dridex | e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0bN.dll
Size

1.3MB
MD5

3caab0352ba2d33f6e283006aa3349a0
SHA1

c88e6d554a0cf2f1f9d05867ff0a7607d683e486
SHA256

e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0b
SHA512

ba8acba77d747dce3128da81e1b68f8352ba15e7b75beeee9e78922c3240acbc9348b1979b0f5ec819200c0d9ccbfbd3100e1a58fe0f1c524c5d5460d762527a
SSDEEP

12288:MdMIwS97wJs6tSKDXEabXaC+jhc1S8XXk7CZzHsZH9dq0T:+MIJxSDX3bqjhcfHk7MzH6z

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3444-3-0x0000000007A80000-0x0000000007A81000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1612-1-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral2/memory/3444-46-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral2/memory/3444-57-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral2/memory/1612-60-0x0000000140000000-0x0000000140158000-memory.dmp	dridex_payload
behavioral2/memory/3312-68-0x0000000140000000-0x000000014019E000-memory.dmp	dridex_payload
behavioral2/memory/3312-72-0x0000000140000000-0x000000014019E000-memory.dmp	dridex_payload
behavioral2/memory/2228-89-0x0000000140000000-0x000000014019E000-memory.dmp	dridex_payload
behavioral2/memory/1576-101-0x0000000140000000-0x0000000140159000-memory.dmp	dridex_payload
behavioral2/memory/1576-105-0x0000000140000000-0x0000000140159000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

Utilman.exePasswordOnWakeSettingFlyout.exeApplicationFrameHost.exe

pid process

3312 Utilman.exe
2228 PasswordOnWakeSettingFlyout.exe
1576 ApplicationFrameHost.exe
Loads dropped DLL 3 IoCs

Processes:

Utilman.exePasswordOnWakeSettingFlyout.exeApplicationFrameHost.exe

pid process

3312 Utilman.exe
2228 PasswordOnWakeSettingFlyout.exe
1576 ApplicationFrameHost.exe

pid	process
3312	Utilman.exe
2228	PasswordOnWakeSettingFlyout.exe
1576	ApplicationFrameHost.exe

pid	process
3312	Utilman.exe
2228	PasswordOnWakeSettingFlyout.exe
1576	ApplicationFrameHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vogna = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\JgmfuKIR\\PasswordOnWakeSettingFlyout.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exeUtilman.exePasswordOnWakeSettingFlyout.exeApplicationFrameHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Utilman.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PasswordOnWakeSettingFlyout.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Modifies registry class 3 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
1612	rundll32.exe
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444
3444

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444
Token: SeShutdownPrivilege	3444
Token: SeCreatePagefilePrivilege	3444

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

3444
3444
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3444

pid	process
3444
3444

pid	process
3444

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3444 wrote to memory of 3864	3444	Utilman.exe
PID 3444 wrote to memory of 3864	3444	Utilman.exe
PID 3444 wrote to memory of 3312	3444	Utilman.exe
PID 3444 wrote to memory of 3312	3444	Utilman.exe
PID 3444 wrote to memory of 4884	3444	PasswordOnWakeSettingFlyout.exe
PID 3444 wrote to memory of 4884	3444	PasswordOnWakeSettingFlyout.exe
PID 3444 wrote to memory of 2228	3444	PasswordOnWakeSettingFlyout.exe
PID 3444 wrote to memory of 2228	3444	PasswordOnWakeSettingFlyout.exe
PID 3444 wrote to memory of 3688	3444	ApplicationFrameHost.exe
PID 3444 wrote to memory of 3688	3444	ApplicationFrameHost.exe
PID 3444 wrote to memory of 1576	3444	ApplicationFrameHost.exe
PID 3444 wrote to memory of 1576	3444	ApplicationFrameHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e83967e75410b28a9ce51b667e754b0503df3d3e4861f56a1df8914d611a4c0bN.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
1⤵
PID:3864

C:\Users\Admin\AppData\Local\TTo7dJ\Utilman.exe
C:\Users\Admin\AppData\Local\TTo7dJ\Utilman.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3312

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
1⤵
PID:4884

C:\Users\Admin\AppData\Local\7H8j\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\7H8j\PasswordOnWakeSettingFlyout.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2228

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:3688

C:\Users\Admin\AppData\Local\2xntl\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\2xntl\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2xntl\ApplicationFrameHost.exe

Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\2xntl\dxgi.dll

Filesize
1.3MB

MD5
d0ab1cb8c36de5f567ceedbae0afc112

SHA1
bd7e13de661bbf6c25d4518586111621643f72f4

SHA256
a9cf183edbdd8604c1d0265a53e5f37ea84f79d2ccd06c3d13b1f71afd95c3fe

SHA512
923c115b88d1f928abfda749572333e9013e98146b7b54a9e3e666bfdc00bb840b87646061072c854b9043e2dca7f980a22c58ce244d504e545cd755a5faf780

Download Submit
C:\Users\Admin\AppData\Local\7H8j\DUI70.dll

Filesize
1.6MB

MD5
ea925ca3fca2d23e2df3e514ac54b109

SHA1
9095cc4b054936d605f0061d2c210262cd240db1

SHA256
47aac72ecd1b64fe4e9a2eb6bbf02f15fa91f7cfcf37a71ce789d384d463d661

SHA512
555bf774d4b935de1812c1069347aa48e316ef0325429e4a591258f002a63f1230c7829f07609ed80d0254f5242dd8d0c16fd5b7a5c7dddfb7d9b79fe5dd811f

Download Submit
C:\Users\Admin\AppData\Local\7H8j\PasswordOnWakeSettingFlyout.exe

Filesize
44KB

MD5
591a98c65f624c52882c2b238d6cd4c4

SHA1
c960d08c19d777069cf265dcc281807fbd8502d7

SHA256
5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06

SHA512
1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

Download Submit
C:\Users\Admin\AppData\Local\TTo7dJ\DUI70.dll

Filesize
1.6MB

MD5
370a9421db3427373dae82b021fe76cc

SHA1
ac9fdba921b70501a818e03118de0ea121347002

SHA256
ba895e785fe1b3e33e4a29a45a17f5b62b097cbd3b9d8e229e5d8fae047e24c1

SHA512
a92181b40a6c9dd666ffde2b81b579546dfe8f71017422ceb749c2e62a2ecb3f67c37b3ff860125cd2c83be250a9abe1cd1eb41a1eb336724299a29ef233e94e

Download Submit
C:\Users\Admin\AppData\Local\TTo7dJ\Utilman.exe

Filesize
123KB

MD5
a117edc0e74ab4770acf7f7e86e573f7

SHA1
5ceffb1a5e05e52aafcbc2d44e1e8445440706f3

SHA256
b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37

SHA512
72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Nqkmrrwxgzxnra.lnk

Filesize
1KB

MD5
40f5b7b611a02a0e39156c8cbebdc477

SHA1
d6d2c93f2993e4080c7fbabcb77e266c72aae72d

SHA256
d2c5ac32c626decd3cc1417bc7ab295f30d61b83e6d90b5a1b4ddf320266ce20

SHA512
03a44e4e618d91fcd0f0fee66527316804b1c4be44b8df07a0ad902d65cb9529bb1ed9520ded65a73ecc6090d002419337838269173a8e56ac6b5597bf6631a6

Download Submit
memory/1576-100-0x00000150B9200000-0x00000150B9207000-memory.dmp

Filesize
28KB

Download
memory/1576-101-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1576-105-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/1612-60-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1612-1-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/1612-2-0x00000226D2440000-0x00000226D2447000-memory.dmp

Filesize
28KB

Download
memory/2228-89-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/2228-84-0x000001EED4330000-0x000001EED4337000-memory.dmp

Filesize
28KB

Download
memory/3312-72-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3312-68-0x0000000140000000-0x000000014019E000-memory.dmp

Filesize
1.6MB

Download
memory/3312-67-0x0000019779F60000-0x0000019779F67000-memory.dmp

Filesize
28KB

Download
memory/3312-73-0x0000019779F60000-0x0000019779F67000-memory.dmp

Filesize
28KB

Download
memory/3444-28-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-30-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-19-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-18-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-17-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-16-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-15-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-14-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-13-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-12-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-11-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-10-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-9-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-8-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-7-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-48-0x00007FFF34ED0000-0x00007FFF34EE0000-memory.dmp

Filesize
64KB

Download
memory/3444-47-0x00007FFF34EE0000-0x00007FFF34EF0000-memory.dmp

Filesize
64KB

Download
memory/3444-46-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-32-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-22-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-20-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-57-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-23-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-24-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-25-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-26-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-27-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-29-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-31-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-33-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-34-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-35-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-36-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-45-0x00000000032A0000-0x00000000032A7000-memory.dmp

Filesize
28KB

Download
memory/3444-37-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-21-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-6-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/3444-4-0x00007FFF3496A000-0x00007FFF3496B000-memory.dmp

Filesize
4KB

Download
memory/3444-3-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download