dridex | 82327bfb11e761ca805df5a092ba2ee85eb43c3a7dbd78201a0e807899f6b91d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82327bfb11e761ca805df5a092ba2ee85eb43c3a7dbd78201a0e807899f6b91d.dll
Size

1.1MB
MD5

a7c11f9f36da43856f66e495b91c872e
SHA1

6f91468a4e72bc1e07d9016b24c2427c41de5188
SHA256

82327bfb11e761ca805df5a092ba2ee85eb43c3a7dbd78201a0e807899f6b91d
SHA512

84c59a7cda2989deeeba7a229edd23181ce6aec1928580e10ad015e9c9cdce071aef242b956c9a6504435e8c7f026cb6a33a46942a92cd0cd12ff923033e68d3
SSDEEP

12288:9kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:9kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3508-4-0x0000000000500000-0x0000000000501000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1704-1-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3508-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3508-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/1704-38-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/4612-46-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4612-50-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/5040-66-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/2776-81-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4612	systemreset.exe
5040	RecoveryDrive.exe
2776	SystemPropertiesComputerName.exe

Loads dropped DLL 3 IoCs

pid	Process
4612	systemreset.exe
5040	RecoveryDrive.exe
2776	SystemPropertiesComputerName.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsrvevdpr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\vnL\\RecoveryDrive.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	systemreset.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RecoveryDrive.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
1704	rundll32.exe
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3508	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2832	3508	Process not Found	86
PID 3508 wrote to memory of 2832	3508	Process not Found	86
PID 3508 wrote to memory of 4612	3508	Process not Found	87
PID 3508 wrote to memory of 4612	3508	Process not Found	87
PID 3508 wrote to memory of 1264	3508	Process not Found	88
PID 3508 wrote to memory of 1264	3508	Process not Found	88
PID 3508 wrote to memory of 5040	3508	Process not Found	89
PID 3508 wrote to memory of 5040	3508	Process not Found	89
PID 3508 wrote to memory of 2340	3508	Process not Found	90
PID 3508 wrote to memory of 2340	3508	Process not Found	90
PID 3508 wrote to memory of 2776	3508	Process not Found	91
PID 3508 wrote to memory of 2776	3508	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\82327bfb11e761ca805df5a092ba2ee85eb43c3a7dbd78201a0e807899f6b91d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1704

C:\Windows\system32\systemreset.exe
C:\Windows\system32\systemreset.exe
1⤵
PID:2832

C:\Users\Admin\AppData\Local\skp0zsIfY\systemreset.exe
C:\Users\Admin\AppData\Local\skp0zsIfY\systemreset.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4612

C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
1⤵
PID:1264

C:\Users\Admin\AppData\Local\hnkvFjI\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\hnkvFjI\RecoveryDrive.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5040

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2340

C:\Users\Admin\AppData\Local\H5ICv2X\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\H5ICv2X\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\H5ICv2X\SYSDM.CPL

Filesize
1.1MB

MD5
fb47350dd527857b25d934672452322f

SHA1
688f81e00b4e9a838f9e3e974fa3b17b0cfb7e8d

SHA256
ed9b0cab84f9439519402177ad550dbe4f7bc40e427c948fa9436f6c50a9bd07

SHA512
f3593b0a82f1369de2d50eaa9b657ce9e4fe46386edfc20f5a28bf84df4baaa56a4892da0bb71c575a2049304e2e3bf0482af29020322226607a815080b5323c

Download Submit
C:\Users\Admin\AppData\Local\H5ICv2X\SystemPropertiesComputerName.exe

Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Local\hnkvFjI\ReAgent.dll

Filesize
1.1MB

MD5
9a46b866ea9da43003a5ef538b10ee5c

SHA1
fea67880acc0fbe795d9dadb63368d2d5c609826

SHA256
a2a2aa194d003c23b754ef93230303070a55fea08d5c3db4115d2784bb7d903b

SHA512
342e786b12f9d7094704f82c225d537b557d1872280fd40de4baf129b097ada4603b554047e6904931174cad5e05c10c4842aecaba2845de1a929757615074be

Download Submit
C:\Users\Admin\AppData\Local\hnkvFjI\RecoveryDrive.exe

Filesize
911KB

MD5
b9b3dc6f2eb89e41ff27400952602c74

SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b

SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Download Submit
C:\Users\Admin\AppData\Local\skp0zsIfY\ReAgent.dll

Filesize
1.1MB

MD5
89e94b1ad967ab0152f2dcaa09fd067d

SHA1
253cc30fe7c8570c56241559a5cc55b0db155772

SHA256
0ab26498233874fb09533f3972a539e76df984e38e10bf81645c618d8fa9a9d2

SHA512
e2426239b76649435288bfd7afc8202dca1f06a6aa8f75700c06fe97a8e806082bfc41d2fed5279d44dbbdb19145f06a2fdb5c864e10ded19be5433c9d23fa61

Download Submit
C:\Users\Admin\AppData\Local\skp0zsIfY\systemreset.exe

Filesize
508KB

MD5
325ff647506adb89514defdd1c372194

SHA1
84234ff97d6ddc8a4ea21303ea842aa76a74e0ea

SHA256
ebff6159a7627234f94f606afa2e55e98e1548fd197d22779a5fcff24aa477ad

SHA512
8a9758f4af0264be08d684125827ef11efe651138059f6b463c52476f8a8e1bed94d093042f85893cb3e37c5f3ba7b55c6ce9394595001e661bccbc578da3868

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk

Filesize
1KB

MD5
1777e25985a8fcd6975bae52fbf3e77e

SHA1
11b55edaadb7c00c7b9224d1fdb6ce19947e1497

SHA256
c5513af0e368693ab8ba787af9ba3f62c234afe84cb2691a0a206f41f4de1d30

SHA512
cb54545ffbb6e83ac3ae95b289bad564f00b588af683f2db3dc2ed3e5f17e8bd246da87daee9715ce560eaf78e14ba969b9d04497230bda5e73a0599b150fcc4

Download Submit
memory/1704-0-0x000001A25C0F0000-0x000001A25C0F7000-memory.dmp

Filesize
28KB

Download
memory/1704-1-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1704-38-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2776-81-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3508-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-26-0x00007FF9C01B0000-0x00007FF9C01C0000-memory.dmp

Filesize
64KB

Download
memory/3508-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-25-0x00007FF9C01C0000-0x00007FF9C01D0000-memory.dmp

Filesize
64KB

Download
memory/3508-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-4-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/3508-3-0x00007FF9BFB3A000-0x00007FF9BFB3B000-memory.dmp

Filesize
4KB

Download
memory/3508-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3508-23-0x0000000002140000-0x0000000002147000-memory.dmp

Filesize
28KB

Download
memory/3508-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/4612-45-0x0000029242E70000-0x0000029242E77000-memory.dmp

Filesize
28KB

Download
memory/4612-50-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4612-46-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/5040-66-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/5040-61-0x0000028E71040000-0x0000028E71047000-memory.dmp

Filesize
28KB

Download