dridex | 67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579.dll
Size

1.1MB
MD5

edb00c9b061bf3a926d1b0c3274f556a
SHA1

b87a8d763f02967934771530826d716998a7bc8a
SHA256

67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579
SHA512

e0997a744143db3b611519aac784ecec3cab29600f3cd16ec243450333d445698c9b0dcdd1e43fd89bab898d26e65fcf45b3bb6b81d9e13ae4cbf033e15f2a8a
SSDEEP

12288:WkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:WkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3468-3-0x0000000001560000-0x0000000001561000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4780-1-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3468-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3468-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/4780-38-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/1180-47-0x0000000140000000-0x0000000140124000-memory.dmp	dridex_payload
behavioral2/memory/1180-49-0x0000000140000000-0x0000000140124000-memory.dmp	dridex_payload
behavioral2/memory/1320-58-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/1320-63-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/2896-74-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload
behavioral2/memory/2896-78-0x0000000140000000-0x000000014011F000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
1180	mspaint.exe
1320	sigverif.exe
2896	RdpSaUacHelper.exe

Loads dropped DLL 3 IoCs

pid	Process
1180	mspaint.exe
1320	sigverif.exe
2896	RdpSaUacHelper.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qiqbxsgjw = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\taF\\sigverif.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RdpSaUacHelper.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mspaint.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4780	rundll32.exe
4780	rundll32.exe
4780	rundll32.exe
4780	rundll32.exe
4780	rundll32.exe
4780	rundll32.exe
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found
3468	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3468	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 2068	3468	Process not Found	86
PID 3468 wrote to memory of 2068	3468	Process not Found	86
PID 3468 wrote to memory of 1180	3468	Process not Found	87
PID 3468 wrote to memory of 1180	3468	Process not Found	87
PID 3468 wrote to memory of 4676	3468	Process not Found	88
PID 3468 wrote to memory of 4676	3468	Process not Found	88
PID 3468 wrote to memory of 1320	3468	Process not Found	89
PID 3468 wrote to memory of 1320	3468	Process not Found	89
PID 3468 wrote to memory of 1840	3468	Process not Found	90
PID 3468 wrote to memory of 1840	3468	Process not Found	90
PID 3468 wrote to memory of 2896	3468	Process not Found	91
PID 3468 wrote to memory of 2896	3468	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\67ddb4eca1cdf94729d513e5acbb1d2b61362b9b1824afb8c3682a9b021c9579.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4780

C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
1⤵
PID:2068

C:\Users\Admin\AppData\Local\UMa5Z\mspaint.exe
C:\Users\Admin\AppData\Local\UMa5Z\mspaint.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1180

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:4676

C:\Users\Admin\AppData\Local\xQ7d7\sigverif.exe
C:\Users\Admin\AppData\Local\xQ7d7\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1320

C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
1⤵
PID:1840

C:\Users\Admin\AppData\Local\CsNdN98e\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\CsNdN98e\RdpSaUacHelper.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CsNdN98e\RdpSaUacHelper.exe

Filesize
33KB

MD5
0d5b016ac7e7b6257c069e8bb40845de

SHA1
5282f30e90cbd1be8da95b73bc1b6a7d041e43c2

SHA256
6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067

SHA512
cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

Download Submit
C:\Users\Admin\AppData\Local\CsNdN98e\WINSTA.dll

Filesize
1.1MB

MD5
98e89de72ad3f01cd896ca371ad06433

SHA1
3ef4727ceb48b36d7f2887a470069536d77cff31

SHA256
722a47e0a4632bd1d17450c10745f328a4ba70f3714707d96fa6411cde59dfc9

SHA512
744e9eae45f9f094554342a78de6a569c63f826ee49502cda518425a70fbe4dea7cbc79caa542862d1d74f3138905d8b25414c5b043e6e41072ab85f6d1ed0fb

Download Submit
C:\Users\Admin\AppData\Local\UMa5Z\MFC42u.dll

Filesize
1.1MB

MD5
af790b4ca1483f45a842fe319d8ae2ca

SHA1
7358a3c7292b957904067386f71d2591105df1c6

SHA256
6774c9993bcf5535d7314b3659320a034075f57387fae7673df50ca25d94c756

SHA512
2c338fa6899c4730e26b130787d63c1f37fbd915332f992d9af636d8c739f08c5d1eb1457ca008e4918f6452936f7c48eeeb6a37999932565afca423838979c4

Download Submit
C:\Users\Admin\AppData\Local\UMa5Z\mspaint.exe

Filesize
965KB

MD5
f221a4ccafec690101c59f726c95b646

SHA1
2098e4b62eaab213cbee73ba40fe4f1b8901a782

SHA256
94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709

SHA512
8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

Download Submit
C:\Users\Admin\AppData\Local\xQ7d7\VERSION.dll

Filesize
1.1MB

MD5
c9483b6fed4bb36e41a6b74848515505

SHA1
407c54aa0e24556f74cbae6d9ffa4514fbad9b38

SHA256
7990b9ab206d73bb689fcdd5cff27125f17af939ea6d01862a8f5c960e569353

SHA512
aedb66287e94ed012080ffb86e7547a9c209f4b841fa33c6f529354f57944f18efc3643c16e4d2a2cf50c0154d12d17889ba14c7068873f277d1fe39766cfff3

Download Submit
C:\Users\Admin\AppData\Local\xQ7d7\sigverif.exe

Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zcgcwwxuxxxcbkn.lnk

Filesize
1KB

MD5
4a0a424e161c2525c2b5ac13bb7992ce

SHA1
4c805c6b2a4a534b50b830184658b79fadd4fc51

SHA256
f81b70da8b96f2e1ad53429d2650a827451214bc8685b87dfa2635dd89093258

SHA512
d8fc4314a505a0fa7dd80e489554a28edf74ce286dd148074d7f1595764b7f6b543cc020e54eabfd5c44a064f80f5a1ad27bd92caa65be523170519dc48ad2e1

Download Submit
memory/1180-47-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/1180-46-0x00000188363D0000-0x00000188363D7000-memory.dmp

Filesize
28KB

Download
memory/1180-49-0x0000000140000000-0x0000000140124000-memory.dmp

Filesize
1.1MB

Download
memory/1320-63-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1320-58-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1320-60-0x000001B16E2C0000-0x000001B16E2C7000-memory.dmp

Filesize
28KB

Download
memory/2896-74-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/2896-78-0x0000000140000000-0x000000014011F000-memory.dmp

Filesize
1.1MB

Download
memory/3468-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-25-0x00007FFAA6820000-0x00007FFAA6830000-memory.dmp

Filesize
64KB

Download
memory/3468-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-3-0x0000000001560000-0x0000000001561000-memory.dmp

Filesize
4KB

Download
memory/3468-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-26-0x00007FFAA6810000-0x00007FFAA6820000-memory.dmp

Filesize
64KB

Download
memory/3468-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-5-0x00007FFAA610A000-0x00007FFAA610B000-memory.dmp

Filesize
4KB

Download
memory/3468-23-0x0000000001470000-0x0000000001477000-memory.dmp

Filesize
28KB

Download
memory/3468-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3468-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/4780-0-0x000002CC01B20000-0x000002CC01B27000-memory.dmp

Filesize
28KB

Download
memory/4780-38-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/4780-1-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download