dridex | 67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579.dll
Size

1.1MB
MD5

edb00c9b061bf3a926d1b0c3274f556a
SHA1

b87a8d763f02967934771530826d716998a7bc8a
SHA256

67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579
SHA512

e0997a744143db3b611519aac784ecec3cab29600f3cd16ec243450333d445698c9b0dcdd1e43fd89bab898d26e65fcf45b3bb6b81d9e13ae4cbf033e15f2a8a
SSDEEP

12288:WkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:WkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3500-4-0x0000000002380000-0x0000000002381000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral2/memory/3524-1-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3500-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3500-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3524-38-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/4860-45-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral2/memory/4860-50-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral2/memory/3440-63-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3440-66-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4724-77-0x0000000140000000-0x0000000140163000-memory.dmp	dridex_payload
behavioral2/memory/4724-81-0x0000000140000000-0x0000000140163000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

rdpinput.exeprintfilterpipelinesvc.exeEaseOfAccessDialog.exe

pid	Process
4860	rdpinput.exe
3440	printfilterpipelinesvc.exe
4724	EaseOfAccessDialog.exe

Loads dropped DLL 3 IoCs

Processes:

rdpinput.exeprintfilterpipelinesvc.exeEaseOfAccessDialog.exe

pid	Process
4860	rdpinput.exe
3440	printfilterpipelinesvc.exe
4724	EaseOfAccessDialog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sarxmtvezib = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\4u8\\printfilterpipelinesvc.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

EaseOfAccessDialog.exerundll32.exerdpinput.exeprintfilterpipelinesvc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EaseOfAccessDialog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinput.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	printfilterpipelinesvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
3524	rundll32.exe
3524	rundll32.exe
3524	rundll32.exe
3524	rundll32.exe
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500
3500

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
3500

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	procid_target
PID 3500 wrote to memory of 2360	3500	86
PID 3500 wrote to memory of 2360	3500	86
PID 3500 wrote to memory of 4860	3500	87
PID 3500 wrote to memory of 4860	3500	87
PID 3500 wrote to memory of 3144	3500	88
PID 3500 wrote to memory of 3144	3500	88
PID 3500 wrote to memory of 3440	3500	89
PID 3500 wrote to memory of 3440	3500	89
PID 3500 wrote to memory of 848	3500	90
PID 3500 wrote to memory of 848	3500	90
PID 3500 wrote to memory of 4724	3500	91
PID 3500 wrote to memory of 4724	3500	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
1⤵
PID:2360

C:\Users\Admin\AppData\Local\H1hse8\rdpinput.exe
C:\Users\Admin\AppData\Local\H1hse8\rdpinput.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4860

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe
1⤵
PID:3144

C:\Users\Admin\AppData\Local\8QYoSojOP\printfilterpipelinesvc.exe
C:\Users\Admin\AppData\Local\8QYoSojOP\printfilterpipelinesvc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3440

C:\Windows\system32\EaseOfAccessDialog.exe
C:\Windows\system32\EaseOfAccessDialog.exe
1⤵
PID:848

C:\Users\Admin\AppData\Local\pq3a7fe\EaseOfAccessDialog.exe
C:\Users\Admin\AppData\Local\pq3a7fe\EaseOfAccessDialog.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8QYoSojOP\XmlLite.dll

Filesize
1.1MB

MD5
7da589547de4b4a5d3030da72badba8f

SHA1
34f56051e62aa7b6fc12088bb01e5384115fe5bf

SHA256
377fc0a2f568fbe62f1597c72e1f91c0a89727abdb182f8156a85f8066795ec0

SHA512
db47721e0dfbe303a276847c183d93ffcb15cf3b2e940247300236ef268bfabc95dd0adef32117459f73326a870c97eecec945cc37d60eed6eeb14c3c82f791f

Download Submit
C:\Users\Admin\AppData\Local\8QYoSojOP\printfilterpipelinesvc.exe

Filesize
813KB

MD5
331a40eabaa5870e316b401bd81c4861

SHA1
ddff65771ca30142172c0d91d5bfff4eb1b12b73

SHA256
105099819555ed87ef3dab70a2eaf2cb61076f453266cec57ffccb8f4c00df88

SHA512
29992dbf10f327d77865af5e6ebbe66b937a5b4ad04c68cafbf4e6adbd6c6532c8a82ac7e638d97c1f053353a7c8a6d7e379f389af15443c94a1e8f9b16be5f8

Download Submit
C:\Users\Admin\AppData\Local\H1hse8\WINSTA.dll

Filesize
1.1MB

MD5
298349d922f9ab07fbd614bf7bb56207

SHA1
c19ab37f8a82a62b839910d59c4dfe7b230c42af

SHA256
939a47db94eff04384790e769d3f30c30f1d2bdb348531e4e56ef2a369f6172c

SHA512
bfa76eda42fddab6310824b715dc1993145df6c880f2d2116c930b63d4285548853c7f4a9023214161d91bbe254b8edb3bc9b069d5f42063490fa31f35d7261d

Download Submit
C:\Users\Admin\AppData\Local\H1hse8\rdpinput.exe

Filesize
180KB

MD5
bd99eeca92869f9a3084d689f335c734

SHA1
a2839f6038ea50a4456cd5c2a3ea003e7b77688c

SHA256
39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143

SHA512
355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

Download Submit
C:\Users\Admin\AppData\Local\pq3a7fe\DUI70.dll

Filesize
1.4MB

MD5
e2017393ba968102e5b33a35e8e77f0d

SHA1
a84e65bac97d63a74357ec46c572867ada56c5ab

SHA256
1d5a0c4b626c479f7bb3d8d66fab7261619bf6c54296ff92afd48699af1c39bf

SHA512
4f36cea6be7a9b833696dba15f726f75ec68d1a5baf75415d80a17734bde9d46e2f4db1a84079d53b22a101a50a97b7423ad00436d9617c962aa8a271b51e563

Download Submit
C:\Users\Admin\AppData\Local\pq3a7fe\EaseOfAccessDialog.exe

Filesize
123KB

MD5
e75ee992c1041341f709a517c8723c87

SHA1
471021260055eac0021f0abffa2d0ba77a2f380e

SHA256
0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc

SHA512
48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk

Filesize
1KB

MD5
5596d4defe6db75f994cb32e860637b5

SHA1
1715dab4a5c8feaa9a1ac8d7809718fba59dec0e

SHA256
1dcb581651bab018fdd88e4c6e8f664bc1068f7781bd5d2cc3a3636851865304

SHA512
4f20302572beb21d3aef827317b3ccc8bdbc5fba917fbf1f8b3b21678f0f3b66d5d09e3c44a395b70bd31d96c632007a82154642a4f0240173dbb3bab19da983

Download Submit
memory/3440-66-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3440-63-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3440-61-0x000001F629CF0000-0x000001F629CF7000-memory.dmp

Filesize
28KB

Download
memory/3500-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-3-0x00007FFFEF0EA000-0x00007FFFEF0EB000-memory.dmp

Filesize
4KB

Download
memory/3500-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-4-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3500-25-0x00007FFFF01E0000-0x00007FFFF01F0000-memory.dmp

Filesize
64KB

Download
memory/3500-26-0x00007FFFF01D0000-0x00007FFFF01E0000-memory.dmp

Filesize
64KB

Download
memory/3500-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-23-0x00000000021F0000-0x00000000021F7000-memory.dmp

Filesize
28KB

Download
memory/3500-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3500-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3524-38-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3524-1-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3524-2-0x0000021889620000-0x0000021889627000-memory.dmp

Filesize
28KB

Download
memory/4724-77-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/4724-81-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/4860-50-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/4860-45-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/4860-47-0x000002B19E400000-0x000002B19E407000-memory.dmp

Filesize
28KB

Download