dridex | e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8.dll
Size

940KB
MD5

d63ff00d75923760db3db59ad66520ee
SHA1

698ef541cd9d32955422d8af16fdbc2437039bd0
SHA256

e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8
SHA512

347238b6dbe7c5a1b9e4610a5d3b2b9f93ca34a3999c21b1257ccec507bcb1a4d792164f6461fde911147b1cff20e817d575e7c7e10406b9c00fabaf0372b1e2
SSDEEP

12288:gPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:gtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1188-4-0x0000000002BA0000-0x0000000002BA1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/3012-1-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1188-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1188-36-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1188-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/3012-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2740-54-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral1/memory/2740-58-0x0000000140000000-0x00000001400F2000-memory.dmp	dridex_payload
behavioral1/memory/1300-71-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1300-75-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2828-91-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

msinfo32.exeperfmon.exepsr.exe

pid	Process
2740	msinfo32.exe
1300	perfmon.exe
2828	psr.exe

Loads dropped DLL 7 IoCs

Processes:

msinfo32.exeperfmon.exepsr.exe

pid	Process
1188
2740	msinfo32.exe
1188
1300	perfmon.exe
1188
2828	psr.exe
1188

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\tbAg\\perfmon.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

perfmon.exepsr.exerundll32.exemsinfo32.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	perfmon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msinfo32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
3012	rundll32.exe
3012	rundll32.exe
3012	rundll32.exe
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188
1188

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1188 wrote to memory of 2900	1188	29
PID 1188 wrote to memory of 2900	1188	29
PID 1188 wrote to memory of 2900	1188	29
PID 1188 wrote to memory of 2740	1188	30
PID 1188 wrote to memory of 2740	1188	30
PID 1188 wrote to memory of 2740	1188	30
PID 1188 wrote to memory of 540	1188	31
PID 1188 wrote to memory of 540	1188	31
PID 1188 wrote to memory of 540	1188	31
PID 1188 wrote to memory of 1300	1188	32
PID 1188 wrote to memory of 1300	1188	32
PID 1188 wrote to memory of 1300	1188	32
PID 1188 wrote to memory of 2660	1188	33
PID 1188 wrote to memory of 2660	1188	33
PID 1188 wrote to memory of 2660	1188	33
PID 1188 wrote to memory of 2828	1188	34
PID 1188 wrote to memory of 2828	1188	34
PID 1188 wrote to memory of 2828	1188	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9e528ce64fe548d5315d36d4ae765585f2c28f58104c3d579377e79862cd6b8.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
1⤵
PID:2900

C:\Users\Admin\AppData\Local\zSwv3\msinfo32.exe
C:\Users\Admin\AppData\Local\zSwv3\msinfo32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2740

C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
1⤵
PID:540

C:\Users\Admin\AppData\Local\Zw9o\perfmon.exe
C:\Users\Admin\AppData\Local\Zw9o\perfmon.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1300

C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
1⤵
PID:2660

C:\Users\Admin\AppData\Local\4qGcDxSvx\psr.exe
C:\Users\Admin\AppData\Local\4qGcDxSvx\psr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4qGcDxSvx\VERSION.dll

Filesize
944KB

MD5
127258ff8141437579f1779e3e6ee16c

SHA1
c52571796578ded9bac6682666f716ae7f296e0f

SHA256
64f0f4229b8d113871cb0571e1d122d2c6020512eb1530334ba72cb184c564cc

SHA512
4bfd43ea471a3ba9cad5fb0399d6d420b23aaf43eab854c27d599203cc2d88280e56daab17cc12212c662098d64e5dd72609f77fb0d84bf04e173e253d3c9700

Download Submit
C:\Users\Admin\AppData\Local\Zw9o\credui.dll

Filesize
944KB

MD5
ef66e1910fed38ea6cba89e6e8355f62

SHA1
4cd9dece7a83959a6edc9a01bd630aa3b2d333f5

SHA256
4c382d7d82bcc4f8a3dd30067d5a3be5727076ec09526841e0a1216ea7c873e0

SHA512
db858427ec0d8547deea0b13d9698f37b9d05c56aa70734c85a8b7851ff6cce9cbf96eb8da2b855924d477843cee0e3b9e4df1b052e2f8504dfcdbdaa08439d1

Download Submit
C:\Users\Admin\AppData\Local\zSwv3\MFC42u.dll

Filesize
968KB

MD5
f01d3427ce921e16d4885309d00e1334

SHA1
f95771a8ecf554ecee55b7ccf42c67410f301404

SHA256
3b29f80bb595b4ced957e4e1375c14e4d3d564773a9100e6de1f1773c829facf

SHA512
4b3e383d8f191ec4fe17595cb32fb9ae95b0a78c2a79735dd079262d7312e68dd184d596b658b8c7eb7590fe64e690e7d50179fbe338ec5ebd32eef8f6f6bc18

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
f6a8c1dd480b13813ceaae136c4585dc

SHA1
01d3449dcdf9263c4f265e22639f110fcf917c08

SHA256
ecfd4817d3f428522af98b6f63cb4f1d1c26cd80e727b2bd1624c29579d2c2f2

SHA512
90eab8a92315cb73df9d4424381c3b570070b7b6255fcaea25a3a8cd8e711028e11165b38598bcf1910800e9bc509368b8429a9a5a1fc271afb89bff4fca1e2f

Download Submit
\Users\Admin\AppData\Local\4qGcDxSvx\psr.exe

Filesize
715KB

MD5
a80527109d75cba125d940b007eea151

SHA1
facf32a9ede6abfaa09368bfdfcfec8554107272

SHA256
68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495

SHA512
77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

Download Submit
\Users\Admin\AppData\Local\Zw9o\perfmon.exe

Filesize
168KB

MD5
3eb98cff1c242167df5fdbc6441ce3c5

SHA1
730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

SHA256
6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

SHA512
f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

Download Submit
\Users\Admin\AppData\Local\zSwv3\msinfo32.exe

Filesize
370KB

MD5
d291620d4c51c5f5ffa62ccdc52c5c13

SHA1
2081c97f15b1c2a2eadce366baf3c510da553cc7

SHA256
76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae

SHA512
75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

Download Submit
memory/1188-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-3-0x0000000077A56000-0x0000000077A57000-memory.dmp

Filesize
4KB

Download
memory/1188-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-26-0x0000000077CF0000-0x0000000077CF2000-memory.dmp

Filesize
8KB

Download
memory/1188-25-0x0000000077CC0000-0x0000000077CC2000-memory.dmp

Filesize
8KB

Download
memory/1188-36-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-4-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/1188-45-0x0000000077A56000-0x0000000077A57000-memory.dmp

Filesize
4KB

Download
memory/1188-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-23-0x0000000001D00000-0x0000000001D07000-memory.dmp

Filesize
28KB

Download
memory/1188-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1188-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1300-70-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/1300-71-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1300-75-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2740-58-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/2740-54-0x0000000140000000-0x00000001400F2000-memory.dmp

Filesize
968KB

Download
memory/2740-53-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2828-91-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/3012-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3012-1-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/3012-0-0x0000000000320000-0x0000000000327000-memory.dmp

Filesize
28KB

Download