAB0000-0x00007FFF5AB9B000-memory.dmp	dridex_payload
behavioral2/memory/2180-47-0x00007FFF4A690000-0x00007FFF4A77C000-memory.dmp	dridex_payload
behavioral2/memory/2180-51-0x00007FFF4A690000-0x00007FFF4A77C000-memory.dmp	dridex_payload
behavioral2/memory/3024-67-0x00007FFF4A690000-0x00007FFF4A77C000-memory.dmp	dridex_payload
behavioral2/memory/4596-83-0x00007FFF4A690000-0x00007FFF4A77C000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2180	WMPDMC.exe
3024	ie4ushowIE.exe
4596	SystemPropertiesProtection.exe

Loads dropped DLL 3 IoCs

pid	Process
2180	WMPDMC.exe
3024	ie4ushowIE.exe
4596	SystemPropertiesProtection.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wbdoaalrz = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\ij\\IE4USH~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesProtection.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WMPDMC.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4ushowIE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
2376	rundll32.exe
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3428	Process not Found
3428	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3428	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 2608	3428	Process not Found	96
PID 3428 wrote to memory of 2608	3428	Process not Found	96
PID 3428 wrote to memory of 2180	3428	Process not Found	97
PID 3428 wrote to memory of 2180	3428	Process not Found	97
PID 3428 wrote to memory of 848	3428	Process not Found	98
PID 3428 wrote to memory of 848	3428	Process not Found	98
PID 3428 wrote to memory of 3024	3428	Process not Found	99
PID 3428 wrote to memory of 3024	3428	Process not Found	99
PID 3428 wrote to memory of 2340	3428	Process not Found	100
PID 3428 wrote to memory of 2340	3428	Process not Found	100
PID 3428 wrote to memory of 4596	3428	Process not Found	101
PID 3428 wrote to memory of 4596	3428	Process not Found	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c993b31ce40179bd8997e6a298875c02744cc7d07225dad945a88d7ac755515f.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\5ht7dk\WMPDMC.exe
C:\Users\Admin\AppData\Local\5ht7dk\WMPDMC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2180

C:\Windows\system32\ie4ushowIE.exe
C:\Windows\system32\ie4ushowIE.exe
1⤵
PID:848

C:\Users\Admin\AppData\Local\DJveWAIk\ie4ushowIE.exe
C:\Users\Admin\AppData\Local\DJveWAIk\ie4ushowIE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3024

C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
1⤵
PID:2340

C:\Users\Admin\AppData\Local\lPN4c\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\lPN4c\SystemPropertiesProtection.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5ht7dk\WMPDMC.exe

Filesize
1.5MB

MD5
59ce6e554da0a622febce19eb61c4d34

SHA1
176a4a410cb97b3d4361d2aea0edbf17e15d04c7

SHA256
c36eba7186f7367fe717595f3372a49503c9613893c2ab2eff38b625a50d04ba

SHA512
e9b0d310416b66e0055381391bb6b0c19ee26bbcf0e3bb9ea7d696d5851e6efbdd9bdeb250c74638b7d73b20528ea1dfb718e75ad5977aaad77aae36cc7b7e18

Download Submit
C:\Users\Admin\AppData\Local\5ht7dk\dwmapi.dll

Filesize
944KB

MD5
eae1ae0afb5e5bfc7a0499d188286a0d

SHA1
20f2e3b391447176dab61734e170d9b5c0416818

SHA256
f3c3107f4a48794fd8b91aa0e0a238d909c1604c6c26edbe54d90e42e8268f2a

SHA512
6db34ee8cf82cec331b6a693e0c26903e04296dc1f2ae21453424c38c93cc4a93f5ab881e028d00b936d24da8365e3e8031e564a81c5996c696e13c84b678d9b

Download Submit
C:\Users\Admin\AppData\Local\DJveWAIk\VERSION.dll

Filesize
944KB

MD5
47af5cf973b701545119c6b52b2c8a17

SHA1
4d92a0378ba76b7233f028190873c325d211bb52

SHA256
968d9b14e98e2b074ff36b184fe95280687de799cb5b035f00cb7f10065b1db2

SHA512
531d0747183c9f999cba0f83ab297c2b6799c09511f34a3e884e7eca9dee3c2d7183d2aa283f932488086a1991b8e70ebcc52602f7078213a3006d8ebc762d75

Download Submit
C:\Users\Admin\AppData\Local\DJveWAIk\ie4ushowIE.exe

Filesize
76KB

MD5
9de952f476abab0cd62bfd81e20a3deb

SHA1
109cc4467b78dad4b12a3225020ea590bccee3e6

SHA256
e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b

SHA512
3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

Download Submit
C:\Users\Admin\AppData\Local\lPN4c\SYSDM.CPL

Filesize
944KB

MD5
0d13c367a5d240ff4c10f80e836ff758

SHA1
f210e18e4d1b576ec641bf5f9c956411e8bc214f

SHA256
29ab5593345650b26887ec71d45bf2dd595117a39bc23cc171b98488fce94e40

SHA512
1bce1fd0fcb1d782e4e7fe936675dd5eaa4cb893ef3440efbb53689c04f29b2713e5a6635c72ecba983f32a9adf82145d6da8d5fbb70912fb690536896d04a60

Download Submit
C:\Users\Admin\AppData\Local\lPN4c\SystemPropertiesProtection.exe

Filesize
82KB

MD5
26640d2d4fa912fc9a354ef6cfe500ff

SHA1
a343fd82659ce2d8de3beb587088867cf2ab8857

SHA256
a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37

SHA512
26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mihblavoyj.lnk

Filesize
1KB

MD5
b15ec27caa15599e58b95624e9c35fbf

SHA1
deab014e92363f12bc4c686c1d1c3214b5da63b3

SHA256
aed34adcfea2453a93767cd0e825fd40ef950945f2da23c77ecd2f59e7de3916

SHA512
f16149350be6f2660b69f7eb56e1cc37ac16dc704603f598f3cf4937ed7955a8883dacf602e6499f878dec48e238deb320523cd364dc34a69d6dc795ba90528f

Download Submit
memory/2180-51-0x00007FFF4A690000-0x00007FFF4A77C000-memory.dmp

Filesize
944KB

Download
memory/2180-46-0x0000022D43DB0000-0x0000022D43DB7000-memory.dmp

Filesize
28KB

Download
memory/2180-47-0x00007FFF4A690000-0x00007FFF4A77C000-memory.dmp

Filesize
944KB

Download
memory/2376-2-0x0000019DE7F30000-0x0000019DE7F37000-memory.dmp

Filesize
28KB

Download
memory/2376-39-0x00007FFF5AAB0000-0x00007FFF5AB9B000-memory.dmp

Filesize
940KB

Download
memory/2376-0-0x00007FFF5AAB0000-0x00007FFF5AB9B000-memory.dmp

Filesize
940KB

Download
memory/3024-62-0x00000242005B0000-0x00000242005B7000-memory.dmp

Filesize
28KB

Download
memory/3024-67-0x00007FFF4A690000-0x00007FFF4A77C000-memory.dmp

Filesize
944KB

Download
memory/3428-26-0x00007FFF68DE0000-0x00007FFF68DF0000-memory.dmp

Filesize
64KB

Download
memory/3428-25-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-5-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-3-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/3428-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-27-0x00007FFF68DD0000-0x00007FFF68DE0000-memory.dmp

Filesize
64KB

Download
memory/3428-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-16-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3428-24-0x0000000007390000-0x0000000007397000-memory.dmp

Filesize
28KB

Download
memory/3428-23-0x00007FFF68B9A000-0x00007FFF68B9B000-memory.dmp

Filesize
4KB

Download
memory/3428-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/4596-83-0x00007FFF4A690000-0x00007FFF4A77C000-memory.dmp

Filesize
944KB

Download
memory/4596-80-0x00000213CFCB0000-0x00000213CFCB7000-memory.dmp

Filesize
28KB

Download