dridex | 8348572110a99fe14e9b92ed34dfd3b5ae924110a02d9baed3061a23955c310d

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8348572110a99fe14e9b92ed34dfd3b5ae924110a02d9baed3061a23955c310d.dll
Size

1.1MB
MD5

d21a8a43c577339b6a431daa03dfe6c1
SHA1

010199366ab7b43d93df5e690e72c8e62b2efd99
SHA256

8348572110a99fe14e9b92ed34dfd3b5ae924110a02d9baed3061a23955c310d
SHA512

d73918a13b8705d3b37eb2adf36eb11c1243517d8aee3b479d2bb00bd4bf96001f6f8b006ab1db6221e2082b02ed14545ece1e7cbbf8d773eb0083caba4e0b4e
SSDEEP

12288:hkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:hkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1388-4-0x0000000001DD0000-0x0000000001DD1000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2108-0-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1388-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1388-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1388-36-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2108-44-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2804-53-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2804-58-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2180-75-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2380-88-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral1/memory/2380-92-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2804	cttune.exe
2180	SystemPropertiesHardware.exe
2380	rrinstaller.exe

Loads dropped DLL 7 IoCs

pid	Process
1388	Process not Found
2804	cttune.exe
1388	Process not Found
2180	SystemPropertiesHardware.exe
1388	Process not Found
2380	rrinstaller.exe
1388	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kgvptlq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\k6oE5f\\SYSTEM~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesHardware.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rrinstaller.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2108	rundll32.exe
2108	rundll32.exe
2108	rundll32.exe
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found
1388	Process not Found

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2752	1388	Process not Found	30
PID 1388 wrote to memory of 2752	1388	Process not Found	30
PID 1388 wrote to memory of 2752	1388	Process not Found	30
PID 1388 wrote to memory of 2804	1388	Process not Found	31
PID 1388 wrote to memory of 2804	1388	Process not Found	31
PID 1388 wrote to memory of 2804	1388	Process not Found	31
PID 1388 wrote to memory of 3040	1388	Process not Found	32
PID 1388 wrote to memory of 3040	1388	Process not Found	32
PID 1388 wrote to memory of 3040	1388	Process not Found	32
PID 1388 wrote to memory of 2180	1388	Process not Found	33
PID 1388 wrote to memory of 2180	1388	Process not Found	33
PID 1388 wrote to memory of 2180	1388	Process not Found	33
PID 1388 wrote to memory of 1940	1388	Process not Found	34
PID 1388 wrote to memory of 1940	1388	Process not Found	34
PID 1388 wrote to memory of 1940	1388	Process not Found	34
PID 1388 wrote to memory of 2380	1388	Process not Found	35
PID 1388 wrote to memory of 2380	1388	Process not Found	35
PID 1388 wrote to memory of 2380	1388	Process not Found	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8348572110a99fe14e9b92ed34dfd3b5ae924110a02d9baed3061a23955c310d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2752

C:\Users\Admin\AppData\Local\N70BU\cttune.exe
C:\Users\Admin\AppData\Local\N70BU\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2804

C:\Windows\system32\SystemPropertiesHardware.exe
C:\Windows\system32\SystemPropertiesHardware.exe
1⤵
PID:3040

C:\Users\Admin\AppData\Local\AnivIfLC\SystemPropertiesHardware.exe
C:\Users\Admin\AppData\Local\AnivIfLC\SystemPropertiesHardware.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2180

C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
1⤵
PID:1940

C:\Users\Admin\AppData\Local\teMj\rrinstaller.exe
C:\Users\Admin\AppData\Local\teMj\rrinstaller.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AnivIfLC\SYSDM.CPL

Filesize
1.1MB

MD5
2b369afd320be72e8dd0f45927aeb6c6

SHA1
eb3db3b59a10079738157fc611d96b9510abada7

SHA256
bd91465ea2b23a043c5fe4576cb28b89793c0c580115bebaf7c28e485ab75075

SHA512
8e2aa61b9154a1d50e0801eae0091ba7f2cc8162d91c133a7154818b2d5c605ba57c5b71b6a646a0b27a32486f8112ce4738b5f52d98166a65bc82005643eda4

Download Submit
C:\Users\Admin\AppData\Local\N70BU\UxTheme.dll

Filesize
1.1MB

MD5
03161f8be18f4e2e8e6a007d935eab89

SHA1
52d3238c1b2b855f07f1e923606769cab233d931

SHA256
da4b2f8ae07db3df379b95807f86b10667ba103d400384ec4eeb656d75248952

SHA512
1798d6065e5a81dbab3333284f89061108e99f82c42dfcf0d2be7c26a74b7bbc74757e0a303c26aa1a23414ecb272a284c57fb7314139615286d84a10348207f

Download Submit
C:\Users\Admin\AppData\Local\teMj\MFPlat.DLL

Filesize
1.1MB

MD5
d14410c9e019960947b9f6049d05aef9

SHA1
d137f9e8b8f2c8b073b5309a160433b252a78d32

SHA256
02949c0c28c24df8d78b81599cc11bf9ccb9bfbafb3e0ce6a2cc7977a4d89ac8

SHA512
9c7e1dc91aed06916d68bc3b29b823ebba96c380ea435b1cc745b9416e9b8ee6947d4073dcd03f5142fa012eab23ff9d96005dd12425c8998eac65f160796e1f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wkybhziu.lnk

Filesize
1KB

MD5
e02a7a643b57bdc1b31c6853a5d98fe1

SHA1
fd28fae936f286447c802eb81670f870bd9f2be2

SHA256
25bf0ee8826928c093a58c7afee7eddcfca05f69ab7d5dc95bd7033c07264bd3

SHA512
6947bbc07ce5e657d603e601dfbe47acb153c536aaa3a2ae55d8bebfac75c7d0ba905e2aad60a9dc910e0b1b3e179c35b3e03076d684ee191140f5950d68882f

Download Submit
\Users\Admin\AppData\Local\AnivIfLC\SystemPropertiesHardware.exe

Filesize
80KB

MD5
c63d722641c417764247f683f9fb43be

SHA1
948ec61ebf241c4d80efca3efdfc33fe746e3b98

SHA256
4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2

SHA512
7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

Download Submit
\Users\Admin\AppData\Local\N70BU\cttune.exe

Filesize
314KB

MD5
7116848fd23e6195fcbbccdf83ce9af4

SHA1
35fb16a0b68f8a84d5dfac8c110ef5972f1bee93

SHA256
39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6

SHA512
e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

Download Submit
\Users\Admin\AppData\Local\teMj\rrinstaller.exe

Filesize
54KB

MD5
0d3a73b0b30252680b383532f1758649

SHA1
9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931

SHA256
fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc

SHA512
a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

Download Submit
memory/1388-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-3-0x0000000077B26000-0x0000000077B27000-memory.dmp

Filesize
4KB

Download
memory/1388-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-25-0x0000000077D90000-0x0000000077D92000-memory.dmp

Filesize
8KB

Download
memory/1388-26-0x0000000077DC0000-0x0000000077DC2000-memory.dmp

Filesize
8KB

Download
memory/1388-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-36-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-4-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1388-45-0x0000000077B26000-0x0000000077B27000-memory.dmp

Filesize
4KB

Download
memory/1388-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1388-23-0x0000000001DB0000-0x0000000001DB7000-memory.dmp

Filesize
28KB

Download
memory/2108-44-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2108-2-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/2108-0-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2180-70-0x0000000000080000-0x0000000000087000-memory.dmp

Filesize
28KB

Download
memory/2180-75-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2380-88-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2380-91-0x00000000FF670000-0x00000000FF681000-memory.dmp

Filesize
68KB

Download
memory/2380-92-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2804-58-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2804-55-0x0000000000190000-0x0000000000197000-memory.dmp

Filesize
28KB

Download
memory/2804-53-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download