dridex | 92b4e93c7a975815e2adc790967b59c283aec15614dd14ef1cb1f3b9de5575d1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92b4e93c7a975815e2adc790967b59c283aec15614dd14ef1cb1f3b9de5575d1.dll
Size

1.1MB
MD5

15815247242b43059aebf26e60e3256b
SHA1

35b9b6fc8eac16bf80665da6a3fbd4aca140c494
SHA256

92b4e93c7a975815e2adc790967b59c283aec15614dd14ef1cb1f3b9de5575d1
SHA512

d937b72eed31749bada0d69dbefcd27c528d05254369f174ce928f31b82dfb6fa5d54905d3e72d0b8825346423cba71d631de1903cbd7ca9f83e12c822fa2ed7
SSDEEP

12288:5kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64CR:5kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3408-3-0x0000000002450000-0x0000000002451000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4932-0-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3408-24-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3408-35-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4932-38-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4136-46-0x0000000140000000-0x0000000140125000-memory.dmp	dridex_payload
behavioral2/memory/4136-49-0x0000000140000000-0x0000000140125000-memory.dmp	dridex_payload
behavioral2/memory/4460-58-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral2/memory/4460-63-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral2/memory/3832-74-0x0000000140000000-0x0000000140164000-memory.dmp	dridex_payload
behavioral2/memory/3832-78-0x0000000140000000-0x0000000140164000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4136	mspaint.exe
4460	EaseOfAccessDialog.exe
3832	wlrmdr.exe

Loads dropped DLL 3 IoCs

pid	Process
4136	mspaint.exe
4460	EaseOfAccessDialog.exe
3832	wlrmdr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\7VVZRV~1\\EASEOF~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wlrmdr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	rundll32.exe
4932	rundll32.exe
4932	rundll32.exe
4932	rundll32.exe
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found
3408	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found
Token: SeShutdownPrivilege	3408	Process not Found
Token: SeCreatePagefilePrivilege	3408	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3408	Process not Found
3408	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3408 wrote to memory of 3752	3408	Process not Found	86
PID 3408 wrote to memory of 3752	3408	Process not Found	86
PID 3408 wrote to memory of 4136	3408	Process not Found	87
PID 3408 wrote to memory of 4136	3408	Process not Found	87
PID 3408 wrote to memory of 4676	3408	Process not Found	88
PID 3408 wrote to memory of 4676	3408	Process not Found	88
PID 3408 wrote to memory of 4460	3408	Process not Found	89
PID 3408 wrote to memory of 4460	3408	Process not Found	89
PID 3408 wrote to memory of 2252	3408	Process not Found	90
PID 3408 wrote to memory of 2252	3408	Process not Found	90
PID 3408 wrote to memory of 3832	3408	Process not Found	91
PID 3408 wrote to memory of 3832	3408	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\92b4e93c7a975815e2adc790967b59c283aec15614dd14ef1cb1f3b9de5575d1.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4932

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:3752

C:\Users\Admin\AppData\Local\CQt\mspaint.exe
C:\Users\Admin\AppData\Local\CQt\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4136

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:4676

C:\Users\Admin\AppData\Local\3iZ\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\3iZ\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4460

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:2252

C:\Users\Admin\AppData\Local\wZrb\wlrmdr.exe
C:\Users\Admin\AppData\Local\wZrb\wlrmdr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\3iZ\EaseOfAccessDialog.exe

Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Local\3iZ\OLEACC.dll

Filesize
1.1MB

MD5
01bdc26c3b7946ddfa7080d00798ac4e

SHA1
2f0dcb7498624e10501bffb5175183ed2b0218f2

SHA256
7377bb017d135a20476889fe1c99dfd74b4a65e392e70114e280da38ff60d146

SHA512
992ae9d9ab2c87daaa50643fea1bb6030b5a84826056e3996ce0a7036387b41a92dcea9f212276afb5d2ca5ad319e98be5b4708890426b05192156e988fc4613

Download Submit
C:\Users\Admin\AppData\Local\CQt\MFC42u.dll

Filesize
1.1MB

MD5
57381f722364a79e283b8e6a0efa1f2e

SHA1
5b9ec8fe0f7bb40fc26d2db04aa2fede8db16ad9

SHA256
2470ed3d1cb6245f93eed0f93748a995f3e0bc0f3268947c6c01d59a48a44cd9

SHA512
59030a038b12dab620e3a43a4834a3f31cf62e8071064493d0fa765e1d058fa84a8bd5578ac6e7c477b81c6e1ec9eedcc5a4ed922f17b9b98c9b381a43657a3a

Download Submit
C:\Users\Admin\AppData\Local\CQt\mspaint.exe

Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\wZrb\DUI70.dll

Filesize
1.4MB

MD5
f7b5c0020239acc875ce537d69656899

SHA1
4924f3ba64b69657b329e7c373acaed0b8b00c91

SHA256
805ca617026fd1fa2d8a67219c898810d0f0cdf42b69118c6418e6c9e82f9c47

SHA512
7aa0ca428c7c8eab9ed844f6ff0858e4efd7e5ed1f46c36fb964fa280a8a4af48617227376ce8076e388ff4d8a63b07073d79b2ed334a227d47e418ad9990e10

Download Submit
C:\Users\Admin\AppData\Local\wZrb\wlrmdr.exe

Filesize
66KB

MD5
ef9bba7a637a11b224a90bf90a8943ac

SHA1
4747ec6efd2d41e049159249c2d888189bb33d1d

SHA256
2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1

SHA512
4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
2a9f9293ab74f0dbba7b432e77897a4c

SHA1
2ea35edacc1c3eaac243e1019d6576f20a45d3ff

SHA256
57a3dee2831710a49a61b0cae781bf76cb338fc550e2f665877fcd43d7089a1d

SHA512
444d024d41f757615974b5e739fcdf63cc52a9122bcc44ac13931e7daa2d1a637b942721aaea5544af2486369243c9d90b2cd831c0834287d5ac2a64930a140b

Download Submit
memory/3408-7-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-15-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-25-0x00007FF834A20000-0x00007FF834A30000-memory.dmp

Filesize
64KB

Download
memory/3408-24-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-12-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-11-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-10-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-9-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-8-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-5-0x00007FF8341CA000-0x00007FF8341CB000-memory.dmp

Filesize
4KB

Download
memory/3408-6-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-35-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-3-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/3408-26-0x00007FF834A10000-0x00007FF834A20000-memory.dmp

Filesize
64KB

Download
memory/3408-23-0x00000000007A0000-0x00000000007A7000-memory.dmp

Filesize
28KB

Download
memory/3408-13-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3408-14-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3832-74-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/3832-78-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/4136-49-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4136-48-0x00000220486D0000-0x00000220486D7000-memory.dmp

Filesize
28KB

Download
memory/4136-46-0x0000000140000000-0x0000000140125000-memory.dmp

Filesize
1.1MB

Download
memory/4460-60-0x0000021C1E450000-0x0000021C1E457000-memory.dmp

Filesize
28KB

Download
memory/4460-58-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/4460-63-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/4932-38-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4932-0-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4932-2-0x0000021DD8040000-0x0000021DD8047000-memory.dmp

Filesize
28KB

Download