dridex | 1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll
Size

940KB
MD5

e6ffe9204f9d5606d662bf6f355c3863
SHA1

1632dfd22740045fad5a1fa5149cde3eb694ae7c
SHA256

1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a
SHA512

e08cde0affdc24597bd0bbde592fb78afcba4b187d25d3bb0b72949b3a2825c5f8e62d1ef8cf23ce495167517f16516d7448909b538085101c317845b3159ea3
SSDEEP

12288:CPVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:CtKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1228-4-0x0000000002D70000-0x0000000002D71000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/296-1-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1228-24-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1228-35-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/1228-37-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/296-44-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral1/memory/2604-53-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/2604-58-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/1976-75-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral1/memory/852-91-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2604	BitLockerWizard.exe
1976	DWWIN.EXE
852	BitLockerWizard.exe

Loads dropped DLL 7 IoCs

pid	Process
1228	Process not Found
2604	BitLockerWizard.exe
1228	Process not Found
1976	DWWIN.EXE
1228	Process not Found
852	BitLockerWizard.exe
1228	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wtobeyey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\ZoJWXjb\\DWWIN.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DWWIN.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
296	rundll32.exe
296	rundll32.exe
296	rundll32.exe
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2684	1228	Process not Found	30
PID 1228 wrote to memory of 2684	1228	Process not Found	30
PID 1228 wrote to memory of 2684	1228	Process not Found	30
PID 1228 wrote to memory of 2604	1228	Process not Found	31
PID 1228 wrote to memory of 2604	1228	Process not Found	31
PID 1228 wrote to memory of 2604	1228	Process not Found	31
PID 1228 wrote to memory of 1048	1228	Process not Found	32
PID 1228 wrote to memory of 1048	1228	Process not Found	32
PID 1228 wrote to memory of 1048	1228	Process not Found	32
PID 1228 wrote to memory of 1976	1228	Process not Found	33
PID 1228 wrote to memory of 1976	1228	Process not Found	33
PID 1228 wrote to memory of 1976	1228	Process not Found	33
PID 1228 wrote to memory of 2008	1228	Process not Found	34
PID 1228 wrote to memory of 2008	1228	Process not Found	34
PID 1228 wrote to memory of 2008	1228	Process not Found	34
PID 1228 wrote to memory of 852	1228	Process not Found	35
PID 1228 wrote to memory of 852	1228	Process not Found	35
PID 1228 wrote to memory of 852	1228	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e4aed6e957b55dad4f63b7d5f44cb8ce6a7216b6ad4e51d971d307007ed3d2a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2684

C:\Users\Admin\AppData\Local\IPmpGt\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\IPmpGt\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2604

C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
1⤵
PID:1048

C:\Users\Admin\AppData\Local\5XM3oKmYt\DWWIN.EXE
C:\Users\Admin\AppData\Local\5XM3oKmYt\DWWIN.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1976

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2008

C:\Users\Admin\AppData\Local\YRj\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\YRj\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\5XM3oKmYt\DWWIN.EXE

Filesize
149KB

MD5
25247e3c4e7a7a73baeea6c0008952b1

SHA1
8087adb7a71a696139ddc5c5abc1a84f817ab688

SHA256
c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

SHA512
bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

Download Submit
C:\Users\Admin\AppData\Local\5XM3oKmYt\wer.dll

Filesize
944KB

MD5
f8d9275c084b75ed74784522000bbda7

SHA1
160a4129f58550344fb256198acfccda694a2a39

SHA256
2f22978c487a72567165cdc62c860f7b3f958be2c73f35dfc53f0d7d3e438a96

SHA512
5ae96b420c44749234210512779a2c120acfae889e9a1c0b82c72c2622bb050ab012ecb2e079da00af302a344c63c2c15d9c5946dd6f6a57aeb0723f16bef8fa

Download Submit
C:\Users\Admin\AppData\Local\IPmpGt\BitLockerWizard.exe

Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
C:\Users\Admin\AppData\Local\IPmpGt\FVEWIZ.dll

Filesize
944KB

MD5
aca1a87105e678364188679d4c3b7c5c

SHA1
0d8fd83c8f737a903c80792d60a848db97332e61

SHA256
0d72d706e206914f0116620717f0e9d47238561dc475f3f79395a88fc59c53bd

SHA512
6d3f2c27ec373a408c94aa3940a2ed53274a19fc57f2bf2ff038d5b2137f0c3e3ddbb7c62637d7bee359458b588829f52a00d6ff94073bc721383f2eadb3db7b

Download Submit
C:\Users\Admin\AppData\Local\YRj\FVEWIZ.dll

Filesize
944KB

MD5
8eed68a069ae2274f27b5a3655551871

SHA1
18ae1c9984e48c869bf7e430a8fa1991ededcfeb

SHA256
cc0a1cfb550294b652be27a676cff9d083dae968889d0103177f8c7f19542ef1

SHA512
f76252ba39227e015ba2769ec1f1000e702dd782598fae9b5f620cbb624bc7c5dbdb4b2d49ed2d50c867ccd0111be90d8a002a00dfae90ccb7a0dfeff16a3368

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ykefwsdudlbqds.lnk

Filesize
1KB

MD5
2fef252051be83c43a50f74275d526a6

SHA1
f3361ac7e399b3feaa84f51e33dc56ff6d2c0ca0

SHA256
1dd53faf5ce58efada16d956453f2a3b2586bfd09c20ed080035ee97d331e786

SHA512
3636cd8b998cb9151e0ce9844295d92179c979895f2362e8570803008770b95c50e3537d5b0d2ad769c9b8d87fe805aded7e01a1a992be07029a3b2a25282ad0

Download Submit
memory/296-2-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/296-1-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/296-44-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/852-91-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/1228-26-0x0000000077120000-0x0000000077122000-memory.dmp

Filesize
8KB

Download
memory/1228-45-0x0000000076D86000-0x0000000076D87000-memory.dmp

Filesize
4KB

Download
memory/1228-10-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-9-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-8-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-24-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-12-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-25-0x00000000770F0000-0x00000000770F2000-memory.dmp

Filesize
8KB

Download
memory/1228-35-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-37-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-14-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-11-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-15-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-13-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-3-0x0000000076D86000-0x0000000076D87000-memory.dmp

Filesize
4KB

Download
memory/1228-4-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/1228-6-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1228-23-0x0000000002A50000-0x0000000002A57000-memory.dmp

Filesize
28KB

Download
memory/1228-7-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/1976-72-0x0000000000200000-0x0000000000207000-memory.dmp

Filesize
28KB

Download
memory/1976-75-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2604-58-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/2604-55-0x0000000000210000-0x0000000000217000-memory.dmp

Filesize
28KB

Download
memory/2604-53-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download