dridex | 9b2a6a5b076828f7f0a821e254c49bf74abed0b9974f3fe6f74414210e71ac8c

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b2a6a5b076828f7f0a821e254c49bf74abed0b9974f3fe6f74414210e71ac8c.dll
Size

936KB
MD5

8eef978c00b27044f919df7c554d5520
SHA1

cebd31232222956453ec07290acf6acd42bf1ba7
SHA256

9b2a6a5b076828f7f0a821e254c49bf74abed0b9974f3fe6f74414210e71ac8c
SHA512

1be501d0c1770bc5cb35ef26afb8d7670983888b2d7ce9ab26b3cbbd9d9d582437111ec43b060d6b378df3af9888501e81f03b5506d13e775ae2172d3d84bd41
SSDEEP

12288:bPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8y1:btKTrsKSKBTSb6DUXWq8y1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3516-3-0x00000000025A0000-0x00000000025A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1404-1-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral2/memory/3516-34-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral2/memory/3516-23-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral2/memory/1404-37-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral2/memory/4596-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/4596-48-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/1440-59-0x0000000140000000-0x0000000140130000-memory.dmp	dridex_payload
behavioral2/memory/1440-64-0x0000000140000000-0x0000000140130000-memory.dmp	dridex_payload
behavioral2/memory/4172-79-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4596	raserver.exe
1440	wlrmdr.exe
4172	cttune.exe

Loads dropped DLL 3 IoCs

pid	Process
4596	raserver.exe
1440	wlrmdr.exe
4172	cttune.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsrvevdpr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\w277\\wlrmdr.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	raserver.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1404	rundll32.exe
1404	rundll32.exe
1404	rundll32.exe
1404	rundll32.exe
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found
3516	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found
Token: SeShutdownPrivilege	3516	Process not Found
Token: SeCreatePagefilePrivilege	3516	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3516	Process not Found
3516	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 2844	3516	Process not Found	86
PID 3516 wrote to memory of 2844	3516	Process not Found	86
PID 3516 wrote to memory of 4596	3516	Process not Found	87
PID 3516 wrote to memory of 4596	3516	Process not Found	87
PID 3516 wrote to memory of 3956	3516	Process not Found	88
PID 3516 wrote to memory of 3956	3516	Process not Found	88
PID 3516 wrote to memory of 1440	3516	Process not Found	89
PID 3516 wrote to memory of 1440	3516	Process not Found	89
PID 3516 wrote to memory of 4552	3516	Process not Found	90
PID 3516 wrote to memory of 4552	3516	Process not Found	90
PID 3516 wrote to memory of 4172	3516	Process not Found	91
PID 3516 wrote to memory of 4172	3516	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b2a6a5b076828f7f0a821e254c49bf74abed0b9974f3fe6f74414210e71ac8c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
1⤵
PID:2844

C:\Users\Admin\AppData\Local\16i\raserver.exe
C:\Users\Admin\AppData\Local\16i\raserver.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4596

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:3956

C:\Users\Admin\AppData\Local\Wl3l3Qz\wlrmdr.exe
C:\Users\Admin\AppData\Local\Wl3l3Qz\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1440

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:4552

C:\Users\Admin\AppData\Local\gGQ4u\cttune.exe
C:\Users\Admin\AppData\Local\gGQ4u\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\16i\WTSAPI32.dll

Filesize
940KB

MD5
8550261899ce82881426464e77b10e36

SHA1
4a66c3360d180fadb3f35820e733760a52d3d6c5

SHA256
d1e80abf0bb5e11f048ae86dc50f20e7e9005ecc258ea3e1b10ca6210d5e8626

SHA512
477b65b595afc93f8f36b2e12caef07596de95830766b42bd9aa06a9e77796aa081e77b64542156321827ad8d87d46f47cb264d9d3d8e4b6e620e8e2fe5322c7

Download Submit
C:\Users\Admin\AppData\Local\16i\raserver.exe

Filesize
132KB

MD5
d1841c6ee4ea45794ced131d4b68b60e

SHA1
4be6d2116060d7c723ac2d0b5504efe23198ea01

SHA256
38732626242988cc5b8f97fe8d3b030d483046ef66ea90d7ea3607f1adc0600d

SHA512
d8bad215872c5956c6e8acac1cd3ad19b85f72b224b068fb71cfd1493705bc7d3390853ba923a1aa461140294f8793247df018484a378e4f026c2a12cb3fa5c9

Download Submit
C:\Users\Admin\AppData\Local\Wl3l3Qz\DUI70.dll

Filesize
1.2MB

MD5
b5db816968aed84c73ffc637cadaa238

SHA1
b81fead3c5329367e69e4feb858ac39f219c1eaf

SHA256
eb76043a93352069bfd4536e2c61f2111b3ebfecf8f0c9c383e9683053f002b4

SHA512
04dc6473427daea3015dc941671278cf0cb731ac075c12fbb8f1485aeb24fa57092bcb9d8729e6c3c3ea1bad843ba9eb3737c5b9373d464d41b6416cdf53f1bf

Download Submit
C:\Users\Admin\AppData\Local\Wl3l3Qz\wlrmdr.exe

Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Local\gGQ4u\OLEACC.dll

Filesize
940KB

MD5
9cad800ae91b963d24d7b25473b03b6c

SHA1
dcdf330d0cf405db39d1e2e882212529cd8c145f

SHA256
c93841b6a31864ad9a67a8337f638743632e10847c38d096848bbb6d106aeeb9

SHA512
64ccfc10b5da932f4b9d75efa688d19cc8c1d6b48bb6720919a24caba4f91ef23c142bdc53ad97be56609427c938a2bdb9ec401bcc7c87319ed72f628b7b75ff

Download Submit
C:\Users\Admin\AppData\Local\gGQ4u\cttune.exe

Filesize
90KB

MD5
fa924465a33833f41c1a39f6221ba460

SHA1
801d505d81e49d2b4ffa316245ca69ff58c523c3

SHA256
de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da

SHA512
eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk

Filesize
1KB

MD5
0ffb6373a735e0b41dba9cccf126a3ce

SHA1
2f974ad25b6965c11425eb69ee2fc0a4f16afb78

SHA256
3526679c043d7658278f56efdae9ac84f17a8eec101053d0d959c08a53de9012

SHA512
e16f07b06807b0dae3e1d5f917525dc8bcbbe9224027e035c83630ea77c6b57bb26843e702515d6290bc0509f9b0356f89122bbaf35f829d2ecf4a9c9cc26311

Download Submit
memory/1404-0-0x000001DB922D0000-0x000001DB922D7000-memory.dmp

Filesize
28KB

Download
memory/1404-37-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1404-1-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1440-64-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/1440-61-0x0000011C88620000-0x0000011C88627000-memory.dmp

Filesize
28KB

Download
memory/1440-59-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3516-12-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-22-0x00000000006E0000-0x00000000006E7000-memory.dmp

Filesize
28KB

Download
memory/3516-8-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-7-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-6-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-10-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-23-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-24-0x00007FFD5FBE0000-0x00007FFD5FBF0000-memory.dmp

Filesize
64KB

Download
memory/3516-5-0x00007FFD5DC9A000-0x00007FFD5DC9B000-memory.dmp

Filesize
4KB

Download
memory/3516-3-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3516-11-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-34-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-25-0x00007FFD5FBD0000-0x00007FFD5FBE0000-memory.dmp

Filesize
64KB

Download
memory/3516-9-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-14-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3516-13-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/4172-79-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/4596-48-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/4596-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/4596-46-0x00000171C9FA0000-0x00000171C9FA7000-memory.dmp

Filesize
28KB

Download