dridex | 4bc9550e00f42cfe69cc3750a41fc7d91ddcf9a48017301742fb8f4ba472e1e3

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bc9550e00f42cfe69cc3750a41fc7d91ddcf9a48017301742fb8f4ba472e1e3.dll
Size

1.1MB
MD5

406c44e26b3195a9d4fdc75506e5d5ef
SHA1

28abcfeeda814a917380d166fcd0aa8671fc4628
SHA256

4bc9550e00f42cfe69cc3750a41fc7d91ddcf9a48017301742fb8f4ba472e1e3
SHA512

80f7ea16ae8b1c674c80f87da2ebfbac1b4f952eb382e6ff2b7e2ebf53a7088ef13df3d92dad5aa15d698f0370138b784dc38f3ba3d02211bfc6eb42e6e780f6
SSDEEP

12288:hkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:hkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3344-3-0x0000000000980000-0x0000000000981000-memory.dmp	dridex_stager_shellcode

Dridex payload 8 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1964-2-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3344-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3344-36-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/1964-38-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/4056-45-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4056-50-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/3964-66-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/2024-81-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4056	SystemPropertiesDataExecutionPrevention.exe
3964	wusa.exe
2024	SystemPropertiesComputerName.exe

Loads dropped DLL 3 IoCs

pid	Process
4056	SystemPropertiesDataExecutionPrevention.exe
3964	wusa.exe
2024	SystemPropertiesComputerName.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\1X\\wusa.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesDataExecutionPrevention.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	wusa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemPropertiesComputerName.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
1964	rundll32.exe
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found
3344	Process not Found

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3344	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 2560	3344	Process not Found	86
PID 3344 wrote to memory of 2560	3344	Process not Found	86
PID 3344 wrote to memory of 4056	3344	Process not Found	87
PID 3344 wrote to memory of 4056	3344	Process not Found	87
PID 3344 wrote to memory of 744	3344	Process not Found	88
PID 3344 wrote to memory of 744	3344	Process not Found	88
PID 3344 wrote to memory of 3964	3344	Process not Found	89
PID 3344 wrote to memory of 3964	3344	Process not Found	89
PID 3344 wrote to memory of 860	3344	Process not Found	90
PID 3344 wrote to memory of 860	3344	Process not Found	90
PID 3344 wrote to memory of 2024	3344	Process not Found	91
PID 3344 wrote to memory of 2024	3344	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bc9550e00f42cfe69cc3750a41fc7d91ddcf9a48017301742fb8f4ba472e1e3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
1⤵
PID:2560

C:\Users\Admin\AppData\Local\WKw7\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\WKw7\SystemPropertiesDataExecutionPrevention.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4056

C:\Windows\system32\wusa.exe
C:\Windows\system32\wusa.exe
1⤵
PID:744

C:\Users\Admin\AppData\Local\r4aYxhf\wusa.exe
C:\Users\Admin\AppData\Local\r4aYxhf\wusa.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3964

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:860

C:\Users\Admin\AppData\Local\uKoyQr\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\uKoyQr\SystemPropertiesComputerName.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WKw7\SYSDM.CPL

Filesize
1.1MB

MD5
9d7ded2d756506828823708c0113d73c

SHA1
493531b18f4a8566e985a84e6694cf37fde9e8a3

SHA256
136288179008e3ad9a8bb71b78067476d03b7b7c5bac9969743e62af2caa805e

SHA512
2c9c9319f9e2884eed2c26165ab0bea990cf4380bdba8d92937bd371b8d9239897c5bdad89f63226577d9011166da2ae786f587ddc58a4b624503046dc40e114

Download Submit
C:\Users\Admin\AppData\Local\WKw7\SystemPropertiesDataExecutionPrevention.exe

Filesize
82KB

MD5
de58532954c2704f2b2309ffc320651d

SHA1
0a9fc98f4d47dccb0b231edf9a63309314f68e3b

SHA256
1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3

SHA512
d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

Download Submit
C:\Users\Admin\AppData\Local\r4aYxhf\dpx.dll

Filesize
1.1MB

MD5
4a851b5a3a09457e6e90bd03d65dd8bd

SHA1
0eac753028b5c76530cba984a28d598cb629e0af

SHA256
190b7de1ba8a7bf30d040b27753a99dab4c632e18060626c3214d565438df172

SHA512
c0ad9abfebdd6697acba25a8aaa6c366e802e6aa2cfdb0eb4630eaf937996920262a4f6859dcee04a747120ca7555484063bfe1228675e2d0a1b9a8999eb7954

Download Submit
C:\Users\Admin\AppData\Local\r4aYxhf\wusa.exe

Filesize
309KB

MD5
e43499ee2b4cf328a81bace9b1644c5d

SHA1
b2b55641f2799e3fdb3bea709c9532017bbac59d

SHA256
3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb

SHA512
04823764520871f9202d346b08a194bdd5f5929db6d5c2f113911f84aece7471c8d3bd2c4256119a303dbe18a0c055dbc5034d80b1f27a43744104544731f52b

Download Submit
C:\Users\Admin\AppData\Local\uKoyQr\SYSDM.CPL

Filesize
1.1MB

MD5
67bbaabb41cc6867bf03ce812788717c

SHA1
8e9d0dd330898eee3143516a1b40aab0415648f6

SHA256
497b829d52c963321f27d5d9da7a2bc0c26af9137d42680c5f16e0bdebe36461

SHA512
c2076ff5683cf3c58c5ef9c44b4ed377a67e8b87a27c9cbb8940fdc71f3fcd1f074d8c341def53cb3470aeb637048522486d61fc3ca06c36e1bb28d4cd9a1187

Download Submit
C:\Users\Admin\AppData\Local\uKoyQr\SystemPropertiesComputerName.exe

Filesize
82KB

MD5
6711765f323289f5008a6a2a04b6f264

SHA1
d8116fdf73608b4b254ad83c74f2232584d24144

SHA256
bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e

SHA512
438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
543ef64e490af68525d9659b2cc1f790

SHA1
b8ab07192c4b98f26c73c36db2663c3f6abb2169

SHA256
50b2ffa4a9bd34deeb07b281d9f4d0287a4ed00a8986037e156a616ebffbd471

SHA512
9adbccb66e004c26fe2b8396827fd61e51acdc46ade203ef11f1e575e8da7fad157dc387cce3e39ae9c056b0a13427c1683e3a3dee20bd530f15aa0824c73133

Download Submit
memory/1964-0-0x0000028AD22D0000-0x0000028AD22D7000-memory.dmp

Filesize
28KB

Download
memory/1964-2-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/1964-38-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2024-81-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/3344-26-0x00007FFCDA1F0000-0x00007FFCDA200000-memory.dmp

Filesize
64KB

Download
memory/3344-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-25-0x00007FFCDA200000-0x00007FFCDA210000-memory.dmp

Filesize
64KB

Download
memory/3344-36-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-5-0x00007FFCD9A5A000-0x00007FFCD9A5B000-memory.dmp

Filesize
4KB

Download
memory/3344-3-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3344-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3344-23-0x0000000000800000-0x0000000000807000-memory.dmp

Filesize
28KB

Download
memory/3344-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3964-61-0x0000021335440000-0x0000021335447000-memory.dmp

Filesize
28KB

Download
memory/3964-66-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4056-50-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4056-47-0x000001E9E5CB0000-0x000001E9E5CB7000-memory.dmp

Filesize
28KB

Download
memory/4056-45-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download