dridex | 6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b

Analysis

max time kernel
150s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b.dll
Size

1.1MB
MD5

e6d1c2e5b87a7ed6ba3589239a6f4df1
SHA1

23b73577254af4ca38171c0414b44bdee8980c50
SHA256

6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b
SHA512

9c6be91ff095cc8828ae4aff713ceb20e098f81e49ba3a2e61c16b9c06d99bfb14604e5074811d2a0de176748b96a06f72ad0a3d3e8b21827d43eb087b1ecae8
SSDEEP

12288:4kMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:4kMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3432-3-0x0000000002210000-0x0000000002211000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1876-2-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3432-34-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/3432-23-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/1876-37-0x0000000140000000-0x000000014011C000-memory.dmp	dridex_payload
behavioral2/memory/2164-44-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/2164-49-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3372-60-0x0000000140000000-0x0000000140162000-memory.dmp	dridex_payload
behavioral2/memory/3372-65-0x0000000140000000-0x0000000140162000-memory.dmp	dridex_payload
behavioral2/memory/3552-76-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3552-80-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2164	sigverif.exe
3372	DmNotificationBroker.exe
3552	sessionmsg.exe

Loads dropped DLL 3 IoCs

pid	Process
2164	sigverif.exe
3372	DmNotificationBroker.exe
3552	sessionmsg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmqwm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\TEMPLA~1\\LIVECO~1\\16\\Managed\\DOCUME~1\\0Q\\DMNOTI~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sigverif.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DmNotificationBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sessionmsg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found
3432	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3432	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 2388	3432	Process not Found	86
PID 3432 wrote to memory of 2388	3432	Process not Found	86
PID 3432 wrote to memory of 2164	3432	Process not Found	87
PID 3432 wrote to memory of 2164	3432	Process not Found	87
PID 3432 wrote to memory of 4572	3432	Process not Found	88
PID 3432 wrote to memory of 4572	3432	Process not Found	88
PID 3432 wrote to memory of 3372	3432	Process not Found	89
PID 3432 wrote to memory of 3372	3432	Process not Found	89
PID 3432 wrote to memory of 4336	3432	Process not Found	90
PID 3432 wrote to memory of 4336	3432	Process not Found	90
PID 3432 wrote to memory of 3552	3432	Process not Found	91
PID 3432 wrote to memory of 3552	3432	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6811fbd0b434eb5dc240aba573f8d5b39e52171d540b372841071d156328135b.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
1⤵
PID:2388

C:\Users\Admin\AppData\Local\J7OKE0o\sigverif.exe
C:\Users\Admin\AppData\Local\J7OKE0o\sigverif.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2164

C:\Windows\system32\DmNotificationBroker.exe
C:\Windows\system32\DmNotificationBroker.exe
1⤵
PID:4572

C:\Users\Admin\AppData\Local\I3LrkqXdC\DmNotificationBroker.exe
C:\Users\Admin\AppData\Local\I3LrkqXdC\DmNotificationBroker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3372

C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
1⤵
PID:4336

C:\Users\Admin\AppData\Local\CLJ9\sessionmsg.exe
C:\Users\Admin\AppData\Local\CLJ9\sessionmsg.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CLJ9\DUser.dll

Filesize
1.1MB

MD5
f4a0b50aa3fba5e7f3ed8d26b7bfae5a

SHA1
198b1bb27bf70bf243e0ceb6c9cdb795aba5e220

SHA256
dd57978ae690bd31caea9fba1e3c25e356eb73041b73cb6105ad4a02cdee0267

SHA512
a2e20adafc38561a01792af8a52bf9984114a042e3dbbadc1effe90d78b615d2e247f443fa4a02c30577d8015489cdecc8206cf452a4aa7f116bf765c5497218

Download Submit
C:\Users\Admin\AppData\Local\CLJ9\sessionmsg.exe

Filesize
85KB

MD5
480f710806b68dfe478ca1ec7d7e79cc

SHA1
b4fc97fed2dbff9c4874cb65ede7b50699db37cd

SHA256
2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc

SHA512
29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

Download Submit
C:\Users\Admin\AppData\Local\I3LrkqXdC\DUI70.dll

Filesize
1.4MB

MD5
b4f5726821a972b36f530ce05ab9a8f3

SHA1
315ab2e01e1440d64d3dda458df0c75dd1d17628

SHA256
8859e6818aa58144ea774573fa9dd0e25527361edfec59122aa3b1ae0949dd10

SHA512
64e745f9e6a80b8fde6917380666b89b793d35bf3abad0e0a0106fd3023f4e08541bd57fb8f508d8fb881439341023c169ea0616e077a20bed15cfaf02cf9bd7

Download Submit
C:\Users\Admin\AppData\Local\I3LrkqXdC\DmNotificationBroker.exe

Filesize
32KB

MD5
f0bdc20540d314a2aad951c7e2c88420

SHA1
4ab344595a4a81ab5f31ed96d72f217b4cee790b

SHA256
f87537e5f26193a2273380f86cc9ac16d977f65b0eff2435e40be830fd99f7b5

SHA512
cb69e35b2954406735264a4ae8fe1eca1bd4575f553ab2178c70749ab997bda3c06496d2fce97872c51215a19093e51eea7cc8971af62ad9d5726f3a0d2730aa

Download Submit
C:\Users\Admin\AppData\Local\J7OKE0o\VERSION.dll

Filesize
1.1MB

MD5
ac9e02f3c491d0c132223d9db7a62eef

SHA1
c74f57c4ce0acb1e275e5b770e2395e550e5a64d

SHA256
edf67c23c4f0b95aaa92de2ab630bcfc8431d404c9f26434850caf9245b414e2

SHA512
91da1a3364473749be4d4b620974ad7a47c4d9ddf28ff3cf6513718fe71d0d5c086adb366449dbc2f1e49e51d48e03aae24113ddbe4e5d29d126f2686de2f45b

Download Submit
C:\Users\Admin\AppData\Local\J7OKE0o\sigverif.exe

Filesize
77KB

MD5
2151a535274b53ba8a728e542cbc07a8

SHA1
a2304c0f2616a7d12298540dce459dd9ccf07443

SHA256
064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd

SHA512
e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Womuvunldsugi.lnk

Filesize
1KB

MD5
802ce575ba69c1a4d95dc49ee451bfe3

SHA1
37bc27720a9ecd274fe7bb6487f4a44dc27cd626

SHA256
f89461770b847a0d86a7b472687879248ab39e1620f327de7bb0981df1bdae27

SHA512
9b79739b80e8872801e01f3f656ce4b8a4d1197d810d0e374d8854923d8cfaff030c560191c6f6d8b9456654d5bd1409079c21f32c79b254472232604aec1cbb

Download Submit
memory/1876-0-0x00000219734C0000-0x00000219734C7000-memory.dmp

Filesize
28KB

Download
memory/1876-37-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/1876-2-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2164-49-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2164-44-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2164-46-0x000001BF05BC0000-0x000001BF05BC7000-memory.dmp

Filesize
28KB

Download
memory/3372-62-0x000002318E030000-0x000002318E037000-memory.dmp

Filesize
28KB

Download
memory/3372-60-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3372-65-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/3432-11-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-25-0x00007FFCE8250000-0x00007FFCE8260000-memory.dmp

Filesize
64KB

Download
memory/3432-7-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-8-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-14-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-10-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-23-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-34-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-24-0x00007FFCE8260000-0x00007FFCE8270000-memory.dmp

Filesize
64KB

Download
memory/3432-6-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-13-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-22-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/3432-12-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-9-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3432-3-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/3432-5-0x00007FFCE7C6A000-0x00007FFCE7C6B000-memory.dmp

Filesize
4KB

Download
memory/3552-80-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3552-76-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download