dridex | bc14ef4108eab623eb267b6dfebce5c1009837a6b126c567ff66922e5f4c8e5a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc14ef4108eab623eb267b6dfebce5c1009837a6b126c567ff66922e5f4c8e5a.dll
Size

1.3MB
MD5

c593d8b78e3dda17474751a9a73f433a
SHA1

491a2e2a3426ff51c486b7343d8d6b0b79e2b8a3
SHA256

bc14ef4108eab623eb267b6dfebce5c1009837a6b126c567ff66922e5f4c8e5a
SHA512

e9ee27e03aee4bc227716fa3cdf641a48bee2ccc81237aa1323a3411a75ecca712ac61ce4d2e0892be383c6a140e0c002ccf77125ccccf7ac9d4530eea54df37
SSDEEP

12288:/tCtvNv+h26xiWZu8xDPtgPuSYAuXIPY2wKg7oGviTVp7OC0aO:/tChNv+ceiWjDVgyAurCg7osJ1

Score

10^/10

dridex botnet evasion payload persistence trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

resource	yara_rule
behavioral2/memory/3508-3-0x0000000003020000-0x0000000003021000-memory.dmp	dridex_stager_shellcode

Dridex payload 13 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

resource	yara_rule
behavioral2/memory/4668-1-0x00007FFEC3130000-0x00007FFEC327E000-memory.dmp	dridex_payload
behavioral2/memory/3508-38-0x0000000140000000-0x000000014014E000-memory.dmp	dridex_payload
behavioral2/memory/3508-31-0x0000000140000000-0x000000014014E000-memory.dmp	dridex_payload
behavioral2/memory/4668-44-0x00007FFEC3130000-0x00007FFEC327E000-memory.dmp	dridex_payload
behavioral2/memory/3508-50-0x0000000140000000-0x000000014014E000-memory.dmp	dridex_payload
behavioral2/memory/996-59-0x00007FFEB4AA0000-0x00007FFEB4C34000-memory.dmp	dridex_payload
behavioral2/memory/996-64-0x00007FFEB4AA0000-0x00007FFEB4C34000-memory.dmp	dridex_payload
behavioral2/memory/3116-77-0x00007FFEC3740000-0x00007FFEC388F000-memory.dmp	dridex_payload
behavioral2/memory/3116-78-0x00007FFEC3740000-0x00007FFEC388F000-memory.dmp	dridex_payload
behavioral2/memory/2588-92-0x00007FFEC3730000-0x00007FFEC3885000-memory.dmp	dridex_payload
behavioral2/memory/2588-94-0x00007FFEC3730000-0x00007FFEC3885000-memory.dmp	dridex_payload
behavioral2/memory/708-102-0x00007FFEC3130000-0x00007FFEC327F000-memory.dmp	dridex_payload
behavioral2/memory/708-105-0x00007FFEC3130000-0x00007FFEC327F000-memory.dmp	dridex_payload

Executes dropped EXE 4 IoCs

pid	Process
996	SystemSettingsRemoveDevice.exe
3116	slui.exe
2588	mmc.exe
708	MusNotificationUx.exe

Loads dropped DLL 4 IoCs

pid	Process
996	SystemSettingsRemoveDevice.exe
3116	slui.exe
2588	mmc.exe
708	MusNotificationUx.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tsrvevdpr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\hcp\\slui.exe"	Process not Found

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SystemSettingsRemoveDevice.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	slui.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mmc.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4668	rundll32.exe
4668	rundll32.exe
4668	rundll32.exe
4668	rundll32.exe
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found
3508	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found
Token: SeShutdownPrivilege	3508	Process not Found
Token: SeCreatePagefilePrivilege	3508	Process not Found

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4240	3508	Process not Found	86
PID 3508 wrote to memory of 4240	3508	Process not Found	86
PID 3508 wrote to memory of 996	3508	Process not Found	87
PID 3508 wrote to memory of 996	3508	Process not Found	87
PID 3508 wrote to memory of 2512	3508	Process not Found	88
PID 3508 wrote to memory of 2512	3508	Process not Found	88
PID 3508 wrote to memory of 3116	3508	Process not Found	89
PID 3508 wrote to memory of 3116	3508	Process not Found	89
PID 3508 wrote to memory of 3808	3508	Process not Found	90
PID 3508 wrote to memory of 3808	3508	Process not Found	90
PID 3508 wrote to memory of 2588	3508	Process not Found	91
PID 3508 wrote to memory of 2588	3508	Process not Found	91
PID 3508 wrote to memory of 4812	3508	Process not Found	92
PID 3508 wrote to memory of 4812	3508	Process not Found	92
PID 3508 wrote to memory of 708	3508	Process not Found	93
PID 3508 wrote to memory of 708	3508	Process not Found	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\bc14ef4108eab623eb267b6dfebce5c1009837a6b126c567ff66922e5f4c8e5a.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4668

C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
1⤵
PID:4240

C:\Users\Admin\AppData\Local\Hvkzb4As\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\Hvkzb4As\SystemSettingsRemoveDevice.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:996

C:\Windows\system32\slui.exe
C:\Windows\system32\slui.exe
1⤵
PID:2512

C:\Users\Admin\AppData\Local\bqgV\slui.exe
C:\Users\Admin\AppData\Local\bqgV\slui.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3116

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
1⤵
PID:3808

C:\Users\Admin\AppData\Local\hDCN\mmc.exe
C:\Users\Admin\AppData\Local\hDCN\mmc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2588

C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
1⤵
PID:4812

C:\Users\Admin\AppData\Local\ovzl7js5p\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\ovzl7js5p\MusNotificationUx.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Hvkzb4As\DUI70.dll

Filesize
1.6MB

MD5
d919914976d46f9ee27ac6c8fa4c010f

SHA1
08df02813fa949c0b03f695395f47e2b69771244

SHA256
1c0f52aaff8af58b93a838d16c6f0ac102b099b3cd43110598215e419c37754f

SHA512
f9136ace7f14911268cbda46c5d6fdc9ea4e0fdc5ae3e68e5d175a3058638a4a798fbb2499f2dda9f4b052bfc37dc226d5aca34561c7740461a4bb7ab8f9dc9e

Download Submit
C:\Users\Admin\AppData\Local\Hvkzb4As\SystemSettingsRemoveDevice.exe

Filesize
39KB

MD5
7853f1c933690bb7c53c67151cbddeb0

SHA1
d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6

SHA256
9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d

SHA512
831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

Download Submit
C:\Users\Admin\AppData\Local\bqgV\SLC.dll

Filesize
1.3MB

MD5
d6be6dc66e61d5cfad6e66aad1ccd242

SHA1
72c80c50c9ec9ab84c60a5dfbae95261a9026800

SHA256
6618c4f7025b22aa675ae74385054042bb8efc67a3b9184dd7d3289fb8c88c33

SHA512
fccd5c3b02b14475af0f84456a358de7bdfad77efba3b7b5cb00452d4eca8a7eecdf7a032a3c66915d377e96c04eea6acda639ccebc065717e76b4d0c1f74d5b

Download Submit
C:\Users\Admin\AppData\Local\bqgV\slui.exe

Filesize
534KB

MD5
eb725ea35a13dc18eac46aa81e7f2841

SHA1
c0b3304c970324952e18c4a51073e3bdec73440b

SHA256
25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff

SHA512
39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

Download Submit
C:\Users\Admin\AppData\Local\hDCN\MFC42u.dll

Filesize
1.3MB

MD5
bde2d1acdf63764b9a5537909f0ebda3

SHA1
498d681f3856b6f3cc444a2890816d44dd8d5a7b

SHA256
9f37938bf0c7e98320d10e3528e0d35e25200372d6a5256c5608aee198cc1c90

SHA512
395475030e8c043957c1f46bc59d330deec8651c691d2e09f66594b5833a083ff801b5d7b88aa468980e18d85854d257b94c4d134835e1904cd46fbc7aefccf0

Download Submit
C:\Users\Admin\AppData\Local\hDCN\mmc.exe

Filesize
1.8MB

MD5
8c86b80518406f14a4952d67185032d6

SHA1
9269f1fbcf65fefbc88a2e239519c21efe0f6ba5

SHA256
895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a

SHA512
1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

Download Submit
C:\Users\Admin\AppData\Local\ovzl7js5p\MusNotificationUx.exe

Filesize
615KB

MD5
869a214114a81712199f3de5d69d9aad

SHA1
be973e4188eff0d53fdf0e9360106e8ad946d89f

SHA256
405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361

SHA512
befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

Download Submit
C:\Users\Admin\AppData\Local\ovzl7js5p\XmlLite.dll

Filesize
1.3MB

MD5
d1d5ad16b1b15a8a3acac2fcda14a2d0

SHA1
ab8069dd8f201cf4aa6a49d054000d85a1a83f3c

SHA256
6b1fac4a6b6496e7c5d4d1ae7fed0b8fd9d790514291e1b934cbc1f5fe342cbc

SHA512
8558c5e27618741a07cfecdfb4aa0ec480f764bd34c75119ef2d58cc6e1748cc11b9c6fd70726d81f6cbb33ad698ee0b44eb45ad4f074678a1dbe19335dc2107

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ybgihhkn.lnk

Filesize
1KB

MD5
a2933c3eb5f97ff41c164fcea1d7eb38

SHA1
6e335d9630ba59c8161ac4ca2041b80d9f02dc8e

SHA256
89d6968aafc4684eb10c2caaffc879f06deea00665b78bbe4795da9aea127b77

SHA512
b8b17ee56039fee5d96cd3daab6f3e8549343e2b150c5f4361bf67bc357258ca009750e4f521e8984b6b86b9f148c07154e0664feb552e5b3049773368c9daa9

Download Submit
memory/708-102-0x00007FFEC3130000-0x00007FFEC327F000-memory.dmp

Filesize
1.3MB

Download
memory/708-105-0x00007FFEC3130000-0x00007FFEC327F000-memory.dmp

Filesize
1.3MB

Download
memory/996-64-0x00007FFEB4AA0000-0x00007FFEB4C34000-memory.dmp

Filesize
1.6MB

Download
memory/996-59-0x00007FFEB4AA0000-0x00007FFEB4C34000-memory.dmp

Filesize
1.6MB

Download
memory/996-61-0x000001D2837E0000-0x000001D2837E7000-memory.dmp

Filesize
28KB

Download
memory/2588-92-0x00007FFEC3730000-0x00007FFEC3885000-memory.dmp

Filesize
1.3MB

Download
memory/2588-94-0x00007FFEC3730000-0x00007FFEC3885000-memory.dmp

Filesize
1.3MB

Download
memory/3116-78-0x00007FFEC3740000-0x00007FFEC388F000-memory.dmp

Filesize
1.3MB

Download
memory/3116-77-0x00007FFEC3740000-0x00007FFEC388F000-memory.dmp

Filesize
1.3MB

Download
memory/3116-75-0x000001D56BD20000-0x000001D56BD27000-memory.dmp

Filesize
28KB

Download
memory/3508-26-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-21-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-17-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-16-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-15-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-14-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-13-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-11-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-10-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-9-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-8-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-19-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-6-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-12-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-3-0x0000000003020000-0x0000000003021000-memory.dmp

Filesize
4KB

Download
memory/3508-50-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-20-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-18-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-22-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-23-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-24-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-25-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-5-0x00007FFED1B7A000-0x00007FFED1B7B000-memory.dmp

Filesize
4KB

Download
memory/3508-27-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-29-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-31-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-38-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-39-0x00007FFED21E0000-0x00007FFED21F0000-memory.dmp

Filesize
64KB

Download
memory/3508-40-0x00007FFED21D0000-0x00007FFED21E0000-memory.dmp

Filesize
64KB

Download
memory/3508-37-0x0000000001200000-0x0000000001207000-memory.dmp

Filesize
28KB

Download
memory/3508-28-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/3508-7-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/4668-0-0x00000268B3AE0000-0x00000268B3AE7000-memory.dmp

Filesize
28KB

Download
memory/4668-44-0x00007FFEC3130000-0x00007FFEC327E000-memory.dmp

Filesize
1.3MB

Download
memory/4668-1-0x00007FFEC3130000-0x00007FFEC327E000-memory.dmp

Filesize
1.3MB

Download