dridex | 9ab41214f6da199b862e32c80e37be8276ba4c54452ad4ce541b3663168f8997

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab41214f6da199b862e32c80e37be8276ba4c54452ad4ce541b3663168f8997.dll
Size

1.1MB
MD5

cf827ba49ebc6808cdc2946c97e697ae
SHA1

79f5163acc6e05138b311d3cc74d4c3cd3dc3d73
SHA256

9ab41214f6da199b862e32c80e37be8276ba4c54452ad4ce541b3663168f8997
SHA512

d3f7bff530fd6e18144eb544f7ce46e61a178bebe4d0625989f8a50c51ee076f0b41a07d6c5c9da0acf120027173fa18a30571dbe78ad45036410e357ac91af2
SSDEEP

12288:akMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:akMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3372-3-0x0000000001300000-0x0000000001301000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1528-2-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3372-35-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3372-24-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/1528-38-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4660-45-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral2/memory/4660-50-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral2/memory/2368-65-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral2/memory/856-80-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4660	sdclt.exe
2368	GamePanel.exe
856	omadmclient.exe

Loads dropped DLL 3 IoCs

pid	Process
4660	sdclt.exe
2368	GamePanel.exe
856	omadmclient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbrhc = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\3Mpx9hrew\\GamePanel.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdclt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	omadmclient.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	rundll32.exe
1528	rundll32.exe
1528	rundll32.exe
1528	rundll32.exe
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3372	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 4556	3372	Process not Found	86
PID 3372 wrote to memory of 4556	3372	Process not Found	86
PID 3372 wrote to memory of 4660	3372	Process not Found	87
PID 3372 wrote to memory of 4660	3372	Process not Found	87
PID 3372 wrote to memory of 1108	3372	Process not Found	88
PID 3372 wrote to memory of 1108	3372	Process not Found	88
PID 3372 wrote to memory of 2368	3372	Process not Found	89
PID 3372 wrote to memory of 2368	3372	Process not Found	89
PID 3372 wrote to memory of 2828	3372	Process not Found	90
PID 3372 wrote to memory of 2828	3372	Process not Found	90
PID 3372 wrote to memory of 856	3372	Process not Found	91
PID 3372 wrote to memory of 856	3372	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ab41214f6da199b862e32c80e37be8276ba4c54452ad4ce541b3663168f8997.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
1⤵
PID:4556

C:\Users\Admin\AppData\Local\72oR\sdclt.exe
C:\Users\Admin\AppData\Local\72oR\sdclt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4660

C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
1⤵
PID:1108

C:\Users\Admin\AppData\Local\f4U\GamePanel.exe
C:\Users\Admin\AppData\Local\f4U\GamePanel.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2368

C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
1⤵
PID:2828

C:\Users\Admin\AppData\Local\2LaD\omadmclient.exe
C:\Users\Admin\AppData\Local\2LaD\omadmclient.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2LaD\XmlLite.dll

Filesize
1.1MB

MD5
d4c394fa7a52144207c8fd5d48ca0a9a

SHA1
72acb45917d4a6c8e96ffaceb5126af8f74d3f41

SHA256
3cb0cb977b16948ac21fd13666737bdf2e6b788ccc7e371e442adcc9e9be51b4

SHA512
972f4cb8c17fcd23f65d5763289e5e30a2900a9f08ebdc787084838f3349ff6584232af5ce5c97e8c998725cf6c469b23fd42cca9e2cae6e76ae52beb48f65ad

Download Submit
C:\Users\Admin\AppData\Local\2LaD\omadmclient.exe

Filesize
425KB

MD5
8992b5b28a996eb83761dafb24959ab4

SHA1
697ecb33b8ff5b0e73ef29ce471153b368b1b729

SHA256
e0c6c1b082c5d61be95b7fad95155b7cb2e516d6dcd51b8e1554a176876699e7

SHA512
4ab0d71f6f9e5a5d0870d8e6eaa4b5db74ea6148de0a00603e3e56303d0fec4722172e0207b9678a5bd0136f2d43d43b9d34907183369ab3b9b9c1484034fe3d

Download Submit
C:\Users\Admin\AppData\Local\72oR\ReAgent.dll

Filesize
1.1MB

MD5
1037679752a39329d95323e9e7b7bcb8

SHA1
f4eb96176149ccb2b281ab592261aa91e3ee45e0

SHA256
e1def73a4d040edb15bad125fdb532375463b4952e335f9c56c6214f382bb0da

SHA512
bb936602704599279c0b9af190697792522fbc8ef386241072c8a779a58fc9b8add851cdbfe61c0d16f1c97e1ef5d8ee9d51aa79db149970c31b92d5af764af8

Download Submit
C:\Users\Admin\AppData\Local\72oR\sdclt.exe

Filesize
1.2MB

MD5
e09d48f225e7abcab14ebd3b8a9668ec

SHA1
1c5b9322b51c09a407d182df481609f7cb8c425d

SHA256
efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3

SHA512
384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

Download Submit
C:\Users\Admin\AppData\Local\f4U\GamePanel.exe

Filesize
1.2MB

MD5
266f6a62c16f6a889218800762b137be

SHA1
31b9bd85a37bf0cbb38a1c30147b83671458fa72

SHA256
71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd

SHA512
b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

Download Submit
C:\Users\Admin\AppData\Local\f4U\dwmapi.dll

Filesize
1.1MB

MD5
64f3408ea79447495a3693f08f731cdd

SHA1
45ff3d2aa02262af6cc8685f07e6b3bbadfce9c5

SHA256
22e60c48cad788649d4a6db3b9151fac830939ad4e3ff8ef9806fa879aeaf9a6

SHA512
af5c6e2081e0204122c98a053f73726d6334a3ad49d1f2458c8fb40e947a05e3ddce53cedc3b66b8f19b2d47adf36d2e8fb3ef0cb27240fb02485079721b568f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehuvmtvuxjwd.lnk

Filesize
1KB

MD5
5345fe2ec7016353ec5de533c468c89b

SHA1
82a8f37e11577411177f7f558bdf9b76d1109f8a

SHA256
f154309a618916a7d0ab5181f2966a703cfd4a31bd49eeb2002adebfb83d31a7

SHA512
ac4c18b281f526ad61e0caa8c496e9c58643752c0f15341f9e3cb618ebc83a76fd5da7a42b401aa6e66df2eff65e17324984ce2de682a7574886cb3291f281da

Download Submit
memory/856-80-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/1528-0-0x000002C529220000-0x000002C529227000-memory.dmp

Filesize
28KB

Download
memory/1528-2-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1528-38-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2368-65-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/3372-9-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-26-0x00007FF969EB0000-0x00007FF969EC0000-memory.dmp

Filesize
64KB

Download
memory/3372-11-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-10-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-24-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-8-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-7-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-25-0x00007FF969EC0000-0x00007FF969ED0000-memory.dmp

Filesize
64KB

Download
memory/3372-35-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-12-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-3-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/3372-4-0x00007FF968A9A000-0x00007FF968A9B000-memory.dmp

Filesize
4KB

Download
memory/3372-6-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-15-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-23-0x0000000001180000-0x0000000001187000-memory.dmp

Filesize
28KB

Download
memory/3372-14-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3372-13-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4660-50-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/4660-45-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/4660-47-0x0000023A70670000-0x0000023A70677000-memory.dmp

Filesize
28KB

Download