dridex | 67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579

Analysis

max time kernel
150s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579.dll
Size

1.1MB
MD5

edb00c9b061bf3a926d1b0c3274f556a
SHA1

b87a8d763f02967934771530826d716998a7bc8a
SHA256

67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579
SHA512

e0997a744143db3b611519aac784ecec3cab29600f3cd16ec243450333d445698c9b0dcdd1e43fd89bab898d26e65fcf45b3bb6b81d9e13ae4cbf033e15f2a8a
SSDEEP

12288:WkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:WkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1080-4-0x0000000002580000-0x0000000002581000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2080-0-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1080-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1080-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/1080-36-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2080-44-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral1/memory/2500-54-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2500-58-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/708-75-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral1/memory/2964-91-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2500	BitLockerWizard.exe
708	osk.exe
2964	osk.exe

Loads dropped DLL 7 IoCs

pid	Process
1080	Process not Found
2500	BitLockerWizard.exe
1080	Process not Found
708	osk.exe
1080	Process not Found
2964	osk.exe
1080	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtunysabu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\x6NMX6Wd\\osk.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BitLockerWizard.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
1080	Process not Found
2500	BitLockerWizard.exe
2500	BitLockerWizard.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2468	1080	Process not Found	28
PID 1080 wrote to memory of 2468	1080	Process not Found	28
PID 1080 wrote to memory of 2468	1080	Process not Found	28
PID 1080 wrote to memory of 2500	1080	Process not Found	29
PID 1080 wrote to memory of 2500	1080	Process not Found	29
PID 1080 wrote to memory of 2500	1080	Process not Found	29
PID 1080 wrote to memory of 600	1080	Process not Found	30
PID 1080 wrote to memory of 600	1080	Process not Found	30
PID 1080 wrote to memory of 600	1080	Process not Found	30
PID 1080 wrote to memory of 708	1080	Process not Found	31
PID 1080 wrote to memory of 708	1080	Process not Found	31
PID 1080 wrote to memory of 708	1080	Process not Found	31
PID 1080 wrote to memory of 2916	1080	Process not Found	32
PID 1080 wrote to memory of 2916	1080	Process not Found	32
PID 1080 wrote to memory of 2916	1080	Process not Found	32
PID 1080 wrote to memory of 2964	1080	Process not Found	33
PID 1080 wrote to memory of 2964	1080	Process not Found	33
PID 1080 wrote to memory of 2964	1080	Process not Found	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
1⤵
PID:2468

C:\Users\Admin\AppData\Local\uLi1Wy4H\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\uLi1Wy4H\BitLockerWizard.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2500

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:600

C:\Users\Admin\AppData\Local\hACPsL\osk.exe
C:\Users\Admin\AppData\Local\hACPsL\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:708

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2916

C:\Users\Admin\AppData\Local\xVJ\osk.exe
C:\Users\Admin\AppData\Local\xVJ\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\hACPsL\dwmapi.dll

Filesize
1.1MB

MD5
bde5e428430c4d5a765ec716054ef830

SHA1
043624c401a7f39f487fd5d6368783ae14aa15a0

SHA256
ada51ca3f48d4a84b618a6f73b94aa8a7076e73c7f6a00a7713ffae9c85ab490

SHA512
e06e57236fee4f43f5e92b5320756155ed34c05c3300c17ad23069293664005f4395f0e39fc2b0ca7e8ec31e96e01c285f12027cecc0a161a0a5c354b93f5d04

Download Submit
C:\Users\Admin\AppData\Local\uLi1Wy4H\FVEWIZ.dll

Filesize
1.1MB

MD5
ed5606d32e7aa4ac9b19747493127e7a

SHA1
6f47b7e3ed4f8d2eb9a642834aa4aa86e52eaed8

SHA256
b9d0e3449a87674d2d5572f545771d2c65cd09930286bf83a0d34a615f7ba30a

SHA512
f8ccefd8553fc7949eda55464222a54a89b8e3901f10dd7f3938c34b152a69dff86bc88355d281a1836ec2509bd643f07cc8bce4ab1156193b450b65fde28d93

Download Submit
C:\Users\Admin\AppData\Local\xVJ\MSSWCH.dll

Filesize
1.1MB

MD5
423c8617f835545290dddfc2ffd70ec2

SHA1
b8ebeef871f6a3fa6a27b45fea033c3b7ef1b7ae

SHA256
324103ee1433f17cb74e348603f937f86b6ee0e8e76517db70410a40d443bf00

SHA512
f3478d8658f65d734fbb06d33689e39fa169574c2f9874db2bdde2b1335d6c390f1cdde85cf8b1b797c8f33b8c2629173744315132b3a1cd800b755fb4384323

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gwifj.lnk

Filesize
1KB

MD5
81a41062b280a6aaf02eb91a184fd442

SHA1
53f34243fc199baf77c258c08341ded537fc70f0

SHA256
b72a2a4f66040d0983fc750c908c375fc9dcfbf2194abdeaa498907bdc8ba896

SHA512
e5b7a90373fddf954f123358e1bf2cc255a3da5c3ba7f31cd2d0b46c60f33bd5961a24561f7de9eaf6343490ba2d7e5d1e2c8bedd07662432676ed6f0e76c5d7

Download Submit
\Users\Admin\AppData\Local\hACPsL\osk.exe

Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
\Users\Admin\AppData\Local\uLi1Wy4H\BitLockerWizard.exe

Filesize
98KB

MD5
08a761595ad21d152db2417d6fdb239a

SHA1
d84c1bc2e8c9afce9fb79916df9bca169f93a936

SHA256
ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620

SHA512
8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

Download Submit
memory/708-75-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/708-70-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/1080-25-0x0000000077E40000-0x0000000077E42000-memory.dmp

Filesize
8KB

Download
memory/1080-45-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

Filesize
4KB

Download
memory/1080-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-3-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

Filesize
4KB

Download
memory/1080-26-0x0000000077E70000-0x0000000077E72000-memory.dmp

Filesize
8KB

Download
memory/1080-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-36-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-4-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1080-23-0x0000000002560000-0x0000000002567000-memory.dmp

Filesize
28KB

Download
memory/1080-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1080-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2080-44-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2080-0-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2080-2-0x0000000000120000-0x0000000000127000-memory.dmp

Filesize
28KB

Download
memory/2500-58-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2500-54-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/2500-53-0x0000000001F10000-0x0000000001F17000-memory.dmp

Filesize
28KB

Download
memory/2964-91-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download