dridex | e24980b28ec5594c3d1a3d103fd47d1b143d0af8c5dd1209c05a92c5253a5900

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e24980b28ec5594c3d1a3d103fd47d1b143d0af8c5dd1209c05a92c5253a5900.dll
Size

940KB
MD5

e0b9356be4ee72141b4e5a8a3f3b6073
SHA1

053fd016717cb83924ae47970d162f6e818c5231
SHA256

e24980b28ec5594c3d1a3d103fd47d1b143d0af8c5dd1209c05a92c5253a5900
SHA512

45d8c614ac2a5872755b3e29f432c7b3eb07596c4acb07d3212e26f0f5e6746d5c32f0cc8b70966cf4a2d28c4bce1afd9c3b7d8a1c0c6d2a52313f9664a02874
SSDEEP

12288:wPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:wtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3424-3-0x0000000002CB0000-0x0000000002CB1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/220-1-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3424-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3424-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/220-38-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/5104-45-0x0000000140000000-0x0000000140131000-memory.dmp	dridex_payload
behavioral2/memory/5104-50-0x0000000140000000-0x0000000140131000-memory.dmp	dridex_payload
behavioral2/memory/1052-62-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/1052-66-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/3992-77-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral2/memory/3992-81-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
5104	SysResetErr.exe
1052	osk.exe
3992	DevicePairingWizard.exe

Loads dropped DLL 3 IoCs

pid	Process
5104	SysResetErr.exe
1052	osk.exe
3992	DevicePairingWizard.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\SMARTA~1\\QGR0Ng\\osk.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SysResetErr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DevicePairingWizard.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
220	rundll32.exe
220	rundll32.exe
220	rundll32.exe
220	rundll32.exe
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found
3424	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3424	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3424 wrote to memory of 1316	3424	Process not Found	86
PID 3424 wrote to memory of 1316	3424	Process not Found	86
PID 3424 wrote to memory of 5104	3424	Process not Found	87
PID 3424 wrote to memory of 5104	3424	Process not Found	87
PID 3424 wrote to memory of 4676	3424	Process not Found	88
PID 3424 wrote to memory of 4676	3424	Process not Found	88
PID 3424 wrote to memory of 1052	3424	Process not Found	89
PID 3424 wrote to memory of 1052	3424	Process not Found	89
PID 3424 wrote to memory of 2724	3424	Process not Found	90
PID 3424 wrote to memory of 2724	3424	Process not Found	90
PID 3424 wrote to memory of 3992	3424	Process not Found	91
PID 3424 wrote to memory of 3992	3424	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e24980b28ec5594c3d1a3d103fd47d1b143d0af8c5dd1209c05a92c5253a5900.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Windows\system32\SysResetErr.exe
C:\Windows\system32\SysResetErr.exe
1⤵
PID:1316

C:\Users\Admin\AppData\Local\mL4v9MJhh\SysResetErr.exe
C:\Users\Admin\AppData\Local\mL4v9MJhh\SysResetErr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5104

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:4676

C:\Users\Admin\AppData\Local\7DU\osk.exe
C:\Users\Admin\AppData\Local\7DU\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1052

C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\bKBWlmDgB\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\bKBWlmDgB\DevicePairingWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7DU\dwmapi.dll

Filesize
944KB

MD5
120034369d5d7da506ac3944f0b9328c

SHA1
09fe27900193a74de00ad385b48ba666b663caa8

SHA256
69194464184194fb8332406941757e8f62a77b15cd3bbd413508a581cfe2464b

SHA512
fa249cf20d2d4d34d156fd52c8910f7f8a36db93426813da6942dfbdf7a8aa374171aaacfbbfdb1cafe074e1cdd7a559e7330accf2f9b37abbebb5bcb9d223fd

Download Submit
C:\Users\Admin\AppData\Local\7DU\osk.exe

Filesize
638KB

MD5
745f2df5beed97b8c751df83938cb418

SHA1
2f9fc33b1bf28e0f14fd75646a7b427ddbe14d25

SHA256
f67ef6e31fa0eaed44bfbab5b908be06b56cbc7d5a16ab2a72334d91f2bb6a51

SHA512
2125d021e6f45a81bd75c9129f4b098ad9aa15c25d270051f4da42458a9737bff44d6adf17aa1f2547715d159fb621829f7cd3b9d42f1521c919549cc7deb228

Download Submit
C:\Users\Admin\AppData\Local\bKBWlmDgB\DevicePairingWizard.exe

Filesize
93KB

MD5
d0e40a5a0c7dad2d6e5040d7fbc37533

SHA1
b0eabbd37a97a1abcd90bd56394f5c45585699eb

SHA256
2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b

SHA512
1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

Download Submit
C:\Users\Admin\AppData\Local\bKBWlmDgB\MFC42u.dll

Filesize
968KB

MD5
275646a2d128a6dadaecad92352b251b

SHA1
88e6ffbb1c6add8b4a189bf2a7328666ee235471

SHA256
141b8931dd99f70b797705ce0a8ee67de3802dd3ddcca3f34f822aa175a7d23a

SHA512
e171b47c0b0da8c60f36ffb9848391aa5c67dbed1c8e26e57c44b875d46e851e6cdd70a3e7ef41100f2a9f4da41a99149bb26981818c973c3bc66031fbd4f684

Download Submit
C:\Users\Admin\AppData\Local\mL4v9MJhh\DUI70.dll

Filesize
1.2MB

MD5
dfae0d3d0cbc90b97eebc4dbdcfdc6f7

SHA1
d1ccd9863b1e4606a7234fd78ec10f8cebf81384

SHA256
818692c00d2a5c9c3aaa06a7293bb6bc1cb24810545e44cf0c6e690063e77103

SHA512
f82d5e350d04d08bee590a0f11f6c9a482ad4b5c1e80c93c110e94c300f97fddcc30fdb2fc1c00bdc83b3f6ed2709d01e14fcbda685a36acf897bcdf86bb5352

Download Submit
C:\Users\Admin\AppData\Local\mL4v9MJhh\SysResetErr.exe

Filesize
41KB

MD5
090c6f458d61b7ddbdcfa54e761b8b57

SHA1
c5a93e9d6eca4c3842156cc0262933b334113864

SHA256
a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd

SHA512
c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk

Filesize
1KB

MD5
bf669e55bc2df29d6585fc0bcd4b56dc

SHA1
db308e8f239b50d375fdf1e792df627b163786d2

SHA256
d532d74859d92a79ca255686a8634915434b603b49362a00ee33e87904b7d4ca

SHA512
5681d65e6f9394f0a03cdfc61509c285750d442ab4e3561f3cfb9666af7a7bd9df5078d8aa5811f309ea0b2c8e11f6b26f65e82c2a70bb13fa3fdca952d11a69

Download Submit
memory/220-0-0x000001CDC5D10000-0x000001CDC5D17000-memory.dmp

Filesize
28KB

Download
memory/220-1-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/220-38-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1052-66-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1052-62-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1052-61-0x000001B53EDB0000-0x000001B53EDB7000-memory.dmp

Filesize
28KB

Download
memory/3424-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-23-0x0000000002C80000-0x0000000002C87000-memory.dmp

Filesize
28KB

Download
memory/3424-3-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/3424-4-0x00007FF9F96CA000-0x00007FF9F96CB000-memory.dmp

Filesize
4KB

Download
memory/3424-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-25-0x00007FF9FAC60000-0x00007FF9FAC70000-memory.dmp

Filesize
64KB

Download
memory/3424-26-0x00007FF9FAC50000-0x00007FF9FAC60000-memory.dmp

Filesize
64KB

Download
memory/3424-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3424-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3992-77-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/3992-81-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/5104-50-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/5104-45-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/5104-47-0x000001F5A6BD0000-0x000001F5A6BD7000-memory.dmp

Filesize
28KB

Download