dridex | 4bc9550e00f42cfe69cc3750a41fc7d91ddcf9a48017301742fb8f4ba472e1e3

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bc9550e00f42cfe69cc3750a41fc7d91ddcf9a48017301742fb8f4ba472e1e3.dll
Size

1.1MB
MD5

406c44e26b3195a9d4fdc75506e5d5ef
SHA1

28abcfeeda814a917380d166fcd0aa8671fc4628
SHA256

4bc9550e00f42cfe69cc3750a41fc7d91ddcf9a48017301742fb8f4ba472e1e3
SHA512

80f7ea16ae8b1c674c80f87da2ebfbac1b4f952eb382e6ff2b7e2ebf53a7088ef13df3d92dad5aa15d698f0370138b784dc38f3ba3d02211bfc6eb42e6e780f6
SSDEEP

12288:hkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:hkMZ+gf4ltGd8H1fYO0q2G1Ah

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3476-4-0x00000000007E0000-0x00000000007E1000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/2728-0-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3476-35-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/3476-24-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/2728-38-0x0000000140000000-0x000000014011D000-memory.dmp	dridex_payload
behavioral2/memory/4836-46-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/4836-50-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload
behavioral2/memory/1584-61-0x0000000140000000-0x0000000140163000-memory.dmp	dridex_payload
behavioral2/memory/1584-66-0x0000000140000000-0x0000000140163000-memory.dmp	dridex_payload
behavioral2/memory/1380-81-0x0000000140000000-0x000000014011E000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

pid	Process
4836	shrpubw.exe
1584	bdeunlock.exe
1380	ddodiag.exe

Loads dropped DLL 3 IoCs

pid	Process
4836	shrpubw.exe
1584	bdeunlock.exe
1380	ddodiag.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Husvxt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\zWNjIbP\\bdeunlock.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	shrpubw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bdeunlock.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ddodiag.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
2728	rundll32.exe
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found
3476	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found
Token: SeShutdownPrivilege	3476	Process not Found
Token: SeCreatePagefilePrivilege	3476	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3476	Process not Found
3476	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 1568	3476	Process not Found	86
PID 3476 wrote to memory of 1568	3476	Process not Found	86
PID 3476 wrote to memory of 4836	3476	Process not Found	87
PID 3476 wrote to memory of 4836	3476	Process not Found	87
PID 3476 wrote to memory of 4748	3476	Process not Found	88
PID 3476 wrote to memory of 4748	3476	Process not Found	88
PID 3476 wrote to memory of 1584	3476	Process not Found	89
PID 3476 wrote to memory of 1584	3476	Process not Found	89
PID 3476 wrote to memory of 220	3476	Process not Found	90
PID 3476 wrote to memory of 220	3476	Process not Found	90
PID 3476 wrote to memory of 1380	3476	Process not Found	91
PID 3476 wrote to memory of 1380	3476	Process not Found	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bc9550e00f42cfe69cc3750a41fc7d91ddcf9a48017301742fb8f4ba472e1e3.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
1⤵
PID:1568

C:\Users\Admin\AppData\Local\1lCAYEQ\shrpubw.exe
C:\Users\Admin\AppData\Local\1lCAYEQ\shrpubw.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4836

C:\Windows\system32\bdeunlock.exe
C:\Windows\system32\bdeunlock.exe
1⤵
PID:4748

C:\Users\Admin\AppData\Local\JvHx8gcP\bdeunlock.exe
C:\Users\Admin\AppData\Local\JvHx8gcP\bdeunlock.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1584

C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
1⤵
PID:220

C:\Users\Admin\AppData\Local\W3iVJsR\ddodiag.exe
C:\Users\Admin\AppData\Local\W3iVJsR\ddodiag.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1lCAYEQ\shrpubw.exe

Filesize
59KB

MD5
9910d5c62428ec5f92b04abf9428eec9

SHA1
05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b

SHA256
6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e

SHA512
01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

Download Submit
C:\Users\Admin\AppData\Local\1lCAYEQ\srvcli.dll

Filesize
1.1MB

MD5
c98791109886203635d1ee1643cfdbd3

SHA1
a7adb43f98640f6a413b69065a0965ec8337b153

SHA256
67c9b8bdac8c95f40860f04210c100d5c9d6f77a4d4b6df03d27a8393bf57e5c

SHA512
404dcd7682b03ba98d98b8a122005e9a2083ecd6083a542c4febf669caa06173a2c7cfe998c0152fd8cdf1743fd4dc802431ce262c9726a8a4e27c0842cae1d9

Download Submit
C:\Users\Admin\AppData\Local\JvHx8gcP\DUI70.dll

Filesize
1.4MB

MD5
4e563469e10f7031b6c763afaf2e9662

SHA1
5a35daf09d0e2295964f869f89301909dedf6966

SHA256
951fd8a45508ded8a67715b016e7f610787228e1fb7627fb322f9529f0f69f4a

SHA512
4413ba2fa66fecbc5d841326db644af5fe13d34af3ba2dc5906ea4f80ea26a28ebeb9c0e75b0fc0fe7b307ec5649e1117f23ce57f1a5893ed1e516485470e80f

Download Submit
C:\Users\Admin\AppData\Local\JvHx8gcP\bdeunlock.exe

Filesize
279KB

MD5
fef5d67150c249db3c1f4b30a2a5a22e

SHA1
41ca037b0229be9338da4d78244b4f0ea5a3d5f3

SHA256
dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603

SHA512
4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

Download Submit
C:\Users\Admin\AppData\Local\W3iVJsR\XmlLite.dll

Filesize
1.1MB

MD5
c2e630f386bcc0440925b3dfefca6fe7

SHA1
9692c4f45f3153c78067bbbfbd7dc9fbf4c1ffcb

SHA256
801d61f01af48bdec6daddfe24dc3ad0bfb0729c056d81b24bc5c2b8ca324768

SHA512
e586ed47f2655ef4c30fcfdad55b45b4e74523d184fb7ad8ac2b67c7211e282939530fa501990f7423161e83ce56c97722d6bf4a47392ceecb8712b8df00f559

Download Submit
C:\Users\Admin\AppData\Local\W3iVJsR\ddodiag.exe

Filesize
39KB

MD5
85feee634a6aee90f0108e26d3d9bc1f

SHA1
a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2

SHA256
99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6

SHA512
b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zugrajzkhopu.lnk

Filesize
1KB

MD5
3101bac017c86d41c90786e874ecbf35

SHA1
9b6d453669fe1a24aabee445a2fbfcd57480f985

SHA256
3ce7b115de61643f2ff01349462e42d88084b8ad29b37a4db088bcd56ed81849

SHA512
a5692a46e211ac41d186a7572e7116b3f749a5af685e7280d9006f3fe351fccec219abc516ca828a6d62c6d14cd435bf99dccbbd32a7d1240dd10eb0345d4b21

Download Submit
memory/1380-81-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/1584-61-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/1584-63-0x000002272ECA0000-0x000002272ECA7000-memory.dmp

Filesize
28KB

Download
memory/1584-66-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/2728-2-0x0000022FA6CA0000-0x0000022FA6CA7000-memory.dmp

Filesize
28KB

Download
memory/2728-0-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/2728-38-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-8-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-12-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-10-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-7-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-6-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-11-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-24-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-35-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-4-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/3476-3-0x00007FF8B5AEA000-0x00007FF8B5AEB000-memory.dmp

Filesize
4KB

Download
memory/3476-9-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-25-0x00007FF8B5B80000-0x00007FF8B5B90000-memory.dmp

Filesize
64KB

Download
memory/3476-26-0x00007FF8B5B70000-0x00007FF8B5B80000-memory.dmp

Filesize
64KB

Download
memory/3476-15-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-23-0x00000000029E0000-0x00000000029E7000-memory.dmp

Filesize
28KB

Download
memory/3476-13-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/3476-14-0x0000000140000000-0x000000014011D000-memory.dmp

Filesize
1.1MB

Download
memory/4836-50-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4836-46-0x0000000140000000-0x000000014011E000-memory.dmp

Filesize
1.1MB

Download
memory/4836-45-0x000001CA15550000-0x000001CA15557000-memory.dmp

Filesize
28KB

Download