dridex | a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13.dll
Size

1.1MB
MD5

a4b1c110a484ba5ca47588ea117ce092
SHA1

82f5efbb7fe1cb100d0521e64311c97ac771a875
SHA256

a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13
SHA512

fd2bfa5c05f51a8aa9ad3602ec9a6fabfb1178d42f80113bf19700260107415dacc1b7e6d7dbf3b7e2a65665f3b3776b30403f791040430c632224bb3d889309
SSDEEP

12288:nkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:nkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3452-3-0x0000000002B30000-0x0000000002B31000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2388-1-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3452-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3452-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/2388-38-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3056-46-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3056-50-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/760-61-0x0000000140000000-0x0000000140163000-memory.dmp	dridex_payload
behavioral2/memory/760-66-0x0000000140000000-0x0000000140163000-memory.dmp	dridex_payload
behavioral2/memory/4948-81-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
3056	SndVol.exe
760	DisplaySwitch.exe
4948	cttune.exe

Loads dropped DLL 3 IoCs

pid	Process
3056	SndVol.exe
760	DisplaySwitch.exe
4948	cttune.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\I5S6Ps\\DisplaySwitch.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SndVol.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cttune.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	regsvr32.exe
2388	regsvr32.exe
2388	regsvr32.exe
2388	regsvr32.exe
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found
3452	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2668	3452	Process not Found	86
PID 3452 wrote to memory of 2668	3452	Process not Found	86
PID 3452 wrote to memory of 3056	3452	Process not Found	87
PID 3452 wrote to memory of 3056	3452	Process not Found	87
PID 3452 wrote to memory of 4820	3452	Process not Found	88
PID 3452 wrote to memory of 4820	3452	Process not Found	88
PID 3452 wrote to memory of 760	3452	Process not Found	89
PID 3452 wrote to memory of 760	3452	Process not Found	89
PID 3452 wrote to memory of 2960	3452	Process not Found	90
PID 3452 wrote to memory of 2960	3452	Process not Found	90
PID 3452 wrote to memory of 4948	3452	Process not Found	91
PID 3452 wrote to memory of 4948	3452	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a63124e1c689fd3a1bed990b4faf822fcd0a0797b2b2b68609e7d169b494fa13.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
1⤵
PID:2668

C:\Users\Admin\AppData\Local\Tri\SndVol.exe
C:\Users\Admin\AppData\Local\Tri\SndVol.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3056

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:4820

C:\Users\Admin\AppData\Local\tuBvnMQB\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\tuBvnMQB\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:760

C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
1⤵
PID:2960

C:\Users\Admin\AppData\Local\8UKwaF\cttune.exe
C:\Users\Admin\AppData\Local\8UKwaF\cttune.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8UKwaF\OLEACC.dll

Filesize
1.1MB

MD5
92c2adbfa28657df469ab3fccb550e6d

SHA1
dc729619ecf9cb15f41b97457120e355108d0e33

SHA256
1c96069eeb5666ac2e7443452f11c635d9fdb635b8b2af576cb64cfa1b4eba11

SHA512
3998a5608138ddecb2cb906d601d0b59defa8286c125aac8736a45741ccaf6fbd59a07dfa4d9ae59cc06be70d0c0f7572e52d846f53621148f04390b0d08bdd9

Download Submit
C:\Users\Admin\AppData\Local\8UKwaF\cttune.exe

Filesize
90KB

MD5
fa924465a33833f41c1a39f6221ba460

SHA1
801d505d81e49d2b4ffa316245ca69ff58c523c3

SHA256
de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da

SHA512
eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

Download Submit
C:\Users\Admin\AppData\Local\Tri\SndVol.exe

Filesize
269KB

MD5
c5d939ac3f9d885c8355884199e36433

SHA1
b8f277549c23953e8683746e225e7af1c193ad70

SHA256
68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605

SHA512
8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

Download Submit
C:\Users\Admin\AppData\Local\Tri\dwmapi.dll

Filesize
1.1MB

MD5
38edeb141c4fb8ce9f034af795149c7a

SHA1
f7f0907344592859eafcc52a2c05ab1c32549015

SHA256
89f34699e63501a66b7628f33195de1b1a9f05d2db034ebce29d828f9d87df2b

SHA512
faa1ca9e33c07890c8cd1749c8a3d0992bc2652c8b8b89e782e8c2f20f95c2c9fef5d8eb137e4005331a7d65175418cc01656b313acc635dc11493cd8340e4a0

Download Submit
C:\Users\Admin\AppData\Local\tuBvnMQB\DUI70.dll

Filesize
1.4MB

MD5
ecf00929ffcc148f80d15b69bd8106b0

SHA1
79b90e52b9f243addd336c572cf45faa8c5d55bb

SHA256
0bdf0f209a054f388327a1dddca3dca152fd3cf1680b67a20a3e7ff0ff80001d

SHA512
450eae42fb8f356980f9646080f0db4bf538f96c0f6aa6022c1b9b9adbec1c0cac9c38a080ea117f8fca2dab8de3a172436d57715c660558914fbe4fd2a5e0a3

Download Submit
C:\Users\Admin\AppData\Local\tuBvnMQB\DisplaySwitch.exe

Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
b9b543af325343fb236589f2a9b91f36

SHA1
a8291689d4be578cc5b2ba1cdb6ed42cafc7abbd

SHA256
8cd41dd4c5445c63388c5c58903c2de95908ce49b89e46e84c7b5f2801106a46

SHA512
1a68070223dd2ab093aff931bc8e8de853abead3cf881e54d7995948e7870c6d24ffe7e75ea330067adf0592fe4f64303d72621a822491ca273c3ae598ae1179

Download Submit
memory/760-66-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/760-61-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/760-63-0x00000294C66A0000-0x00000294C66A7000-memory.dmp

Filesize
28KB

Download
memory/2388-0-0x00000000006D0000-0x00000000006D7000-memory.dmp

Filesize
28KB

Download
memory/2388-38-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2388-1-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3056-50-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-46-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3056-47-0x000001EDCB620000-0x000001EDCB627000-memory.dmp

Filesize
28KB

Download
memory/3452-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-25-0x00007FFA9A2A0000-0x00007FFA9A2B0000-memory.dmp

Filesize
64KB

Download
memory/3452-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-26-0x00007FFA9A290000-0x00007FFA9A2A0000-memory.dmp

Filesize
64KB

Download
memory/3452-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-23-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/3452-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3452-4-0x00007FFA9A20A000-0x00007FFA9A20B000-memory.dmp

Filesize
4KB

Download
memory/3452-3-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/4948-81-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download