dridex | 9f9e5e220ffdbfad25a863d7e9f99f345eecee23e695b6525a79337eb839c590

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f9e5e220ffdbfad25a863d7e9f99f345eecee23e695b6525a79337eb839c590.dll
Size

904KB
MD5

54d31559f9dbc295e20cf99dee50ac94
SHA1

81986b520be480a568f9683d8b93d06433cbb53c
SHA256

9f9e5e220ffdbfad25a863d7e9f99f345eecee23e695b6525a79337eb839c590
SHA512

1792ab82fee29d482c5f229096a477cfdeeb1b670f21b9542d91ad4bb4048e976ef9f0c73195675b4925fc2f7e2b8b9d3fb0fd3b8ae4162ad7a0ff043043d440
SSDEEP

12288:+qJ4FzHTx8cOjEIonNgQLtXKFg2t/KRi4Baed:+qGBHTxvt+g2gYed

Score

10^/10

dridex botnet evasion payload persistence privilege_escalation trojan

Malware Config

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Dridex Shellcode 1 IoCs

Detects Dridex Payload shellcode injected in Explorer process.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/1180-4-0x0000000002D90000-0x0000000002D91000-memory.dmp	dridex_stager_shellcode

Dridex payload 9 IoCs

Detects Dridex x64 core DLL in memory.

botnet payload

Processes:

resource	yara_rule
behavioral1/memory/2672-1-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral1/memory/1180-24-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral1/memory/1180-37-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral1/memory/1180-36-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral1/memory/2672-44-0x0000000140000000-0x00000001400E2000-memory.dmp	dridex_payload
behavioral1/memory/2600-54-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral1/memory/2600-57-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral1/memory/2908-73-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload
behavioral1/memory/2640-89-0x0000000140000000-0x00000001400E3000-memory.dmp	dridex_payload

Executes dropped EXE 3 IoCs

Processes:

notepad.exeBdeUISrv.exeosk.exe

pid	Process
2600	notepad.exe
2908	BdeUISrv.exe
2640	osk.exe

Loads dropped DLL 7 IoCs

Processes:

notepad.exeBdeUISrv.exeosk.exe

pid	Process
1180
2600	notepad.exe
1180
2908	BdeUISrv.exe
1180
2640	osk.exe
1180

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rcoehfpd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\GqBSQRmISe\\BdeUISrv.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exenotepad.exeBdeUISrv.exeosk.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepad.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BdeUISrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	osk.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exenotepad.exe

pid	Process
2672	rundll32.exe
2672	rundll32.exe
2672	rundll32.exe
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
1180
2600	notepad.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

description	pid	procid_target
PID 1180 wrote to memory of 3028	1180	31
PID 1180 wrote to memory of 3028	1180	31
PID 1180 wrote to memory of 3028	1180	31
PID 1180 wrote to memory of 2600	1180	32
PID 1180 wrote to memory of 2600	1180	32
PID 1180 wrote to memory of 2600	1180	32
PID 1180 wrote to memory of 2720	1180	33
PID 1180 wrote to memory of 2720	1180	33
PID 1180 wrote to memory of 2720	1180	33
PID 1180 wrote to memory of 2908	1180	34
PID 1180 wrote to memory of 2908	1180	34
PID 1180 wrote to memory of 2908	1180	34
PID 1180 wrote to memory of 2604	1180	35
PID 1180 wrote to memory of 2604	1180	35
PID 1180 wrote to memory of 2604	1180	35
PID 1180 wrote to memory of 2640	1180	36
PID 1180 wrote to memory of 2640	1180	36
PID 1180 wrote to memory of 2640	1180	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9f9e5e220ffdbfad25a863d7e9f99f345eecee23e695b6525a79337eb839c590.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
1⤵
PID:3028

C:\Users\Admin\AppData\Local\QA9necRrY\notepad.exe
C:\Users\Admin\AppData\Local\QA9necRrY\notepad.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
1⤵
PID:2720

C:\Users\Admin\AppData\Local\kWFsVhLFh\BdeUISrv.exe
C:\Users\Admin\AppData\Local\kWFsVhLFh\BdeUISrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2908

C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
1⤵
PID:2604

C:\Users\Admin\AppData\Local\Ps3Z3Mz\osk.exe
C:\Users\Admin\AppData\Local\Ps3Z3Mz\osk.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Ps3Z3Mz\UxTheme.dll

Filesize
908KB

MD5
195123c793530b9b96eefa14bb1026cf

SHA1
96880207220ea0cbae888590e505637543792bf3

SHA256
08769ad6cd9d7bb910dae05cde191f1c81054df5766efc0211a1e760c2832113

SHA512
d9fa16259314a7a4f7e7102bbb6f26040b3a6fb3d36d731386dd596d9699110adb7fa4caa165f731d116acca0f9237e97d1e0537327bb351a4dfb72f548b1a9e

Download Submit
C:\Users\Admin\AppData\Local\Ps3Z3Mz\osk.exe

Filesize
676KB

MD5
b918311a8e59fb8ccf613a110024deba

SHA1
a9a64a53d2d1c023d058cfe23db4c9b4fbe59d1b

SHA256
e1f7612086c2d01f15f2e74f1c22bc6abeb56f18e6bda058edce8d780aebb353

SHA512
e3a2480e546bf31509d6e0ffb5ce9dc5da3eb93a1a06d8e89b68165f2dd9ad520edac52af4c485c93fe6028dffaf7fcaadaafb04e524954dd117551afff87cf1

Download Submit
C:\Users\Admin\AppData\Local\QA9necRrY\notepad.exe

Filesize
189KB

MD5
f2c7bb8acc97f92e987a2d4087d021b1

SHA1
7eb0139d2175739b3ccb0d1110067820be6abd29

SHA256
142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

SHA512
2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

Download Submit
C:\Users\Admin\AppData\Local\kWFsVhLFh\BdeUISrv.exe

Filesize
47KB

MD5
1da6b19be5d4949c868a264bc5e74206

SHA1
d5ee86ba03a03ef8c93d93accafe40461084c839

SHA256
00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c

SHA512
9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

Download Submit
C:\Users\Admin\AppData\Local\kWFsVhLFh\WTSAPI32.dll

Filesize
908KB

MD5
87b90f602128af9db73088e5c4198458

SHA1
4a0e9fda0ff654838aeeb6259cdea98eeb00ed9b

SHA256
a8ead2ae70b8844986952aee0ab7098a735bcba45349a61715d4481ce2b9f618

SHA512
c9bcba98631d401aa210863c94a009ef25a8f6a34a468486f7f3fbdd9906422f0f60dad8a7c49b579f52c8e2294bccc9acf236d38829ca6cef5a78effe0ba988

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yjafzwirjcl.lnk

Filesize
1KB

MD5
136d1e9e630ca028dd457e3966e71556

SHA1
583bc89e1742201bad8b1614a0d24dfe398e009f

SHA256
910fba9290bc3c6496a6bf54beb1461e6bb1ccd0ae96579362bd73c8bc2f7b46

SHA512
d9d0601b34b8f9d81e9445dbbb2ec6c7ab0ee0448732cf85dc59659b305e74b2053265080305bef3da6db3b1a0dfc17d71ceff0e4aa807ffcdcf85a85df4fbe8

Download Submit
\Users\Admin\AppData\Local\QA9necRrY\VERSION.dll

Filesize
908KB

MD5
9d624c15f02300ad1c4a7aa0c0f3f1e0

SHA1
90800a1419a873315fc144775f2847a8e2be52c9

SHA256
cb32442ea773dd7bf3d028556601e9ff36e09c23775c06ed2bef48fdbdbebe72

SHA512
00bbe7da67fde8682dce16038d20fd37b1ef5f1eee85a6883d8d5e4108b17dd8427f59ba4fa9ecc19a2543a9ac9a881fae65b07551fa89fd3d4a65b0c51f161e

Download Submit
memory/1180-25-0x0000000077810000-0x0000000077812000-memory.dmp

Filesize
8KB

Download
memory/1180-23-0x00000000025C0000-0x00000000025C7000-memory.dmp

Filesize
28KB

Download
memory/1180-11-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-10-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-9-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-8-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-7-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-6-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-26-0x0000000077840000-0x0000000077842000-memory.dmp

Filesize
8KB

Download
memory/1180-3-0x00000000774A6000-0x00000000774A7000-memory.dmp

Filesize
4KB

Download
memory/1180-24-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-37-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-36-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1180-45-0x00000000774A6000-0x00000000774A7000-memory.dmp

Filesize
4KB

Download
memory/1180-13-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-15-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-14-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1180-12-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2600-57-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/2600-53-0x0000000000510000-0x0000000000517000-memory.dmp

Filesize
28KB

Download
memory/2600-54-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/2640-89-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download
memory/2672-44-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2672-0-0x0000000000110000-0x0000000000117000-memory.dmp

Filesize
28KB

Download
memory/2672-1-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2908-73-0x0000000140000000-0x00000001400E3000-memory.dmp

Filesize
908KB

Download