dridex | e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0b

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0bN.dll
Size

1.3MB
MD5

3caab0352ba2d33f6e283006aa3349a0
SHA1

c88e6d554a0cf2f1f9d05867ff0a7607d683e486
SHA256

e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0b
SHA512

ba8acba77d747dce3128da81e1b68f8352ba15e7b75beeee9e78922c3240acbc9348b1979b0f5ec819200c0d9ccbfbd3100e1a58fe0f1c524c5d5460d762527a
SSDEEP

12288:MdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:+MIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1204-4-0x0000000002890000-0x0000000002891000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1236-1-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral1/memory/1204-45-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral1/memory/1204-57-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral1/memory/1204-58-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral1/memory/1236-66-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral1/memory/2600-76-0x0000000140000000-0x000000014015A000-memory.dmp	dridex_payload
behavioral1/memory/2600-80-0x0000000140000000-0x000000014015A000-memory.dmp	dridex_payload
behavioral1/memory/2624-93-0x0000000140000000-0x0000000140159000-memory.dmp	dridex_payload
behavioral1/memory/2624-97-0x0000000140000000-0x0000000140159000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

dpnsvr.exerstrui.exedwm.exe

pid process

2600 dpnsvr.exe
2624 rstrui.exe
2560 dwm.exe
Loads dropped DLL 7 IoCs

Processes:

dpnsvr.exerstrui.exedwm.exe

pid process

1204
2600 dpnsvr.exe
1204
2624 rstrui.exe
1204
2560 dwm.exe
1204

pid	process
2600	dpnsvr.exe
2624	rstrui.exe
2560	dwm.exe

pid	process
1204
2600	dpnsvr.exe
1204
2624	rstrui.exe
1204
2560	dwm.exe
1204

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kccgsbu = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\sys\\bjcHbkJ5\\rstrui.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedpnsvr.exerstrui.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpnsvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rstrui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dwm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1236	rundll32.exe
1236	rundll32.exe
1236	rundll32.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	target process
PID 1204 wrote to memory of 2764	1204	dpnsvr.exe
PID 1204 wrote to memory of 2764	1204	dpnsvr.exe
PID 1204 wrote to memory of 2764	1204	dpnsvr.exe
PID 1204 wrote to memory of 2600	1204	dpnsvr.exe
PID 1204 wrote to memory of 2600	1204	dpnsvr.exe
PID 1204 wrote to memory of 2600	1204	dpnsvr.exe
PID 1204 wrote to memory of 2156	1204	rstrui.exe
PID 1204 wrote to memory of 2156	1204	rstrui.exe
PID 1204 wrote to memory of 2156	1204	rstrui.exe
PID 1204 wrote to memory of 2624	1204	rstrui.exe
PID 1204 wrote to memory of 2624	1204	rstrui.exe
PID 1204 wrote to memory of 2624	1204	rstrui.exe
PID 1204 wrote to memory of 840	1204	dwm.exe
PID 1204 wrote to memory of 840	1204	dwm.exe
PID 1204 wrote to memory of 840	1204	dwm.exe
PID 1204 wrote to memory of 2560	1204	dwm.exe
PID 1204 wrote to memory of 2560	1204	dwm.exe
PID 1204 wrote to memory of 2560	1204	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0bN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
1⤵
PID:2764

C:\Users\Admin\AppData\Local\cgzWUT\dpnsvr.exe
C:\Users\Admin\AppData\Local\cgzWUT\dpnsvr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2600

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:2156

C:\Users\Admin\AppData\Local\BYz\rstrui.exe
C:\Users\Admin\AppData\Local\BYz\rstrui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2624

C:\Windows\system32\dwm.exe
C:\Windows\system32\dwm.exe
1⤵
PID:840

C:\Users\Admin\AppData\Local\3rBVb\dwm.exe
C:\Users\Admin\AppData\Local\3rBVb\dwm.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3rBVb\UxTheme.dll

Filesize
1.3MB

MD5
00d05dbb354dc3fb32adead9959b17df

SHA1
a9c74e22e20fbf0326723cdf69d538c7f821adef

SHA256
888587026816d87ffdd7685b3cc1e6883cdf035243fc14d92bea70353abfe3a5

SHA512
909b153bf5f81fbc80408eca97b0eda65d17341b398a340b7faccc88b2c988a37d08ef14ed927709fe425c0c9c66386f5c28b4b914a1498070ef9c6d819114c8

Download Submit
C:\Users\Admin\AppData\Local\3rBVb\dwm.exe

Filesize
117KB

MD5
f162d5f5e845b9dc352dd1bad8cef1bc

SHA1
35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2

SHA256
8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7

SHA512
7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

Download Submit
C:\Users\Admin\AppData\Local\BYz\SPP.dll

Filesize
1.3MB

MD5
1bcf551dea08057616c75c5fa2db4e65

SHA1
0b181cd7c2eb648ca635255fb8b124326c15114d

SHA256
1293ee96d82bb3a897e6eb5d6dde4206eae3a459e521db824a4551280202d779

SHA512
e91984be2b6e7b7b5f25daf7c5c73a88144aa1bbbbc786d576a1dc716ce9861ed4c3ab464b0178c64270663cf193dcac502aa11e4576a6bdda21314ec4ffd3f5

Download Submit
C:\Users\Admin\AppData\Local\cgzWUT\WINMM.dll

Filesize
1.4MB

MD5
b0a827a0a08f473ba241441db7c4369e

SHA1
d5e5095569e011565b2ca52b5d354b9d69db25e1

SHA256
9a150f115e5f2b797423dd177167195a0ca4f3015ff422630ee18f572b0c84d0

SHA512
e6125947076bd7ada96c48738afd4a49be04bd61311ab7666f86f8728109eb8180dae0bd934c920a4a040f3d9f402ebd2641fa200901c3633f58ae50a19f808d

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lcuygmmobxhxaxh.lnk

Filesize
1KB

MD5
7993732a55eb6b36465e2522c2a5d36a

SHA1
9ccec6a33670c51ab4ecae40e6b6a6b833ca2ad9

SHA256
170cd96e675f3597a8cd2e9dfca3731a2b7972ebf3a1ffe9ef89b64e026750a2

SHA512
7c0d9a30cf59a34662f67a5ad2619b33ad79598bd82f9aa84dc075838b7f8540d1578c9181c076475b2c187bec45c0bfc0d9bf5fa48b7b392a1c5d34220377ad

Download Submit
\Users\Admin\AppData\Local\BYz\rstrui.exe

Filesize
290KB

MD5
3db5a1eace7f3049ecc49fa64461e254

SHA1
7dc64e4f75741b93804cbae365e10dc70592c6a9

SHA256
ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

SHA512
ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

Download Submit
\Users\Admin\AppData\Local\cgzWUT\dpnsvr.exe

Filesize
33KB

MD5
6806b72978f6bd27aef57899be68b93b

SHA1
713c246d0b0b8dcc298afaed4f62aed82789951c

SHA256
3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c

SHA512
43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

Download Submit
memory/1204-16-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-12-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-35-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-34-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-33-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-32-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-31-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-30-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-29-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-27-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-26-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-25-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-24-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-23-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-22-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-21-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-48-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

Filesize
8KB

Download
memory/1204-47-0x0000000077A90000-0x0000000077A92000-memory.dmp

Filesize
8KB

Download
memory/1204-20-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-19-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-18-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-3-0x0000000077726000-0x0000000077727000-memory.dmp

Filesize
4KB

Download
memory/1204-15-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-14-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-13-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-45-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-10-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-9-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-8-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-37-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-28-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-17-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-6-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-57-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-58-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-4-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1204-67-0x0000000077726000-0x0000000077727000-memory.dmp

Filesize
4KB

Download
memory/1204-46-0x0000000002870000-0x0000000002877000-memory.dmp

Filesize
28KB

Download
memory/1204-36-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-7-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1204-11-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1236-66-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1236-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/1236-1-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/2560-111-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2600-80-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2600-76-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/2600-75-0x0000000001B40000-0x0000000001B47000-memory.dmp

Filesize
28KB

Download
memory/2624-93-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2624-92-0x0000000000510000-0x0000000000517000-memory.dmp

Filesize
28KB

Download
memory/2624-97-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download