dridex | bc14ef4108eab623eb267b6dfebce5c1009837a6b126c567ff66922e5f4c8e5a

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc14ef4108eab623eb267b6dfebce5c1009837a6b126c567ff66922e5f4c8e5a.dll
Size

1.3MB
MD5

c593d8b78e3dda17474751a9a73f433a
SHA1

491a2e2a3426ff51c486b7343d8d6b0b79e2b8a3
SHA256

bc14ef4108eab623eb267b6dfebce5c1009837a6b126c567ff66922e5f4c8e5a
SHA512

e9ee27e03aee4bc227716fa3cdf641a48bee2ccc81237aa1323a3411a75ecca712ac61ce4d2e0892be383c6a140e0c002ccf77125ccccf7ac9d4530eea54df37
SSDEEP

12288:/tCtvNv+h26xiWZu8xDPtgPuSYAuXIPY2wKg7oGviTVp7OC0aO:/tChNv+ceiWjDVgyAurCg7osJ1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral1/memory/1156-4-0x0000000002550000-0x0000000002551000-memory.dmp	dridex_stager_shellcode

Dridex payload 12 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral1/memory/2556-0-0x000007FEF66E0000-0x000007FEF682E000-memory.dmp	dridex_payload
behavioral1/memory/1156-30-0x0000000140000000-0x000000014014E000-memory.dmp	dridex_payload
behavioral1/memory/1156-38-0x0000000140000000-0x000000014014E000-memory.dmp	dridex_payload
behavioral1/memory/1156-50-0x0000000140000000-0x000000014014E000-memory.dmp	dridex_payload
behavioral1/memory/1156-49-0x0000000140000000-0x000000014014E000-memory.dmp	dridex_payload
behavioral1/memory/2556-58-0x000007FEF66E0000-0x000007FEF682E000-memory.dmp	dridex_payload
behavioral1/memory/2288-76-0x000007FEF71E0000-0x000007FEF732F000-memory.dmp	dridex_payload
behavioral1/memory/2288-81-0x000007FEF71E0000-0x000007FEF732F000-memory.dmp	dridex_payload
behavioral1/memory/2876-93-0x000007FEF66E0000-0x000007FEF682F000-memory.dmp	dridex_payload
behavioral1/memory/2876-97-0x000007FEF66E0000-0x000007FEF682F000-memory.dmp	dridex_payload
behavioral1/memory/2528-109-0x000007FEF6590000-0x000007FEF66DF000-memory.dmp	dridex_payload
behavioral1/memory/2528-113-0x000007FEF6590000-0x000007FEF66DF000-memory.dmp	dridex_payload

Executes dropped EXE 4 IoCs

pid	Process
2808	wermgr.exe
2288	EhStorAuthn.exe
2876	mblctr.exe
2528	rekeywiz.exe

Loads dropped DLL 8 IoCs

pid	Process
1156	Process not Found
1156	Process not Found
2288	EhStorAuthn.exe
1156	Process not Found
2876	mblctr.exe
1156	Process not Found
2528	rekeywiz.exe
1156	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uuyszikihxbb = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\IJcUx9RO\\mblctr.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EhStorAuthn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mblctr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rekeywiz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	rundll32.exe
2556	rundll32.exe
2556	rundll32.exe
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found
1156	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 1640	1156	Process not Found	31
PID 1156 wrote to memory of 1640	1156	Process not Found	31
PID 1156 wrote to memory of 1640	1156	Process not Found	31
PID 1156 wrote to memory of 2808	1156	Process not Found	32
PID 1156 wrote to memory of 2808	1156	Process not Found	32
PID 1156 wrote to memory of 2808	1156	Process not Found	32
PID 1156 wrote to memory of 2720	1156	Process not Found	33
PID 1156 wrote to memory of 2720	1156	Process not Found	33
PID 1156 wrote to memory of 2720	1156	Process not Found	33
PID 1156 wrote to memory of 2288	1156	Process not Found	34
PID 1156 wrote to memory of 2288	1156	Process not Found	34
PID 1156 wrote to memory of 2288	1156	Process not Found	34
PID 1156 wrote to memory of 2880	1156	Process not Found	35
PID 1156 wrote to memory of 2880	1156	Process not Found	35
PID 1156 wrote to memory of 2880	1156	Process not Found	35
PID 1156 wrote to memory of 2876	1156	Process not Found	36
PID 1156 wrote to memory of 2876	1156	Process not Found	36
PID 1156 wrote to memory of 2876	1156	Process not Found	36
PID 1156 wrote to memory of 2868	1156	Process not Found	37
PID 1156 wrote to memory of 2868	1156	Process not Found	37
PID 1156 wrote to memory of 2868	1156	Process not Found	37
PID 1156 wrote to memory of 2528	1156	Process not Found	38
PID 1156 wrote to memory of 2528	1156	Process not Found	38
PID 1156 wrote to memory of 2528	1156	Process not Found	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc14ef4108eab623eb267b6dfebce5c1009837a6b126c567ff66922e5f4c8e5a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
1⤵
PID:1640

C:\Users\Admin\AppData\Local\o1d\wermgr.exe
C:\Users\Admin\AppData\Local\o1d\wermgr.exe
1⤵
- Executes dropped EXE
PID:2808

C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
1⤵
PID:2720

C:\Users\Admin\AppData\Local\yM9Txc9\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\yM9Txc9\EhStorAuthn.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2288

C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
1⤵
PID:2880

C:\Users\Admin\AppData\Local\aUIiMYevK\mblctr.exe
C:\Users\Admin\AppData\Local\aUIiMYevK\mblctr.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2876

C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
1⤵
PID:2868

C:\Users\Admin\AppData\Local\UWU\rekeywiz.exe
C:\Users\Admin\AppData\Local\UWU\rekeywiz.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\UWU\slc.dll

Filesize
1.3MB

MD5
cb98c5b9358d14e4931289bedf9c4a68

SHA1
a473810d335796a992e0d7e65c0450657508ebfa

SHA256
6ef1355e425fcdc7339b6dfbb974e572094af56f6baf89845e176cdaa95cabff

SHA512
72cade1fd236fa37354e6edb3d3e678bcd0551cd37aab1a2a1af76551bf8651f33696293121884ded3a3e5457f8f4a2a6cabb4c13d439934818866db06315813

Download Submit
C:\Users\Admin\AppData\Local\aUIiMYevK\dwmapi.dll

Filesize
1.3MB

MD5
7ffc25da672e0941ad82d1b021a6ce20

SHA1
82665b3133c9687953be46411747c947d98bfb34

SHA256
46d5f36c9c6ee52f5fdb2767cb8eded21c8e5128b87d4ebb52f197599e338972

SHA512
20533366aff625df880c60eaba625dd8ed327a274ea75e5c36e4ac65ce8daca9e47974149dbac7894d6f1b4c16ec72bdb8e841aacab417536a4dc0fd642e174f

Download Submit
C:\Users\Admin\AppData\Local\yM9Txc9\UxTheme.dll

Filesize
1.3MB

MD5
92d029f01ae8172f2099b9aa411655fe

SHA1
0d3a4c588c4f5d0a748c9adf5b96abaee9c35e74

SHA256
781456b167001699136726f22abaa0d7eb46d3937a58bd548811ca02f356a57a

SHA512
ee8c45c3cfab5b3a887df2a98fe2052e15de7b0555913c8268b5d4370aa3372d6214b298ddf682a65f407cc250f51051a6983c81ebdadf78bb88572ec25687cd

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk

Filesize
1KB

MD5
0f6f8a285088a0d58af6f26be8140fc3

SHA1
469c631e4243148e0eb6c955a3a7c576761ce076

SHA256
aefc3c0850420c17970213fda52bf3e8a8a13f5d016feb270a245af1fd0eb4a8

SHA512
87801639bafa2b522154a3347cf54e513ad1258179dc7470f7f127f1824d364ead70a2ad090565920d3300ea09219d3011ffc501aab7beb3aa29cf4d14ffe8a2

Download Submit
\Users\Admin\AppData\Local\UWU\rekeywiz.exe

Filesize
67KB

MD5
767c75767b00ccfd41a547bb7b2adfff

SHA1
91890853a5476def402910e6507417d400c0d3cb

SHA256
bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395

SHA512
f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

Download Submit
\Users\Admin\AppData\Local\aUIiMYevK\mblctr.exe

Filesize
935KB

MD5
fa4c36b574bf387d9582ed2c54a347a8

SHA1
149077715ee56c668567e3a9cb9842284f4fe678

SHA256
b71cdf708d4a4f045f784de5e5458ebf9a4fa2b188c3f7422e2fbfe19310be3f

SHA512
1f04ce0440eec7477153ebc2ce56eaabcbbac58d9d703c03337f030e160d22cd635ae201752bc2962643c75bbf2036afdd69d97e8cbc81260fd0e2f55946bb55

Download Submit
\Users\Admin\AppData\Local\o1d\wermgr.exe

Filesize
49KB

MD5
41df7355a5a907e2c1d7804ec028965d

SHA1
453263d230c6317eb4a2eb3aceeec1bbcf5e153d

SHA256
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861

SHA512
59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

Download Submit
\Users\Admin\AppData\Local\yM9Txc9\EhStorAuthn.exe

Filesize
137KB

MD5
3abe95d92c80dc79707d8e168d79a994

SHA1
64b10c17f602d3f21c84954541e7092bc55bb5ab

SHA256
2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad

SHA512
70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

Download Submit
memory/1156-15-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-16-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-13-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-12-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-14-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-3-0x0000000077126000-0x0000000077127000-memory.dmp

Filesize
4KB

Download
memory/1156-20-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-28-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-36-0x0000000002530000-0x0000000002537000-memory.dmp

Filesize
28KB

Download
memory/1156-30-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-29-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-27-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-26-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-25-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-24-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-23-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-22-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-21-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-19-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-18-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-17-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-11-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-40-0x00000000774C0000-0x00000000774C2000-memory.dmp

Filesize
8KB

Download
memory/1156-39-0x0000000077490000-0x0000000077492000-memory.dmp

Filesize
8KB

Download
memory/1156-38-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-50-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-49-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-4-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1156-59-0x0000000077126000-0x0000000077127000-memory.dmp

Filesize
4KB

Download
memory/1156-10-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-9-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-8-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-6-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1156-7-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2288-81-0x000007FEF71E0000-0x000007FEF732F000-memory.dmp

Filesize
1.3MB

Download
memory/2288-78-0x0000000000100000-0x0000000000107000-memory.dmp

Filesize
28KB

Download
memory/2288-76-0x000007FEF71E0000-0x000007FEF732F000-memory.dmp

Filesize
1.3MB

Download
memory/2528-109-0x000007FEF6590000-0x000007FEF66DF000-memory.dmp

Filesize
1.3MB

Download
memory/2528-113-0x000007FEF6590000-0x000007FEF66DF000-memory.dmp

Filesize
1.3MB

Download
memory/2556-58-0x000007FEF66E0000-0x000007FEF682E000-memory.dmp

Filesize
1.3MB

Download
memory/2556-0-0x000007FEF66E0000-0x000007FEF682E000-memory.dmp

Filesize
1.3MB

Download
memory/2556-2-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2876-93-0x000007FEF66E0000-0x000007FEF682F000-memory.dmp

Filesize
1.3MB

Download
memory/2876-97-0x000007FEF66E0000-0x000007FEF682F000-memory.dmp

Filesize
1.3MB

Download