dridex | 9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3.dll
Size

940KB
MD5

33542753fda57b6a2eb61fcf509298d3
SHA1

ae14ea0f0e01de7ef2f4ff2e60361f1065853616
SHA256

9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3
SHA512

f664c54e9f1efe596219f4abb442d93eae6723dd377739323b619d229b4d8ded802c6b4e5a22227b8498692a4faed9c83bf4e5b82ba1e1644520140b18c6eec3
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3560-3-0x0000000001640000-0x0000000001641000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1760-2-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3560-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/3560-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/1760-38-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/4400-45-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/4400-50-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/4108-62-0x0000000140000000-0x0000000140131000-memory.dmp	dridex_payload
behavioral2/memory/4108-65-0x0000000140000000-0x0000000140131000-memory.dmp	dridex_payload
behavioral2/memory/1972-80-0x0000000140000000-0x0000000140131000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4400	rdpshell.exe
4108	CameraSettingsUIHost.exe
1972	dpapimig.exe

Loads dropped DLL 3 IoCs

pid	Process
4400	rdpshell.exe
4108	CameraSettingsUIHost.exe
1972	dpapimig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\4nBrM3y5jNi\\CameraSettingsUIHost.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpshell.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CameraSettingsUIHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dpapimig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	rundll32.exe
1760	rundll32.exe
1760	rundll32.exe
1760	rundll32.exe
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found
3560	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found
Token: SeShutdownPrivilege	3560	Process not Found
Token: SeCreatePagefilePrivilege	3560	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3560	Process not Found
3560	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 2800	3560	Process not Found	86
PID 3560 wrote to memory of 2800	3560	Process not Found	86
PID 3560 wrote to memory of 4400	3560	Process not Found	87
PID 3560 wrote to memory of 4400	3560	Process not Found	87
PID 3560 wrote to memory of 1836	3560	Process not Found	88
PID 3560 wrote to memory of 1836	3560	Process not Found	88
PID 3560 wrote to memory of 4108	3560	Process not Found	89
PID 3560 wrote to memory of 4108	3560	Process not Found	89
PID 3560 wrote to memory of 2864	3560	Process not Found	90
PID 3560 wrote to memory of 2864	3560	Process not Found	90
PID 3560 wrote to memory of 1972	3560	Process not Found	91
PID 3560 wrote to memory of 1972	3560	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a98089a9a05bf0abd6ba54247893308568db62c77f15834cc0774b8822429e3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
1⤵
PID:2800

C:\Users\Admin\AppData\Local\zrI2d4mR\rdpshell.exe
C:\Users\Admin\AppData\Local\zrI2d4mR\rdpshell.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4400

C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
1⤵
PID:1836

C:\Users\Admin\AppData\Local\9bExE\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\9bExE\CameraSettingsUIHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4108

C:\Windows\system32\dpapimig.exe
C:\Windows\system32\dpapimig.exe
1⤵
PID:2864

C:\Users\Admin\AppData\Local\1XuF\dpapimig.exe
C:\Users\Admin\AppData\Local\1XuF\dpapimig.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1XuF\DUI70.dll

Filesize
1.2MB

MD5
c486787dc8a6c2da70ae7b5c0d561116

SHA1
ee3c3b7cd8725756421ceaedb2037a3e980eaa88

SHA256
540fb18233ba78d0af9bb4e2db3f4756b56768c9aff88020426a7a0c947ea8e6

SHA512
994ce2be2609fec2409416160d15d3e2404415ce661ee05473bc7407787f8eb51ecf77c1e8d73285072c01866ba92922dc213959c0e91d9dc001a492b4ec0449

Download Submit
C:\Users\Admin\AppData\Local\1XuF\dpapimig.exe

Filesize
76KB

MD5
b6d6477a0c90a81624c6a8548026b4d0

SHA1
e6eac6941d27f76bbd306c2938c0a962dbf1ced1

SHA256
a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb

SHA512
72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

Download Submit
C:\Users\Admin\AppData\Local\9bExE\CameraSettingsUIHost.exe

Filesize
31KB

MD5
9e98636523a653c7a648f37be229cf69

SHA1
bd4da030e7cf4d55b7c644dfacd26b152e6a14c4

SHA256
3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717

SHA512
41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

Download Submit
C:\Users\Admin\AppData\Local\9bExE\DUI70.dll

Filesize
1.2MB

MD5
4c182d74d40f2ada08f8e5f2d11bad29

SHA1
8a68a3e6e5401410504b99bb18ed32983beca26f

SHA256
60cb896b3fd3a3ea7bd23736bd2c62d7ab979df5f44150f8a1e4fb4bc790eba2

SHA512
8e2adc81fbf0d9300dd3827a37bd9ae7d89600b40f2ab0d0c186448933e7418728e0c00a332bb0f8a396ff92f1222064a96d8ca96c332c3f3683b4513e53c7ea

Download Submit
C:\Users\Admin\AppData\Local\zrI2d4mR\dwmapi.dll

Filesize
944KB

MD5
da3ba3d0103d4e5f3e17f7e418098da4

SHA1
54f67d25b0dc35c254f2a13d9133adf08879e4a4

SHA256
4bfdffe9bc0568f57816ce0eddeb330db0ca5220a6d3071c58554a57ccab887d

SHA512
04b6f5b837eb5bea8a94fd30df4eefd79405429ce5b4d372f739f76f9b5e08d0819bf39c2204673d31109b4a033ba860544f3988ec60ab1ddb963888ee2d31f8

Download Submit
C:\Users\Admin\AppData\Local\zrI2d4mR\rdpshell.exe

Filesize
468KB

MD5
428066713f225bb8431340fa670671d4

SHA1
47f6878ff33317c3fc09c494df729a463bda174c

SHA256
da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd

SHA512
292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
2bb8e267da0368ee6d0af968263f6b6b

SHA1
bb437d4fcb3f23ff9d0411d1120baa6f2c202339

SHA256
6749607c7af7bdca2b48a36605ae6495996f6b5c4cdf7cc9c28eb988da044009

SHA512
220caec0b2ae25fa32a36cf5153235af747e02c8f8ddcbd18bdd2f1c6d23f848274965f04e36c3a754c0ab46e51bfff9061ee66939205405931201fd1b392dfe

Download Submit
memory/1760-0-0x000001C6A62C0000-0x000001C6A62C7000-memory.dmp

Filesize
28KB

Download
memory/1760-2-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1760-38-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1972-80-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/3560-26-0x00007FFECEBB0000-0x00007FFECEBC0000-memory.dmp

Filesize
64KB

Download
memory/3560-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-3-0x0000000001640000-0x0000000001641000-memory.dmp

Filesize
4KB

Download
memory/3560-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-25-0x00007FFECEBC0000-0x00007FFECEBD0000-memory.dmp

Filesize
64KB

Download
memory/3560-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-5-0x00007FFECDD2A000-0x00007FFECDD2B000-memory.dmp

Filesize
4KB

Download
memory/3560-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3560-23-0x0000000001650000-0x0000000001657000-memory.dmp

Filesize
28KB

Download
memory/3560-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/4108-63-0x000001E0D45E0000-0x000001E0D45E7000-memory.dmp

Filesize
28KB

Download
memory/4108-65-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4108-62-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/4400-50-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/4400-45-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/4400-47-0x000001D589870000-0x000001D589877000-memory.dmp

Filesize
28KB

Download