dridex | 8348572110a99fe14e9b92ed34dfd3b5ae924110a02d9baed3061a23955c310d

Analysis

max time kernel
150s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8348572110a99fe14e9b92ed34dfd3b5ae924110a02d9baed3061a23955c310d.dll
Size

1.1MB
MD5

d21a8a43c577339b6a431daa03dfe6c1
SHA1

010199366ab7b43d93df5e690e72c8e62b2efd99
SHA256

8348572110a99fe14e9b92ed34dfd3b5ae924110a02d9baed3061a23955c310d
SHA512

d73918a13b8705d3b37eb2adf36eb11c1243517d8aee3b479d2bb00bd4bf96001f6f8b006ab1db6221e2082b02ed14545ece1e7cbbf8d773eb0083caba4e0b4e
SSDEEP

12288:hkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:hkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3368-3-0x00000000024A0000-0x00000000024A1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2480-2-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3368-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3368-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/2480-38-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/4564-45-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4564-50-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4132-63-0x0000014760BA0000-0x0000014760CBE000-memory.dmp	dridex_payload
behavioral2/memory/4132-67-0x0000014760BA0000-0x0000014760CBE000-memory.dmp	dridex_payload
behavioral2/memory/1848-82-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4564	Netplwiz.exe
4132	PresentationHost.exe
1848	SndVol.exe

Loads dropped DLL 4 IoCs

pid	Process
4564	Netplwiz.exe
4132	PresentationHost.exe
4132	PresentationHost.exe
1848	SndVol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Labelis = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\1hF\\PresentationHost.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Netplwiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PresentationHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	rundll32.exe
2480	rundll32.exe
2480	rundll32.exe
2480	rundll32.exe
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found
3368	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3368	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 4204	3368	Process not Found	86
PID 3368 wrote to memory of 4204	3368	Process not Found	86
PID 3368 wrote to memory of 4564	3368	Process not Found	87
PID 3368 wrote to memory of 4564	3368	Process not Found	87
PID 3368 wrote to memory of 1820	3368	Process not Found	88
PID 3368 wrote to memory of 1820	3368	Process not Found	88
PID 3368 wrote to memory of 4132	3368	Process not Found	89
PID 3368 wrote to memory of 4132	3368	Process not Found	89
PID 3368 wrote to memory of 2336	3368	Process not Found	90
PID 3368 wrote to memory of 2336	3368	Process not Found	90
PID 3368 wrote to memory of 1848	3368	Process not Found	91
PID 3368 wrote to memory of 1848	3368	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8348572110a99fe14e9b92ed34dfd3b5ae924110a02d9baed3061a23955c310d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\system32\Netplwiz.exe
C:\Windows\system32\Netplwiz.exe
1⤵
PID:4204

C:\Users\Admin\AppData\Local\iKtYqUa0\Netplwiz.exe
C:\Users\Admin\AppData\Local\iKtYqUa0\Netplwiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4564

C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
1⤵
PID:1820

C:\Users\Admin\AppData\Local\IA5pK4R\PresentationHost.exe
C:\Users\Admin\AppData\Local\IA5pK4R\PresentationHost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4132

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2336

C:\Users\Admin\AppData\Local\NXy\SndVol.exe
C:\Users\Admin\AppData\Local\NXy\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IA5pK4R\PresentationHost.exe

Filesize
276KB

MD5
ef27d65b92d89e8175e6751a57ed9d93

SHA1
7279b58e711b459434f047e9098f9131391c3778

SHA256
17d6dcfaced6873a4ac0361ff14f48313f270ac9c465e9f02b5c12b5a5274c48

SHA512
40f46c3a131bb0388b8a3f7aee422936f6e2aa8d2cda547c43c4e7979c163d06c5aa20033a5156d3eeee5d455eeb929cbce89bcc8bb1766cbb65d7f03dd23e2e

Download Submit
C:\Users\Admin\AppData\Local\IA5pK4R\VERSION.dll

Filesize
1.1MB

MD5
e8f9c13775e240dbeb6a65e4664013ff

SHA1
5e8a7cb4abc71d2a36fe9762961bd552f6057553

SHA256
c72b96210bb3e22c07fceb5c82ff6fde8e5028a63ca713696a2c954590bc095d

SHA512
9f6c3456024c955d6473fccdc6027cfd9d2b93ad4063a5b5d6c393fcd8bafff257e75eb5d31177e22e3872aebf1123bae9e798805a55c5e51f6d7a3acef65df7

Download Submit
C:\Users\Admin\AppData\Local\NXy\SndVol.exe

Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\NXy\dwmapi.dll

Filesize
1.1MB

MD5
eb293b47a95a4e9de673bdaff91fda5e

SHA1
dd3767a9bdb052a082e12feed1af2c21296e9762

SHA256
0dd3983061851d7021f019fc82a38f98ffb584ed00bae9d132dcfd4208db418b

SHA512
6f8e8d0736fc8378e8746c6c14a97bfef44eac1b901850b485d4e2fddaad3e7f6e5e97cc63162770c534c7beb48465b7afa8b23f17561ebddc54ba1fd778176f

Download Submit
C:\Users\Admin\AppData\Local\iKtYqUa0\NETPLWIZ.dll

Filesize
1.1MB

MD5
c4dee206518adf95273e34ce58c28f04

SHA1
c1d974d89c2a1019661bd901b9fcc1a182536b9c

SHA256
cc1b1a0817cfb7888f07d993722b3f3d822c3be189fa81fd8a3d818c78e01dd1

SHA512
48ef1ff0faa7a076b163a5447f5a8b819f3c51b3dc980aa44cebaf09b7d88d65d95e68808bad9941a90b783db6174de185877491e7f94c602ee4b91b26a51241

Download Submit
C:\Users\Admin\AppData\Local\iKtYqUa0\Netplwiz.exe

Filesize
40KB

MD5
520a7b7065dcb406d7eca847b81fd4ec

SHA1
d1b3b046a456630f65d482ff856c71dfd2f335c8

SHA256
8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

SHA512
7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ltmfycbfnis.lnk

Filesize
1KB

MD5
3abc3ec6704e8170956ed4f07cf1fcf3

SHA1
f6f1f4185cfa9c0641fe6cd63eb0337ee5217e5a

SHA256
155873dd262adc0d6f18d0093c9cfe35e90d43ebb0c945f3f830067f7c2e9de0

SHA512
d0d85323a5e9ae73c83605991dcc5f0939d8fee018f7d1ece7647a2d2a97327a593642f2523925c051097c412d4803dcc5da49d3caef8add0c3cf6507d944226

Download Submit
memory/1848-82-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2480-0-0x000002096B820000-0x000002096B827000-memory.dmp

Filesize
28KB

Download
memory/2480-2-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2480-38-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-26-0x00007FFB5F270000-0x00007FFB5F280000-memory.dmp

Filesize
64KB

Download
memory/3368-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-3-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3368-5-0x00007FFB5EF4A000-0x00007FFB5EF4B000-memory.dmp

Filesize
4KB

Download
memory/3368-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3368-23-0x0000000000610000-0x0000000000617000-memory.dmp

Filesize
28KB

Download
memory/3368-25-0x00007FFB5F280000-0x00007FFB5F290000-memory.dmp

Filesize
64KB

Download
memory/4132-62-0x0000014760A50000-0x0000014760A57000-memory.dmp

Filesize
28KB

Download
memory/4132-67-0x0000014760BA0000-0x0000014760CBE000-memory.dmp

Filesize
1.1MB

Download
memory/4132-63-0x0000014760BA0000-0x0000014760CBE000-memory.dmp

Filesize
1.1MB

Download
memory/4564-50-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4564-47-0x000002125E010000-0x000002125E017000-memory.dmp

Filesize
28KB

Download
memory/4564-45-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download