dridex | a52f659bb3d1b5cf058752c904488078b1dab05992f21b858129a829429c279c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a52f659bb3d1b5cf058752c904488078b1dab05992f21b858129a829429c279c.dll
Size

1.1MB
MD5

a44d3f9481fa8b38391601fee76a5809
SHA1

60308d0829cf769f88725debddb0c89bbe296e11
SHA256

a52f659bb3d1b5cf058752c904488078b1dab05992f21b858129a829429c279c
SHA512

304af4426f721ed5fc5bc982a120e07b108a31317f67683de5997fbc3cc87b5d34e74662aaffce1ae0d7c86a8613eb152de71c3fd8d069cc209fe990bf42c3c4
SSDEEP

12288:IkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64Cdw:IkMZ+gf4ltGd8H1fYO0q2G1AhW9

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3484-4-0x0000000000A60000-0x0000000000A61000-memory.dmp	dridex_stager_shellcode

Dridex payload 10 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/1624-1-0x0000000140000000-0x0000000140122000-memory.dmp	dridex_payload
behavioral2/memory/3484-23-0x0000000140000000-0x0000000140122000-memory.dmp	dridex_payload
behavioral2/memory/3484-34-0x0000000140000000-0x0000000140122000-memory.dmp	dridex_payload
behavioral2/memory/1624-37-0x0000000140000000-0x0000000140122000-memory.dmp	dridex_payload
behavioral2/memory/2944-48-0x0000021982F90000-0x00000219830B3000-memory.dmp	dridex_payload
behavioral2/memory/2944-51-0x0000021982F90000-0x00000219830B3000-memory.dmp	dridex_payload
behavioral2/memory/1048-63-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/1048-66-0x0000000140000000-0x0000000140168000-memory.dmp	dridex_payload
behavioral2/memory/5044-78-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload
behavioral2/memory/5044-81-0x0000000140000000-0x0000000140123000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
2944	ie4uinit.exe
1048	SystemSettingsAdminFlows.exe
5044	iexpress.exe

Loads dropped DLL 5 IoCs

pid	Process
2944	ie4uinit.exe
2944	ie4uinit.exe
2944	ie4uinit.exe
1048	SystemSettingsAdminFlows.exe
5044	iexpress.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rrsphmonwo = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\paVxSNJ\\SYSTEM~1.EXE"	Process not Found

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ie4uinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsAdminFlows.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexpress.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	regsvr32.exe
1624	regsvr32.exe
1624	regsvr32.exe
1624	regsvr32.exe
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found
3484	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3484	Process not Found
3484	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 3880	3484	Process not Found	87
PID 3484 wrote to memory of 3880	3484	Process not Found	87
PID 3484 wrote to memory of 2944	3484	Process not Found	88
PID 3484 wrote to memory of 2944	3484	Process not Found	88
PID 3484 wrote to memory of 4392	3484	Process not Found	89
PID 3484 wrote to memory of 4392	3484	Process not Found	89
PID 3484 wrote to memory of 1048	3484	Process not Found	90
PID 3484 wrote to memory of 1048	3484	Process not Found	90
PID 3484 wrote to memory of 1880	3484	Process not Found	91
PID 3484 wrote to memory of 1880	3484	Process not Found	91
PID 3484 wrote to memory of 5044	3484	Process not Found	92
PID 3484 wrote to memory of 5044	3484	Process not Found	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a52f659bb3d1b5cf058752c904488078b1dab05992f21b858129a829429c279c.dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\system32\ie4uinit.exe
C:\Windows\system32\ie4uinit.exe
1⤵
PID:3880

C:\Users\Admin\AppData\Local\HCoZ\ie4uinit.exe
C:\Users\Admin\AppData\Local\HCoZ\ie4uinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2944

C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
1⤵
PID:4392

C:\Users\Admin\AppData\Local\I4vDLz6\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\I4vDLz6\SystemSettingsAdminFlows.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1048

C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
1⤵
PID:1880

C:\Users\Admin\AppData\Local\ntVZS2lJ\iexpress.exe
C:\Users\Admin\AppData\Local\ntVZS2lJ\iexpress.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HCoZ\VERSION.dll

Filesize
1.1MB

MD5
b009d34804d98b837d1353cc93f3cb8a

SHA1
4d27ba6a6bbb92aed917d2bb4904ba11bd618b2b

SHA256
4de95dd94e8197d706cd6a93bf9aba6cc871307c087b778a224af06611a7c7c8

SHA512
c503cc4a47296449406c6c4de9ea4c69c84993b013e12b62c09ea117c6b5b068518d4e3ad9ef5b1673bd67a13963275b3a94e652e26a82f9460d0ea96b6887a0

Download Submit
C:\Users\Admin\AppData\Local\HCoZ\ie4uinit.exe

Filesize
262KB

MD5
a2f0104edd80ca2c24c24356d5eacc4f

SHA1
8269b9fd9231f04ed47419bd565c69dc677fab56

SHA256
5d85c4d62cc26996826b9d96a9153f7e05a2260342bd913b3730610a1809203c

SHA512
e7bb87f9f6c82cb945b95f62695be98b3fa827a24fa8c4187fe836d4e7d3e7ae3b95101edd3c41d65f6cb684910f5954a67307d450072acd8d475212db094390

Download Submit
C:\Users\Admin\AppData\Local\I4vDLz6\DUI70.dll

Filesize
1.4MB

MD5
63a1619d6805b8e3ea889fef4c234c1b

SHA1
802d4f9ba1154afd164c20b9255056e6a5cde86a

SHA256
24dcdeb7f92bc7981f7c8baf079e58293958587bca42d0e8789eabfd5658bc6c

SHA512
cdcec43535631efba7d74f17d1f08f62d4c5204e8fe2d01dc538d8bc011f50a177085c342ddafbcc11e33fbe80215938c14c35ffb9807a1a9bbf6c9ab2ec4e41

Download Submit
C:\Users\Admin\AppData\Local\I4vDLz6\SystemSettingsAdminFlows.exe

Filesize
506KB

MD5
50adb2c7c145c729b9de8b7cf967dd24

SHA1
a31757f08da6f95156777c1132b6d5f1db3d8f30

SHA256
a7a2e7122d27308df37b7ab718ef3ac239e4216669f51331e34e205f59fb0aec

SHA512
715b4c93e79e896da1cf86cf4455a84cba1aeac34b6fd72d2afdf203a2034f6f8fac1d6501f0dd277a17bd1d7ab73ddd1887e01a99f2d26f39efeb94d0aac9b0

Download Submit
C:\Users\Admin\AppData\Local\ntVZS2lJ\VERSION.dll

Filesize
1.1MB

MD5
145e3f24aac0187498e6b50b63e9fb3c

SHA1
cfce7c64f444300928c7fc866deb6319e4db8144

SHA256
c927423552943630ed3b2523ada240b2022a387721ab90cd0bb86d7b6d690f77

SHA512
549698a7e15d665963c7fac627d201cfcf03ad62ce0482f1d3cf5b8930fdc0daedbd8e17cf26c75c7435d33c5c2b57e6bb0ba29b994e9cf529920d950222143c

Download Submit
C:\Users\Admin\AppData\Local\ntVZS2lJ\iexpress.exe

Filesize
166KB

MD5
17b93a43e25d821d01af40ba6babcc8c

SHA1
97c978d78056d995f751dfef1388d7cce4cc404a

SHA256
d070b79fa254c528babb73d607a7a8fd53db89795d751f42fc0a283b61a76fd3

SHA512
6b5743b37a3be8ae9ee2ab84e0749c32c60544298a7cce396470aa40bbd13f2e838d5d98159f21d500d20817c51ebce4b1d2f554e3e05f6c7fc97bc9d70ea391

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yxuzhivmkyvewy.lnk

Filesize
1KB

MD5
394cb632a22b7df8e61f09631497b308

SHA1
f387198d9b659e715276f5f67bf3d38528e71d87

SHA256
adae18ff3eb27c18caca0819d45b7153dbfe642d7016bbb3f7e974ee590ba02f

SHA512
504769ee104ac8c29206b5028096014d2743cb585dc420d994cd1767922cebecb6671fceee787b2fd8124a3b388928e5a29d95ce6f7dbb788d35c0ccf4ab764e

Download Submit
memory/1048-66-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1048-63-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1624-0-0x0000000000F20000-0x0000000000F27000-memory.dmp

Filesize
28KB

Download
memory/1624-37-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/1624-1-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/2944-51-0x0000021982F90000-0x00000219830B3000-memory.dmp

Filesize
1.1MB

Download
memory/2944-48-0x0000021982F90000-0x00000219830B3000-memory.dmp

Filesize
1.1MB

Download
memory/2944-46-0x0000021982E70000-0x0000021982E77000-memory.dmp

Filesize
28KB

Download
memory/3484-25-0x00007FF8EC2B0000-0x00007FF8EC2C0000-memory.dmp

Filesize
64KB

Download
memory/3484-24-0x00007FF8EC2C0000-0x00007FF8EC2D0000-memory.dmp

Filesize
64KB

Download
memory/3484-34-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-7-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-9-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-10-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-11-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-12-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-23-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-6-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-14-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-22-0x0000000000350000-0x0000000000357000-memory.dmp

Filesize
28KB

Download
memory/3484-13-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-8-0x0000000140000000-0x0000000140122000-memory.dmp

Filesize
1.1MB

Download
memory/3484-4-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3484-3-0x00007FF8EB53A000-0x00007FF8EB53B000-memory.dmp

Filesize
4KB

Download
memory/5044-81-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download
memory/5044-78-0x0000000140000000-0x0000000140123000-memory.dmp

Filesize
1.1MB

Download