dridex | 2c95150a2a42eb2f3393614566c343be1775ec323f2e468cef069e91a6feb7de

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c95150a2a42eb2f3393614566c343be1775ec323f2e468cef069e91a6feb7deN.dll
Size

1.2MB
MD5

19bc6fec7b7314abf0768d9d7164a4d0
SHA1

36c9ef09c516d62c1b1bc07062764c7cf4619e43
SHA256

2c95150a2a42eb2f3393614566c343be1775ec323f2e468cef069e91a6feb7de
SHA512

0f229a6c8546871b01e8ebb60720bc037a4d31bab95d49d843afdbc45d532f201fe0406550f74cc900eb8b3eadbcd2a0024529a2c223147f346f52c4b663b8ac
SSDEEP

12288:qxE0waBckFdlxVRZ1hcyknDb3PTdcGvnx10k2d2Y6q2mQpx:aZLVJxVHfcLnDTZcG/xmk2d2qZw

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-4-0x0000000002550000-0x0000000002551000-memory.dmp	dridex_stager_shellcode

Dridex payload 11 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2432-0-0x000007FEF62E0000-0x000007FEF6419000-memory.dmp	dridex_payload
behavioral1/memory/1236-33-0x0000000140000000-0x0000000140139000-memory.dmp	dridex_payload
behavioral1/memory/1236-26-0x0000000140000000-0x0000000140139000-memory.dmp	dridex_payload
behavioral1/memory/1236-45-0x0000000140000000-0x0000000140139000-memory.dmp	dridex_payload
behavioral1/memory/1236-46-0x0000000140000000-0x0000000140139000-memory.dmp	dridex_payload
behavioral1/memory/2432-54-0x000007FEF62E0000-0x000007FEF6419000-memory.dmp	dridex_payload
behavioral1/memory/2808-64-0x000007FEF6850000-0x000007FEF698A000-memory.dmp	dridex_payload
behavioral1/memory/2808-68-0x000007FEF6850000-0x000007FEF698A000-memory.dmp	dridex_payload
behavioral1/memory/1332-80-0x000007FEF62E0000-0x000007FEF641A000-memory.dmp	dridex_payload
behavioral1/memory/1332-85-0x000007FEF62E0000-0x000007FEF641A000-memory.dmp	dridex_payload
behavioral1/memory/2392-101-0x000007FEF62E0000-0x000007FEF641A000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

fveprompt.exerdrleakdiag.exerdpinit.exe

pid	Process
2808	fveprompt.exe
1332	rdrleakdiag.exe
2392	rdpinit.exe

Loads dropped DLL 7 IoCs

Processes:

fveprompt.exerdrleakdiag.exerdpinit.exe

pid	Process
1236
2808	fveprompt.exe
1236
1332	rdrleakdiag.exe
1236
2392	rdpinit.exe
1236

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\U1bQj\\rdrleakdiag.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exefveprompt.exerdrleakdiag.exerdpinit.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fveprompt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdrleakdiag.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exefveprompt.exe

pid	Process
2432	rundll32.exe
2432	rundll32.exe
2432	rundll32.exe
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
1236
2808	fveprompt.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1236 wrote to memory of 2544	1236	31
PID 1236 wrote to memory of 2544	1236	31
PID 1236 wrote to memory of 2544	1236	31
PID 1236 wrote to memory of 2808	1236	32
PID 1236 wrote to memory of 2808	1236	32
PID 1236 wrote to memory of 2808	1236	32
PID 1236 wrote to memory of 3040	1236	33
PID 1236 wrote to memory of 3040	1236	33
PID 1236 wrote to memory of 3040	1236	33
PID 1236 wrote to memory of 1332	1236	34
PID 1236 wrote to memory of 1332	1236	34
PID 1236 wrote to memory of 1332	1236	34
PID 1236 wrote to memory of 1624	1236	35
PID 1236 wrote to memory of 1624	1236	35
PID 1236 wrote to memory of 1624	1236	35
PID 1236 wrote to memory of 2392	1236	36
PID 1236 wrote to memory of 2392	1236	36
PID 1236 wrote to memory of 2392	1236	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c95150a2a42eb2f3393614566c343be1775ec323f2e468cef069e91a6feb7deN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2432

C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
1⤵
PID:2544

C:\Users\Admin\AppData\Local\5ek5JW7Jh\fveprompt.exe
C:\Users\Admin\AppData\Local\5ek5JW7Jh\fveprompt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
1⤵
PID:3040

C:\Users\Admin\AppData\Local\ndMc\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\ndMc\rdrleakdiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1332

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:1624

C:\Users\Admin\AppData\Local\V5BJZEgsZ\rdpinit.exe
C:\Users\Admin\AppData\Local\V5BJZEgsZ\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5ek5JW7Jh\slc.dll

Filesize
1.2MB

MD5
e294a8a43199d43fcd15dd6dd7aaa37d

SHA1
1ee6361cdc454ce9b474a8ff44dd4a219c9e59a8

SHA256
0646f30baf3c425ccbac314231d6e6f2bba02ae93b1955e90663c21291ac802d

SHA512
a06085af43db11e71bf826f8d07a877da9e9240fea06a6ec56ca79e4b26ac208d7b45438d9af4357e8476a7a882aa9e2f133da6e0975a87cde7b86ac94e9a9df

Download Submit
C:\Users\Admin\AppData\Local\V5BJZEgsZ\slc.dll

Filesize
1.2MB

MD5
8606b6d9566dda425b1c892b617d2425

SHA1
39d5511c74e964c1ea09aa6d4ae170f70203437c

SHA256
f9b9bf8b3bfba9e2038e007cca62213ad4b416666cf7852e0d4484fac6af9646

SHA512
681daec89cffe1693d26d09ef0de59b0c9697f6035374493fae7cb79ce7ff526fc69c106d5b0c4014296c6cbc4612ce57db6a77ba0a1d1a05f3b67f5f34629c2

Download Submit
C:\Users\Admin\AppData\Local\ndMc\rdrleakdiag.exe

Filesize
39KB

MD5
5e058566af53848541fa23fba4bb5b81

SHA1
769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6

SHA256
ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409

SHA512
352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

Download Submit
C:\Users\Admin\AppData\Local\ndMc\wer.dll

Filesize
1.2MB

MD5
9ec862a48dedabe37429c665a473bced

SHA1
e1d613a5e92cdbbb477042a7f0ba2ebe9e41ba94

SHA256
1a074e8cf426a9881b803f4d73f8d829102d00d0a91ed21158171db55b28d352

SHA512
134bcd1e2d12c4af87e50913473dc3e718826c7c7f59f7b806b166a893d128ef759286812467d9c305fb17806bd48ced2044767752b72faca6044301769ff948

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
1KB

MD5
b9e283fa27d32e048b61b2e37647d9bd

SHA1
be65db787d304991e80583c1f4b5f83e65ebcda3

SHA256
0ce7501ef128f0c574d0ebdb7e0f879984e0bbe2c93ba96d86e0fae5bc0990e9

SHA512
c2cef4e07381c6fcf4d93eba342ca6a0b6466f27124d1b63359d53e05e536de13e5bd7f91ead3af8da207b6ea2b455f719c9b6c9884605b4205d7efb673de4d5

Download Submit
\Users\Admin\AppData\Local\5ek5JW7Jh\fveprompt.exe

Filesize
104KB

MD5
dc2c44a23b2cd52bd53accf389ae14b2

SHA1
e36c7b6f328aa2ab2f52478169c52c1916f04b5f

SHA256
7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921

SHA512
ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

Download Submit
\Users\Admin\AppData\Local\V5BJZEgsZ\rdpinit.exe

Filesize
174KB

MD5
664e12e0ea009cc98c2b578ff4983c62

SHA1
27b302c0108851ac6cc37e56590dd9074b09c3c9

SHA256
00bd9c3c941a5a9b4fc8594d7b985f5f1ac48f0ba7495a728b8fa42b4b48a332

SHA512
f5eee4e924dcc3cf5e82eff36543e9d0e9c17dc2272b403cf30f8d2da42312821f5566249a98a952f5441b1f0d6d61a86b5c5198bc598d65ea9d4fb35822505d

Download Submit
memory/1236-23-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-6-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-33-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-24-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-3-0x0000000076FC6000-0x0000000076FC7000-memory.dmp

Filesize
4KB

Download
memory/1236-22-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-21-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-20-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-19-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-18-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-17-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-16-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-15-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-14-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-13-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-12-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-11-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-26-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-10-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-34-0x0000000002530000-0x0000000002537000-memory.dmp

Filesize
28KB

Download
memory/1236-36-0x0000000077360000-0x0000000077362000-memory.dmp

Filesize
8KB

Download
memory/1236-35-0x0000000077330000-0x0000000077332000-memory.dmp

Filesize
8KB

Download
memory/1236-45-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-46-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1236-55-0x0000000076FC6000-0x0000000076FC7000-memory.dmp

Filesize
4KB

Download
memory/1236-25-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-9-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-8-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1236-7-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/1332-82-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/1332-80-0x000007FEF62E0000-0x000007FEF641A000-memory.dmp

Filesize
1.2MB

Download
memory/1332-85-0x000007FEF62E0000-0x000007FEF641A000-memory.dmp

Filesize
1.2MB

Download
memory/2392-101-0x000007FEF62E0000-0x000007FEF641A000-memory.dmp

Filesize
1.2MB

Download
memory/2432-54-0x000007FEF62E0000-0x000007FEF6419000-memory.dmp

Filesize
1.2MB

Download
memory/2432-2-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/2432-0-0x000007FEF62E0000-0x000007FEF6419000-memory.dmp

Filesize
1.2MB

Download
memory/2808-68-0x000007FEF6850000-0x000007FEF698A000-memory.dmp

Filesize
1.2MB

Download
memory/2808-63-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2808-64-0x000007FEF6850000-0x000007FEF698A000-memory.dmp

Filesize
1.2MB

Download