dridex | bb17e954d051478ae93df3251a7c0aac723ba6d07fbbd1da9e4172d08041b774

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb17e954d051478ae93df3251a7c0aac723ba6d07fbbd1da9e4172d08041b774.dll
Size

936KB
MD5

401f84a3215161405db7ecf1f1d0b6f4
SHA1

7b2517a60daac43ab7d5f12f3c5f10c40221c46d
SHA256

bb17e954d051478ae93df3251a7c0aac723ba6d07fbbd1da9e4172d08041b774
SHA512

3b4598da32edd45909e44067d8fd0aa65a30d21deb908c2ba0a7e2ee1f1d9b4e362161238c47305fecfd36f38a99da9d39d0f1e242ae337d8fc4525eac96b183
SSDEEP

12288:3PVKLvdxQPKSoVXxTaGcb68Uzx2TBeOWhZJpK8:3tKTrsKSKBTSb6DUXWq8

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3512-3-0x0000000002520000-0x0000000002521000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/1544-0-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral2/memory/3512-34-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral2/memory/3512-23-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral2/memory/1544-37-0x0000000140000000-0x00000001400EA000-memory.dmp	dridex_payload
behavioral2/memory/4936-45-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/4936-49-0x0000000140000000-0x00000001400EC000-memory.dmp	dridex_payload
behavioral2/memory/4044-61-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/4044-65-0x0000000140000000-0x00000001400EB000-memory.dmp	dridex_payload
behavioral2/memory/2528-77-0x0000021BAE380000-0x0000021BAE46B000-memory.dmp	dridex_payload
behavioral2/memory/2528-81-0x0000021BAE380000-0x0000021BAE46B000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

RdpSaUacHelper.exeApplicationFrameHost.exePresentationHost.exe

pid	Process
4936	RdpSaUacHelper.exe
4044	ApplicationFrameHost.exe
2528	PresentationHost.exe

Loads dropped DLL 4 IoCs

Processes:

RdpSaUacHelper.exeApplicationFrameHost.exePresentationHost.exe

pid	Process
4936	RdpSaUacHelper.exe
4044	ApplicationFrameHost.exe
2528	PresentationHost.exe
2528	PresentationHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qhmytabp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\kKkhppWN\\ApplicationFrameHost.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ApplicationFrameHost.exePresentationHost.exerundll32.exeRdpSaUacHelper.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ApplicationFrameHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSaUacHelper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512
3512

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3512

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3512 wrote to memory of 4292	3512	86
PID 3512 wrote to memory of 4292	3512	86
PID 3512 wrote to memory of 4936	3512	87
PID 3512 wrote to memory of 4936	3512	87
PID 3512 wrote to memory of 2724	3512	88
PID 3512 wrote to memory of 2724	3512	88
PID 3512 wrote to memory of 4044	3512	89
PID 3512 wrote to memory of 4044	3512	89
PID 3512 wrote to memory of 4228	3512	90
PID 3512 wrote to memory of 4228	3512	90
PID 3512 wrote to memory of 2528	3512	91
PID 3512 wrote to memory of 2528	3512	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb17e954d051478ae93df3251a7c0aac723ba6d07fbbd1da9e4172d08041b774.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:4292

C:\Users\Admin\AppData\Local\Uu39fD\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\Uu39fD\RdpSaUacHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4936

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:2724

C:\Users\Admin\AppData\Local\SAr\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\SAr\ApplicationFrameHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4044

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:4228

C:\Users\Admin\AppData\Local\F4s6sASLf\PresentationHost.exe
C:\Users\Admin\AppData\Local\F4s6sASLf\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\F4s6sASLf\PresentationHost.exe

Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\F4s6sASLf\VERSION.dll

Filesize
940KB

MD5
e6cab2e3695bae1ae353a3619092654e

SHA1
700f14617d382a31a9b796a359db3992974d6778

SHA256
a752f9d2e8691556d67bdec103318e4122e4c398dd95f595869e8725ad995b8c

SHA512
08b9366c9d473939af54e5ae9316ddda51bd628ac417fc8496fff829558a6d8dfd82db19f789a6724c9fbf40ead01206b8a1f3c23e6f167c280d74ab4f6db200

Download Submit
C:\Users\Admin\AppData\Local\SAr\ApplicationFrameHost.exe

Filesize
76KB

MD5
d58a8a987a8dafad9dc32a548cc061e7

SHA1
f79fc9e0ab066cad530b949c2153c532a5223156

SHA256
cf58e424b86775e6f2354291052126a646f842fff811b730714dfbbd8ebc71a4

SHA512
93df28b65af23a5f82124ba644e821614e2e2074c98dbb2bd7319d1dfe9e2179b9d660d7720913c79a8e7b2f8560440789ad5e170b9d94670589885060c14265

Download Submit
C:\Users\Admin\AppData\Local\SAr\dxgi.dll

Filesize
940KB

MD5
78e62e820324cb07f62af86aa13d9e83

SHA1
54efce99ee032a4e06f70fcd059bc66b1cc7e9a4

SHA256
0c099ce7b2add64dbd39ce7697af3250d15941c72748ceb2bc5c4e45c7d7d043

SHA512
d4b10856ac319e0bf761524986f9f575646797988f983eab3fd8c49d9dd0dbc860a92b699fafafd562b3ed995d807b560dc342a363b53fc44e8d3dff00accadf

Download Submit
C:\Users\Admin\AppData\Local\Uu39fD\RdpSaUacHelper.exe

Filesize
33KB

MD5
0d5b016ac7e7b6257c069e8bb40845de

SHA1
5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

SHA256
6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

SHA512
cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Download Submit
C:\Users\Admin\AppData\Local\Uu39fD\WINSTA.dll

Filesize
944KB

MD5
ee707e2dfd09c428f2c2e2c104930951

SHA1
c25d8385d226e31d60512b7ce9bf4f43d445c4e5

SHA256
c8cc558906666cb9643357d437e9c519d3b329fc9cbef7749a7c2983e92411e5

SHA512
44c9751bcbe91f80a0d7b7266a69ecd5a07d789638a1fb3e451756f20dc71b11a6c6277e8f1058dcc0e327a1c682b6555b0e3340d96f3f443624347a0665b2b4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fkasxldymr.lnk

Filesize
1KB

MD5
2196f8c80a5c1394b68e9bdc0d1a9315

SHA1
90feb300aa5cc45f3d232511856e387242522821

SHA256
97946e2730d4dfd09d2901602a7fee35491b3f70f29055a27882db02ad425b11

SHA512
7298972801305062fdbcc2c1e54f227640981d8dd7f4b7e03248c737d8450840e53c5dd976cc5d51452d81b8501c52e7fbaf4799f82e37c7c0a032936253d860

Download Submit
memory/1544-37-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/1544-2-0x000001F9AB3D0000-0x000001F9AB3D7000-memory.dmp

Filesize
28KB

Download
memory/1544-0-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/2528-81-0x0000021BAE380000-0x0000021BAE46B000-memory.dmp

Filesize
940KB

Download
memory/2528-77-0x0000021BAE380000-0x0000021BAE46B000-memory.dmp

Filesize
940KB

Download
memory/3512-12-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-25-0x00007FFE76810000-0x00007FFE76820000-memory.dmp

Filesize
64KB

Download
memory/3512-23-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-8-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-7-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-6-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-24-0x00007FFE76820000-0x00007FFE76830000-memory.dmp

Filesize
64KB

Download
memory/3512-34-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-9-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-4-0x00007FFE74F5A000-0x00007FFE74F5B000-memory.dmp

Filesize
4KB

Download
memory/3512-3-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/3512-10-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-11-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-14-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-13-0x0000000140000000-0x00000001400EA000-memory.dmp

Filesize
936KB

Download
memory/3512-22-0x0000000000690000-0x0000000000697000-memory.dmp

Filesize
28KB

Download
memory/4044-65-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/4044-61-0x0000000140000000-0x00000001400EB000-memory.dmp

Filesize
940KB

Download
memory/4044-60-0x000001A846FF0000-0x000001A846FF7000-memory.dmp

Filesize
28KB

Download
memory/4936-49-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/4936-45-0x0000000140000000-0x00000001400EC000-memory.dmp

Filesize
944KB

Download
memory/4936-44-0x000001A702230000-0x000001A702237000-memory.dmp

Filesize
28KB

Download